Images: How to bypass FileVault, BitLocker security

Step 7: Running 'keyfind'
Meanwhile, over at his laptop, Applebaum has transfered the contents of the MacBook's 1.25 GB of memory to his own computer in the "/tmp/declan-macbook" memory file.

Part of what makes this research so interesting are the cunning techniques the researchers invented to identify AES encryption keys in memory files. They work by using a feature of the AES algorithm called a key schedule as a kind of error-correcting code. That lets them reconstruct keys even if the contents of the dynamic RAM chips have begun to decay. The paper says: "Applying this method to keys with 10 percent of bits decayed, we can reconstruct nearly any 128-bit AES key within a few seconds. We have devised reconstruction techniques for AES, DES, and RSA keys, and we expect that similar approaches will be possible for other cryptosystems."

In this photograph, Applebaum is using a program called "keyfind" to examine the contents of the memory file. It doesn't take long to report back its first possible match for an AES key.

Talkback
Most Recent of 17 Talkback(s)

Thread View
Flat View

Bit Locker: It seems to me that the problem resides in the TPM. I do not use it. I store my password on a memory stick whereas using TPM stores it in the RAM. If the password is not on the computer to begin with it can't be hacked.... (Read the rest); Posted by: cobra96ds@... Posted on: 02/25/08 You are currently: a Guest | Log in | Terms of Use