Another Bitlocker woos

[terminator2]

Run search Sedu pattern in hex on 2nd partition to double check

Hi DR-Kiev & vx1 , Thanks a lot.
Is this MRT specific function ? I could not find it in PC3K (V7.1XX). I have reread F3 manual also but could not find this settings.

[DR-Kiev]

Run search Sedu pattern in hex on 2nd partition to double check

Hi DR-Kiev & vx1 , Thanks a lot.
Is this MRT specific function ? I could not find it in PC3K (V7.1XX). I have reread F3 manual also but could not find this settings.

sEDU = @508\x73\x45\x44\x55
btTEC = @507\x62\x74\x54\x45\x43

In recent versions it should already be added

[terminator2]

Run search Sedu pattern in hex on 2nd partition to double check

Hi DR-Kiev & vx1 , Thanks a lot.
Is this MRT specific function ? I could not find it in PC3K (V7.1XX). I have reread F3 manual also but could not find this settings.

sEDU = @508\x73\x45\x44\x55
btTEC = @507\x62\x74\x54\x45\x43

In recent versions it should already be added

OK that means its already there in my PCK3K and this may not be the issue in my case

[terminator2]

I have run "eleconsoft forensic disk decryptor" on hibernet.sys file to extract bitlocker keys but it did not find anything.
I was keen to know what are actual keys in "No key" type of protectors.
Here is intresting article on Bilocker and windows hibernet file
https://arsenalrecon.com/insights/the-i ... -bitlocker

Attachments

Screenshot 2022-10-23 210204.png (10.9 KiB) Viewed 8474 times

[DR-Kiev]

Run search Sedu pattern in hex on 2nd partition to double check

Hi DR-Kiev & vx1 , Thanks a lot.
Is this MRT specific function ? I could not find it in PC3K (V7.1XX). I have reread F3 manual also but could not find this settings.

sEDU = @508\x73\x45\x44\x55
btTEC = @507\x62\x74\x54\x45\x43

In recent versions it should already be added

OK that means its already there in my PCK3K and this may not be the issue in my case

It doesn't use it by default, you should add additional map.
I bet it is an issue. Half of the rosewoods generate that pattern from buffer, especially after heads swap.
Just look with your eyes in hex first 3GB of second partition, tracking that pattern.

[terminator2]

Oh . Thanks a ton DR-Kiev.
I will perform cloning again with these commands & post outcome.

[DR-Kiev]

Can you check/search for these kind of sectors somewhere in the beginning of 2nd partition ?

Attachments

[terminator2]

Can you check/search for these kind of sectors somewhere in the beginning of 2nd partition ?

Thanks DR-Kiev
Yes eaxctly same hex pattern is been observed starting from sector 346218496 (300 GB partition start)
I have made video of these sectors.
Unfortunately patient disk is returned to customer for warranty replacement so I can't clone it again using SEDU scripts .

Video --
https://www.youtube.com/watch?v=qZfma6gpD8A

Attachments

[DR-Kiev]

Can you check/search for these kind of sectors somewhere in the beginning of 2nd partition ?

Thanks DR-Kiev
Yes eaxctly same hex pattern is been observed starting from sector 346218496 (300 GB partition start)
I have made video of these sectors.
Unfortunately patient disk is returned to customer for warranty replacement so I can't clone it again using SEDU scripts .

Video --
https://www.youtube.com/watch?v=qZfma6gpD8A

Try to return it, otherwise - game over with decryption.
You only need to read again few kb from that drive.

[terminator2]

Can you check/search for these kind of sectors somewhere in the beginning of 2nd partition ?

Thanks DR-Kiev
Yes eaxctly same hex pattern is been observed starting from sector 346218496 (300 GB partition start)
I have made video of these sectors.
Unfortunately patient disk is returned to customer for warranty replacement so I can't clone it again using SEDU scripts .

Video --
https://www.youtube.com/watch?v=qZfma6gpD8A

Try to return it, otherwise - game over with decryption.
You only need to read again few kb from that drive.

Yes Thanks DR-Kiev.
Fortunately disk is still with customer and he has agreed to resend again. I will completely clone disk again and I am hopeful to give justice to this case.
Thank you so much all credit for this valuable learning and success goes to you.

[DR-Kiev]

Can you check/search for these kind of sectors somewhere in the beginning of 2nd partition ?

Thanks DR-Kiev
Yes eaxctly same hex pattern is been observed starting from sector 346218496 (300 GB partition start)
I have made video of these sectors.
Unfortunately patient disk is returned to customer for warranty replacement so I can't clone it again using SEDU scripts .

Video --
https://www.youtube.com/watch?v=qZfma6gpD8A

Try to return it, otherwise - game over with decryption.
You only need to read again few kb from that drive.

Yes Thanks DR-Kiev.
Fortunately disk is still with customer and he has agreed to resend again. I will completely clone disk again and I am hopeful to give justice to this case.
Thank you so much all credit for this valuable learning and success goes to you.

