penetrate turned-off laptop

I need starting ideas on how to penetrate a laptop. In the scenario, I have physical possession of the laptop, and can buy equipment up to 10000 euros. I was looking at rootkits, but they seem to work only if root level is gained previously.

I would guess that the starting point would be to make changes in the booting process, but what and where? (Flash with a new modified BIOS, firmware...)

I know there are tools that replace the admin password in Windows, but if this password is used for encrypting files, then the whole purpose of the hacking is lost. So, my question would be:

What is the attack surface of a turned-off laptop (which might or might not have a TPM and a byte encrypted hard drive)?

Ron Malmstead (Information Services Manager) commented:
In regards to the above link,

Secret Service Agent Matthew Fasvlo testified at a court hearing in 2007 that it is "nearly impossible" to access the encrypted files without the password.

"There are no 'back doors' or secret entrances to access the files. The only way to get access without the password is to use an automated system which repeatedly guesses passwords," Magistrate Judge Jerome Niedermeier, who was presiding over the case, wrote. "According to the government, the process to unlock drive Z could take years."


This is where electron microscopy bit replication technology would come in handy... the drive could be duplicated several times over... in combination with simultaneous automated password guessing attacks against all instances of the replicated drive, this would reduce the amount of time to break it.

Ron Malmstead (Information Services Manager) commented:
If the entire disk is encrypted... you're pretty much toast without the password...

If only parts of it are encrypted... you may be able to recover a user password from password history by hashing the ntuser.dat file with the right software... the file is in the user's profile folder and stores IE passwords / saved passwords... often times people tend to use one password for everything.

Aside from that... You can reset a BIOS password by either flashing the BIOS, or pulling the BIOS battery and changing the jumper pin, then putting the battery back in and moving the pin back. As you said, the Windows password can be reset using the proper boot disk and a Windows CD. You can also buy laptop HD adapters to use the HDD as an external USB drive on another machine.

Whether or not the machine is encrypted would be the greatest hindrance to penetrating it.

Even if the disk is encrypted, however... if you can get it to boot to the Windows logon screen..., you may be able to run shell code against it from another machine on your LAN. Essentially the idea would be to launch a command line in the "runas" context of the user who encrypted it, using command line switches for cipher.exe to unencrypt or add access for another user to the encrypted files. The only way this would work is if you were able to get the password of the user who encrypted it... or at least script a brute force/dictionary attack against it remotely. This would obviously take a lot of practice, time, patience, and dedication.

Dimkov (Author) commented:
>This would obviously take a lot of practice, time, patience, and dedication.
This I have :)

I read some materials, and I found that rootkits can be implemented in firmware of the ROMs in any of the external devices, and the kernel can be compromised offline.

But as you mentioned, if there is full drive encryption, which would probably be the case, I must have a tool to break it. My first idea is: how are the forensics doing it? Can the government do it?

Ron Malmstead (Information Services Manager) commented:
Nothing short of a CIA supercomputer, electron microscopy forensics, and thousands if not millions of dollars of equipment and man-hours would be required to decrypt an encrypted laptop. If a government agency were attempting to penetrate... the drive would first be duplicated multiple times, using electron microscope and bit replication hardware... then multiple attack methods would be employed simultaneously.

Password guessing would be the first shot... gather information about the owner. Family names, birthdates, birth cities, pets, pet names, car they drive, their address, their favorite sports team, favorite player, music they listen to, hobbies, etc..... compile all keywords into a database. Also, examine the keyboard to see worn keys, which would indicate a password combination that was typed repetitiously over a long period of time. Run algorithms against those keys to develop feasible password combinations. Script a remote attack starting with the most likely combinations that correspond to/contain any of the keywords you gathered previously.

While rootkits will get you root access to the system, they will not provide the necessary certificate to unencrypt a drive... which is only attained by user specific authentication.

Dimkov (Author) commented:
If I understood correctly, with rootkits I might gain root level access to the laptop (admin rights). Can I have a perfectly normal computer system, but not be able to read encrypted data? (If there is full drive encryption, I guess I can't even get to this stage??)

Then I need a completely different attack at the authentication or encryption systems that protect the (partially?) encrypted data?
Ron Malmstead (Information Services Manager) commented:
"Then I need a completely different attack at the authentication or encryption systems that protect the (partially?) encrypted data?"

The attack would be directed at authentication first.

eRescuer commented:

First of all, you have to look at the hard drive type and find out whether it is HW FDE or software FDE. HW FDE is currently implemented on Seagate and Hitachi drives. If I understood you correctly, your case is HW FDE. Then you will need a SATA host emulator. Current FDE solutions are using ATA security commands and passing the password over the SATA line in open form. So, using a host emulator you can run a brute force or dictionary attack. As you may know, users are lazy and easily trade security for less hassle with passwords.

Another way (smarter) is deception. You can try to get master password from integrator.

EE Admin commented:
Forced accept.