I’ve lost the PIN and the recovery key and I didn’t store it anywhere. I reimaged the host of the VM as well. This is a BitLocker-encrypted VHDX. I’ve looked into Elcomsoft ("Unlocking BitLocker: Can You Break That Password?" on the ElcomSoft blog) but it doesn’t seem to be able to do what I need it to do.

Is there no way for me to recover the VHDX? Really no software out there, nothing?

4 Spice ups

If an encrypted disk could be bypassed, then it’s a worthless system.

Unless you can exploit one of the weaknesses in Bitlocker, no, you can’t get in without your passcode or recovery code.

The newer your OS, the less likely you will be able to exploit it too and even if you could exploit it, doing so isn’t easy.

5 Spice ups

Theoretically tho, given I know the PIN must have been at least 6 numbers and at max 20 numbers, if I were to have infinite patience and lot of time, couldn’t I use 1 PIN from all the (millions?) of combinations and find the ONE that’s correct? Bruteforcing basically. Or are there safeguards against this inside the TPM chip? I really need the data.

3 Spice ups

There are safeguards against that otherwise again, there would be no point, someone could just sit there attacking and trying all combinations of just numbers, which isn’t that hard. But it is VERY time consuming.

Your reply doesn’t match your post though.

It can be as little as 4 and a max of 20, but this doesn’t help.

4 Spice ups

Dang. You think even forensic IT professionals couldn’t decrypt it for me? I’m willing to pay

3 Spice ups

Highly unlikely, if someone, anyone, including forensic professionals could decrypt it, then the encryption is pointless.

Brute-force attacks are practically infeasible due to the encryption strength.
Forensic tools like ElcomSoft or Passware can only help if:

  • You have access to memory dumps from a live system where the VHDX was mounted.
  • You have partial credentials or cached keys.
  • The system was using TPM-only protection and the TPM is still accessible.

Otherwise, unfortunately you encrypted the drive to protect against people getting in, and this, in this case, includes you.

I’m sure you know this, but it is SO important to protect your PIN and/or recovery keys.

Check backups and your Microsoft account, just in case you did save it.

As an example, if your PIN was 20 numbers, and you wanted to crack this using an RTX 4070 Ti Super, it would take over 1500 years.

5 Spice ups

No I used TPM+ PIN. Am I toast?

3 Spice ups

btw if I’ve since reimaged the host running the VM, then the TPM isn’t accessible, right?

3 Spice ups

TPM is part of the physical host, a vTPM is generated based on the physical host.

Unless you have the vTPM, then yes, toast.

3 Spice ups

So the vTPM is now changed because I’ve re-imaged the host?

3 Spice ups

btw if I created a new VM to run the VHDX, it can’t be that I type in the right PIN but it still says it’s incorrect, right?

3 Spice ups

If the PIN is wrong, it’s wrong.

If you mount the VHDX to another machine, it should ask for the recovery key.

3 Spice ups

Unless you performed one of the many steps that they asked you to do so that you could recover your password, then no you can’t. But think about it. If you could just download some software to get around encryption then what purpose would it actually serve? None.

3 Spice ups

Okay but what about police for example? Couldn’t they decrypt a drive through their forensic IT pros? I would be willing to pay, I know it’s a lot of money but still.

3 Spice ups

Basically that’s my developer VM with so much of the source code of one of my apps I’ve been developing. I do have github and I have my work saved on there too as well as on my network share but I think it’s an older version so I need the VHDX.

3 Spice ups

I think you are missing the point.

If anyone, let’s say the police could decrypt the drive, then so could the bad guys too. Encryption exists for security, if someone can get past this, then there’s no point having it.
Besides, it’s not like you could walk in to a station and ask them to help you decrypt a drive.

This is why you should ensure your recovery key, at a minimum, is secured somewhere. You’ve mentioned a few places you have access to; your recovery key should be in all of them, to avoid situations like this.

4 Spice ups
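The advice above about keeping the recovery key in more than one place, as an added example that is not part of the original thread: a PowerShell audit, run elevated inside the machine (or VM guest) that owns the volumes, which flags BitLocker volumes with no recovery password protector, adds one, and writes each recovery password to an escrow folder. The `$EscrowDir` path and the file naming are assumptions; the folder must live on storage outside the encrypted volume and outside the host.

```powershell
#Requires -RunAsAdministrator
# Added example: audit BitLocker volumes and escrow their recovery passwords.
param(
    # Hypothetical path: point this at removable or off-host storage,
    # never at a folder on the volume being protected.
    [string]$EscrowDir = 'E:\bitlocker-escrow'
)

New-Item -ItemType Directory -Path $EscrowDir -Force | Out-Null

foreach ($vol in Get-BitLockerVolume) {
    # Skip volumes that hold no encrypted data at all.
    if ($vol.VolumeStatus -eq 'FullyDecrypted') { continue }

    $types    = $vol.KeyProtector.KeyProtectorType -join ', '
    $recovery = $vol.KeyProtector |
        Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }

    if (-not $recovery) {
        # A volume protected only by TPM / TPM+PIN is unrecoverable once the
        # TPM (or vTPM) state or the PIN is lost, so add a recovery password.
        Write-Warning "$($vol.MountPoint): no recovery password (protectors: $types)"
        Add-BitLockerKeyProtector -MountPoint $vol.MountPoint `
            -RecoveryPasswordProtector -WarningAction SilentlyContinue | Out-Null
        $recovery = (Get-BitLockerVolume -MountPoint $vol.MountPoint).KeyProtector |
            Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }
    }

    foreach ($kp in $recovery) {
        # One file per protector, named by host, drive and protector ID so the
        # right key can be matched to the ID shown on the recovery screen.
        $name = '{0}_{1}_{2}.txt' -f $env:COMPUTERNAME,
            $vol.MountPoint.TrimEnd(':\'), $kp.KeyProtectorId.Trim('{}')
        $path = Join-Path $EscrowDir $name
        @(
            "Computer:          $env:COMPUTERNAME"
            "Volume:            $($vol.MountPoint)"
            "Protector ID:      $($kp.KeyProtectorId)"
            "Recovery password: $($kp.RecoveryPassword)"
            "Exported:          $(Get-Date -Format o)"
        ) | Set-Content -Path $path -Encoding UTF8
        Write-Output "Escrowed $($vol.MountPoint) -> $path"
    }
}
```

Copy the resulting files to at least one further location, such as a password manager or a printed copy, and restrict who can read the escrow folder.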

But don’t governments pay huge amounts of money for exclusive access to zero days for example for encryption tech like BitLocker? There’s some super smart developers out there specializing in zero-day development and they’re making bank.

Of course the bad guys can get them too, sure, but depends on whether they know about the devs who create the zero days and can they pay for them? I think zero days are for the most part bought by governments for their cybersecurity organizations and police agencies like NSA in the US. I wouldn’t be surprised if the NSA had a zero day for BitLocker we don’t yet know of but they won’t advertize that to us common folk.

I specifically avoid storing encryption recovery keys in places like my MS accounts for this reason alone. Even tho this isn’t anything illegal, it’s just my source code for my apps I’m developing but I still don’t want my privacy broken by my country’s government (I’m not from the US). This has been a lesson learnt however, and you’re absolutely right

3 Spice ups

So you want to hire someone who exploits zero days and you’re willing to pay them ‘bank’ for their services?

And they’re unlikely to as this means it’s out in the wild where anyone can abuse it.

Unless you specify what it’s for, it’s just a code; it should mean something to you but nothing to anyone else.

You should consider using vaults moving forward, to store your sensitive data and consider whether encryption of the VM is necessary.

Get a code signing certificate and sign your code, so if someone did access it, it’s signed.

Do you not see the irony here?

You want someone to break in, and made a claim that governments do this, but you don’t want your government doing it. Who decides which governments can break in then?

I am also not from the US.

I would look in to signing your code and storing keys and sensitive data in vaults (digital vaults, not those in banks).

3 Spice ups

I would pay them for it but I can’t afford it as I’m sure they’d really expect “bank” for it which is understandable.

I don’t think that means anybody can abuse it, as think about how expensive it is to get the zero days. You think cybercriminal groups like Black Basta have the funds to get it? Doubt it. But what about a government? Surely they can afford it.

When you say vaults, do you mean stuff like OneDrive’s “personal vault” (I think that’s what it’s called)?

I can’t afford a code signing certificate lol, it’d cost me thousands. I can self sign it, but that’s only meaningful to me I think.

By the way beside onedrive’s personal vault, do you have any other recommendations for “FOSS” vaults that work, get the job done securely but don’t cost money?

3 Spice ups

Vault | HashiCorp Developer

A code signing cert can be had for around €200-€300

Why don’t you want to pay for a vault, but you would pay to recover your data, don’t these amount to the same thing - your data is valuable?

I think your buying of 0-day exploits may be a little under-estimating.

3 Spice ups