Too bad the author did not provide hardware specs. Such an attack is even harder on DDR4 and DDR5 memory, and most publications refer to legacy RAM such as DDR3.
> In my experience I have had the most success restarting the system while Windows is loading but before the login screen has appeared, at least in the case of finding FVEK keys.
So what is this? It was supposed to be a memory attack, and he's dumping the keys after someone unlocked it and it's booting?
So this is just another theoretical attack where perfect conditions must be met.
This attack has nothing to do with the memory type; memory is never made cold or allowed to decay. The system is hot-restarted into UEFI. Ideally no memory refreshes are skipped.
I do wish they provided the hardware specs too, though, as this reflects an incorrect UEFI platform implementation of MOR.
You are right, but I still have no idea what the point of this article is.
The guy unlocked BitLocker, then restarted the PC just before the login screen appeared. He said that's when he had the most success. What sense does it make to restart and start looking for the key in memory when BitLocker has just been unlocked?
I steal your Windows laptop. I want your data. I don't have your credentials, so I can't log in to Windows. I let your laptop boot to the point where BitLocker is automatically unlocked, perform a hard reboot, dump the RAM, extract the keys, and can now decrypt your drive and extract your data.
> What sense does it make to restart when bitlocker has been just unlocked.
You steal a laptop. You turn on the laptop. You reboot it into UEFI and steal the keys. This is bad for BitLocker. Ideally this is not possible because the MOR bit should cause the keys to be erased by the platform initialization before boot-from-USB is possible.
BitLocker is unlocked before you reach the login screen.
If I understand correctly, you need to start the PC, reboot just before the login screen appears, and boot to a USB application which will copy the memory contents.
You seem to think it's common to require a separate BitLocker unlock step. In reality, this is extremely rare: the vast majority of users have no idea about any of this and have BitLocker set to automatically unlock during system power on.
So this is a viable attack on many, many real-world systems. Adding a BitLocker password/PIN is a mitigation that prevents this attack.
Note that BitLocker is still very useful even in this mode: it guarantees that someone who steals your laptop can't just connect the disk to another system and read everything on it, unless they can actually extract the keys from RAM, or bypass Windows authentication - this attack allows them to do the former relatively easily.
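The "dump the RAM, extract the keys" step that the replies above take for granted, shown as an added example (this is not code from the article or from any commenter): a Python scanner that finds AES key schedules in a raw memory image the way the classic aeskeyfind tool does. BitLocker's FVEK is an AES key, and a running system keeps not just the key but its expanded round keys in RAM, so every 16- or 32-byte window is tried as a candidate key, expanded, and compared with the bytes that follow it. The memory image, the planted keys (FIPS-197 test vectors standing in for a FVEK) and their offsets are all constructed here for the demo.

```python
"""Find AES-128/256 key schedules in a raw memory image (aeskeyfind-style).

Added example, not the article's or any commenter's code. A hot reboot into
UEFI leaves RAM intact, so an AES key that was in use is still present next
to its expanded round keys; an exact-match scan recovers it. The sample
image below is constructed for the demo.
"""
import random


def _gmul(a, b):
    """Multiply in GF(2^8) with the AES polynomial x^8+x^4+x^3+x+1."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= 0x11B
        b >>= 1
    return r


def _gpow(a, e):
    r = 1
    while e:
        if e & 1:
            r = _gmul(r, a)
        a = _gmul(a, a)
        e >>= 1
    return r


def _rotl8(x, n):
    return ((x << n) | (x >> (8 - n))) & 0xFF


# Build the AES S-box: multiplicative inverse (a^254) followed by the affine map.
SBOX = []
for _a in range(256):
    _q = _gpow(_a, 254) if _a else 0
    SBOX.append(_q ^ _rotl8(_q, 1) ^ _rotl8(_q, 2) ^ _rotl8(_q, 3) ^ _rotl8(_q, 4) ^ 0x63)


def expand_key(key):
    """FIPS-197 key expansion: 176 bytes for a 16-byte key, 240 for a 32-byte key."""
    nk = len(key) // 4
    nr = nk + 6
    w = [list(key[4 * i:4 * i + 4]) for i in range(nk)]
    rcon = 1
    for i in range(nk, 4 * (nr + 1)):
        t = list(w[i - 1])
        if i % nk == 0:
            t = [SBOX[b] for b in t[1:] + t[:1]]  # RotWord + SubWord
            t[0] ^= rcon
            rcon = _gmul(rcon, 2)
        elif nk > 6 and i % nk == 4:
            t = [SBOX[b] for b in t]              # extra SubWord for AES-256
        w.append([w[i - nk][j] ^ t[j] for j in range(4)])
    return bytes(b for word in w for b in word)


def _first_derived_word(cand):
    """Cheap prefilter: the first expanded word that must follow a key in memory."""
    t = cand[-4:]
    t = [SBOX[t[1]] ^ 1, SBOX[t[2]], SBOX[t[3]], SBOX[t[0]]]
    return bytes(cand[j] ^ t[j] for j in range(4))


def find_aes_keys(image, key_sizes=(16, 32)):
    """Return [(offset, key_size, key)] for every exact key schedule found."""
    hits = []
    for ks in key_sizes:
        sched_len = 16 * (ks // 4 + 7)
        for off in range(len(image) - sched_len + 1):
            cand = image[off:off + ks]
            if image[off + ks:off + ks + 4] != _first_derived_word(cand):
                continue
            if expand_key(cand) == image[off:off + sched_len]:
                hits.append((off, ks, cand))
    return hits


def build_sample_image(seed=1234):
    """Constructed test data: 16 KiB of random filler with two key schedules planted."""
    rng = random.Random(seed)
    image = bytearray(rng.getrandbits(8) for _ in range(16 * 1024))
    k128 = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")  # FIPS-197 A.1 key
    k256 = bytes.fromhex("603deb1015ca71be2b73aef0857d7781"
                         "1f352c073b6108d72d9810a30914dff4")  # FIPS-197 A.3 key
    image[0x1000:0x1000 + 176] = expand_key(k128)
    image[0x2345:0x2345 + 240] = expand_key(k256)
    return bytes(image), k128, k256


if __name__ == "__main__":
    image, _, _ = build_sample_image()
    for off, ks, key in find_aes_keys(image):
        print(f"AES-{ks * 8} key schedule at offset 0x{off:x}: {key.hex()}")
```

Because the scenario in this thread is a hot reboot with no refresh skipped, an exact match is sufficient; production tools additionally tolerate a few bit errors (for true cold-boot dumps) and also search for the inverse schedule that software AES implementations keep for decryption. On a real dump, replace the constructed image with the file produced by the USB memory-dumping tool and expect a handful of hits, of which the FVEK is one.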