Bitlocker Data Recovery

Recover Files from an Encrypted Drive

Data Recovery from a Bitlocker-Encrypted Drive

BitLocker is a Windows security feature that encrypts entire drives to protect data from theft or exposure. It is included in all Windows Pro versions, starting with Windows Vista. It is not included in Windows Home.

BitLocker encrypts the entire drive to make data inaccessible without a decryption key. This recovery key is a unique 48-digit number that is required to unlock the drive. If the drive is connected to a different device, the user must provide the key to access the data. In addition to the key, the drive can also be protected with a password, which can be used along with the recovery key.

When using GetDataBack on a Bitlocker-encrypted drive, it sees the drive in its encrypted state when you access it as a physical drive. Only after unlocking the drive by entering the password or recovery key is the decrypted drive accessible as a logical volume (e.g., E:) and can be scanned by GetDataBack.

Software we will use:

DiskExplorer X  Low-level Disk Viewer

DriveDoppel  Command line drive cloner

GetDataBack Pro  Data Recovery

Example: Recovering Files from a Locked USB Drive

We will show how to recover data from a Bitlocker-encrypted drive using an 8 GB USB drive as an example. That USB drive is no longer accessible, and Windows offers to format it, which we better not do. 

DiskExplorer X

Inaccessible Bitlocker Drive: Windows does not even recognize it.

The following instructions are intended for tech-savvy users. Act cautiously, especially when using the low-level disk tool "DriveDoppel."

  • 1 - Identify Bitlocker Drive.  
    Download DiskExplorer X. Install and start the software.

    DiskExplorer X

    DiskExplorer X: Available Disks

    DISK2  is our Bitlocker-encrypted disk that we want to recover. Note that the size of this drive is 15730688 sectors (we will need this number later). Our first task is to locate the Bitlocker partition on this disk. We will take advantage of the fact that -FVE-FS- is a signature for Bitlocker partitions. 

  • 2. - Locate Bitlocker Partition
    Click on the entry for DISK2, and DiskExplorer X will show you this drive's first sector (sector 0). Press F3 or click "HEX" to change the view of the sector to hexadecimal. Press CTRL-F to bring up the search windows. 

    DiskExplorer X

    DiskExplorer X: Search dialog

    Click on the field next to "Text" and write -FVE-FS-, then click "OK". 

  • 3. - Calculate Boot Record  
    After a brief search we have successfully located the Bitlocker partition at sector 2048.

    DiskExplorer X

    DiskExplorer X: Bitlocker Boot Sector

    To force Windows to see the Bitlocker partition again, we will restore the partition table of the Master Boot Record so that it points to the Bitlocker partition. The start of the Bitlocker partition is 2048. We will set the size of this partition to the size of the drive minus 2048, which is 15730688-2048=15728640.

  • 4. - Prepare Tools  
    Download our tool DriveDoppel. Open a command prompt window and issue the command:

    dd /dl.

    Warning Please be careful when using DriveDoppel. With a wrong input you can easily destroy your data.

    DriveDoppel in Command Prompt

    DriveDoppel: Show drive list with dd /dl

  • 5. - Write Boot Record  
    Make sure DISK2 is the USB drive we are working on. 

    Then type:

    dd boot(fs=ntfs,start=2048,count=15728640) disk2:.

    This command will write a partition table with one entry to sector 0 of DISK2. This entry will point to sector 2048 which is the start of the Bitlocker partition.

    DriveDoppel in Command Prompt

    DriveDoppel: Show drive list with dd /dl

    Carefully read the confirmation dialog, then type y and press "Enter" 

  • 6. - Force Bitlocker Drive Recognition  
    We unplug the drive and plug it back in. This time, Windows recognizes the Bitlocker drive.

    Bitlocker

    Bitlocker: New encrypted drive has been found

  • 7. - Enter Password  
    Click on the message and enter your password. If you do not know the password, click "More options" and enter the recovery key.

    WinPE Boot Medium

    Bitlocker: Enter password

  • 8. - Locate Recovery Key  
    Windows displays the first part of the identifier, AAB60757, which is helpful when trying to locate your recovery key.

