Data recovery from bitlocker encrypted drive

Bulldawg
(@bulldawg)
Posts: 190
Estimable Member
Topic starter
 

I've got a feeling the answer to this is there is no way, but I'll give it a try anyway.

I have an SSD from a company laptop where the SATA controller failed. The SSD is encrypted using BitLocker and, naturally, there is some critical data on the drive and no backup. The recovery key is also missing. The drive is normally opened with a PIN and the TPM in the laptop.

Is there any way to use the TPM from the laptop with the failed controller to open the drive?

I think that without the recovery key, we're out of luck, but if anyone knows a way around this, I'd appreciate the help.

 
Posted : 06/08/2012 11:10 pm
(@joachimm)
Posts: 181
Estimable Member
 

Are you able to get a copy of the encrypted data of the SSD, e.g. an image?
You could try booting the laptop with Windows, and see if the system picks up when mounting the image.

As far as I know, how BDE interacts with the TPM is not publicly known.
But if you could find out, libbde (http://code.google.com/p/libbde/) could be altered to deal with that.

 
Posted : 06/08/2012 11:30 pm
Passmark
(@passmark)
Posts: 376
Reputable Member
 

If it is just the SATA controller that is dead, can you remove the drive from the laptop, place it into an external USB enclosure and boot from USB (on the same machine with the same TPM)?

Needless to say, I have never tried this & have no real idea if it would work.

 
Posted : 07/08/2012 5:30 am
jhup
(@jhup)
Posts: 1442
Noble Member
 

Is this a standalone implementation of BitLocker, or the enterprise version?

If enterprise and it was set up correctly, the key is in the AD, and you can even make a VHD, and boot it with the key, TPM or not.

 
Posted : 07/08/2012 8:19 am
Bulldawg
(@bulldawg)
Posts: 190
Estimable Member
Topic starter
 

It is enterprise, but since we can't find the recovery key in the AD, I assume it's not set up correctly.

For the method you describe, what "key" do we need? Can you provide a link to instructions on how to use this method?

 
Posted : 07/08/2012 7:08 pm
(@c-r-s)
Posts: 170
Estimable Member
 

Having no recovery protectors (key or numeric password), there is no cheaper way than to replace the SATA controller.

 
Posted : 07/08/2012 11:28 pm
Bulldawg
(@bulldawg)
Posts: 190
Estimable Member
Topic starter
 

> Having no recovery protectors (key or numeric password), there is no cheaper way than to replace the SATA controller.

This is a laptop, so that would have to be a PCMCIA SATA card. I'm not sure if the BIOS could handle booting off that, but it is worth a try. Now, we just have to get the original laptop back from the hardware depot…

 
Posted : 08/08/2012 2:34 am
jhup
(@jhup)
Posts: 1442
Noble Member
 

> It is enterprise, but since we can't find the recovery key in the AD, I assume it's not set up correctly.
>
> For the method you describe, what "key" do we need? Can you provide a link to instructions on how to use this method?

The information is in ms-FVE-RecoveryInformation under the machine object. If you have the machine name you can find this object. The RecoveryPassword contains the string that is asked for when a drive or VHD is slaved.

 
Posted : 08/08/2012 7:24 am
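
Added example, not part of the original thread or written by any of its posters: one way to run the Active Directory lookup described in the post above with the ActiveDirectory PowerShell module. The function name, the sample machine name and the `PasswordId` fallback (the first 8 hex characters of the key protector ID) are assumptions made for illustration.

```powershell
# Added example: read BitLocker recovery information from Active Directory.
# Needs the ActiveDirectory module (RSAT). By default only Domain Admins or
# explicitly delegated accounts can read these objects, so an empty result
# from an unprivileged account does not prove the key was never backed up.
Import-Module ActiveDirectory

function Get-BitLockerRecoveryInfo {   # hypothetical helper name
    [CmdletBinding()]
    param(
        [string]$ComputerName,         # machine name, as described in the post above
        [ValidatePattern('^[0-9A-Fa-f]{8}$')]
        [string]$PasswordId            # assumption: first 8 hex chars of the protector ID
    )
    $props = 'msFVE-RecoveryPassword', 'whenCreated'
    $found = @()

    if ($ComputerName) {
        # Recovery objects are stored as children of the computer object.
        $computer = Get-ADComputer -Identity $ComputerName -ErrorAction Stop
        $found = @(Get-ADObject -SearchBase $computer.DistinguishedName `
            -Filter "objectClass -eq 'msFVE-RecoveryInformation'" -Properties $props)
    }
    if (-not $found -and $PasswordId) {
        # Fallback: the object name embeds the protector GUID, so a domain-wide
        # search still finds it if the machine was renamed or moved.
        $filter = "objectClass -eq 'msFVE-RecoveryInformation' " +
                  "-and Name -like '*{$($PasswordId)*'"
        $found = @(Get-ADObject -Filter $filter -Properties $props)
    }

    foreach ($obj in ($found | Sort-Object whenCreated -Descending)) {
        # Object names look like <timestamp>{<protector GUID>}.
        $guid = if ($obj.Name -match '\{([0-9A-Fa-f-]{36})\}') { $Matches[1] }
        [pscustomobject]@{
            Created           = $obj.whenCreated
            KeyProtectorId    = $guid
            RecoveryPassword  = $obj.'msFVE-RecoveryPassword'
            DistinguishedName = $obj.DistinguishedName
        }
    }
}

# Constructed sample values, not taken from the thread:
# Get-BitLockerRecoveryInfo -ComputerName 'LAPTOP-EXAMPLE'
# Get-BitLockerRecoveryInfo -PasswordId '1A2B3C4D'
```

If several objects come back, each corresponds to one recovery password protector, and the one whose KeyProtectorId matches the ID shown for the volume is the one that unlocks it.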
(@c-r-s)
Posts: 170
Estimable Member
 

> This is a laptop, so that would have to be a PCMCIA SATA card. I'm not sure if the BIOS could handle booting off that, but it is worth a try.

That probably won't work. I meant on-board replacement and a prayer to pass the trusted-boot integrity check afterwards.

 
Posted : 08/08/2012 12:14 pm
jhup
(@jhup)
Posts: 1442
Noble Member
 

You could try JTAG or, worst case, chip-off reading…

 
Posted : 09/08/2012 3:05 am