Encrypted Drive Data Retrieval

(@nirnias)
Active Member
Joined: 11 years ago
Posts: 15
Topic starter  

Hey guys,

Currently working on a data retrieval job for a client. I "think" what she did was update the BIOS while the drive was encrypted with BitLocker, rather than suspending BitLocker before updating the BIOS; suspect the TPM encryption key got wiped.

What is confusing me is, I actually have the recovery key, but every time the device boots, it comes up with an error code with the QR code scanner. And it does not ask for the recovery key, so maybe the TPM is still active, and decrypts but then this error gets generated? I've seen that error before on unencrypted devices and managed to fix it by booting into safe mode and then rebooting again, but it didn't work for this job.

The client just needs her files; it's on an x4 M.2 PCIe SSD (waiting on delivery of the adapter needed in order to plug this directly into a desktop and "hopefully" be able to use it and boot the SSD and use the recovery key to decrypt it and retrieve her information).

While I am waiting, I've tried using Raptor to take an image of the file and then put that image into Autopsy (didn't retrieve much since the drive is encrypted). In the morning I hope to set up and configure Live Wire (read somewhere it is good for these types of things) to boot the Raptor-made image within a VM and hopefully retrieve the data.

Also looking at figuring out how to make a raw (dd) disk image into a bootable image and do the above.

I am relying on the adapter to arrive and hoping it's a simple plug-and-play scenario where W10 detects it as a new drive, and I can decrypt it with the recovery key by simply opening BitLocker Manager and clicking it.

Anyone have any sound advice for me while I continue reading up on this and waiting for images to index?

Regards
Nirnias
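An added example, not part of the original post: before loading a raw (dd) image into a forensic tool, it helps to confirm which partition is the BitLocker volume, since that is the one that will index as opaque data until it is unlocked with the recovery key. The sketch below walks the MBR or GPT partition table and checks each partition's boot sector for the `-FVE-FS-` OEM ID that BitLocker-encrypted volumes carry at offset 3. The function names are hypothetical, 512-byte logical sectors are assumed, and the sample image is constructed for the demonstration.

```python
import struct

SECTOR = 512                    # assumption: 512-byte logical sectors
BITLOCKER_OEM_ID = b"-FVE-FS-"  # OEM ID at offset 3 of a BitLocker volume boot sector

def partitions(img):
    """Yield (slot, start_lba) from the MBR or GPT partition table of a raw image."""
    mbr = img[:SECTOR]
    if len(mbr) < SECTOR or mbr[510:512] != b"\x55\xaa":
        return
    entries = [mbr[446 + 16 * i: 462 + 16 * i] for i in range(4)]
    if any(e[4] == 0xEE for e in entries):      # protective MBR: real table is GPT
        hdr = img[SECTOR:2 * SECTOR]
        if hdr[:8] != b"EFI PART":
            return
        table_lba, = struct.unpack_from("<Q", hdr, 72)
        count, size = struct.unpack_from("<II", hdr, 80)
        for i in range(count):
            off = table_lba * SECTOR + i * size
            entry = img[off: off + size]
            if len(entry) >= 48 and any(entry[:16]):  # skip all-zero (unused) slots
                yield i, struct.unpack_from("<Q", entry, 32)[0]
    else:
        for i, e in enumerate(entries):
            start, sectors = struct.unpack_from("<II", e, 8)
            if e[4] != 0 and sectors:
                yield i, start

def bitlocker_partitions(img):
    """Return [(slot, start_lba)] for partitions whose boot sector has the BitLocker OEM ID."""
    return [(slot, lba) for slot, lba in partitions(img)
            if img[lba * SECTOR + 3: lba * SECTOR + 11] == BITLOCKER_OEM_ID]

def sample_image():
    """Constructed 48-sector GPT image: slot 0 is FAT-like, slot 1 is BitLocker-like."""
    img = bytearray(48 * SECTOR)
    img[450] = 0xEE                                        # protective MBR entry type
    img[510:512] = b"\x55\xaa"
    img[SECTOR:SECTOR + 8] = b"EFI PART"
    struct.pack_into("<QII", img, SECTOR + 72, 2, 2, 128)  # table at LBA 2, 2 entries
    for slot, (lba, oem) in enumerate([(34, b"MSDOS5.0"), (40, BITLOCKER_OEM_ID)]):
        off = 2 * SECTOR + slot * 128
        img[off:off + 16] = b"\x01" * 16                   # non-zero type GUID
        struct.pack_into("<Q", img, off + 32, lba)
        img[lba * SECTOR + 3: lba * SECTOR + 11] = oem
    return bytes(img)

if __name__ == "__main__":
    print(bitlocker_partitions(sample_image()))
```

For a real image, pass a read-only `mmap` of the file instead of reading it into memory; the functions only use slicing, which `mmap` objects support.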


   
(@c-r-s)
Estimable Member
Joined: 14 years ago
Posts: 170
 

> Currently working on a data retrieval job for a client. I "think" what she did was update the BIOS while the drive was encrypted with BitLocker, rather than suspending BitLocker before updating the BIOS; suspect the TPM encryption key got wiped.
>
> What is confusing me is, I actually have the recovery key, but every time the device boots, it comes up with an error code with the QR code scanner.

From a BIOS update causing a boot error, I'd expect either the boot mode (UEFI/BIOS) or SATA mode (legacy/AHCI/RAID) to be reset (especially the first). Under the default platform validation profile, you should be able to change these settings back without triggering BitLocker's recovery mode.


   
(@nirnias)
Active Member
Joined: 11 years ago
Posts: 15
Topic starter  

> Connecting the encrypted drive directly to a Windows box is the solution here. You will be prompted for the key.
>
> If you get anything other than a key prompt (likely errors), that suggests something is wrong with the device itself or the data.

Thanks for the advice, I am just waiting on the adapter needed to plug the SSD in. Am used to working with 2.5 or 3.5 inch SSDs/HDDs, need to wait for my order to arrive for a PCIe SSD adapter to do just this :)


   
(@nirnias)
Active Member
Joined: 11 years ago
Posts: 15
Topic starter  

> > Currently working on a data retrieval job for a client. I "think" what she did was update the BIOS while the drive was encrypted with BitLocker, rather than suspending BitLocker before updating the BIOS; suspect the TPM encryption key got wiped.
> >
> > What is confusing me is, I actually have the recovery key, but every time the device boots, it comes up with an error code with the QR code scanner.
>
> From a BIOS update causing a boot error, I'd expect either the boot mode (UEFI/BIOS) or SATA mode (legacy/AHCI/RAID) to be reset (especially the first). Under the default platform validation profile, you should be able to change these settings back without triggering BitLocker's recovery mode.

I will have another look, but in the BIOS I could not see a method of rolling back the changes that were made. Here for the day now so going to try any method.


   