All times are UTC - 5 hours [ DST ]




Post new topic Reply to topic  [ 16 posts ] 
Author Message
 Post subject: Bitlocker encrypted drive
PostPosted: October 14th, 2018, 14:40 
Offline

Joined: October 11th, 2018, 6:37
Posts: 8
Location: South Africa
Hello everyone,

I need help with regards to recovering deleted data from bitlocker enabled HDD. I made couple of clones, leaving original intact.

When i connect drive to my Win10 machine, it can access the partitions without problem. So i assume that access from OS level is ok. When i try to scan with R-Studio, File Scavenger, it does not recognize the OS partition. If i try connecting the drive to Win7 machine, i can't access partition because it's locked. (picture in attachment)

I enabled Bitlocker on the drive (through Win10), and then performed decryption, however, no deleted data is visible after scan.
When i compare the sectors on the original and decrypted hdd, there is difference, since some targeted sectors on the decrypted clone are empty, and on original drive are not.

Is there a way to make a bit-to-bit image/clone of the drive through Windows10 (since the drive is normally accessible from OS), or any other suggestions how to solve this problem?

Apologies if my question is not 100% correctly written, but i would appreciate any help with regards to the problem above.

Thank you!


Attachments:
bitlocker.PNG
bitlocker.PNG [ 26.66 KiB | Viewed 10282 times ]
Top
 Profile  
 
 Post subject: Re: Bitlocker encrypted drive
PostPosted: October 14th, 2018, 15:15 
Offline

Joined: December 12th, 2017, 4:27
Posts: 48
Location: Poland, Warsaw
Is it ssd drive? You can use DMDE fir example to clone the drive over the W10

_________________
Backup is Your best friend. Still learning English. Sorry for language bugs. My websites: Centrum Odzyskiwania Danych


Top
 Profile  
 
 Post subject: Re: Bitlocker encrypted drive
PostPosted: October 14th, 2018, 21:57 
Offline

Joined: November 22nd, 2017, 21:47
Posts: 309
Location: France
Won't DMDE make a sector-level clone, which will be encrypted and won't be recognized either, just like with R-Studio & File Scavenger ?

On the other hand, it may be possible that doing a full backup with something like Acronis True Image or Macrium Reflect would reproduce the contents as they are seen from within the Win10 system, and then, after mounting the backup, recovery softwares could run a scan successfully and retrieve the wanted data. The problem is that, based on a few tests I've made with Macrium Reflect, even in “exact copy” mode, which is supposed to preserve all the data from the source including the free space and deleted files, there can be discrepancies between the source volume and the mounted backup (some areas identified as free space appear different when examined side by side in WinHex), based on the fact that such backup softwares rely on shadow copies (apparently even for non-system drives, for which that shouldn't be necessary, and there doesn't seem to be an option to control that behaviour). Here is a reply I got from Macrium support on the subject :
“An image is created from a VSS snapshot. When VSS takes a snapshot it modifies your file system a little bit and this is why you're seeing small differences when comparing the structure. For a different result please create an image from the Rescue Media without the use of VSS.”

Otherwise, I'd be curious to know if there's a possibility to retrieve the encryption key from within the system used to encrypt the volume, and use that to decrypt it with a third-party tool.


Top
 Profile  
 
 Post subject: Re: Bitlocker encrypted drive
PostPosted: October 15th, 2018, 2:52 
Offline

Joined: October 11th, 2018, 6:37
Posts: 8
Location: South Africa
COD wrote:
Is it ssd drive? You can use DMDE fir example to clone the drive over the W10


Hello COD,

Thank you for reply. It is WD5000LPLX, so it's not SSD :(


Top
 Profile  
 
 Post subject: Re: Bitlocker encrypted drive
PostPosted: October 15th, 2018, 3:32 
Offline

Joined: January 8th, 2008, 5:21
Posts: 925
Location: uk
So who enabled bitlocker on the original drive?

Do you have the user account password?

