I did something stupid. Help me I am stupid.

(@datalozer)
Posts: 3
Active Member
Topic starter
 

Dear all,

My physical disk has 3 partitions

----------------------------

549 MB NTFS system reserve Primary partition
C: 86 GB NTFS [Bitlocker encrypted] Primary partition
D: 200 GB NTFS [Bitlocker encrypted separate unique key] Primary partition
E: 412 GB NTFS [Bitlocker encrypted separate unique key] Primary partition

----------------------------

Using dd (dc3dd), I tried to back up my Bitlocker encrypted C: as an external disk image.
I backed up /dev/sda1 on an external disk but it turned out to be the system reserve partition.

So, I backed up /dev/sda2 which gave me my entire 86 GB C: (encrypted), perfect copy. I decided to restore it back to /dev/sda2 BUT somehow now my F:, which was a primary partition of 200GB which also was BitLocker encrypted with a separate key, has gotten overwritten!! How did that happen?

So my problem is that one 200GB BitLocker partition has somehow gotten overwritten by my C:'s encrypted partition. When I mount it I see contents of C:, not my F: 🙁
What can I do to salvage this situation?
I have the keys for my 200GB partition.

In case I cannot get anything back, where can I at least find a list of the files/folders if they were logged by Windows?
I can at least know what I have lost.
Please help. 🙁

 
Posted : 25/11/2023 12:26 am
(@tic-tac)
Posts: 23
Eminent Member
 

Aww man! There is nothing you can do to recover the files, but you could be able to see the list of files and folders that were on the F:\ drive by exploring the shellbags on your system drive C:\ with Eric Zimmerman's ShellBags Explorer tool:

https://www.sans.org/tools/shellbags-explorer/

 
Posted : 25/11/2023 8:41 pm
(@datalozer)
Posts: 3
Active Member
Topic starter
 

Hi, I was wondering if I could change the keytype and/or the GUID of the encrypted partition to the original one and forcefully try to mount using dislocker or something.
Not sure how BitLocker actually encrypts the drive. Since I have only overwritten 86 GB, I was hoping it would mount it if I reset the BitLocker index with size and GUID to its original settings. I have the BitLocker recovery file.

Anyways I will use shellbags and see if it helps .. Thank you.

 
Posted : 27/11/2023 9:50 am
(@datalozer)
Posts: 3
Active Member
Topic starter
 

Hello there, I was able to copy the file and retrieved the file list. Thankfully it was just movies and TV shows.. nothing sensitive or important.. but lesson learnt (both in terms of what not to do and also in terms of knowledge). Thank you once again.

Posted : 27/11/2023 10:14 am
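
A pre-restore check for the dd restore described in the first post, as an added example that is not part of the original thread: before an image is written back, it compares the image with the target partition by size and by first sector, and confirms the image carries the `-FVE-FS-` signature that a BitLocker volume has at byte offset 3. The function names and the sample "volumes" are constructed for illustration, and the check assumes the volume's first sector has not changed since the image was taken.

```python
import os
import tempfile

SECTOR = 512
BITLOCKER_SIG = b"-FVE-FS-"  # OEM ID at byte offset 3 of a BitLocker volume's first sector

def size_and_header(path):
    """Return (size in bytes, first sector) of an image file or a block device."""
    with open(path, "rb") as f:
        header = f.read(SECTOR)
        size = f.seek(0, os.SEEK_END)  # works for /dev/sdXN, where os.stat reports 0
    return size, header

def restore_problems(image, target):
    """Reasons why writing `image` onto `target` looks wrong; empty list means plausible."""
    img_size, img_hdr = size_and_header(image)
    tgt_size, tgt_hdr = size_and_header(target)
    problems = []
    if img_size != tgt_size:
        problems.append(f"size mismatch: image {img_size} B, target {tgt_size} B")
    if img_hdr[3:11] != BITLOCKER_SIG:
        problems.append("image does not start with a BitLocker volume header")
    # Assumption: the volume's first sector has not changed since it was imaged.
    if tgt_hdr != img_hdr:
        problems.append("first sector differs: target is not the imaged volume")
    return problems

def make_volume(path, sectors, tag):
    """Constructed sample data: a zero-filled file with a BitLocker-style first sector."""
    hdr = (b"\xeb\x58\x90" + BITLOCKER_SIG + tag).ljust(SECTOR, b"\x00")
    with open(path, "wb") as f:
        f.write(hdr + b"\x00" * SECTOR * (sectors - 1))
    return path

def demo():
    """Image of 'C' checked against the right partition and against a larger one."""
    d = tempfile.mkdtemp()
    image = make_volume(os.path.join(d, "c.img"), 8, b"vol-C")
    right = make_volume(os.path.join(d, "part_c"), 8, b"vol-C")
    wrong = make_volume(os.path.join(d, "part_other"), 16, b"vol-X")
    return restore_problems(image, right), restore_problems(image, wrong)

if __name__ == "__main__":
    ok, bad = demo()
    print("right target:", ok or "no problems")
    print("wrong target:", *bad, sep="\n  ")
```

Against a real disk, `restore_problems("c.img", "/dev/sdXN")` needs read access to the partition and should return an empty list before any write is attempted.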