Recover data from a ciphered NTFS after reinstall of Windows

16 Posts
5 Users
0 Likes
670 Views
Zul22
(@zul22)
Posts: 53
Trusted Member
Topic starter
 

Hi,

I was asked to recover files from a NTFS partition after an accidental reinstall of Windows via the network.

The issue is not how to recover the files – Outlook's .pst archives in this case –, which is relatively easy, but, as the partition was encrypted with Bitlocker, whether there is a possibility to convert the ciphered raw image to an unciphered one, to allow file carving in a second step.

I received the key that was used to access the NTFS partition before the reinstall of Windows. I read on Wikipedia that BitLocker uses per sector AES encryption and this gives me hope to decipher all the sectors sequentially and create a new image.

But on Wikipedia, is also written that in BitLocker, AES encryption is "combined with the Elephant diffuser for additional disk encryption-specific security not provided by AES".
I'm unaware about what this Elephant diffuser does.

I heard about the dislocker Linux command.
Would it do the job?
I assume I would have to decipher the whole partition to an image file, or possibly directly to another partition of the same size. Correct?

As every expert here can understand, I don't want to mount the deciphered partition, because it was overwritten by the reinstall of Windows, but the partition must be deciphered (with the old key) for the data recovery tools to work.

I also need to know if, in the case of a Windows reinstall through the network, an image is cloned from the network (possibly overwriting all data), or if such a reinstall works exactly like when installing from a DVD, with the hope of still having some areas not overwritten.

The computer was running Windows 7.

Thanks a lot for any useful advice.

 
Posted : 17/06/2015 3:21 pm
v.katalov
(@v-katalov)
Posts: 51
Trusted Member
 

What do you mean by saying you have the "key to access the NTFS partition"? In BitLocker, there are two types of keys. First, the Recovery Key (the long sequence of numbers one can generally obtain from http://windows.microsoft.com/recoverykey ). Then, there is the actual binary encryption key extracted from the computer's RAM image. If what you have is the actual binary encryption key, then you can use tools such as Elcomsoft Forensic Disk Decryptor (https://www.elcomsoft.com/efdd.html) to attempt using that key to mount and/or decrypt the volume. If, however, you received the Recovery Key, you'll have to use a tool that can derive the actual decryption key from that sequence of numbers.

 
Posted : 17/06/2015 4:47 pm
Zul22
(@zul22)
Posts: 53
Trusted Member
Topic starter
 

@v.katalov
Thank you for your fast answer.
I was not aware that there were two kinds of keys.

What I received is the "Mot de passe de récupération", so the Recovery key I assume.
The key is made of 8 blocks of numbers, 6 digits each, which are separated by hyphens.

Could you suggest some tool(s) to derive the actual decryption key from that sequence of numbers ?

Or alternatively, is there a relatively easy way to obtain the key extracted from the computer's RAM image?

Thanks a lot.

 
Posted : 17/06/2015 7:06 pm
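The question above is what a "recovery password" of 8 groups of 6 digits actually encodes, and whether it is the right kind of key. The following is an added example, not code from any poster in this thread: it validates the structure of such a password and unpacks the 16 bytes it carries, following the publicly documented layout (every group is divisible by 11 because its last digit is a check digit, each group divided by 11 is a 16-bit value, and the eight values are concatenated little-endian). It stops at that intermediate 128-bit value; BitLocker still passes it through a salted, iterated SHA-256 stretch before it can unlock anything, which is why a separate tool (repair-bde, dislocker, etc.) is needed to actually use it. The sample password in the block is constructed, not a real key.

```python
import struct

GROUPS = 8
DIGITS_PER_GROUP = 6
MAX_GROUP = 0xFFFF * 11  # largest group value that still encodes a 16-bit word


def parse_recovery_password(text: str) -> bytes:
    """Validate a 48-digit BitLocker recovery password and return the
    16-byte intermediate value it encodes (layout per public format notes
    such as libbde's documentation, not an official Microsoft API).

    Checks performed:
      - exactly 8 groups of exactly 6 decimal digits (hyphens or spaces between)
      - each group divisible by 11 (the 6th digit is a check digit)
      - each group / 11 fits in 16 bits
    """
    groups = [g for g in text.replace(" ", "-").split("-") if g]
    if len(groups) != GROUPS:
        raise ValueError(f"expected {GROUPS} groups, got {len(groups)}")
    words = []
    for i, g in enumerate(groups, 1):
        if len(g) != DIGITS_PER_GROUP or not g.isdigit():
            raise ValueError(f"group {i} is not {DIGITS_PER_GROUP} digits: {g!r}")
        n = int(g)
        if n % 11 != 0:
            raise ValueError(f"group {i} fails its check digit (not divisible by 11): {g}")
        if n > MAX_GROUP:
            raise ValueError(f"group {i} is out of range (> {MAX_GROUP}): {g}")
        words.append(n // 11)
    # eight little-endian uint16 words -> 16 bytes
    return struct.pack("<8H", *words)


def encode_recovery_password(key16: bytes) -> str:
    """Inverse of parse_recovery_password: turn 16 bytes into the 8-group
    textual form. Used here only to build a constructed sample."""
    if len(key16) != 16:
        raise ValueError("need exactly 16 bytes")
    words = struct.unpack("<8H", key16)
    return "-".join(f"{w * 11:0{DIGITS_PER_GROUP}d}" for w in words)


def check_digit_ok(group: str) -> bool:
    """Stand-alone check-digit test for one 6-digit group, expressed the way
    it is usually explained: alternating digit sum is 0 mod 11
    (equivalent to divisibility by 11)."""
    if len(group) != DIGITS_PER_GROUP or not group.isdigit():
        return False
    digits = [int(c) for c in group]
    return sum(d if i % 2 == 0 else -d for i, d in enumerate(digits)) % 11 == 0


if __name__ == "__main__":
    # Constructed sample value, not a real recovery password.
    sample_key = bytes(range(16))
    pw = encode_recovery_password(sample_key)
    print("sample password:", pw)
    print("round-trips:", parse_recovery_password(pw) == sample_key)
    for bad in ("000012-" + "000011-" * 7, "720896-" + "000000-" * 7):
        try:
            parse_recovery_password(bad)
        except ValueError as e:
            print("rejected:", e)
```

A practical use on the receiving end is to run the structural check before anything else: a transcription error in a single digit fails the check-digit test for that group, which is cheaper to find now than after a multi-hour repair-bde run.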
jaclaz
(@jaclaz)
Posts: 5135
Illustrious Member
 

The search function on the site must be defective 😯

http://www.forensicfocus.com/Forums/viewtopic/t=12904/

You do not need any other software if you have the Bitlocker Recovery Key (the sequence of "8 blocks of numbers, 6-digit each, which are separated by hyphens"), you will be prompted to type them in when you mount the image.

jaclaz

 
Posted : 18/06/2015 1:01 am
Zul22
(@zul22)
Posts: 53
Trusted Member
Topic starter
 

… you will be prompted to type them in when you mount the image

@jaclaz Thank you for your answer and the link, but this time I'm not totally sure that you correctly understood my issue: I will not be able to mount the image, because the image was seriously – but still partially, I hope – overwritten by a new installation of Windows.

This means that I need to uncrypt all bytes from the drive, using the Bitlocker Recovery key, in order to later apply a file carving tool (think photorec or scalpel) like on an uncrypted image.

Of course, the deciphering would give some random data in the parts of the disk where the new Windows was installed, but this is not important, because these areas will simply be sterile during the file carving (or possibly producing a few false positives).

Do you think that if I provide the old Bitlocker Recovery key inside Windows, software like GetDataBack could then scan the drive (externally attached) as an unencrypted image?

 
Posted : 18/06/2015 2:36 am
SurferDisk
(@surferdisk)
Posts: 2
New Member
 

Hi Zul22,

What I would suggest in this scenario is probably to get a small thumb drive or create FAT32 image that is small enough just for the test.

You can later mount the image or USB Thumbdrive using something like OSFmount in Windows, and put a single file in. Put a bitlocker encryption against this mounted partition.

You can then copy the VBR or first few sectors on the image, and copy these to another blank image file or thumbdrive. See if you can still do a bitlocker mount using these copied sectors as VBR+ to the blank image.

Should the prior test succeed, a raw search for the remnants of these bitlocker hex signatures can potentially be performed on your original drive afterwards. I believe NTFS puts a backup VBR in a few places or at the end of the partition; I would be surprised if bitlocker had not done something similar.

However, this is just my two cents. I have not personally tried the method but thought to see if it can help in any way.

Good luck with your digging Zul22!

 
Posted : 18/06/2015 6:41 am
jaclaz
(@jaclaz)
Posts: 5135
Illustrious Member
 

@Zul22

Bitlocker is a volume encryption technology.
If a disk drive partition or volume is encrypted, it is encrypted.
If a partition or volume is mounted it is unencrypted (or accessible) on the fly, as such it is not encrypted anymore (to the OS that accesses it).
Writes (from the OS) will be encrypted on the fly.

You have to see it as an "encrypted container", let's say for the sake of an example, as a password protected WinRAR archive.

If you access the archive and provide the password you can access its contents.

If the archive is damaged the archiver may (or may not) be able to access its contents, and the archive may (or may not) be repaired, partially or totally.

If in your situation the container was partially overwritten the issue may be with a damaged container rather than with encryption, in which case what you want to try is the Bitlocker Repair Tool
https://support.microsoft.com/en-us/kb/928201
obviously on an image or possibly even better a clone.

jaclaz

 
Posted : 18/06/2015 1:59 pm
v.katalov
(@v-katalov)
Posts: 51
Trusted Member
 

What you probably need is Microsoft's BitLocker Repair Tool from https://support.microsoft.com/en-us/kb/928201

After running the tool, you may find this information useful
https://social.technet.microsoft.com/Forums/windows/en-US/2d8e7c78-3c2b-41e7-98ec-b6bec65b6b08/how-can-i-open-the-image-file-generated-by-bitlocker-repair-tool?forum=w7itprosecurity

Basically, it's a matter of downloading the tool and using it in the command line like
repair-bde e: d: -rp xxxx-xxxxx-xxxxxx-xxxxx -f -lf c:\log.txt

where "xxxxx" is your Recovery Key. If the beginning of the partition is encrypted with a different key (as per new Windows installation), you may need to strip that part of the image before passing it to the repair tool. Hope that helps!

 
Posted : 18/06/2015 4:30 pm
Zul22
(@zul22)
Posts: 53
Trusted Member
Topic starter
 

you may need to strip that part of the image before passing it to the repair tool. Hope that helps!

Correct, I have to strip it.
How many Gigas do you suggest stripping?

 
Posted : 24/06/2015 2:57 pm
v.katalov
(@v-katalov)
Posts: 51
Trusted Member
 

How many Gigas do you suggest stripping?

That *really* depends on how much data was used up by the new Windows installation. Can be anything from about 1.5GB to pretty much the whole disk.

 
Posted : 27/06/2015 2:19 am
Zul22
(@zul22)
Posts: 53
Trusted Member
Topic starter
 

As repair-bde failed to recover the overwritten partition when not stripped at the beginning, I did this:

1. Accessed the partition using BitLocker's Password from the new installation of Windows
2. Checked how much data were written from the new installation of Windows (including it):
67'525'283'840 Bytes
3. Erased the first 67'525'283'840 bytes of the partition, using 4K blocks:
dd if=/dev/zero of=/dev/sdb1 bs=4096 count=16485665
4. Ran the repair-bde tool again, using the old BitLocker Password
(The total partition size is ~128 GB, the first 68 GB being blank.)
repair-bde F: D: -rp xxxxxx-xxxxxx-...-xxxxxx -f -lf C:\logFile.txt
But it fails:
ERROR: The input volume has suffered damages to critical information related to the decryption key.
Please try the -KeyPackage option to specify a key package. The volume may not be recoverable.

So, I assume that I should now ask the customer if he saved the important information of the KeyPackage on some external drive …

 
Posted : 29/06/2015 7:25 pm
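The repair-bde error above ("damages to critical information related to the decryption key") is about the FVE metadata, which lives in the volume's first sector plus three metadata blocks whose offsets that sector records. Before stripping or zeroing anything, it is worth checking which of those structures still exist. The block below is an added example, not code from the thread or from Microsoft: it parses the Windows 7 volume header as given in public format notes (OEM name "-FVE-FS-" at byte 3, three little-endian uint64 metadata offsets at byte 0xB0), reports whether each referenced metadata block still carries its signature, and independently scans the image sector by sector for surviving "-FVE-FS-" signatures, which is what remains possible once sector 0 has been overwritten or stripped. The 1 MiB image it works on is constructed in the block, with the third metadata copy deliberately missing to mimic an overwritten block; on a real case you would pass the bytes of the partition image instead.

```python
import struct

SECTOR = 512
FVE_SIGNATURE = b"-FVE-FS-"
HEADER_OFFSETS_AT = 0xB0  # Windows 7 layout: three uint64 LE metadata block offsets


def parse_volume_header(image: bytes) -> dict:
    """Parse sector 0 of a BitLocker volume (layout per public format notes,
    e.g. libbde's documentation; assumed here, not taken from Microsoft)."""
    if len(image) < SECTOR:
        raise ValueError("image is shorter than one sector")
    signature_ok = image[3:3 + len(FVE_SIGNATURE)] == FVE_SIGNATURE
    offsets = list(struct.unpack_from("<3Q", image, HEADER_OFFSETS_AT))
    return {"signature_ok": signature_ok, "metadata_offsets": offsets}


def metadata_block_status(image: bytes, offset: int) -> str:
    """Does the metadata block the header points at still start with the
    FVE signature? 'missing' means the sector is there but was overwritten."""
    if offset + len(FVE_SIGNATURE) > len(image):
        return "outside image"
    if image[offset:offset + len(FVE_SIGNATURE)] == FVE_SIGNATURE:
        return "intact"
    return "missing"


def scan_for_signatures(image: bytes) -> list:
    """Header-independent scan at sector granularity. The volume header
    carries the signature at byte 3 of its sector, metadata blocks at byte 0,
    so both positions are tested. Returns absolute byte offsets of hits."""
    hits = []
    n = len(FVE_SIGNATURE)
    for base in range(0, len(image), SECTOR):
        for rel in (0, 3):
            if image[base + rel:base + rel + n] == FVE_SIGNATURE:
                hits.append(base + rel)
    return hits


def assess(image: bytes) -> dict:
    """Combined report: is sector 0 usable, what do its three pointers find,
    and what does a blind scan find regardless of sector 0."""
    header = parse_volume_header(image)
    statuses = []
    if header["signature_ok"]:
        statuses = [metadata_block_status(image, o) for o in header["metadata_offsets"]]
    return {
        "header_ok": header["signature_ok"],
        "metadata": statuses,
        "scan_hits": scan_for_signatures(image),
    }


def build_sample_image(zero_header: bool = False) -> bytes:
    """Constructed 1 MiB image, NOT a real BitLocker volume: a header in
    sector 0 pointing at three metadata offsets (values chosen here), with
    the third copy left zeroed to mimic an overwritten block. zero_header
    mimics a reinstall that wiped sector 0 (or a stripped image)."""
    img = bytearray(1 << 20)
    meta_offsets = [0x10000, 0x20000, 0x30000]
    img[3:3 + len(FVE_SIGNATURE)] = FVE_SIGNATURE
    struct.pack_into("<3Q", img, HEADER_OFFSETS_AT, *meta_offsets)
    for off in meta_offsets[:2]:
        img[off:off + len(FVE_SIGNATURE)] = FVE_SIGNATURE
    if zero_header:
        img[0:SECTOR] = bytes(SECTOR)
    return bytes(img)


if __name__ == "__main__":
    for label, img in (("intact header", build_sample_image()),
                       ("sector 0 wiped", build_sample_image(zero_header=True))):
        r = assess(img)
        print(f"{label}: header_ok={r['header_ok']} metadata={r['metadata']} "
              f"scan_hits={[hex(h) for h in r['scan_hits']]}")
```

Reading the result against the thread: if the header is gone but the scan still finds metadata copies, the partition start was overwritten rather than the whole metadata set, and a repair attempt has something to work with; if the scan finds nothing at all, no amount of stripping in front of repair-bde will help, and the key package question becomes the only remaining route.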
jaclaz
(@jaclaz)
Posts: 5135
Illustrious Member
 

Well 67 Gb is not "an installation of windows".
A typical install size of XP is less than 2 Gb.
A typical install of Vista/7/8/8.1 is usually between 16 and 20 Gb or maybe 22 including updates.

If 67 Gb were rewritten it was more like a deployed image or the restore of a full backup of an existing windows install (including all programs and also data).

My guess is that "simply too much" has been overwritten to be able - even if you somehow manage to decrypt it - to recover anything meaningful (you would need to be sure that the data you are looking for was actually beyond those 67 Gb).

What you could try could be to create a new image, same exact length in bytes as the original disk, partition/format it, etc., then bitlocker protect it and set it to have the same "old" password as the original
http://www.itsupportguides.com/windows-7/windows-7-change-bitlocker-recovery-key/
then dd to it the last part (beyond the 67 Gb mark) of the original and see if the BDE repair tool can manage it.

jaclaz

 
Posted : 29/06/2015 8:54 pm
v.katalov
(@v-katalov)
Posts: 51
Trusted Member
 

jaclaz,

As far as I know, BitLocker full disk encryption does not use passwords (and does not ask for a password) if it's encrypting the system volume, the computer is equipped with a TPM module, and the administrative user is logged in with a Microsoft Account (as opposed to using a local Windows account). BitLocker To Go, on the other hand, does use a password.

 
Posted : 29/06/2015 9:44 pm
jaclaz
(@jaclaz)
Posts: 5135
Illustrious Member
 

jaclaz,

As far as I know, BitLocker full disk encryption does not use passwords (and does not ask for a password) if it's encrypting the system volume, the computer is equipped with a TPM module, and the administrative user is logged in with a Microsoft Account (as opposed to using a local Windows account). BitLocker To Go, on the other hand, does use a password.

I meant "recovery key", as in the given link
http://www.itsupportguides.com/windows-7/windows-7-change-bitlocker-recovery-key/

where key and password (like BTW in MS original documentation) are often exchanged but meaning the same thing, the sequence of "8 blocks of numbers, 6-digit each, which are separated by hyphens".

There is AFAIK no such thing as "full disk" encryption with bitlocker, the encryption is always applied to the volume(s) or to the drive (if you prefer, to the *whatever gets a drive letter*); for once the MS official documentation calls it properly "drive encryption"
https://technet.microsoft.com/en-us/library/cc766295(v=ws.10).aspx
https://technet.microsoft.com/en-us/library/dd835565(v=ws.10).aspx
While as said "recovery password" and "recovery key" are often "mixed up"
https://technet.microsoft.com/en-us/library/cc766295(v=ws.10).aspx#BKMK_S6
https://technet.microsoft.com/en-us/library/ee523219(v=ws.10).aspx

jaclaz

 
Posted : 29/06/2015 11:18 pm
jhup
(@jhup)
Posts: 1442
Noble Member
 

It is only a volume encryption. It does not even encrypt any volume slack.

 
Posted : 29/06/2015 11:50 pm