    WinPE Boot Medium

    Bitlocker: Enter password

    There are three possible locations where you can find this key:

    1) On a sheet of paper, if you printed it out when you created the Bitlocker encryption.

    2) In your Microsoft account, if you chose that option.

    3) Most likely, you saved the recovery key on your system drive. In the user Documents folder are indeed two key files, the correct one being "BitLocker Recovery Key AAB60757-492B-4D7F-9EC6-7086F888CF34.TXT." The first part of the identifier, AAB60757, matches the information on the screen where you need to enter your recovery key, so we know this is the correct key file.

    Windows Explorer: Bitlocker key files in the Documents folder

    Windows Explorer: Bitlocker key files in the Documents folder

  • 9. - Extract Recovery Key  
    Open the recovery key file:

    Windows Explorer: Bitlocker key files in the Documents folder

    Bitlocker Recovery Key: Content of a key file

  • 10. - Unlock Bitlocker Drive  
    Copy and paste the recovery key

    631818-354101-129888-609345-451836-034903-172436-465806

    into the respective Windows dialog:

    Windows Explorer: Bitlocker key files in the Documents folder

    Bitlocker Recovery Key: Enter the recovery key

    Click "Unlock," and Windows will mount the Bitlocker-encrypted drive. You can now access your files.

  • 11. - Low-Level Search For Recovery Key  
    If you can not unlock the Bitlocker drive with any of the methods above, you can try to find the recovery key on your system drive (or any drive) by searching for the identifier AAB60757 on a sector level.

    Start DiskExplorer X again and navigate to sector 0 of your system drive. Set the view type to "HEX". 

    DiskExplorer X: Search

    DiskExplorer X: Searching for identifier AAB60757

    Press CTRL-F and type the identifier AAB60757 into the "Unicode text" field. Start the search. If the recovery key is anywhere on the drive, this search will locate it for you. The first hit at sector 5996020 references the file name but does not contain the key.

    DiskExplorer X: Search

    DiskExplorer X: Searching for identifier AAB60757 - result

    Press CTRL-L to continue the search. You might get some more false alarms, all referencing the file name but not the actual file's content. Looking at a sample key file, we see a TAB precedes the identifier. Let's do the same with our search term. Press CTRL-F, right-click the yellow data field, and copy it into the clipboard. 

    DiskExplorer X: Search

    DiskExplorer X: Searching for identifier AAB60757

    Right-click the "Hex" field and paste. On the left side add the Unicode TAB character, 0900.

    DiskExplorer X: Search

    DiskExplorer X: Searching for identifier TAB-AB60757

    Click "Ok" to continue the search.

    DiskExplorer X: Search

    DiskExplorer X: Found recovery key 631818-354101-129888-609345-451836-034903-172436-465806

    Finally, in our example, we find the identifier at sector 288591824 and the key at the following sector. As in 10., copy and paste the recovery key 631818-354101-129888-609345-451836-034903-172436-465806 into the respective Windows dialog. Click "Unlock," and Windows will mount the Bitlocker-encrypted drive. You can now access your files.

  • 12. - Run GetDataBack for Bitlocker Drive  
    If the file system is damaged or you want to recover deleted files from the Bitlocker drive, you can run GetDataBack on the drive. Download GetDataBack Pro, install and start it.

    For GetDataBack to work on the Bitlocker drive, you must scan the logical volume, not the physical drive. In this example, do not click on the tile for DISK2. Instead, click on TOOLS->Settings->Miscellaneous->Debug->Show logical drives. Click "Close". Click on the blue "Logical drives..." tile.

    DiskExplorer X: Search

    GetDataBack Pro: Logical drives after they were enabled

    Select the blue tile for drive E: and continue as if this were a typical GetDataBack recovery job . It might also be a good idea to create an image of the unlocked Bitlocker drive E: at this point.

Troubleshooting and Support 

Let us know if you have any questions about this article. Email to support@runtime.org.

© 2024 Runtime Software