Wuuf. Just create map based on pattern of bTec sectors and read only them . Especially, need beginning of 2nd partition,

[chipsang]

Thank you DR-kiev
We are currently cloning a rosewood disk after head transplant .Cloning is very slow. This post is very useful for us and has came at right time as drive is having bitlocker encryption.

[Rudra]

Run search Sedu pattern in hex on 2nd partition to double check

Hi DR-Kiev & vx1 , Thanks a lot.
Is this MRT specific function ? I could not find it in PC3K (V7.1XX). I have reread F3 manual also but could not find this settings.

sEDU = @508\x73\x45\x44\x55
btTEC = @507\x62\x74\x54\x45\x43

In recent versions it should already be added

Hi DR-Kiev
I have several cloned copies of failed Bitlocker cloned copies. Can I run DE on cloned copies to search both patterns ? On one drive I have found 2946 such sectors. Whether this needs to be applied while cloning post head transplant or can run on cloned copies as well.

[Amarbir[CDR-Labs]]

Hello Everyone ,
What angel data recovery is trying to explain to you all is as following ....

1 : There is a Feature in PC 3K 7.1X were Acelab has added a additional MAP grep so what if you clone a seagate drive you can see on the fly if Seagate btTEC and sEDU issue is there in reading ,What this problem is that Seagate Rosewood drives instead of returning you the data in the patient drive sector returns a factory data sector that has the signature in which you will find a Signature btTEC and sEDU ,Are you folks getting it into your head now please

2 : So if you replace rosewood heads and you are cloning some weak sections of the drive this drive can return you these factory data filled sectors ,You are thinking you are getting the sectors but the case is you are not ,In the end you will need to make a map of all these sectors and then you need to clear it or change it back to non read and read it again .Due to these sectors the guy is not able to see bitlocked data imho

PS : To Angel Data Recovery ,Can you please explain why these sectors are generated and how we can solve this issue .I had added this facility myself to Ver 6.9 of PC3K UDMA i have but the same ability got destroyed in Ver 7.0 update ,I am on 7.0 Currently so need to add it again .

[Rudra]

Hello Everyone ,
What angel data recovery is trying to explain to you all is as following ....

1 : There is a Feature in PC 3K 7.1X were Acelab has added a additional MAP grep so what if you clone a seagate drive you can see on the fly if Seagate btTEC and sEDU issue is there in reading ,What this problem is that Seagate Rosewood drives instead of returning you the data in the patient drive sector returns a factory data sector that has the signature in which you will find a Signature btTEC and sEDU ,Are you folks getting it into your head now please

2 : So if you replace rosewood heads and you are cloning some weak sections of the drive this drive can return you these factory data filled sectors ,You are thinking you are getting the sectors but the case is you are not ,In the end you will need to make a map of all these sectors and then you need to clear it or change it back to non read and read it again .Due to these sectors the guy is not able to see bitlocked data imho

PS : To Angel Data Recovery ,Can you please explain why these sectors are generated and how we can solve this issue .I had added this facility myself to Ver 6.9 of PC3K UDMA i have but the same ability got destroyed in Ver 7.0 update ,I am on 7.0 Currently so need to add it again .

Thank You Amarbir for detailed explanation.

[Arch Stanton]

Fun part is, this was already visible in very first post

Attachments

[Amarbir[CDR-Labs]]

Fun part is, this was already visible in very first post

Well,
Of course but they are new into recovery we need to explain them

[Arch Stanton]

Fun part is, this was already visible in very first post

Well,
Of course but they are new into recovery we need to explain them

Yes, sure. Was also slap on my own head because I missed it while answer was there from the start.

Anyone know where it comes from? Or "m.o.L.D." or "sEDU"? Can those be found in the firmware or something, is it part from a command block like "USBC" is part of 'USB command block' and ends up being inserted into a read buffer?

[Amarbir[CDR-Labs]]

Fun part is, this was already visible in very first post

Well,
Of course but they are new into recovery we need to explain them

Yes, sure. Was also slap on my own head because I missed it while answer was there from the start.

Anyone know where it comes from? Or "m.o.L.D." or "sEDU"? Can those be found in the firmware or something, is it part from a command block like "USBC" is part of 'USB command block' and ends up being inserted into a read buffer?

Uff ,
Why are people calling 1 type of problem with so many different name huhhhh like

1 : Seagate 241A is Same as Seagate mo.L.D is same as Seagate btTEC Damn

PS : Please point me to USBC Thread i did briefly see that once here i think it was you who started it ,Do you have other such kind of sectors thrown by HDDs on our face ,I would like to add all addition Maps For These Too in My PC3K

[Arch Stanton]

Fun part is, this was already visible in very first post

PS : Please point me to USBC Thread i did briefly see that once here i think it was you who started it ,Do you have other such kind of sectors thrown by HDDs on our face ,I would like to add all addition Maps For These Too in My PC3K

Erm, maybe better not as it's unrelated and will make this thread a mess, or bigger mess