Recover deleted Bitlocker partition using DMDE

By | January 1, 2025

In the last few weeks I stumbled onto several cases where file recovery software didn’t detect these deleted partitions. And even though these tools can decrypt Bitlocker partitions, they have to be able to find them first. I used DMDE.

In one case DMDE detected the partition straight away, which is boring so I won’t get into that.

  1. Locate lost Bitlocker partition
  2. Locate Bitlocker meta data block
  3. Determine Bitlocker volume size
  4. Create RAW partition
  5. Scan RAW partition using R-Studio

1.  Locate lost Bitlocker partition (volume header)

Tools > Search for string in object > “-FVE-FS-” (no quotes) > Sector offset: 3

This will give us the start sector of the Bitlocker partition, in this case 32768.

2. Locate Bitlocker meta data block

Tools > Search for string in object > “-FVE-FS-” > Sector offset: 0

This will find the FVE meta data blocks (if any). There are at most three copies, but we need only one.
At offset 16 of the block we find the 8-byte volume size in bytes, stored in reverse (little-endian) byte order. Divide it by 512 to get the size in sectors.
00 00 0A E9 FC E0 00 00 converted to decimal and divided by the sector size => 23437668352

3. Create a partition table entry

Click in ‘unallocated’ > tools > create RAW partition and use these numbers (start sector and size in sectors) to create a partition. Take the suggestion to create undo files.

The resulting partition can be scanned using R-Studio or UFS Explorer.

 

If the volume header can’t be found ..

Sometimes the volume header can’t be found, for example because it has been overwritten. In that case we can derive the offset to the partition from the meta data block.

We need the

  1. LBA address of the block and the
  2. 8 byte value (reverse order) at offset 32 (offset relative to the start of the volume)

 

00 00 00 00 D9 50 00 00 converted to decimal and divided by 512 = 2926592

Subtracting this from the LBA address of the block gives the offset to the Bitlocker volume.

2959360
2926592
-------  -
  32768
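
The two calculations above (volume size from offset 16, and volume start from the block's LBA and the value at offset 32) as an added Python example; it is not from the original article or from DMDE. The header bytes are constructed from the article's decimal figures, the function names are hypothetical, and the block found is assumed to be the copy whose offset is stored at offset 32.

```python
import struct

SECTOR = 512              # sector size used throughout the article
SIGNATURE = b"-FVE-FS-"   # string searched for in DMDE (sector offset 0)

def parse_fve_block(block: bytes) -> dict:
    """Read the two fields the article uses from an FVE meta data block header."""
    if len(block) < 40:
        raise ValueError("need at least 40 bytes of the block header")
    if block[:8] != SIGNATURE:
        raise ValueError("no -FVE-FS- signature at offset 0")
    volume_size, = struct.unpack_from("<Q", block, 16)   # bytes, little-endian
    block_offset, = struct.unpack_from("<Q", block, 32)  # bytes from volume start
    for name, value in (("volume size", volume_size), ("block offset", block_offset)):
        # A zero or unaligned value usually means a damaged or false-positive hit.
        if value == 0 or value % SECTOR:
            raise ValueError(f"{name} {value:#x} is not a whole number of sectors")
    if block_offset >= volume_size:
        raise ValueError("block offset lies outside the volume")
    return {"size_sectors": volume_size // SECTOR,
            "block_offset_sectors": block_offset // SECTOR}

def partition_geometry(block: bytes, block_lba: int) -> tuple[int, int]:
    """Return (start sector, length in sectors) for the RAW partition entry."""
    fields = parse_fve_block(block)
    start = block_lba - fields["block_offset_sectors"]
    if start < 0:
        raise ValueError("block LBA is smaller than its offset inside the volume")
    return start, fields["size_sectors"]

def make_sample_block() -> bytes:
    """Constructed header: only the signature and the two fields are filled in."""
    block = bytearray(64)
    block[0:8] = SIGNATURE
    struct.pack_into("<Q", block, 16, 23437668352 * SECTOR)  # article's volume size
    struct.pack_into("<Q", block, 32, 2926592 * SECTOR)      # article's block offset
    return bytes(block)

if __name__ == "__main__":
    start, length = partition_geometry(make_sample_block(), block_lba=2959360)
    print(f"start sector {start}, length {length} sectors")
```

The sanity checks help reject a stray “-FVE-FS-” hit before its numbers are written into a partition table entry.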

 

Reference: BitLocker Drive Encryption (BDE) format specification

 

 

 

 

 
