I have a Windows 7 Bitlockered drive that won't boot. It's from an HP with TPM.
According to my customer, his laptop automatically installed some HP-related system updates and upon restart booted to Startup Repair. He attempted some limited recovery and poked around with Diskpart of all things, but I could not get specifics of what was tried.
For comparison, I've installed a tester drive on the laptop, installed Windows 7, and bitlockered it the same way the patient drive would have been set up.
The Bitlockered partition on the patient drive has zero instances of the –FVE-FS- anywhere in the hex data. There are several on the intact test installation.
The only "unlockers" I have are the short password normally entered upon boot and the 64-character recovery key. The “repair-bde” functions don’t work because all the Metadata also appears to be missing. I've compared the sections of hex data of the intact Bitlocker drive where it appears the “keyholes” for the password, encryption key, etc are with the patient drive and on the patient drive these sections do not exist.
I can insert a FVE-FS volume header into the beginning of the partition and Windows then detects it as a Bitlocker volume but I know it's not that easy– it says the unlock credentials are corrupt.
Though I've done a massive amount of research on Bitlocker since I've acquired this recovery, my business is data recovery of physically failed hard drives and this is beyond my ability.
I'm really just querying this group of forensic professionals to possibly get a consensus, considering the information provided, whether a recovery is even possible, if I've provided enough information for that to be determined, or if a forensic professional would even be willing to take a shot at this (and possibly a referral).
Thanks!
Sam
When you run the repair-bde, does it find the key package?
A really far far stretch, but you can attempt to get donor sectors for the encrypted volume, then try repair-bde again.
It might be quicker to image it and make it into a VHD, and attempt repair, instead of doing it from the HDD. Making it into a VHD may also eliminate Reserved Partition issues.
Thanks for your reply!
The repair-bde tool does not find anything. It makes the suggestion of running the tool using the key package AND the encryption key credentials together but I only have the 64 char encryption key.
I do have the ability to edit the drive's hex data… can you suggest what to insert as donor material?
I am of course working with a sector-to-sector copy of the patient HD. I like your idea of making a virtual drive to speed things up.
Luckily, I do not have an issue with reserved partitions (like the extra 10 tiny weird partitions that Windows 8 creates). There are only 2 partitions on the drive the Bitlockered one and the NTFS Recovery partition which, it may be worth mentioning, does have 2 instances of the -FVE-FS- Bitlocker partition header. But in comparison with the NTFS Recovery partition on the intact tester Bitlockered installation I created, they are identical.