Scenario: A Windows user with Bitlocker-encrypted OS drive uses Win+L shortcut to lock their computer, but leaves it powered on. At this point, their house is raided (by police, or thieves, or FBI, simply someone with desire to gain access to the data and technical means to mount a proper attempt to do it).
Question: Was there ever a known case, where an attacker with physical access to running computer with Bitlocker turned on was able to bypass the Windows login screen and gain access to Bitlocker-protected data on the computer, while the computer was already running and was only locked, and without powering the device down during the process?
Note: I am aware of DMA and coldboot attacks, or even the method of wiring the TPM to a FPGA board. These attacks usually require the target device to be powered off, at which point any other mounted volumes (for example, through VeraCrypt) would have been lost. My point is that any attacker trying to overcome the Bitlocker is not going to preemptively guess that there's a mounted VeraCrypt volume behind the Bitlocker and will power the device down at some point in an attempt to get through the Bitlocker first. Other questions on this site also pertain to scenarios where sensitive data is stored on the Bitlocker-protected device itself, but my question stems from scenario where data is stored on different disks, using different encryption and Bitlocker-enabled Windows OS is just a gateway.