Windows – Password Cracking Windows Accounts

Tags: encryption, passwords, security, vulnerabilities, windows

At work we have laptops with encrypted hard drives. Most developers here (on occasion I have been guilty of it too) leave their laptops in hibernate mode when they take them home at night. Obviously, Windows (i.e. there is a program running in the background which does it for Windows) must have a method to unencrypt the data on the drive, or it wouldn't be able to access it. That being said, I always thought that leaving a Windows machine on in hibernate mode in a non-secure place (not at work on a lock) is a security threat, because someone could take the machine, leave it running, hack the Windows accounts and use it to encrypt the data and steal the information. When I got to thinking about how I would go about breaking into the Windows system without restarting it, I couldn't figure out if it was possible.

I know it is possible to write a program to crack Windows passwords once you have access to the appropriate file(s). But is it possible to execute a program from a locked Windows system that would do this? I don't know of a way to do it, but I am not a Windows expert. If so, is there a way to prevent it? I don't want to expose security vulnerabilities about how to do it, so I would ask that someone not post the necessary steps in detail, but if someone could say something like "Yes, it's possible, the USB drive allows arbitrary execution," that would be great!

EDIT: The idea behind the encryption is that you can't reboot the system, because once you do, the disk encryption on the system requires a login before being able to start Windows. With the machine being in hibernate, the system owner has already bypassed the encryption for the attacker, leaving Windows as the only line of defense to protect the data.

Best Answer

Leaving the machine in hibernate is definitely not secure. A vulnerability has been found where the RAM still contains the key for BitLocker (and others) in the hibernating memory. There is already a proof of concept attack out there for this vulnerability.

The method of attack is to quickly reboot the PC and read the contents of the RAM (which isn't lost when power is cut) then a program can search the dump for the key.

http://www.eweek.com/c/a/Security/Researchers-Crack-BitLocker-FileVault/

Microsoft may have already fixed this though.

P.S. Normal password changing doesn't affect the encryption, though, as the encrypted content isn't accessible without the correct password, so simple password-changing boot disks aren't security risks.
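As an added illustration of the mitigations the answer points at (added here; this is not code from the original question or answer), the following PowerShell audit reports whether a laptop is left in the state the answer warns about: hibernation enabled, and BitLocker unlocking the OS volume with the TPM alone, so the volume is already open when the machine wakes and only the Windows lock screen stands between an attacker and the data. It assumes a Windows 8.1 or later client with the BitLocker PowerShell module (`Get-BitLockerVolume`) and an elevated session; the remediation hints it prints are suggestions, not steps the answer itself gives.

```powershell
# Added audit script (not part of the original post). Assumes an elevated session on
# Windows 8.1+ with the BitLocker PowerShell module. It only reads state; it changes nothing.
#  - Hibernation enabled: the running session (and the unlocked volume) is preserved to disk/RAM.
#  - TPM-only BitLocker: the OS volume unlocks at boot with no user-supplied secret,
#    so a stolen laptop reaches the Windows logon screen with the disk already open.

$findings = @()

# 1. Hibernation state: HibernateEnabled is 1 when hiberfil.sys is in use.
$power = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Power' -ErrorAction SilentlyContinue
if ($power -and $power.HibernateEnabled -eq 1) {
    $findings += 'Hibernation is enabled; consider "powercfg /hibernate off" and require a full shutdown when leaving the office.'
}

# 2. BitLocker key protectors on each volume.
$volumes = Get-BitLockerVolume -ErrorAction Stop
foreach ($v in $volumes) {
    $types = @($v.KeyProtector | ForEach-Object { $_.KeyProtectorType })

    if ($v.ProtectionStatus -ne 'On') {
        $findings += "Volume $($v.MountPoint): BitLocker protection is $($v.ProtectionStatus)."
        continue
    }

    # A bare 'Tpm' protector with no PIN or startup-key variant means no pre-boot authentication.
    $hasPreBootSecret = ($types -contains 'TpmPin') -or ($types -contains 'TpmStartupKey') -or ($types -contains 'TpmPinStartupKey')
    if (($types -contains 'Tpm') -and -not $hasPreBootSecret) {
        $findings += "Volume $($v.MountPoint): TPM-only unlock (protectors: $($types -join ', ')). " +
                     'Add a PIN, e.g. Add-BitLockerKeyProtector -MountPoint <drive> -TpmAndPinProtector -Pin <SecureString>.'
    }
}

if ($findings.Count -eq 0) {
    'No hibernate/BitLocker weaknesses found by this check.'
} else {
    $findings
}
```

Run it once per laptop from an elevated PowerShell prompt; a TPM-plus-PIN protector combined with shutting down rather than hibernating is the configuration that removes the exposure the answer describes, because the volume key is neither resident in a preserved memory image nor released by the TPM before the user proves presence.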
