October 18th, 2022, 12:35
I have got a 500 GB laptop hard disk from a corporate customer. It was having head issues.
After head transplant we have cloned the disk using 2-3 heads, but only a few bad sectors were skipped.
The disk was having 2 partitions. BitLocker from the C drive has been decrypted easily in PC 3K and data is fully recoverable.
But due to bad sectors the partition & BitLocker metadata might have been lost, as this partition is not coming up in PC3K.
I have tried UFS Explorer (trial version 9.1 64 Bit). Again UFS Explorer has decrypted the C drive (I think UFS Explorer is among the few software tools which can decrypt BitLocker).
But UFS Explorer could not find any trace of the partition.
Is there any way or any software I can try? I have attached the first 10000 sectors of this 300GB space (start sector - 346218496).
Download link --
https://drive.google.com/file/d/17b8dx3 ... sp=sharing
October 18th, 2022, 15:14
Weird partitioning. What's at sector 344303880?
October 18th, 2022, 23:27
Arch Stanton wrote: Weird partitioning. What's at sector 344303880?
Hi, thanks Arch.
This sector is blank. Maybe it is those sectors which are skipped.
October 19th, 2022, 2:46
Run a more recent version of UFS (demo is fine), and run an FS scan on the 2nd partition. Usually it can find the BitLocker partition. FVE metadata is stored in 3 different places, usually within the first 6GB.
October 19th, 2022, 5:21
DR-Kiev wrote: Run a more recent version of UFS (demo is fine), and run an FS scan on the 2nd partition. Usually it can find the BitLocker partition. FVE metadata is stored in 3 different places, usually within the first 6GB.
I feel privileged to be getting expert technical guidance from pro gurus like DR-Kiev, pepe, fzabkar, Arch Stanton, digisupport, Lardman, to name a few.
Thank you, all of you.
Yes, I have run the latest demo version (V9.1 Professional X64) on the entire disk but this particular partition is not getting traced.
Even raw recovery does not yield anything, which means all sectors are encrypted. I think all partition / BitLocker metadata is missing (all copies), so UFS Explorer or PC3K is not able to rebuild it.
October 19th, 2022, 8:25
You could do a search for "3b d6 67 49 29 2e d8 4a 83 99 f6 a3 39 e3 d0 01" (hex) and note down the LBA addresses of occurrences. Or simply FVE-FS (string, uppercase). Then we could match these to the Partitions tab of DMDE. Both of these are pretty unique to the boot sector of encrypted volumes; you can actually see them in the dump of the FVE-FS sector you posted.
I am suggesting this because on my disks the next partition starts at end LBA + 1 of the previous partition, and not all partitions seem to follow this in the DMDE Partitions window. There may of course be legit reasons for this, but it's something I'd look into. If we find occurrences we can dump the sectors, decode them and see what that means for the partition tables / cross-reference with what we see in the Partitions tab. Or we could point our file recovery tools at those, help them a bit so to speak.
But perhaps it is as you say and the key sectors needed to decrypt weren't copied. BTW, I am no expert on BitLocker, I am just reasoning: if partition tables are off, file recovery tools may have trouble finding what they're looking for if we rely on those 'off' partition tables.
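The signature search suggested in the post above, as an added Python example that is not part of the original thread: it scans an image for the quoted GUID bytes and the FVE-FS tag and reports absolute LBAs for cross-referencing against a partition listing. The function names `scan`, `classify` and `build_sample` are hypothetical, the sample image is constructed, and the sector offsets used to label hits (tag at offset 3 for a volume boot sector, offset 0 for an FVE metadata block header) are assumptions taken from public BitLocker format notes, not from the thread.

```python
import io

SECTOR = 512
# Signatures quoted in the thread: the 16-byte GUID as stored on disk, and the
# ASCII tag, which appears on disk with surrounding dashes.
SIGNATURES = {
    "guid": bytes.fromhex("3bd66749292ed84a8399f6a339e3d001"),
    "tag": b"-FVE-FS-",
}

def scan(stream, base_lba=0, chunk_sectors=2048):
    """Return sorted (absolute_lba, offset_in_sector, name) for every hit."""
    overlap = max(len(s) for s in SIGNATURES.values()) - 1
    hits, buf, pos = set(), b"", 0  # pos = stream offset of buf[0]
    while chunk := stream.read(chunk_sectors * SECTOR):
        buf += chunk
        for name, sig in SIGNATURES.items():
            i = buf.find(sig)
            while i != -1:
                lba, off = divmod(pos + i, SECTOR)
                hits.add((base_lba + lba, off, name))
                i = buf.find(sig, i + 1)
        # Keep a short tail so a signature straddling two chunks is still seen;
        # the set removes hits that are found twice because of the tail.
        tail = buf[-overlap:]
        pos += len(buf) - len(tail)
        buf = tail
    return sorted(hits)

def classify(offset, name):
    """Label a hit by its position in the sector (assumed layout, see lead-in)."""
    if name == "tag" and offset == 3:
        return "volume boot sector (OEM ID field)"
    if name == "tag" and offset == 0:
        return "FVE metadata block header"
    if name == "guid":
        return "BitLocker GUID"
    return "unaligned match, inspect manually"

def build_sample():
    """Constructed 8-sector image, not data from the thread's dump."""
    img = bytearray(8 * SECTOR)
    img[3:11] = SIGNATURES["tag"]
    img[160:176] = SIGNATURES["guid"]
    img[5 * SECTOR:5 * SECTOR + 8] = SIGNATURES["tag"]
    return bytes(img)

if __name__ == "__main__":
    # base_lba is the start sector of the partial dump given in the first post.
    for lba, off, name in scan(io.BytesIO(build_sample()), base_lba=346218496):
        print(f"LBA {lba} +{off:#05x}  {classify(off, name)}")
```

For a full clone, pass the opened image file with `base_lba=0` so the reported LBAs line up directly with the partition table entries.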
October 20th, 2022, 7:50
Arch Stanton wrote: You could do a search for "3b d6 67 49 29 2e d8 4a 83 99 f6 a3 39 e3 d0 01" (hex) and note down the LBA addresses of occurrences. Or simply FVE-FS (string, uppercase). Then we could match these to the Partitions tab of DMDE. Both of these are pretty unique to the boot sector of encrypted volumes; you can actually see them in the dump of the FVE-FS sector you posted.
I am suggesting this because on my disks the next partition starts at end LBA + 1 of the previous partition, and not all partitions seem to follow this in the DMDE Partitions window. There may of course be legit reasons for this, but it's something I'd look into. If we find occurrences we can dump the sectors, decode them and see what that means for the partition tables / cross-reference with what we see in the Partitions tab. Or we could point our file recovery tools at those, help them a bit so to speak.
But perhaps it is as you say and the key sectors needed to decrypt weren't copied. BTW, I am no expert on BitLocker, I am just reasoning: if partition tables are off, file recovery tools may have trouble finding what they're looking for if we rely on those 'off' partition tables.
I have extensively searched the 300GB partition starting from sector 346218496 but could not find the FVE-FS sector, though the FVE string is there.
Interestingly, I tried to run DiskInternals EFS Recovery and it has detected a BitLocker encrypted partition. Since both PC3K and UFS Explorer could not detect this volume. When I tried to mount this partition it asked for the BitLocker password (since it does not have an auto-decryption type mechanism for clear key passwords).
So a tool must not only detect the BitLocker partition, mount it and ask for the password to enter.
Both UFS & DiskInternals have one of the features which are required for this case (UFS has decryption capabilities).
I do not know whether DiskInternals EFS Recovery has actually traced the boot sector and created a virtual BitLocker partition.
But I have imaged this recovered BitLocker partition onto an SSD and mounted it with the hope that this will be a valid BitLocker partition, but it is the same as the actual 300GB partition. Since the C drive easily gets decrypted and is fully accessible, is there any way to get the BitLocker key (.bek) or password from Windows?
I think the fundamental problem is with the boot sector, which is altogether missing. BitLocker might not be the issue as it is having a clear key & can get decrypted.
October 20th, 2022, 8:48
I have extensively searched 300GB partition starting from Sector 346218496 but could not find FVE-FS sector though FVE string is there.
I'd search the entire drive. What tool did you use to search then?
But, DiskInternals tool works?
October 20th, 2022, 11:08
Arch Stanton wrote: I have extensively searched 300GB partition starting from Sector 346218496 but could not find FVE-FS sector though FVE string is there.
I'd search the entire drive. What tool did you use to search then?
But, DiskInternals tool works?
Yes, the newer version has a BitLocker recovery feature for damaged volumes. But I don't know about the accuracy of the recovered volumes shown by it. In a few seconds it has shown a recovered BitLocker partition, which both bigwigs could not do, so this could be a false positive.
But I have very limited choice, because an ideal tool should have intelligence of its own to perform the following tasks -
1) Search the hard disk to find all encrypted boot sectors.
2) Identify BitLocker.
3) Trace and rebuild the virtual volume.
4) Collect BitLocker metadata.
5) Provoke the BitLocker password window.
6) Identify the type of protectors.
7) If a clear key is found, then decrypt the volume.
All this must be done automatically. I think this type of tool does not exist (maybe someone has their proprietary tool).
Chances of recovery seem to be slim, as this type of case needs deeper knowledge of file system / encryption and manual work. Commercial tools have lots of limitations.
Currently I am scanning the entire disk using DiskInternals; I will update results. If DiskInternals displays the C drive like UFS has shown and decrypts it as well, then we can conclude its capabilities.
If it succeeds then I will try to export the C drive or image it and create a virtual volume. I will run some forensic demo software to scan the hibernate and swap files to get the recovery key. I want to know what type of key is present in "no key" (suspended state). Since the volume is encrypted, even "no key" must be having some alphabetic or numerical values. Will carved .bek files be of any use?
October 20th, 2022, 11:54
Arch Stanton wrote: I have extensively searched 300GB partition starting from Sector 346218496 but could not find FVE-FS sector though FVE string is there.
I'd search the entire drive. What tool did you use to search then?
But, DiskInternals tool works?
Yes, you are right, DiskInternals does not work on this type of case as advertised. After a complete scan it failed to identify any volume.
October 20th, 2022, 15:13
What about the patient hard drive? Is it a kind of WD SMR drive, or a Rosewood cloned without MC?
October 21st, 2022, 0:16
DR-Kiev wrote: What about the patient hard drive? Is it a kind of WD SMR drive, or a Rosewood cloned without MC?
Thanks DR-Kiev.
It's a Rosewood, model ST5000LM034 / RPM2. What does MC mean? Heads were transplanted 2-3 times for more accurate cloning. Except for a few bad sectors, the entire disk was cloned successfully.
October 21st, 2022, 1:31
I am not an expert like DR-Kiev, but if the BitLocker boot sector or metadata copies are altogether missing then there may not be anything that can create it. Even if the C drive and Windows are accessible and you found encryption information, the critical boot sector is missing, so this issue is not about BitLocker but about the boot sector.
October 21st, 2022, 2:56
terminator2 wrote: DR-Kiev wrote: What about the patient hard drive? Is it a kind of WD SMR drive, or a Rosewood cloned without MC?
Thanks DR-Kiev.
It's a Rosewood, model ST5000LM034 / RPM2. What does MC mean? Heads were transplanted 2-3 times for more accurate cloning. Except for a few bad sectors, the entire disk was cloned successfully.
Have you noticed the SeDU pattern while reading? Usually the disk reads, but improperly (generated factory pattern).
October 21st, 2022, 4:28
DR-Kiev wrote: terminator2 wrote: DR-Kiev wrote: What about the patient hard drive? Is it a kind of WD SMR drive, or a Rosewood cloned without MC?
Thanks DR-Kiev.
It's a Rosewood, model ST5000LM034 / RPM2. What does MC mean? Heads were transplanted 2-3 times for more accurate cloning. Except for a few bad sectors, the entire disk was cloned successfully.
Have you noticed the SeDU pattern while reading? Usually the disk reads, but improperly (generated factory pattern).
OK, but this is not observed. We tried with 3 brand new heads to minimize read errors, but 32 sectors could not be read.
Is it possible that only 32 sectors have caused boot sector and BitLocker metadata corruption?
Considering the C drive can be decrypted in seconds, there may not be any issue in cloning. Only the D drive boot sector is not getting traced.
Is it possible that the customer might have split the original single partition in 2? In that case a virtual partition might be present, valid for that Windows. I don't know whether an MBR is created or not for split partitions. But I have observed that recovery is not possible (logical) from such cases using any software (at least I don't have success).
Here are the disk statistics.
October 21st, 2022, 10:05
It seems you are not aware of the Sedu problem on Rosewoods.
PC3K DE "reads" the sector fine, but the resulting content is not fine. You always need to apply Sedu/Lod checking on the fly on them.
October 21st, 2022, 11:27
Last MRT version is able to map sEDU sectors with different colors than green in DE:
http://us.mrtlab.com/download/uplist.html
October 22nd, 2022, 7:31
DR-Kiev wrote: It seems you are not aware of the Sedu problem on Rosewoods.
PC3K DE "reads" the sector fine, but the resulting content is not fine. You always need to apply Sedu/Lod checking on the fly on them.
Thanks DR-Kiev.
I don't know where the Sedu/Lod setting is in DE, but is this the problem in this case? Since only 32 sectors are affected, the rest of the data is fine, and the content of C is 100% working. In case of this problem it should have affected the whole disk.
We have done hundreds of successful Rosewood transplants, but rarely has this type of issue been encountered.
Meantime I have got a reply from Dmitri (DMDE). I have updated the customer that recovery is not possible from the D drive as there is nothing left that I can try.
October 22nd, 2022, 9:46
Run a search for the Sedu pattern in hex on the 2nd partition to double-check.
October 22nd, 2022, 10:47
MRT 2.1.8.1