BitLocker is often treated as the last line of defense for Windows devices: if the laptop is lost, the disk is encrypted, case closed.

In this live, demo-driven session, I will show how a logical flaw in the Windows Recovery Environment (WinRE) can be abused to expose the BitLocker recovery key for an encrypted system drive. With that recovery material, I will demonstrate how an attacker with physical access can unlock the drive offline and escalate to local administrator turning “encrypted at rest” into a false sense of safety.

This is not a talk about “breaking crypto.” It is a talk about the uncomfortable reality that strong cryptography can still be undermined by weak recovery workflows, misconfigurations, and misplaced assumptions about physical access.

If you build, deploy, or defend Windows endpoints, this is the kind of gap you need to understand before an attacker forces the lesson on you.

You will walk away with:

A practical understanding of the WinRE security model and how recovery tooling can shift (or break) the real trust boundary around BitLocker.

Concrete, actionable mitigation guidance you can apply in your own environment.

A reinforced perspective on risk. Strong cryptography is essential, but it does not compensate for flawed implementation details, or unsafe configuration choices.

No deep BitLocker expertise required—just curiosity and a willingness to be challenged.

About the presenter

Sune is a cybersecurity consultant, penetration tester, and security researcher with a strong focus on secure infrastructure architecture and implementation. He combines hands-on adversarial testing with defensive engineering and advisory work bridging offensive insight and practical mitigation, translating technical findings into concrete hardening actions that engineering and operations teams can implement and verify.

‍