Do you have a copy of the recovery key which was generated when the original drive was encrypted?

A copy of the recovery key is stored in the user Microsoft account (if they have one).


Top
 Profile  
 
 Post subject: Re: Bitlocker encrypted drive
PostPosted: October 15th, 2018, 4:41 
Offline

Joined: October 11th, 2018, 6:37
Posts: 8
Location: South Africa
dick wrote:
So who enabled bitlocker on the original drive?

Do you have the user account password?

Do you have a copy of the recovery key which was generated when the original drive was encrypted?

A copy of the recovery key is stored in the user Microsoft account (if they have one).


Hi D,

Thank you for reply.

This drive is a part of a forensic investigation. It is most possible that end user enabled bitlocker before handing over the laptop.

And the IT department is not enforcing encryption on the company drives. They are not using MBAM at all.
I can put clone inside the laptop and put it back/login to domain, if you think that would help?

Thanks


Top
 Profile  
 
 Post subject: Re: Bitlocker encrypted drive
PostPosted: October 15th, 2018, 4:42 
Offline

Joined: October 11th, 2018, 6:37
Posts: 8
Location: South Africa
abolibibelot wrote:
Won't DMDE make a sector-level clone, which will be encrypted and won't be recognized either, just like with R-Studio & File Scavenger ?

On the other hand, it may be possible that doing a full backup with something like Acronis True Image or Macrium Reflect would reproduce the contents as they are seen from within the Win10 system, and then, after mounting the backup, recovery softwares could run a scan successfully and retrieve the wanted data. The problem is that, based on a few tests I've made with Macrium Reflect, even in “exact copy” mode, which is supposed to preserve all the data from the source including the free space and deleted files, there can be discrepancies between the source volume and the mounted backup (some areas identified as free space appear different when examined side by side in WinHex), based on the fact that such backup softwares rely on shadow copies (apparently even for non-system drives, for which that shouldn't be necessary, and there doesn't seem to be an option to control that behaviour). Here is a reply I got from Macrium support on the subject :
“An image is created from a VSS snapshot. When VSS takes a snapshot it modifies your file system a little bit and this is why you're seeing small differences when comparing the structure. For a different result please create an image from the Rescue Media without the use of VSS.”

Otherwise, I'd be curious to know if there's a possibility to retrieve the encryption key from within the system used to encrypt the volume, and use that to decrypt it with a third-party tool.


Hi abolibibelot, thank you for reply.

I will definitely give a try with Acronis and Macrium Reflect.

Will post results.

Thank you


Top
 Profile  
 
 Post subject: Re: Bitlocker encrypted drive
PostPosted: October 15th, 2018, 8:16 
Offline

Joined: October 11th, 2018, 6:37
Posts: 8
Location: South Africa
Hi everyone, i tried to quote and reply, but my messages need to be authorized.

@COD
Thank you for reply. It's not an SSD drive, it is WD5000LPLX. I will try with DMDE. Thank you.

@abolibibelot
Thank you for reply. I don't think Acronis is doing anything different, since i need exactly bit-to-bit clone if i want to look for deleted data. Anyway, i'll try both Acronis and Macrium Reflect, won't hurt :) Thank you for suggestion.

@dick
Thank you for reply. This is part of forensic investigation. I suspect that end user enabled encryption. However, i can access the drive without problems on my Windows 10 machine.
IT Department of the client told me that they are not enforcing encryption, or advising users for that. They don't have MBAM installed.
I will put a clone of the drive back into machine and try booting and accessing. But anyway, when i decrypt the drive, i am not able to pick any deleted data with any software.


Thank you everyone, any other suggestions in meantime?


