Access Bitlocker encrypted disk after overwriting part of it
October 4th, 2023, 18:09
I encrypted my 2TB NVME system disk with Bitlocker on Windows 11, and saved the password and key.
Later by mistake i choosen that disk in Eraser and started the process.
The OS crashed with bluescreen shortly after that.
Now disk ins't booting to Bitlocker GUI / OS, as no bootable area is found.
So far, i cloned disk using UFS, to have a backup and would like to work on data recovery.
Diskmgmt.msc is showing disk as uninitialized.
in UFS data from 0x0 to 0x13892000 (0.02%?) seems to be overwritten, and the rest till 0x1D1C1115FFF seems to be encrypted.
So far i started searching for partitions in UFS, but it's 65% and nothing is found.
What restoration options i could try?
Later by mistake i choosen that disk in Eraser and started the process.
The OS crashed with bluescreen shortly after that.
Now disk ins't booting to Bitlocker GUI / OS, as no bootable area is found.
So far, i cloned disk using UFS, to have a backup and would like to work on data recovery.
Diskmgmt.msc is showing disk as uninitialized.
in UFS data from 0x0 to 0x13892000 (0.02%?) seems to be overwritten, and the rest till 0x1D1C1115FFF seems to be encrypted.
So far i started searching for partitions in UFS, but it's 65% and nothing is found.
What restoration options i could try?
Re: Access Bitlocker encrypted disk after overwriting part o
October 4th, 2023, 18:47
UHD found the following partitions:
Re: Access Bitlocker encrypted disk after overwriting part o
October 5th, 2023, 0:18
Results as of now:
UFS Explorer Professional Recovery - recognized partitions as above, but not as Bitlocker. If the 1.8TB are opened as virtual disk, it says that virtual disk metadata was not found, and if i open as storage the disks are only 2GB.
OSForsenic - it says device is not encrypted using Bitlocker, most likely due to corrupted partitions.
iBoysoft Bitlocker Recovery (m3datarecovery) - it can't find any partitions, even using find more partitions.
Elcomsoft Forensic Disk Decryptor - if i select the drive, i can't use the next button, it only works if letter is assigned.
Hasleo BitLocker Data Recovery - it asked for Bitlocker key, then found 3 partitions, and on one of these i managed to see some of my files, so there seems to be a chance, but the way of recovering and structure is a complete chaos.
DiskInternals EFS Recovery - scan in progress.
Any advices on how i could proceed to get content of the drive, with proper directories tree?
UFS Explorer Professional Recovery - recognized partitions as above, but not as Bitlocker. If the 1.8TB are opened as virtual disk, it says that virtual disk metadata was not found, and if i open as storage the disks are only 2GB.
OSForsenic - it says device is not encrypted using Bitlocker, most likely due to corrupted partitions.
iBoysoft Bitlocker Recovery (m3datarecovery) - it can't find any partitions, even using find more partitions.
Elcomsoft Forensic Disk Decryptor - if i select the drive, i can't use the next button, it only works if letter is assigned.
Hasleo BitLocker Data Recovery - it asked for Bitlocker key, then found 3 partitions, and on one of these i managed to see some of my files, so there seems to be a chance, but the way of recovering and structure is a complete chaos.
DiskInternals EFS Recovery - scan in progress.
Any advices on how i could proceed to get content of the drive, with proper directories tree?
Re: Access Bitlocker encrypted disk after overwriting part o
October 5th, 2023, 2:52
I am not familiar with W11, what do you call Eraser?
What i know for sure is that if you format a bitlocker partition in a bitlocker-aware OS, it will start with erasing all the bitlocker metadata blocks, then create the new file system. If this is what you used, then you are pretty much screwed if you did not export the metadata itself. Check you Microsoft account what keys are backed up there. However, passwords are not sufficient, you need the backup of the keys as well, coz these are required for decryption.
pepe
What i know for sure is that if you format a bitlocker partition in a bitlocker-aware OS, it will start with erasing all the bitlocker metadata blocks, then create the new file system. If this is what you used, then you are pretty much screwed if you did not export the metadata itself. Check you Microsoft account what keys are backed up there. However, passwords are not sufficient, you need the backup of the keys as well, coz these are required for decryption.
pepe
Re: Access Bitlocker encrypted disk after overwriting part o
October 5th, 2023, 7:21
Eraser is a erasing tool which overwritten initial disk blocks.
I have the Bitlocker key, which successfully worked with Hasleo BitLocker Data Recovery.
Progress:
Stellar Data Recovery - it's not asking about Bitlocker, probably due to no partitions.
EaseUS Data Recovery Wizard - it's not asking about Bitlocker, probably due to no partitions.
DiskInternals EFS Recovery - Open Partition -> Full Efs Recovery found 2 partitions - Recovery 950 Mb, Boot 3 Mb.
Detect BitLocker option immediately found one partition, but fast recovery on it says "Did not find correct FVE" and asking to repeat scan sector by sector which would take ~72 hours, so will skip that for now.
DiskGenius - search lost partitions in the whole disk found only Recovery 950MB and Myasus 260MB partitions.
Im planning yet to try R-Studio, Testdisk, DMDE.
Considering i had some success with Haselo still looking for advices on how to get the files back
Here's a DiskGenius screenshot:
I have the Bitlocker key, which successfully worked with Hasleo BitLocker Data Recovery.
Progress:
Stellar Data Recovery - it's not asking about Bitlocker, probably due to no partitions.
EaseUS Data Recovery Wizard - it's not asking about Bitlocker, probably due to no partitions.
DiskInternals EFS Recovery - Open Partition -> Full Efs Recovery found 2 partitions - Recovery 950 Mb, Boot 3 Mb.
Detect BitLocker option immediately found one partition, but fast recovery on it says "Did not find correct FVE" and asking to repeat scan sector by sector which would take ~72 hours, so will skip that for now.
DiskGenius - search lost partitions in the whole disk found only Recovery 950MB and Myasus 260MB partitions.
Im planning yet to try R-Studio, Testdisk, DMDE.
Considering i had some success with Haselo still looking for advices on how to get the files back
Here's a DiskGenius screenshot:
Re: Access Bitlocker encrypted disk after overwriting part o
October 5th, 2023, 7:46
DMDE found the following partitions:
Re: Access Bitlocker encrypted disk after overwriting part o
October 6th, 2023, 22:02
Can you show us the contents of sector 3904550911? I expect this will be the backup boot sector of the 2TB partition.
I'm a little confused by R-Studio's blog:
https://www.r-studio.com/encrypted-disks-recovery.html
Does this mean that R-Studio cannot mount and recover damaged Bitlocker volumes???
I'm a little confused by R-Studio's blog:
https://www.r-studio.com/encrypted-disks-recovery.html
For data recovery from encrypted disks and images and proprietary file container formats, R-Studio can process these as normal logical volumes after they are mounted in the native software. But in all cases, if the file container format is corrupted to the point that it cannot be mounted, then the chances of recovering any files are very small.
Does this mean that R-Studio cannot mount and recover damaged Bitlocker volumes???
Re: Access Bitlocker encrypted disk after overwriting part o
October 7th, 2023, 4:56
search for all occurences of string '-FVE-FS-' (without quotes). This is the signature of metadata blocks. If you can find at least one of these, there is hope to get it sorted out.
Powered by phpBB © phpBB Group.