Need help with BitLocker encrypted partition recovery
December 23rd, 2012, 13:29
Hello there! 
So basically my problem is that I've got a 1TB drive that was encrypted with BitLocker, however the partition on it has been accidentally deleted and I really want to be able to recover the data. As far as I'm aware, all data on that hard drive is just sitting there, all encrypted, without the information telling my OS (Windows 7 btw) that it's using NTFS and is bit locker encrypted.
(Disk 2 is the drive I want) Currently showing as RAW and not NTFS (BitLocker Encrypted)
So far through googling about, all I can find is this thread in which someone seems to have had the same problem as me. (http://www.tomshardware.co.uk/forum/239 ... -bitlocker).
Am I going to have to some how manually edit data on the hard drive with a hex editor? If so, how would I go about doing this?
I want to be able to have my drive shown as a bitlocked drive, then I can just unlock it having all my data will be unencrypted and restored.
Extremely grateful for anyone who can help me.
Thanks for reading,
dynikz
So basically my problem is that I've got a 1TB drive that was encrypted with BitLocker, however the partition on it has been accidentally deleted and I really want to be able to recover the data. As far as I'm aware, all data on that hard drive is just sitting there, all encrypted, without the information telling my OS (Windows 7 btw) that it's using NTFS and is bit locker encrypted.
(Disk 2 is the drive I want) Currently showing as RAW and not NTFS (BitLocker Encrypted)
So far through googling about, all I can find is this thread in which someone seems to have had the same problem as me. (http://www.tomshardware.co.uk/forum/239 ... -bitlocker).
Am I going to have to some how manually edit data on the hard drive with a hex editor? If so, how would I go about doing this?
I want to be able to have my drive shown as a bitlocked drive, then I can just unlock it having all my data will be unencrypted and restored.
Extremely grateful for anyone who can help me.
Thanks for reading,
dynikz
Re: Need help with BitLocker encrypted partition recovery
December 25th, 2012, 10:47
Anyone able to help me?
Re: Need help with BitLocker encrypted partition recovery
December 25th, 2012, 13:06
Check this from Microsoft:
http://support.microsoft.com/kb/928201
For example, type the following command, and then press ENTER:
repair-bde D: -RecoveryPassword
How did you delete the partition? im interested so I can replicate it for R&D
Loki
http://support.microsoft.com/kb/928201
For example, type the following command, and then press ENTER:
repair-bde D: -RecoveryPassword
How did you delete the partition? im interested so I can replicate it for R&D
Loki
Re: Need help with BitLocker encrypted partition recovery
December 25th, 2012, 13:42
BitLocker uses special, randomly-generated keys to encrypt/decrypt data. The keys are stored in so-called metadata. There are 3 identical copies of metadata located within encrypted volume(the locations of metadata copies are not predetermined, so they can be anywhere). You need at least one alive copy of metadata to decrypt your volume. The keys in metadata are also encrypted you need one of "protectors" to decrypt the keys. Most popular are RecoveryPassword and user passphrase. Sometimes the keys can be stored externally on a USB drive(as a file). If you have the External key for your volume - you don't need metadata.
repair-bde can search for metadata on the volume and decrypt the volume. It accepts RecoveryPassword and RecoveryKey(external key). Use it to decrypt your volume
ALWAYS WORK WITH A COPY OF YOUR VOLUME
repair-bde can search for metadata on the volume and decrypt the volume. It accepts RecoveryPassword and RecoveryKey(external key). Use it to decrypt your volume
ALWAYS WORK WITH A COPY OF YOUR VOLUME
Re: Need help with BitLocker encrypted partition recovery
December 25th, 2012, 16:36
I forgot to mention in my original post, I do not have the the recovery key which BitLocker created during the original encryption of the drive, neither do I have an external physical key.
These seeming to be my only options from the KB document. I only know the password which was used to unlock the drive.
Just a right click and Delete Volume in Disk Management.
- Code:
-rk or -RecoveryKey
Provide an external key to unlock the volume.
Example: "F:\RecoveryKey.bek".
-rp or -RecoveryPassword
Provide a numerical password to unlock the volume.
Example: "111111-222222-333333-...".
-kp or -KeyPackage
Optional. Provide a key package to unlock the volume.
Example: "F:\ExportedKeyPackage"
These seeming to be my only options from the KB document. I only know the password which was used to unlock the drive.
How did you delete the partition? im interested so I can replicate it for R&D
Just a right click and Delete Volume in Disk Management.
Re: Need help with BitLocker encrypted partition recovery
December 25th, 2012, 17:20
dynikz wrote:These seeming to be my only options from the KB document. I only know the password which was used to unlock the drive.
That's OK as long as you have metadata, there are ways to extract RecoveryPassword from metadata using user passphrase
But your options are very limited now
Do you know how to do binary/text search on drives?
Re: Need help with BitLocker encrypted partition recovery
December 25th, 2012, 17:21
No I don't, what do I need?
Re: Need help with BitLocker encrypted partition recovery
December 25th, 2012, 17:35
Well, in short, you need to search for metadata manually, copy it to a file and post it here and then we would have at least 2 options to recover your volume
But since you don't know how to do that search the task might be impossible for you, so I strongly suggest professional data recovery in your case
If you fell like doing it - may the google guide you in the dark
But since you don't know how to do that search the task might be impossible for you, so I strongly suggest professional data recovery in your case
If you fell like doing it - may the google guide you in the dark
Re: Need help with BitLocker encrypted partition recovery
December 25th, 2012, 18:54
How did you delete the partition? im interested so I can replicate it for R&D
Just a right click and Delete Volume in Disk Management.
Thanks was just confirming which way you did it in case you used some software like Partition Manager
Loki
Powered by phpBB © phpBB Group.