Top
 Profile  
 
 Post subject: Re: Bitlocker encrypted drive
PostPosted: October 15th, 2018, 19:46 
Offline

Joined: March 19th, 2015, 15:01
Posts: 1387
Location: isreal
something doesn't add up
firrs, when you can access the bitlocker partition
Voji wrote:
When i connect drive to my Win10 machine, it can access the partitions without problem

the drive is decrypted on the fly
then why can't you get A sector by sector clone

second, forensically speaking
Voji wrote:
This drive is a part of a forensic investigation

I think you should have a sector by sector clone as is
I.e. encrypted and not Decrypted


Top
 Profile  
 
 Post subject: Re: Bitlocker encrypted drive
PostPosted: October 16th, 2018, 3:27 
Offline

Joined: October 11th, 2018, 6:37
Posts: 8
Location: South Africa
Hi Jermy, thank you for reply.

jermy wrote:
something doesn't add up
firrs, when you can access the bitlocker partition
Voji wrote:
When i connect drive to my Win10 machine, it can access the partitions without problem

the drive is decrypted on the fly
then why can't you get A sector by sector clone


When i took out the drive from the laptop, and plugged it in first time on Win7 machine, i got initial error (look at my 1st post).
Then, i plugged it on Win10 and i accessed the drive/letter without any problem.

jermy wrote:
second, forensically speaking
Voji wrote:
This drive is a part of a forensic investigation

I think you should have a sector by sector clone as is
I.e. encrypted and not Decrypted


I am able to do a full sector-by-sector clone, and i can do a forensic on my Win10 machine. The only thing i can't do is recover deleted files, since the drive is "encrypted"


Top
 Profile  
 
 Post subject: Re: Bitlocker encrypted drive
PostPosted: October 16th, 2018, 3:48 
Offline

Joined: January 8th, 2008, 5:21
Posts: 925
Location: uk
We are still unclear!
When mounted on the win10 machine can you browse the system folders and user data?

I'm not a forensics guy but surely you would mount a sector cloned copy of the drive in a pc and unlock it with the known password or the recovery key. If you don't have either then the data is lost!

I think it would be a good idea to check the partition information with a hex editor to see if it really is a Bitlocker partition. You can use Dmde to do that.

Or is it a Bitlocker protected folder?

Or is it using some other method of protection?

Also in your first post you mentioned....
Quote:
I enabled Bitlocker on the drive (through Win10), and then performed decryption, however, no deleted data is visible after scan.
What are you trying to do here? It makes no forensic sense!!!


Top
 Profile  
 
 Post subject: Re: Bitlocker encrypted drive
PostPosted: October 16th, 2018, 8:23 
Offline
User avatar

Joined: September 29th, 2005, 12:02
Posts: 3561
Location: Chicago
Voji wrote:
Is there a way to make a bit-to-bit image/clone of the drive through Windows10 (since the drive is normally accessible from OS), or any other suggestions how to solve this problem?

repair-bde will make whole volume decryption, including sectors that were not used by fs
if you can't find deleted data after that it means that the data is overwritten

_________________
SAN, NAS, RAID, Server, and HDD Data Recovery.


Top
 Profile  
 
 Post subject: Re: Bitlocker encrypted drive
PostPosted: October 16th, 2018, 12:28 
Offline

Joined: November 22nd, 2017, 21:47
Posts: 309
Location: France
Quote:
It is WD5000LPLX, so it's not SSD :(

The fact that it's not a SSD is actually a good thing for your purposes : deleted data would be wiped quickly on a SSD because of the “trim” feature, whereas on a HDD it stays in place until it's been overwritten. In other words, if it had been a SSD it would have been game over right over.

Quote:
Thank you for reply. I don't think Acronis is doing anything different, since i need exactly bit-to-bit clone if i want to look for deleted data. Anyway, i'll try both Acronis and Macrium Reflect, won't hurt :) Thank you for suggestion.

I don't have much experience with that, but (to anyone who may have some insight) is there a backup software which would be able to create a forensically sound image by not relying on VSS on a drive which does not contain the running system, and which would “see” the data as it appears from within the Windows 10 session, i.e. decrypted ? Or would a “rescue media” created on Windows 10 be able to somehow decrypt the data on the fly ? (Don't think so...)

