Hey guys,
I recovered the whole first partition via GetDataBack Pro and checked most of the files. They are in perfect condition and folder structures are preserved. I don’t miss any files. The HDD must have been decrypted 100% before the system was shut down abruptly. So, no data-loss there. Partition 1 is rescued and copied to the new HDD/partition1. GetDataBack Pro is an amazing tool when you want to rescue a partition that is shown as “Bitlocker-encrypted”. In case there is any good MFT to find (at least partially) you will be able to recover the decrypted files preserving filenames and folder structures if there are any.
With the second partition I had to do some more steps. First, I used “repair-bde” with the Bitlocker-recovery-key and decrypted the partition to the new HDD. Unfortunately, most of the files could not be found after. Via WinHex/X-Ways Forensics I could see some files (like 270GB) but most of the 4TB partition was missing.* (Problem is that files are decrypted but the already-decrypted MFT was also decrypted – so it was encrypted again!)
Then I used GetDataBack Pro again on the original Bitlocker-encrypted partition to extract the already-decrypted (!) MFT – you could probably also extract the MFT with other tools like WinHex. This step was crucial! In GetDataBack Pro I could see the correct folder structures and all the files but I wasn’t able to recover them because they would all be corrupted (because they were still encrypted on that partition). So, I recovered the MFT and checked it manually with HxD. When comparing the MFTs on both drives (one original, one bde-repaired) I realized that the MFT on the bde-repaired partition was scrambled/double-decrypted. I used WinHex to overwrite (!) the hex-block of the bde-repaired MFT with the good original MFT. After doing that I instantly could see all the video-files with preserved filenames and folder structures via WinHex/X-Ways Forensics and also GetDataBack Pro on the bde-repaired partition.
At this point I started recovering all the files/folders via GetDataBack Pro onto the new HDD/partition2. After checking some files manually, I couldn’t find any errors. To check all files, I downloaded this script which uses ffmpeg to find any data-corruption in video-files: https://github.com/describe19/check-video . Today the file check finished and I can come to the conclusion that all video-files are in the same condition as they were before. So, the partition2 is also rescued.
* To make sure I did not miss a thing I did another “repair-bde” of the original partition2 and scanned it with X-Ways Forensics to recover the ~270GB of files which can always be found without manipulating the MFT. I’ll check these files too and will see if either they were missing on the first run or if they may even be corrupted and I’ve got to recover them from the original partition because they are again double-decrypted. Will check that but now, since I know what filenames they have, I’ll find them.
In conclusion I can say that all my files are recovered without noticeable data-loss and when I read other threads which can be found via Google-search, I think I’m quite lucky that this was even possible. I read of many OTs that were not able to recover any files after getting the error-messages I got. Really happy to have all my data back. From now on I’ll always keep a 1:1-backup of the HDD because this crap was really nerve-wracking and I realize that you always miss what you’ve lost when it’s already too late. ^^
So, thank you very much for your help. I learned a lot. And though my case may be quite exotic, I hope I may help someone who comes into a similar situation.
Thank you!
PS: One more thing. After overwriting the MFT on the bde-repaired partition2 I did a CHKDSK run (as jaclaz told me) and afterwards set the security-permissions to 'everyone'. I was able to open the partition in Windows Explorer (containing all files preserving filenames and folder structures) and I used it to copy/recover the files to the new HDD. So it was not necessary to use GetDataBack Pro or other tools to open the partition. CHKDSK did a good job there. And as I said, afterwards I checked all files via ffmpeg-script and they were all healthy.
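The MFT comparison described in the post above, as an added example that is not part of the thread or of any tool it mentions: a Python sketch that walks two extracted MFT dumps record by record and reports which file records are intact in the original but scrambled in the repaired copy. It assumes the default 1024-byte NTFS file record size; the function names and the sample dumps are constructed for illustration, and the XOR "scramble" is only a stand-in for wrongly decrypted data.

```python
import struct
from collections import Counter

RECORD_SIZE = 1024  # assumption: default NTFS file record size

def classify(record):
    """Label one MFT file record by looking at its header."""
    if record.count(0) == len(record):
        return "empty"                      # never-used slot
    sig = record[:4]
    if sig == b"BAAD":
        return "baad"                       # NTFS marked the record as damaged
    if sig != b"FILE":
        return "scrambled"                  # no record signature at all
    # Used size at 0x18, allocated size at 0x1C (little-endian DWORDs).
    used, alloc = struct.unpack_from("<II", record, 0x18)
    return "valid" if 0 < used <= alloc == len(record) else "suspect"

def scan(dump, size=RECORD_SIZE):
    """Count record classes over a whole MFT dump."""
    return Counter(classify(dump[i:i + size])
                   for i in range(0, len(dump) - size + 1, size))

def diff(original, repaired, size=RECORD_SIZE):
    """Record indices that are valid in the original but not in the repaired dump."""
    n = min(len(original), len(repaired)) // size
    return [i for i in range(n)
            if classify(original[i * size:(i + 1) * size]) == "valid"
            and classify(repaired[i * size:(i + 1) * size]) != "valid"]

def make_record(used=0x1A0, size=RECORD_SIZE):
    """Constructed minimal file record header (sample data, not a real MFT)."""
    rec = bytearray(size)
    rec[0:4] = b"FILE"
    struct.pack_into("<HH", rec, 4, 0x30, 3)     # update sequence offset / count
    struct.pack_into("<H", rec, 0x16, 0x01)      # flags: record in use
    struct.pack_into("<II", rec, 0x18, used, size)
    return bytes(rec)

def scramble(data, key=0x5A):
    """Stand-in for wrongly decrypted data; this is not BitLocker's cipher."""
    return bytes(b ^ key for b in data)

# Constructed dumps: three good records plus one empty slot, and a copy
# in which records 1 and 2 have been scrambled.
GOOD = make_record() * 3 + bytes(RECORD_SIZE)
BAD = make_record() + scramble(make_record() * 2) + bytes(RECORD_SIZE)

if __name__ == "__main__":
    print("original:", dict(scan(GOOD)))
    print("repaired:", dict(scan(BAD)))
    print("records lost in repaired copy:", diff(GOOD, BAD))
```

Run it against dumps taken from images or copies, never against the only remaining original.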
Very good.
I am curious about the "270 GB" files.
If the "result" of BDE-REPAIR was double-decrypted=re-encrypted and those "passed through" correct, it should mean that they were the only files that were not decrypted at the time the hard-reset happened (and thus you can find them in encrypted form in the original and correctly unencrypted in the "bde-repair processed copy").
jaclaz
I checked that now and no, all the files are already recovered. They are also healthy there but no need to recover them too because I already got them. I tried copying them into the new folder and the output was that every file was skipped because it was already existing. I double checked that both versions of the file were healthy and they were. So, everything is ok.
I guess I'm really lucky that both partitions were interrupted in each a 100% state of decryption/encryption because I used "manage-bde pause" on the second partition when I decrypted them to let the first partition decrypt undisturbed in full speed. The system shutdown must have occurred when partition1 was decrypted and partition2 was still encrypted.
Currently I am wiping the 10TB drive and the original 8TB drive with DD (zero) in Linux. The other 8TB drive on which I recovered all the files is now standing in the shelf until I can make a 1:1 backup with the other 8TB drive. Of course I double checked not to wipe the recovered drive - lol.
Where we're at drive-encryption, what do you think about Bitlocker-Drive-Encryption? Should I do it again, keeping the recovery-password and key-packages? I mean it's quite comfortable and I'm used to it but would you recommend it?
And second question is, would you recommend to format a drive in full-format-mode (not fast format) to check for bad sectors? Or is this unnecessary when I already used dd-zero and maybe "CHKDSK /f"?
Greetings!
Well - personally - (and most probably I will be crucified for this statement) I find that encryption represents mainly a good way to - before or later - lose data without any actual practical advantage for *any* common user.
So what I would recommend is to not encrypt anything or - if really-really needed (which I believe it is rare) - encrypt only the bare minimum for which encryption is actually a real necessity.
This said, I don't think bitlocker is worse (or better) than other tools like truecrypt/veracrypt, though these latter ones seem to me like more "flexible".
No need to format "full" a 00ed disk, only I would not have used dd to 00 it, but rather the internal secure erase functions (as they are usually faster and more than that "self-standing") particularly for such huge disks.
As well, no real need to CHKDSK a freshly formatted volume (which is essentially empty of data and with brand-new, just initialised metadata).
Then again - personally - I wouldn't even think of having such huge volumes, personally I would make more smaller volumes and use mountpoints on a "central volume" to access them.
I will risk quoting myself (general advice given some time ago to someone who had a corrupted disk - that luckily was also recovered):
Now, general advice:
1) on a disk up to 2.2TB use MBR style (it is simply simpler and has worked just fine in the last 30+ years)
2) on a disk greater than 2.2 TB use GPT style
3) use NTFS (forget about exFAT if not for exchanging data), again it simply worked just fine for the last 25+ years and it is (even if incompletely) far more known than ExFAT and it already contains several (complex) mechanisms that do help both in data recovery and in integrity of data
4) make MORE (smaller) volumes (personally I wouldn't even think of making volumes bigger than - say - 500 GB, but this may depend), the more you make the less issues you will have (or - to be more exact - the same issues will make less damages or more easy to recover ones (or more easy to give up on) definitely easier to copy/backup/recover/etc.
The classical (BTW completely wrong) objections to this approach are usually:
a. but if I make more than 4 partitions they will be logical volumes inside extended and they are more difficult to ... <put here something either senseless or that can be done just fine (knowing how)> (now this was bul***** before, but now in GPT all volumes are primary partitions and you can have up to 128 of them, and don't come telling me they are not enough)
b. but this way I will have many drive letters and there are only 24 of them available (it is since Windows 2000 that we have mountpoints, that is NOT a problem)
Basically what you (like everyone else BTW) did was to take an enormous warehouse and fill it with file cabinets (directories) full of data (files) without ANY idea on the actual physical location of each file cabinet as you rely on a gigantic robotic arm that can automagically find them file cabinets.
What I propose you is to fill the warehouse with a number of 40 feet containers, each one filled with file cabinets.
At least you know where a given file cabinet is physically and should one of the file cabinet catch fire, it will likely only affect the container it is in but not the other container next to it in the warehouse.
Of course this approach is more difficult to implement, and requires (a little bit) more work/dedication.
5) keep files contiguous, while you ponder on this advice, defrag your filesystem
jaclaz