penetrate turned-off laptop

I need starting ideas on how to penetrate a laptop. In the scenario, I have physical possession of the laptop and can buy equipment up to 10,000 euros. I was looking at rootkits, but they seem to work only if root-level access has previously been gained.

I would guess that the starting point would be to make changes in the boot process, but what and where? (Flash with a new modified BIOS, firmware...)

I know there are tools that replace the admin password in Windows, but if this password is used for encrypting files, then the whole purpose of the hacking is lost. So, my question would be:

What is the attack surface of a turned-off laptop (which might or might not have a TPM and a byte-encrypted hard drive)?


Ron Malmstead (Information Services Manager) commented:
If the entire disk is encrypted... you're pretty much toast without the password...

If only parts of it are encrypted... you may be able to recover a user password from password history by hashing the ntuser.dat file with the right software... the file is in the user's profile folder and stores IE passwords / saved passwords... oftentimes people tend to use one password for everything.

Aside from that... you can reset a BIOS password by either flashing the BIOS, or pulling the BIOS battery and changing the jumper pin, then putting the battery back in and moving the pin back. As you said, the Windows password can be reset using the proper boot disk and a Windows CD. You can also buy laptop HD adapters to use the HDD as an external USB drive on another machine.

Whether or not the machine is encrypted would be the greatest hindrance to penetrating it.

Even if the disk is encrypted, however... if you can get it to boot to the Windows logon screen, you may be able to run shell code against it from another machine on your LAN. Essentially the idea would be to launch a command line in the "runas" context of the user who encrypted it, using command line switches for cipher.exe to unencrypt or add access for another user to the encrypted files. The only way this would work is if you were able to get the password of the user who encrypted it... or at least script a brute force/dictionary attack against it remotely. This would obviously take a lot of practice, time, patience, and dedication.
Dimkov (Author) commented:
>This would obviously take a lot of practice, time, patience, and dedication.
This I have :)

I read some materials, and I found that rootkits can be implemented in the firmware of the ROMs in any of the external devices, and the kernel can be compromised offline.

But as you mentioned, if there is full drive encryption, which would probably be the case, I must have a tool to break it. My first idea is: how are the forensics people doing it? Can the government do it?
Ron Malmstead (Information Services Manager) commented:
Nothing short of a CIA supercomputer, electron microscopy forensics, and thousands if not millions of dollars of equipment and man-hours would be required to decrypt an encrypted laptop. If a government agency were attempting to penetrate... the drive would first be duplicated multiple times, using electron microscope and bit replication hardware... then multiple attack methods would be employed simultaneously.

Password guessing would be the first shot... gather information about the owner. Family names, birthdates, birth cities, pets, pet names, car they drive, their address, their favorite sports team, favorite player, music they listen to, hobbies, etc.... compile all keywords into a database. Also, examine the keyboard to see worn keys, which would indicate a password combination that was typed repetitiously over a long period of time. Run algorithms against those keys to develop feasible password combinations. Script a remote attack starting with the most likely combinations that correspond to/contain any of the keywords you gathered previously.

While rootkits will get you root access to the system, they will not provide the necessary certificate to unencrypt a drive... which is only attained by user-specific authentication.
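The answer above explains why passphrases built from personal facts fall to keyword-based guessing. Seen from the defender's side, the same observation becomes a policy check on the passphrase that protects a full-disk-encryption key. The following is an added Python example, not code from this thread or from Experts Exchange: it rejects any candidate passphrase that contains one of the user's known personal keywords (even behind common character substitutions such as "R3dS0x") and adds a naive brute-force entropy estimate as a second gate. The keyword list, the substitution table and the 60-bit threshold are constructed sample values, not anything stated on this page.

```python
import math
import re

# Constructed sample list of personal facts of the kind the answer above
# mentions (pet name, city, team, car, relative, birth year). Not real data.
PERSONAL_KEYWORDS = ["fluffy", "boston", "redsox", "toyota", "maria", "1978"]

# Common character substitutions, undone so "R3dS0x" still matches "redsox".
# This table is an assumption for the example, not an exhaustive list.
LEET_MAP = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                          "5": "s", "7": "t", "@": "a", "$": "s", "!": "i"})


def keyword_hits(candidate: str, keywords) -> list:
    """Return the personal keywords found in the candidate, checking both the
    lower-cased form and the form with substitutions undone."""
    lowered = candidate.lower()
    forms = (lowered, lowered.translate(LEET_MAP))
    return [k for k in keywords if any(k.lower() in f for f in forms)]


def charset_size(candidate: str) -> int:
    """Size of the smallest conventional alphabet that covers the candidate."""
    size = 0
    if re.search(r"[a-z]", candidate):
        size += 26
    if re.search(r"[A-Z]", candidate):
        size += 26
    if re.search(r"[0-9]", candidate):
        size += 10
    if re.search(r"[^A-Za-z0-9]", candidate):
        size += 33  # printable ASCII punctuation and space
    return size


def estimated_bits(candidate: str) -> float:
    """Naive brute-force estimate: log2(charset ** length). It deliberately
    ignores dictionary structure, which is why keyword_hits() is checked too."""
    if not candidate:
        return 0.0
    return len(candidate) * math.log2(charset_size(candidate))


def evaluate(candidate: str, keywords=PERSONAL_KEYWORDS, min_bits: float = 60.0) -> dict:
    """Policy decision: reject anything built from personal keywords or below
    the entropy floor. min_bits is an assumed policy threshold."""
    hits = keyword_hits(candidate, keywords)
    bits = estimated_bits(candidate)
    reasons = []
    if hits:
        reasons.append(f"contains personal keywords: {hits}")
    if bits < min_bits:
        reasons.append(f"estimated {bits:.1f} bits, policy requires {min_bits:.0f}")
    return {"ok": not reasons, "bits": bits, "keywords": hits, "reasons": reasons}


if __name__ == "__main__":
    for pw in ["Fluffy1978!", "R3dS0x2019", "Rex7", "correct horse battery staple"]:
        print(pw, evaluate(pw))
```

The two gates are independent on purpose: "Fluffy1978!" scores over 70 naive bits and still fails because it is two personal keywords glued together, while "Rex7" contains no keyword and fails on length alone. A real enrollment flow would feed keyword_hits() with whatever facts are already known about the user (name, family, address) rather than a fixed list.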
Dimkov (Author) commented:
If I understood correctly, with rootkits I might gain root-level access to the laptop (admin rights). Can I have a perfectly normal computer system, but I cannot read encrypted data? (If there is full drive encryption, I guess I can't even get to this stage??)

Then I need a completely different attack on the authentication or encryption systems that protect the (partially?) encrypted data?
Ron Malmstead (Information Services Manager) commented:
"Then I need a completely different attack at the authentication or encryption systems that protect the (partially?) encrypted data?"

The attack would be directed at authentication first.

Ron Malmstead (Information Services Manager) commented:
In regards to the above link,

Secret Service Agent Matthew Fasvlo testified at a court hearing in 2007 that it is "nearly impossible" to access the encrypted files without the password.

"There are no 'back doors' or secret entrances to access the files. The only way to get access without the password is to use an automated system which repeatedly guesses passwords," Magistrate Judge Jerome Niedermeier, who was presiding over the case, wrote. "According to the government, the process to unlock drive Z could take years."


This is where electron microscopy bit replication technology would come in handy... the drive could be duplicated several times over... which, in combination with simultaneous automated password guessing attacks against all instances of the replicated drive, would reduce the amount of time to break it.

First of all, you have to look at the hard drive type and find out whether it is HW FDE or software FDE. HW FDE is currently implemented on Seagate and Hitachi drives. If I understood you correctly, your case is HW FDE. Then you will need a SATA host emulator. Current FDE solutions use ATA security commands and pass the password over the SATA line in open form. So, using a host emulator you can run a brute force or dictionary attack. As you may know, users are lazy and easily trade security for less hassle with passwords.

Another way (smarter) is deception. You can try to get the master password from the integrator.

Forced accept.

EE Admin