Have you tried more basic recovery softwares, like Recuva, Handy Recovery ?
What do you see when examining the whole volume with an hexadecimal editor, encrypted or decrypted data ? With WinHex or equivalent, can you browse the current data, as in files and folders ?
To others : do empty sectors appear always the same when encrypted with BitLocker ? (In a topic I created some months ago, “fzabkar” said that AES-encrypted empty sectors would always have the same pattern with a given encryption key, although he didn't know about BitLocker.)

What I don't get here is : how useful is a BitLocker encryption if anyone running Windows 10 can access the drive's contents ?


Top
 Profile  
 
 Post subject: Re: Bitlocker encrypted drive
PostPosted: October 16th, 2018, 13:29 
Offline

Joined: October 11th, 2018, 6:37
Posts: 8
Location: South Africa
dick wrote:
We are still unclear!
Quote:
When mounted on the win10 machine can you browse the system folders and user data?

I can browse drive without a problem. Check attachment(hdd2.PNG)
Attachment:
hdd2.PNG
hdd2.PNG [ 7.58 KiB | Viewed 10011 times ]

On windows 7, this is the case(hdd3.PNG)
Attachment:
hdd3.PNG
hdd3.PNG [ 5.44 KiB | Viewed 10011 times ]

Quote:
I'm not a forensics guy but surely you would mount a sector cloned copy of the drive in a pc and unlock it with the known password or the recovery key. If you don't have either then the data is lost!

I don't need to unlock the drive on my Windows10, because Bitlocker is not currently activated (as shown in settings).

Quote:
I think it would be a good idea to check the partition information with a hex editor to see if it really is a Bitlocker partition. You can use Dmde to do that.

Thank you for advice, i will try it as soon as possible.

Quote:
Or is it a Bitlocker protected folder?

Nope. The whole partition. (hdd1.PNG)
Attachment:
hdd1.PNG
hdd1.PNG [ 4.01 KiB | Viewed 10011 times ]

Quote:
Or is it using some other method of protection?

Nope. No other methods.

Quote:
Also in your first post you mentioned....
Quote:
I enabled Bitlocker on the drive (through Win10), and then performed decryption, however, no deleted data is visible after scan.
What are you trying to do here? It makes no forensic sense!!!

I am trying to recover deleted data from the drive. For forensic investigation purposes, i am using another intact clone which i can access.


Top
 Profile  
 
 Post subject: Re: Bitlocker encrypted drive
PostPosted: October 17th, 2018, 3:56 
Offline

Joined: January 8th, 2008, 5:21
Posts: 925
Location: uk
Thanks for the updated info!

So you are able to scan the mounted volume with recovery tools but you don't find any user deleted files?

You mention about connecting to a domain so maybe you are looking in the wrong place. I don't know what type of user files you are looking for but maybe they are/were on the server?


Top
 Profile  
 
 Post subject: Re: Bitlocker encrypted drive
PostPosted: October 18th, 2018, 9:24 
Offline

Joined: October 11th, 2018, 6:37
Posts: 8
Location: South Africa
dick wrote:
Thanks for the updated info!

So you are able to scan the mounted volume with recovery tools but you don't find any user deleted files?


Exactly. And i can access the volumes and data normally without problems.

dick wrote:
You mention about connecting to a domain so maybe you are looking in the wrong place. I don't know what type of user files you are looking for but maybe they are/were on the server?

I had to login again just to archive emails. No other purpose of getting it back to domain.

So far, no luck with deleted data recovery... Still have to try couple of things from suggestions in this thread.

Anyone else have some ideas? :lol:


Top
 Profile  
 
Display posts from previous:  Sort by  
Post new topic Reply to topic  [ 16 posts ] 

All times are UTC - 5 hours [ DST ]


Who is online

Users browsing this forum: Google [Bot], ludespeedny and 54 guests


You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot post attachments in this forum

Search for:
Jump to:  
Powered by phpBB © 2000, 2002, 2005, 2007 phpBB Group