[Solved] Recovering data from a corrupted but decrypted Bitlocker-drive  

Page 2 / 2
passcodeunlock
(@passcodeunlock)
Senior Member

Before anything, make an image of the decrypted volume as it is, chkdsk might do more mess than good, then you can start digging again...

Posted : 15/10/2020 7:03 am
jaclaz
(@jaclaz)
Community Legend

Very good, so the BDE-REPAIR somehow didn't sense that the $MFT was already decrypted by the previous (interrupted) operation and re-decrypted it (in practice encrypting it).

No idea if this is the case, but it is possible (it would make sense) that when decrypting a volume "normal" bitlocker starts from the $MFT and other NTFS "internal" files and only once they are decrypted starts decrypting files.

If this is the case, the interrupted operation would result in all the metadata valid but possibly some files still encrypted.

But if the BDE-REPAIR does an unconditional decryption, then those files that were still encrypted will result unencrypted after the BDE-REPAIR, so their extents (decrypted) can be recovered from the "other" image and vice versa.

It will probably need some patience and attention, but most probably you can combine the two images also for these files (if any).

jaclaz

Posted : 15/10/2020 6:07 pm
deady1000
(@deady1000)
New Member

Guys, it's working!!

 

Again, I started GetDataBack Pro on the first original partition and I was able to extract the MFTs (some corrupted and also some in very good condition). In the program I could already see the folder structures and all my files/folders. I saved all the MFTs the program could find and checked them with HxD (hex-editor). Some looked very promising. I tried to recover some files via GetDataBack Pro and tested them and they WORK 100%.

It's really funny that GetDataBack Pro is like the only program that will try to read a partition that claims to be bitlocker-encrypted. With other programs I had big problems to scan this partition in the first place. Since the files are technically not encrypted it is easy for the program to 'rescue' them.

 

Today I got another 8TB HDD and I created 2 new partitions.

Right now I am recovering the files/folders from first original partition via GetDataBack Pro directly on the new HDD/partition1. When this is finished I'll again check the files manually.

 

After that the CHKDSK from the second partition (video-files) on the other bde-repaired-HDD should be finished. Either the files are accessible and I can copy paste them via the Windows Explorer or I'll go into WinHex again and overwrite the corrupted MFT with the original one (see my last post where I extracted the working MFT with GetDataBack Pro). When the MFT is overwritten (repaired), I'll make another scan with WinHex or GetDataBack Pro (shouldn't make a difference) and I'll find all my files which again I then can copy/recover on the new HDD/partition2.

 

This should be the solution.

I'll have both partitions inclusive folder structures and filenames back and should not have a big data-loss. I currently can't say if there are files that are missing due to unfinished decryption though. I guess I just have to check them manually but on the first look I don't miss a thing.

 

I will keep you updated.

This will take a while now since we're talking about ~7 TB.

 

Posted : 16/10/2020 1:52 pm
passcodeunlock
(@passcodeunlock)
Senior Member

Good to hear and good luck there!

I tried a small dummy test, hard reset while bitlocker decryption, but nothing bad happened, on the next run, it asked for the password again and opened the container without problems.

If you have time, try to reproduce this! Besides the disaster recovery, I would be interested in finding why this happened and if it will occur, how to deal with it.

I might think that you got some bad sectors on the original harddrive and that is why this happened, but that is only a guess.

Posted : 16/10/2020 10:10 pm
jaclaz
(@jaclaz)
Community Legend
Posted by: @passcodeunlock

I tried a small dummy test, hard reset while bitlocker decryption, but nothing bad happened, on the next run, it asked for the password again and opened the container without problems.

 

It is possible that the behaviour simply does not "scale".

OP's filesystem (and data in it) is "queer" (in the sense that it is different from most common ones), it is extremely large (2 TB or more) with an extremely small number of files, but fairly filled up (85%) as the $MFT is extremely small (3 MB, i.e. roughly 3,000 entries if it is a 512 byte/sector device that implies 1,024 bytes per $MFT record or - in the case of a 4 KB sectored device - 1/4 of those, only 750 files).

A more "common" NTFS filesystem usually has the $MFT 0.1%-0.2% of size (tens or hundreds of MB for the $MFT) or more AFAICR (as the number of files and their average size is much smaller).

For all we know this behaviour may be repeatable only on a similar filesystem with the hard reset happening at an exact (unknown) moment.

jaclaz

 

Posted : 17/10/2020 9:15 am
deady1000
(@deady1000)
New Member

Hey guys,

I recovered the whole first partition via GetDataBack Pro and checked most of the files. They are in perfect condition and folder structures are preserved. I don’t miss any files. The HDD must have been decrypted 100% before the system was shutdown abruptly. So, no data-loss there. Partition 1 is rescued and copied to the new HDD/partition1. GetDataBack Pro is an amazing tool when you want to rescue a partition that is shown as “Bitlocker-encrypted”. In case there is any good MFT to find (at least partially) you will be able to recover the decrypted files preserving filenames and folder structures if there are any.

With the second partition I had to do some more steps. First, I used “repair-bde” with the Bitlocker-recovery-key and decrypted the partition to the new HDD. Unfortunately, most of the files could not be found after. Via WinHex/X-Ways Forensics I could see some files (like 270GB) but most of the 4TB partition were missing.* (Problem is that files are decrypted but the already-decrypted MFT was also decrypted – so it was encrypted again!) Then I used GetDataBack Pro again on the original Bitlocker-encrypted partition to extract the already-decrypted (!) MFT – you could probably also extract the MFT with other tools like WinHex. This step was crucial! In GetDataBack Pro I could see the correct folder structures and all the files but I wasn’t able to recover them because they would all be corrupted (because they were still encrypted on that partition). So, I recovered the MFT and checked it manually with HxD. When comparing the MFTs on both drives (one original, one bde-repaired) I realized that the MFT on the bde-repaired partition was scrambled/double-decrypted. I used WinHex to overwrite (!) the hex-block of the bde-repaired MFT with the good original MFT. After doing that I instantly could see all the video-files with preserved filenames and folder structures via WinHex/X-Ways Forensics and also GetDataBack Pro on the bde-repaired partition. At this point I started recovering all the files/folders via GetDataBack Pro onto the new HDD/partition2. After checking some files manually, I couldn’t find any errors. To check all files, I downloaded this script which uses ffmpeg to find any data-corruption in video-files: https://github.com/describe19/check-video . Today the file check finished and I can come to the conclusion that all video-files are in the same condition as they were before. So, the partition2 is also rescued.

* To make sure I did not miss a thing I did another “repair-bde” of the original partition2 and scanned it with X-Ways Forensics to recover the ~270GB of files which can always be found without manipulating the MFT. I’ll check these files too and will see if either they were missing on the first run or if they may even be corrupted and I’ve got to recover them from the original partition because they are again double-decrypted. Will check that but now, since I know what filenames they have, I’ll find them.

In conclusion I can say that all my files are recovered without noticeable data-loss and when I read other threads which can be found via Google-search, I think I'm quite lucky that this was even possible. I read of many OPs that were not able to recover any files after getting the error-messages I got. Really happy to have all my data back. From now on I'll always keep a 1:1-backup of the HDD because this crap was really nerve-wracking and I realize that you always miss what you've lost when it's already too late. ^^

So, thank you very much for your help. I learned a lot. And though my case may be quite exotic, I hope I may help someone who comes into a similar situation.

 

Thank you!

 

PS: One more thing. After overwriting the MFT on the bde-repaired partition2 I did a CHKDSK run (as jaclaz told me) and afterwards set the security-permissions to 'everyone', I was able to open the partition in Windows Explorer (containing all files preserving filenames and folderstructures) and I used it to copy/recover the files to the new HDD. So it was not necessary to use GetDataBack Pro or other tools to open the partition. CHKDSK did a good job there. And as I said, afterwards I checked all files via ffmpeg-script and they were all healthy.

Posted : 17/10/2020 9:58 am
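The crucial step in the post above was recognising that the $MFT on the repair-bde output was scrambled while the copy on the original volume was intact. The following added example (not code from the thread or from any of the tools named in it) shows one way to make that check repeatable on a raw image: it reads the NTFS boot sector to locate $MFT and the record size, counts how many records carry the expected FILE signature, and also applies jaclaz's "3 MB $MFT divided by record size" estimate from the post above. The boot sector, record layout and the XOR scrambling used to imitate a double-decrypted $MFT are all constructed in-memory sample data.

```python
import struct

def parse_boot_sector(bs: bytes) -> dict:
    """Read the NTFS geometry needed to find $MFT from the first 512 bytes of a volume."""
    if bs[3:11] != b"NTFS    ":
        raise ValueError("no NTFS OEM id at offset 3: not a decrypted NTFS volume")
    bps = struct.unpack_from("<H", bs, 0x0B)[0]          # bytes per sector
    spc = bs[0x0D]                                        # sectors per cluster
    mft_lcn = struct.unpack_from("<Q", bs, 0x30)[0]       # first cluster of $MFT
    cpr = struct.unpack_from("<b", bs, 0x40)[0]           # clusters per MFT record (signed)
    record = (1 << -cpr) if cpr < 0 else cpr * spc * bps  # negative value means 2**(-cpr) bytes
    return {"mft_offset": mft_lcn * spc * bps, "record_size": record}

def mft_health(image: bytes, n_records: int) -> tuple:
    """Count $MFT records that start with the 'FILE' signature versus those that do not."""
    geo = parse_boot_sector(image[:512])
    good = bad = 0
    for i in range(n_records):
        off = geo["mft_offset"] + i * geo["record_size"]
        rec = image[off:off + geo["record_size"]]
        if len(rec) < geo["record_size"]:
            break
        if rec[:4] == b"FILE":
            good += 1
        else:
            bad += 1
    return good, bad

def estimate_entries(mft_bytes: int, record_size: int) -> int:
    """Upper bound on file records in an $MFT of the given size (jaclaz's estimate)."""
    return mft_bytes // record_size

def build_sample(scrambled: set) -> bytes:
    """Constructed sample volume: boot sector, $MFT at LCN 4, four 1024-byte records."""
    bs = bytearray(512)
    bs[3:11] = b"NTFS    "
    struct.pack_into("<H", bs, 0x0B, 512)   # 512 bytes per sector
    bs[0x0D] = 8                            # 8 sectors per cluster (4 KiB clusters)
    struct.pack_into("<Q", bs, 0x30, 4)     # $MFT starts at cluster 4 -> byte offset 16384
    struct.pack_into("<b", bs, 0x40, -10)   # 2**10 = 1024 bytes per record
    bs[510:512] = b"\x55\xaa"
    img = bs + bytearray(4 * 8 * 512 - 512)
    for i in range(4):
        rec = bytearray(1024)
        rec[:4] = b"FILE"
        if i in scrambled:                  # imitate a re-encrypted record: signature destroyed
            rec = bytearray(b ^ 0xA5 for b in rec)
        img += rec
    return bytes(img)

if __name__ == "__main__":
    print("intact:", mft_health(build_sample(set()), 4))
    print("scrambled:", mft_health(build_sample({0, 1, 2, 3}), 4))
```

On a real image, replace build_sample() with the first 512 bytes plus the $MFT region read from the file; a result with mostly non-FILE records is the symptom the post describes and the cue to take the $MFT from the other image instead.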
jaclaz
(@jaclaz)
Community Legend

Very good.

I am curious about the "270 GB" files.

If the "result" of BDE-REPAIR was double-decrypted=re-encrypted and those "passed through" correct, it should mean that they were the only file that were not decrypted at the time the hard-reset happened (and thus you can find them in encrypted form in the original and correctly unencrypted in the "bde-repair processed copy").

jaclaz

Posted : 17/10/2020 12:30 pm
deady1000
(@deady1000)
New Member
Posted by: @jaclaz

 

I am curious about the "270 GB" files.

If the "result" of BDE-REPAIR was double-decrypted=re-encrypted and those "passed through" correct, it should mean that they were the only file that were not decrypted at the time the hard-reset happened (and thus you can find them in encrypted form in the original and correctly unencrypted in the "bde-repair processed copy").

I checked that now and no, all the files are already recovered. They are also healthy there but no need to recover them too because I already got them. I tried copying them into the new folder and the output was that every file was skipped because it was already existing. I double checked that both versions of the file were healthy and they were. So, everything is ok.

 

I guess I'm really lucky that both partitions were interrupted in each a 100% state of decryption/encryption because I used "manage-bde pause" on the second partition when I decrypted them to let the first partition decrypt undisturbed in full speed. The system shutdown must have occurred when partition1 was decrypted and partition2 was still encrypted.

 

Currently I am wiping the 10TB drive and the original 8TB drive with DD (zero) in Linux. The other 8TB drive on which I recovered all the files is now standing in the shelf until I can make a 1:1 backup with the other 8TB drive. Of course I double checked not to wipe the recovered drive - lol.

 

Where we're at drive-encryption, what do you think about Bitlocker-Drive-Encryption? Should I do it again, keeping the recovery-password and key-packages? I mean it's quite comfortable and I'm used to it but would you recommend it?

And second question is, would you recommend to format a drive in full-format-mode (not fast format) to check for bad sectors? Or is this unnecessary when I already used dd-zero and maybe "CHKDSK /f"?

 

Greetings!

Posted : 17/10/2020 5:10 pm
jaclaz
(@jaclaz)
Community Legend

Well - personally - (and most probably I will be crucified for this statement) I find that encryption represents mainly a good way to - before or later - lose data without any actual practical advantage for *any* common user.

So what I would recommend is to not encrypt anything or - if really-really needed (which I believe it is rare) - encrypt only the bare minimum for which encryption is actually a real necessity.

This said, I don't think bitlocker is worse (or better) than other tools like truecrypt/veracrypt, though these latter ones seem to me like more "flexible".

No need to format "full" a 00ed disk, only I would not have used dd to 00 it, but rather the internal secure erase functions (as they are usually faster and more than that "self-standing") particularly for such huge disks.

As well, no real need to CHKDSK a freshly formatted volume (which is essentially empty of data and with brand-new, just initialised metadata).

Then again - personally - I wouldn't even think of having such huge volumes, personally I would make more smaller volumes and use mountpoints on a "central volume" to access them.

I will risk quoting myself (general advice given some time ago to someone who had a corrupted disk -that luckily was also recovered ):

Now, general advice:
1) on a disk up to 2.2TB  use MBR style (it is simply simpler and has worked just fine in the last 30+ years )
2) on a disk greater than 2.2 TB use GPT style
3) use NTFS (forget about exFAT if not for exchanging data), again it simply worked just fine for the last 25+ years and it is (even if incompletely) far more known than ExFAT and it already contains several (complex) mechanisms that do help both in data recovery and in integrity of data
4) make MORE (smaller) volumes (personally I wouldn't even think of making volumes bigger than - say - 500 GB, but this may depend), the more you make the less issues you will have (or - to be more exact - the same issues will make less damages or more easy to recover ones (or more easy to give up on) definitely easier to copy/backup/recover/etc.
The classical (BTW completely wrong) objections to this approach are usually:
a. but if I make more than 4 partitions they will be logical volumes inside extended and they are more difficult to ... (now this was bul***** before, but now in GPT all volumes are primary partitions and you can have up to 128 of them, and don't come telling me they are not enough)
b. but this way I will have many drive letters and there are only 24 of them available (it is since Windows 2000 that we have mountpoints, that is NOT a problem)

Basically what you (like everyone else BTW) did was to take an enormous warehouse and fill it with file cabinets (directories) full of data (files) without ANY idea on the actual physical location of each file cabinet as you rely on a gigantic robotic arm that can automagically find them file cabinets.

What I propose you is to fill the warehouse with a number of 40 feet containers, each one filled with file cabinets.

At least you know where a given file cabinet is physically and should one of the file cabinet catch fire, it will likely only affect the container it is in but not the other container next to it in the warehouse.

Of course this approach is more difficult to implement, and requires (a little bit) more work/dedication.

5) keep files contiguous, while you ponder on this advice, defrag your filesystem

jaclaz

 

Posted : 17/10/2020 6:24 pm