Authors: Matheus Bichara de Assumpção, Marcelo Abdalla dos Reis, Marcos Roberto Marcondes, Pedro Monteiro da Silva Eleutério, Victor Hugo Vieira
DFRWS EU 2023
Starting from Windows 11, the Trusted Platform Module (TPM) 2.0 has become a computer requirement, providing hardware-based security capabilities. This poses a challenge to digital forensics experts, as the amount of BitLocker-encrypted evidence protected by a TPM tends to increase. This paper presents a forensic method for obtaining the BitLocker Volume Master Key (VMK) from TPM-protected evidence using Intel DCI technology and reverse engineering techniques. It shows how to enable Intel DCI in the firmware, reverse the Windows Boot Manager UEFI application, and debug the target computer using a USB 3 A-A cable to retrieve the VMK from memory. We have effectively applied the presented method on a computer with a 7th-generation Intel processor containing a BitLocker-encrypted volume with TPM protection and Windows 11 Pro. As a result, we were able to fully decrypt the BitLocker volume with the VMK and gain data access. We consider, however, that the success of the presented method depends on the ability to enable Intel DCI in the target computer, which may not be feasible in every system.