Hi,
I was asked to recover files from an NTFS partition after an accidental reinstall of Windows via the network.
The issue is not how to recover the files – Outlook's .pst archives in this case –, which is relatively easy, but, as the partition was encrypted with Bitlocker, whether there is a possibility to convert the ciphered raw image to an unciphered one, to allow file carving in a second step.
I received the key that was used to access the NTFS partition before the reinstall of Windows. I read on Wikipedia that BitLocker uses per-sector AES encryption and this gives me hope to decipher all the sectors sequentially and create a new image.
But on Wikipedia it is also written that in BitLocker, AES encryption is "combined with the Elephant diffuser for additional disk encryption-specific security not provided by AES".
I'm unaware of what this Elephant diffuser does.
I heard about the dislocker Linux command.
Would it do the job?
I assume I would have to decipher the whole partition to an image file, or possibly directly to another partition of the same size. Correct?
As every expert here can understand, I don't want to mount the deciphered partition, because it was overwritten by the reinstall of Windows, but the partition must be deciphered (with the old key) for the data recovery tools to work.
I also need to know if in the case of a Windows reinstall through the network an image is cloned from the network (possibly overwriting all data), or if such a reinstall works exactly like when installing from a DVD, with the hope of still having some areas not overwritten.
The computer was running Windows 7.
Thanks a lot for any useful advice.
What do you mean by saying you have the "key to access the NTFS partition"? In BitLocker, there are two types of keys. First, the Recovery Key (the long sequence of numbers one can generally obtain from http//
@v.katalov
Thank you for your fast answer.
I was not aware that there were two kinds of keys.
What I received is the "Mot de passe de récupération", so the Recovery key I assume.
The key is made of 8 blocks of numbers, 6 digits each, separated by hyphens.
Could you suggest some tool(s) to derive the actual decryption key from that sequence of numbers?
Or alternatively, is there a relatively easy way to obtain the key extracted from the computer's RAM image?
Thanks a lot.
The search function on the site must be defective 😯
http://www.forensicfocus.com/Forums/viewtopic/t=12904/
You do not need any other software if you have the Bitlocker Recovery Key (the sequence of "8 blocks of numbers, 6-digit each, which are separated by hyphens"); you will be prompted to type them in when you mount the image.
jaclaz
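As an added illustration of the recovery-password format discussed above (example code written for this thread, not from any of the posters, from dislocker or from Microsoft's tools): each of the 8 six-digit groups is 11 times a 16-bit value, so a well-formed group is divisible by 11 and below 720896, and the 8 values pack into 16 bytes. The example assumes little-endian word order for that packed value. That 16-byte value is only an intermediate: BitLocker stretches it with a salt stored in the volume's metadata before it can unwrap anything, which is the part dislocker or the Repair Tool perform for you, so the code below validates and packs, nothing more.

```python
import re

# A BitLocker recovery password is 48 decimal digits in 8 groups of 6.
# Each group is 11 times a 16-bit value, so a well-formed group is
# divisible by 11 and below 65536 * 11 (= 720896).
BLOCK_COUNT = 8
BLOCK_LIMIT = 65536 * 11
BLOCK_RE = re.compile(r"^\d{6}$")


def validate_recovery_password(text):
    """Return the 8 groups of a recovery password as strings, or raise
    ValueError naming the first rule the input breaks."""
    groups = text.strip().replace(" ", "").split("-")
    if len(groups) != BLOCK_COUNT:
        raise ValueError(f"expected {BLOCK_COUNT} hyphen-separated groups, got {len(groups)}")
    for i, group in enumerate(groups, 1):
        if not BLOCK_RE.match(group):
            raise ValueError(f"group {i} is not exactly 6 digits: {group!r}")
        value = int(group)
        if value % 11:
            raise ValueError(f"group {i} fails the check (not a multiple of 11): {group}")
        if value >= BLOCK_LIMIT:
            raise ValueError(f"group {i} does not encode a 16-bit value: {group}")
    return groups


def is_valid_recovery_password(text):
    """Boolean wrapper for callers that only need a yes/no answer."""
    try:
        validate_recovery_password(text)
    except ValueError:
        return False
    return True


def recovery_password_to_bytes(text):
    """Pack the password into its 16-byte binary form: each group divided
    by 11 is one 16-bit word, written little-endian (assumed order) in
    group order. This is the value BitLocker stretches with a per-volume
    salt; it is not itself the volume key and cannot decrypt sectors."""
    words = [int(g) // 11 for g in validate_recovery_password(text)]
    return b"".join(w.to_bytes(2, "little") for w in words)


if __name__ == "__main__":
    # Constructed sample (not a real key): every group is a multiple of 11.
    sample = "000011-000022-000033-000044-000055-000066-000077-720885"
    print(is_valid_recovery_password(sample), recovery_password_to_bytes(sample).hex())
```

A useful first step before running any recovery tool: a password that fails the divisibility or range check was mis-transcribed, and no amount of stripping or repairing the image will fix that.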
… you will be prompted to type them in when you mount the image
@jaclaz Thank you for your answer and the link, but this time I'm not totally sure that you correctly understood my issue: I will not be able to mount the image, because the image was seriously – but still partially, I hope – overwritten by a new installation of Windows.
This means that I need to decrypt all bytes from the drive, using the Bitlocker Recovery key, in order to later apply a file carving tool (think like photorec or scalpel) like on an unencrypted image.
Of course, the deciphering would give some random data in the parts of the disk where the new Windows was installed, but this is not important, because these areas will simply be sterile during the file carving (or possibly producing a few false positives).
Do you think that if I provide the old Bitlocker Recovery key inside Windows, software like GetDataBack could then scan the drive (externally attached) as an unencrypted image?
Hi Zul22,
What I would suggest in this scenario is probably to get a small thumb drive or create a FAT32 image that is small enough just for the test.
You can later mount the image or USB thumb drive using something like OSFMount in Windows, and put a single file in. Put Bitlocker encryption on this mounted partition.
You can then copy the VBR or first few sectors of the image, and copy these to another blank image file or thumb drive. See if you can still do a Bitlocker mount using these copied sectors as VBR+ on the blank image.
Should the prior test succeed, a raw search for these Bitlocker hex signature remnants can potentially be performed on your original drive afterwards. I believe NTFS puts a backup VBR in a few places or at the end of the partition; I would be surprised if Bitlocker had not done something similar.
However, this is just my two cents. I have not personally tried the method but thought to see if it can help in any way.
Good luck with your digging Zul22!
Bitlocker is a volume encryption technology.
If a disk drive partition or volume is encrypted, it is encrypted.
If a partition or volume is mounted it is unencrypted (or accessible) on the fly, as such it is not encrypted anymore (to the OS that accesses it).
Writes (from the OS) will be encrypted on the fly.
You have to see it as an "encrypted container", let's say for the sake of an example, as a password protected WinRAR archive.
If you access the archive and provide the password you can access its contents.
If the archive is damaged the archiver may (or may not) be able to access its contents, and the archive may (or may not) be repaired, partially or totally.
If in your situation the container was partially overwritten the issue may be with a damaged container rather than with encryption, in which case what you want to try is the Bitlocker Repair Tool
https://
obviously on an image or possibly even better a clone.
jaclaz
What you probably need is Microsoft's BitLocker Repair Tool from https://
After running the tool, you may find this information useful
https://
Basically, it's a matter of downloading the tool and using it in the command line like
repair-bde e: d: -rp xxxxxx-xxxxxx-xxxxxx-xxxxxx-xxxxxx-xxxxxx-xxxxxx-xxxxxx -f -lf c:\log.txt
where "xxxxx" is your Recovery Key. If the beginning of the partition is encrypted with a different key (as per new Windows installation), you may need to strip that part of the image before passing it to the repair tool. Hope that helps!
you may need to strip that part of the image before passing it to the repair tool. Hope that helps!
Correct, I have to strip it.
How many Gigas do you suggest stripping?
How many Gigas do you suggest stripping?
That *really* depends on how much data was used up by the new Windows installation. Can be anything from about 1.5GB to pretty much the whole disk.
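Two points in this thread, the raw search for Bitlocker signature remnants suggested earlier and the question of how much of the image head to strip before handing it to the repair tool, can be answered from the same scan. The code below is an added example for this thread, not from any of the posters or from Microsoft's or dislocker's code. It relies on two facts about the on-disk format: a BitLocker volume header carries the OEM id "-FVE-FS-" at offset 3, and each of the volume's FVE metadata blocks (whose offsets the volume header records) starts with the same 8 bytes, while a freshly installed NTFS volume carries "NTFS    " at offset 3 of its boot sector. The test image is constructed, and the metadata-block positions (sectors 64, 1024 and 3072), the 512-byte sector size and the size of the simulated overwrite are assumptions chosen for the example.

```python
import mmap

SECTOR = 512
# OEM id at offset 3 of a BitLocker volume header; the same 8 bytes also
# open each of the volume's FVE metadata blocks.
BDE_SIGNATURE = b"-FVE-FS-"
# OEM id at offset 3 of a plain NTFS boot sector, as written by a fresh install.
NTFS_SIGNATURE = b"NTFS    "


def build_sample_image(total_sectors=4096, overwritten_sectors=512):
    """Constructed test image (not data from the thread): a BitLocker-style
    volume header at sector 0 with metadata-block copies at three assumed
    offsets, then a simulated reinstall that drops an NTFS boot sector at
    sector 0 and filler over the following sectors."""
    image = bytearray(SECTOR * total_sectors)

    def put_boot_sector(index, oem_id):
        off = index * SECTOR
        image[off:off + 3] = b"\xeb\x58\x90"     # jump stub as on real boot sectors
        image[off + 3:off + 11] = oem_id

    put_boot_sector(0, BDE_SIGNATURE)
    for index in (64, 1024, 3072):              # assumed metadata-block positions
        off = index * SECTOR
        image[off:off + 8] = BDE_SIGNATURE
    # The reinstall: new NTFS boot sector, then filler up to overwritten_sectors.
    put_boot_sector(0, NTFS_SIGNATURE)
    image[SECTOR:overwritten_sectors * SECTOR] = b"\xaa" * ((overwritten_sectors - 1) * SECTOR)
    return bytes(image)


def find_signatures(image, sector=SECTOR):
    """Scan sector-aligned offsets and return where BitLocker and NTFS
    signatures survive, as a dict of byte offset lists."""
    hits = {"bitlocker": [], "ntfs": []}
    for off in range(0, len(image) - sector + 1, sector):
        head = image[off:off + 11]
        if head[:8] == BDE_SIGNATURE or head[3:11] == BDE_SIGNATURE:
            hits["bitlocker"].append(off)
        elif head[3:11] == NTFS_SIGNATURE:
            hits["ntfs"].append(off)
    return hits


def scan_file(path):
    """Same scan over a real raw image, memory-mapped so a multi-GB file
    is not read into memory at once."""
    with open(path, "rb") as handle:
        with mmap.mmap(handle.fileno(), 0, access=mmap.ACCESS_READ) as mapped:
            return find_signatures(mapped)


def summarize(hits):
    """Reduce the hit lists to what an analyst needs before deciding how much
    of the image head to strip: where the new NTFS volume begins and where
    the first surviving BitLocker structure sits."""
    return {
        "new_ntfs_boot_sector": hits["ntfs"][0] if hits["ntfs"] else None,
        "first_surviving_bitlocker_offset": hits["bitlocker"][0] if hits["bitlocker"] else None,
        "surviving_bitlocker_count": len(hits["bitlocker"]),
    }


if __name__ == "__main__":
    sample = build_sample_image()
    for key, value in summarize(find_signatures(sample)).items():
        print(f"{key}: {value}")
```

On the constructed image the first metadata copy (sector 64) falls inside the overwritten region and disappears, while the copies at sectors 1024 and 3072 survive; the report therefore says exactly where the new installation's boot sector sits and where intact BitLocker structures begin, which is a better basis for the "how many gigabytes to strip" decision than guessing. Run it against a forensic image, never the original drive.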