Windows 11 and the dawn of the TPM - a forensically sound way to beat it

Abstract

ABSTRACT As technology evolves so do challenges faced by the digital forensic examiner. An increasingly frequent obstacle appearing now is the BitLocker encryption in conjunction with the Trusted Platform Module (TPM). The roll out of Windows 11 made having an initialised TPM (2.0) a mandatory prerequisite before being able to install Windows 11. Tackling the TPM is going to be one of the major issues encountered by the digital forensic computer examiner in the future as Windows 10 support ends in 2025 (Microsoft, 2024). This paper describes a method for accessing the BitLocker protected partition of a windows computer in a short time using minimal equipment in a forensically sound manner. As a result BitLocker encrypted partitions of physical images can be decrypted using recovery keys obtained via compliance or brute force of the users password or pin.