Over the last few weeks I stumbled onto several cases where file recovery software didn’t detect these deleted partitions. And even though these tools can decrypt Bitlocker partitions, they have to be able to find them first. I used DMDE.
In one case DMDE detected the partition straight away, which is boring so I won’t get into that.
- Locate lost Bitlocker partition
- Locate Bitlocker meta data block
- Determine Bitlocked volume size
- Create RAW partition
- Scan RAW partition using R-Studio
1. Locate lost Bitlocker partition (volume header)
Tools > Search for string in object > “-FVE-FS-” (no quotes) > Sector offset: 3
This will give us the start sector for the Bitlocker partition, 32768.
2. Locate Bitlocker meta data block
Tools > Search for string in object > “-FVE-FS-” > Sector offset: 0
Convert 00 00 0A E9 FC E0 00 00 to decimal and divide by the sector size => 23437668352
3. Create a partition table entry
Click in ‘unallocated’ > tools > create RAW partition and use these numbers to create a partition (take suggestion to create undo files).
The resulting partition can be scanned using R-Studio or UFS Explorer.
If volume header can’t be found ..
Sometimes the volume header can’t be found, for example because it has been overwritten. In that case we can derive the offset to the partition using the meta data block.
We need:
- the LBA address of the block, and
- the 8 byte value (reverse order) at offset 32 (offset relative to the start of the volume)
Convert 00 00 00 00 D9 50 00 00 to decimal and divide by 512 = 2926592
Subtracting this from the LBA address of the block gives us the offset to the Bitlocker volume:
2959360
2926592
------- -
32768
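The same derivation as a script, as an added example that is not part of the original post. It generalizes the subtraction to the case where the block found is not the first copy. Assumptions: the volume size at offset 16 and the second and third block offsets at 40 and 48 follow the version 2 header layout in the BDE format specification referenced below; the function names and the sample block are constructed for illustration.

```python
import struct

SECTOR = 512          # sector size used in the post
SIG = b"-FVE-FS-"

def parse_block(block: bytes):
    """Return (volume size in sectors, sector offsets of the three metadata blocks)."""
    if block[:8] != SIG:
        raise ValueError("signature not at offset 0: not a metadata block")
    size_bytes, = struct.unpack_from("<Q", block, 16)  # assumed offset (BDE spec, v2 header)
    offsets = struct.unpack_from("<3Q", block, 32)     # 32 is the offset the post uses
    if size_bytes % SECTOR or any(o % SECTOR for o in offsets):
        raise ValueError("fields not sector aligned: damaged block or other layout")
    return size_bytes // SECTOR, [o // SECTOR for o in offsets]

def volume_start(found: dict) -> list:
    """found maps LBA -> raw bytes of every metadata block located on the disk.
    A block may be copy 1, 2 or 3, so each yields up to three candidate start
    sectors; the real start is the candidate all found blocks agree on."""
    common = None
    for lba, block in found.items():
        _, offsets = parse_block(block)
        candidates = {lba - o for o in offsets if 0 < o <= lba}
        common = candidates if common is None else common & candidates
    return sorted(common or [])

def make_block(size_sectors: int, offsets: list) -> bytes:
    """Constructed sample header, only the fields read above are filled in."""
    b = bytearray(64)
    b[0:8] = SIG
    struct.pack_into("<Q", b, 16, size_sectors * SECTOR)
    struct.pack_into("<3Q", b, 32, *(o * SECTOR for o in offsets))
    return bytes(b)

# 2926592 and 23437668352 are the post's numbers; the other two offsets are constructed.
OFFSETS = [2926592, 4000000, 6000000]
BLOCK = make_block(23437668352, OFFSETS)

if __name__ == "__main__":
    print(parse_block(BLOCK)[0])                       # partition size in sectors
    print(volume_start({2959360: BLOCK}))              # the post's case: first copy found
    print(volume_start({4032768: BLOCK}))              # only copy 2 found: ambiguous
    print(volume_start({4032768: BLOCK, 6032768: BLOCK}))
```

When a single block yields more than one candidate, locate a second metadata block before creating the RAW partition so that only the start sector both blocks agree on remains.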
Reference: BitLocker Drive Encryption (BDE) format specification