[GTP]

My only doubt about YellowKey is, does it require having access to an already unlocked machine (i.e., the user is logged in) to copy the required files?

[Borealid]

It does not. The files are copied to the recovery image, not the machine's encrypted drives.

[GTP]

My concern isn't where they are copied to, but where they are copied from.

[Borealid]

They are copied from a thumb drive the person applying the exploit creates.

[GTP]

Yes, but my question was where the files on the thumb drive are coming from. At first, my understanding was that you needed to get them from the victim's machine. But, after watching a LowLevel video on YouTube, it seems those are universal files that you can get from the exploit's repo.