3

I have a backup drive that is used mostly for that purpose: to backup data from my computer. I did move data onto it temporarily at some point, but I believe and I hope I've moved it back off in the meantime. It's protected by bitlocker. When I was away and someone was house-sitting, they connected their Android tablet to a port replicator that the backup drive was connected to, and inadvertedly told Android to "fix" the drive (because Android doesn't recognize NTFS formatted drives, much less those protected by bitlocker), which formatted it as exFAT. It couldn't have been a deep format, because she didn't have it connected for long. Meaning: it should be possible to recover the data, right?

Here's what I have:

  • The full bitlocker recovery ID
  • The bitlocker recovery key
  • The data on my computer used to automatically unlock the drive - however that could be extracted.
  • The drive itself (obviously)

I've tried scanning the drive with Recuva, which didn't give me anything usable. I didn't have any option to enter any encryption keys, so it honestly couldn't have worked.

I then tried using repair-bde.exe, supplying it with the recovery key and a seperate drive (~twice the size of the original drive) to copy the recovered data to. It gave me this response:

ERROR: The input volume has suffered damages to critical information related to the decryption key. Please try the -KeyPackage option to specify a key package. The volume may not be recoverable.

What other options do I have? (I am also slightly worried about the fact that I currently am not backing up my computer until I get this resolved, because I don't want to overwrite anything that could still be recovered.)

I'm on Windows 10 Enterprise.

Improve this question

3 Answers 3

Reset to default
4

It couldn't have been a deep format, because she didn't have it connected for long. Meaning: it should be possible to recover the data, right?

No, unfortunately not.

The recovery key (as well as the stored auto-unlock key) does not decrypt your disk directly; it only decrypts the real encryption key that's stored in the BitLocker header, which is at the very beginning of the partition.

So if that part of the disk was overwritten (such as by writing a new FAT filesystem on top of it), the rest of the BitLocker volume becomes unrecoverable. Yes, the rest of your data is technically still there on the disk, but you no longer have the key to decrypt it.

Improve this answer
1
  • 1
    OK, makes sense, but... is there really no redundancy? I mean, that essentially means that one bit flip in that sector can kill the entire drive's data. That seems to be a pretty crazy weak point to me... bit rot happens, after all. That would make me question BitLocker in the first place.
    – Benjamin Krausse DB
    Commented Aug 11, 2023 at 13:02
1

The intention of the Bitlocker designers was to make it as resilient as possible to disk problems. Therefore the disk headers are duplicated on the disk. Some products claim being able to recover such disks, but they are very costly. I found only one product that is free as described below. Whether the disk can be recovered or not depends on the amount of destruction that was done.

The article How to Recover Files from Formatted Hard Drive (2023) says that "EaseUS Data Recovery Wizard Free can recover files from formatted drive free on Windows and Mac computers".

Among the features is listed :

Unformat hard drive and repair the RAW drive (BitLocker encrypted drive)

Try this product. It's free and you have nothing to lose.

Improve this answer
4
  • That's mentioning their services, not the software as I read it. And it's not free.
    – Joep van Steen
    Commented Jul 28, 2023 at 12:43
  • @JoepvanSteen: EaseUS Data Recovery Wizard Free is software with a download link. I haven't tried, so I don't know the capabilities of the free version. Other products exist but are very costly. If the poster is interested, I can recommend one with a 2 digits price.
    – harrymc
    Commented Jul 28, 2023 at 13:05
  • 1
    Their claim 'it' can recover bitlocker drives is about their service, not the software.
    – Joep van Steen
    Commented Aug 6, 2023 at 20:57
  • That's how I read it as well. I tried it anyway, but it just gave me some gibberish and a 4TB file (possibly what's left of the drive - even though it only was a 2TB drive). I couldn't find a way to provide a bitlocker key anywhere or any other Bitlocker information.
    – Benjamin Krausse DB
    Commented Aug 7, 2023 at 11:18
0

It's possible that you might have some luck with dislocker (particularly the dislocker-metadata program). There might be multiple copies of the essential blocks.

For instance, you can use something like this:

# Show metadata for a BitLocker volume.  Hopefully it will recognize something.
dislocker-metadata -V /dev/sdd1

# Mount a USB thumbdrive protected by BitLocker.
mkdir ~/bl-data                                 # dislocker puts a virtual decrypted image here.
dislocker --user-password /dev/sdd1 ~/bl-data   # Unlock the volume.

mkdir ~/files                                   # This will be the real mount point.
mount -t ntfs3 ~/bl-data/dislocker-file ~/files # Mount the actual NTFS file system using a loop device.

# Unmount the volume.
umount ~/files                                  # Unmount the file system.
umount ~/bl-data                                # Close dislocker.
Improve this answer
7
  • Hmm, I don't have a Linux machine available at the moment (this being a work computer, unfortunately there are no real Linux options available for us). Is there any Windows equivalent? Or any way to get this running on Windows?
    – Benjamin Krausse DB
    Commented Jul 27, 2023 at 8:12
  • @BenjaminKrausseDB You could try mounting the disk inside WSL: devblogs.microsoft.com/commandline/… learn.microsoft.com/en-us/windows/wsl/wsl2-mount-disk hanselman.com/blog/wsl2-can-now-mount-linux-ext4-disks-directly probably with wsl --mount <DiskPath> --bare
    – Raf
    Commented Jul 27, 2023 at 8:18
  • Right, forgot about WSL... I'll have to check if I can get that to work on this computer.
    – Benjamin Krausse DB
    Commented Jul 27, 2023 at 8:22
  • @BenjaminKrausseDB: If your work policies permit it, you can use a bootable Fedora or Ubuntu USB drive. Note that the dislocker package probably won't be installed on those, so you'll need internet access to install it once you boot up.
    – David A
    Commented Aug 3, 2023 at 12:34
  • Unfortunately, that won't work, everything other than their Windows setup is blocked through the BIOS. But trying to get WSL set up is my next step. Worst case scenario, I could contact some IT colleagues and see if an exception could be made.
    – Benjamin Krausse DB
    Commented Aug 7, 2023 at 11:19

You must log in to answer this question.

Not the answer you're looking for? Browse other questions tagged .