Join us at hack.lu 2025 — Info & Registration
Duration: 30 min
Type: Talk
Speakers: Edouard D’hoedt, Hayk Gevorgyan
Abstract
How safe is your “encrypted” laptop when someone walks off with it?
Full-disk encryption (in particular BitLocker) is now standard on Windows 11 machines, silently protecting everything from corporate endpoints to personal devices. But in the real world, does it truly hold up against physical access attacks?
This session is for defenders, red teamers, and anyone who’s ever been handed a laptop and told, “Don’t worry, it’s encrypted.”
Description
This talk is a 2025 field guide to practical techniques for bypassing BitLocker, drawn from our own hands-on experience during real-world red team engagements and based on publicly documented attack techniques.
We will focus on what actually works in the field, setting aside the techniques that are too hardware-specific, outdated and patched, or only achievable under lab conditions.
Along the way, we will break down how BitLocker works under the hood, covering key components like the TPM, boot process, and key management, and give context for the following attacks:
- TPM sniffing
- Direct Memory Access (DMA)
- Bitpixie
We will also offer a reality check on more exotic vectors like cold boot attacks and Intel DCI. We will walk through where these techniques worked for us in practice, where they failed, and what challenges we encountered along the way.
Red teamers will learn quick, effective methods for gaining initial access and privilege escalation on end-user devices. This will be supported by insights into tooling, setup requirements, reliability, ease of execution, and post-exploitation considerations.
Blue teamers will come away with a realistic view of the current risks and threat landscape, along with an overview of available mitigations, including those introduced by Microsoft and hardware vendors in recent years.
A live demo will illustrate the practical impact of one of the featured attacks and reinforce the importance of context-aware defenses.