At work we have laptops with encrypted hard drives. Most developers here (on occasion I have been guilty of it too) leave their laptops in hibernate mode when they take them home at night. Obviously, Windows (i.e. there is a program running in the background which does it for Windows) must have a method to unencrypt the data on the drive, or it wouldn't be able to access it. That being said, I always thought that leaving a Windows machine on in hibernate mode in a non-secure place (not at work on a lock) is a security threat, because someone could take the machine, leave it running, hack the Windows accounts and use it to encrypt the data and steal the information. When I got to thinking about how I would go about breaking into the Windows system without restarting it, I couldn't figure out if it was possible.
I know it is possible to write a program to crack windows passwords once you have access to the appropriate file(s). But is it possible to execute a program from a locked Windows system that would do this? I don't know of a way to do it, but I am not a Windows expert. If so, is there a way to prevent it? I don't want to expose security vulnerabilities about how to do it, so I would ask that someone wouldn't post the necessary steps in details, but if someone could say something like "Yes, it's possible the USB drive allows arbitrary execution," that would be great!
EDIT: The idea behind the encryption is that you can't reboot the system, because once you do, the disk encryption on the system requires a login before being able to start Windows. With the machine being in hibernate, the system owner has already bypassed the encryption for the attacker, leaving Windows as the only line of defense to protect the data.
Leaving the machine in hibernate is definitely not secure; a vulnerability has been found where the RAM still contains the key for BitLocker (and others) in the hibernating memory. There is already a proof-of-concept attack out there for this vulnerability.
The method of attack is to quickly reboot the PC and read the contents of the RAM (which isn't lost when power is cut); then a program can search the dump for the key.
Microsoft may have already fixed this though.
P.S. Normal password changing doesn't affect the encryption, though, as the encrypted content isn't accessible without the correct password, so simple password-changing boot disks aren't security risks.
As was mentioned by workmad3, the best way to attack a machine that's locked without rebooting is to see how vulnerable it is from a network connection.
This will depend on the security policies in place on your network. For instance, do all domain accounts have administrative access to these PCs? If so, check the default share (`\\pc-name\c$`). If the default share has been turned on for any reason, you have access to the entire contents of the PC over the network with your own account. I'm not sure if this works with an encrypted hard drive, but it would be pretty easy to test.
Once you have access to the PC remotely, you can use tools like the Sysinternals PsExec tool to execute programs remotely.
Of course, that's just one vector of attack, and it might not even work with encrypted hard drives, but it gives you an idea of what could be done.
EDIT: If the laptops have an active FireWire port you could take a look at this vulnerability. Again, I don't know if this would help with an encrypted machine, since it's based on direct memory access (which should be encrypted).
Obviously, if someone has physical access to the machine, all credentials stored can be considered compromised.
If one can, for example, boot from a USB device or optical drive, one can use point-and-click tools such as Ophcrack to recover all passwords. Instructions here: USB Ophcrack | Windows Login password cracker
Edit: Yes, I'm aware that you theoretically can't get back into an "encrypted hard drive" if the machine is rebooted. Whether or not that claim holds depends entirely on the software used to access the encrypted partitions. BitLocker seems to do a decent job, but many earlier implementations were basically a joke - and if you can access the machine it's trivially easy to dump the SAM database to the USB stick and perform the cracking offline.
Well, my first thought would be to wake it out of hibernate, get to the password screen and then start seeing what is vulnerable through the network connection. If the actual machine's network security isn't up to scratch then you could get access to a lot of the information this way.
I wonder what would transpire if you burned a CD-ROM with an autoplay.ini suitable to the purposes of your experiment, then caused the machine to wake up from hibernate mode. I actually do not know what would happen, but that sort of methodology is what I would explore if trying to attack a hibernating machine: get it to wake up and introduce an executable into one of its ports. Does it have a FireWire port? In theory it is then hackable from that interface.
What kind of encryption are you using? BitLocker? Encrypted filesystem? Without knowing, I can't directly answer your question.
In any case, your security would be as good as the weakest link. You need to ensure all the latest security patches are installed promptly. Otherwise, tools like Metasploit can be used to test known vulnerabilities and gain user or admin access.
Vista and XP SP3 are much less vulnerable than earlier OSs, which stored a simply encrypted password for LANMAN compatibility. You can still crack easy passwords using some very large rainbow tables, but it is otherwise pretty secure from tools like Ophcrack.
On my hard disk encryption system (PGP) I am required to enter the encryption password when returning from hibernation.
From a Suspend, it is not allowed.
If you're using EFS, the hibernate file is NOT encrypted and should be assumed to contain sensitive keying material needed to decrypt EFS files on disk.
If you're using full disk encryption, the hibernate file is encrypted with everything else and this risk is mitigated.
There are a number of attack vectors for BitLocker/TPM, including a number of bus-snooping and TEMPEST-style attacks. TPM was not designed to protect your information from a determined TLA but is still quite effective in the real-world general use case.
EFS can be circumvented by cracking a user's password unless meaningful syskey options are enabled to mitigate this risk. EFS is better than nothing, but unless you're using syskey and an Ub3r ra1nb0w-table-resistant password, you're not really presenting a significant barrier to compromise of your EFS data in the first place.
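The EFS-versus-full-disk-encryption distinction above is something an administrator can audit directly. The following script is an added example, not code from the thread: it reports whether hibernation is enabled and whether the OS volume is fully encrypted by BitLocker, flagging the combination the answer warns about (hibernate on, OS volume not fully encrypted). It assumes Windows 8 / Server 2012 or later with the BitLocker PowerShell module, run from an elevated prompt.

```powershell
# Added audit example (not from the original thread). Assumes the BitLocker
# module (Get-BitLockerVolume) is available and the shell is elevated.
function Get-HibernateEncryptionRisk {
    [CmdletBinding()]
    param([string]$OsDrive = $env:SystemDrive)

    # HibernateEnabled = 1 means hiberfil.sys is written on hibernate / fast startup.
    $power = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Power' -ErrorAction Stop
    $hibernateOn = [bool]$power.HibernateEnabled

    # BitLocker state of the OS volume: encrypted AND protectors active.
    $bde = Get-BitLockerVolume -MountPoint $OsDrive -ErrorAction Stop
    $fullyEncrypted = ($bde.VolumeStatus -eq 'FullyEncrypted') -and ($bde.ProtectionStatus -eq 'On')
    $protectors = ($bde.KeyProtector | ForEach-Object { $_.KeyProtectorType }) -join ','

    # hiberfil.sys lives on the OS volume; with EFS only it is NOT encrypted.
    $hiberfilPresent = Test-Path -LiteralPath (Join-Path $OsDrive 'hiberfil.sys')

    $risk = 'LOW: hibernation disabled'
    if ($hibernateOn) {
        if (-not $fullyEncrypted) {
            $risk = 'HIGH: hiberfil.sys is outside full-volume encryption (EFS-only or no BitLocker)'
        }
        elseif ($protectors -eq 'Tpm') {
            # TPM-only protector unlocks without a user secret; the thread's
            # bus-snooping caveat applies. A TPM+PIN protector avoids this.
            $risk = 'MEDIUM: TPM-only protector, volume unlocks automatically at boot'
        }
        else {
            $risk = 'LOW: hiberfil.sys sits inside the encrypted OS volume'
        }
    }

    [pscustomobject]@{
        OsDrive          = $OsDrive
        HibernateEnabled = $hibernateOn
        HiberfilPresent  = $hiberfilPresent
        VolumeStatus     = $bde.VolumeStatus
        ProtectionStatus = $bde.ProtectionStatus
        KeyProtectors    = $protectors
        Risk             = $risk
    }
}

Get-HibernateEncryptionRisk | Format-List
```

Disabling hibernation with `powercfg /hibernate off` removes hiberfil.sys entirely and is the simplest mitigation for EFS-only machines.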