H
ow important for us that information we use is confidential? Should our family members and close people have access to our personal data (interesting research from Kaspersky Lab)? What are we willing to sacrifice in order to sleep peacefully if your device remains in public transport or is even worse: fell into the hands of hacker!
Previously, people were limited to the words personal computer, smartphone (do not take into account geeks or the right corporate segment). Just a word "personal" protected us from troubles, and simple password gave us feel that we were in safe. And, apparently, most of us are still used to passwords in the style of: my birthday, the name of the cat, etc. But with increasing number cases of information leakage from hacks or direct access to a storage medium. Manufacturers gradually began to move away from wide-open doors (possibility of upgrading the device), towards mono-devices, both externally and internally. The most obvious example is Apple T2.
Previously, people were limited to the words personal computer, smartphone (do not take into account geeks or the right corporate segment). Just a word "personal" protected us from troubles, and simple password gave us feel that we were in safe. And, apparently, most of us are still used to passwords in the style of: my birthday, the name of the cat, etc. But with increasing number cases of information leakage from hacks or direct access to a storage medium. Manufacturers gradually began to move away from wide-open doors (possibility of upgrading the device), towards mono-devices, both externally and internally. The most obvious example is Apple T2.

What was the problem, according to the client, and what files did we need to get?
- Prologue
- Before the final "death" of the operating system (OS), blue screen popped up a couple of times.
- File system
- NTFS
- Task
- Recover all docx and xlsx files from documents folder
- Note
- Auto recovery mode is not available. Requires 48-digit BitLocker recovery password. There is access to your personal account from Microsoft.
Where to find for 48-bit BitLocker recovery key
C
heat sheet for those who have difficulty with BitLocker after system update. And if there is opportunity (drive is working) to connect disk to another computer with operating system Windows 10 Pro, Linux or MAC OS. Or use a bootable USB flash drive. This method will only help if you have Microsoft account on this device, not local account.
In our case, SSD SDAPNUW-512G-1002 (Sandisk, which now WD) had problems with logic, which prevented the OS from recovering.
In our case, SSD SDAPNUW-512G-1002 (Sandisk, which now WD) had problems with logic, which prevented the OS from recovering.
B
itLocker recovery key from an encrypted drive, you can find in your account dashboard.
- After logging in, go to the Devices section.
- Select the device we need and click Show details.
- At the bottom of the page, look for the BitLocker Data Protection heading and click Manage Recovery Key.
- Record or save recovery key.
Transferring (recovery) data from a Bitlocker Encrypted drive
B
efore proceeding with any actions on encrypted drive. You should make sector-by-sector copy of the entire disk or try to mount it and extract data. This procedure can be done in several ways, which will also be presented below. As usual, we restrict ourselves to the PC3000 hardware and software system from ACELab.

- Using bootable flash drive (Kali Linux Live USB or Windows To Go).
- Through another computer with a preinstalled system Windows 10 Pro, Linux or MAC OS (need to install the utility Disloсker) via a USB adapter.
- PC3000 hardware and software complex (we will use this option).
Installing Dislocker on Kali Linux
- Check for fresh updates.:
- Then install Dislocker through the terminal (most likely it already exists):
- We create 2 directories for the encrypted partition and for mounting:
- Find encrypted partition using the disks or fdisk utility through the terminal:
- Trying to decrypt partition with using a Bitlocker recovery key
- Mount the newly decrypted partition into the system:
- After saving the necessary files, close the sections through the terminal:
apt update && apt upgrade -y
apt install dislocker
mkdir /mnt/bitlocker_copy mkdir /mnt/bitlocker_open
fdisk -lIn our example, the encrypted BitLocker section (/dev/sdb3) looked like this:
Disk /dev/sdb: 1.84 TiB, 2000398931968 bytes, 3907029164 sectors Disk model: External USB 3.0 Units: sectors of 1 * 512 = 512 bytes Sector size (logical/physical): 512 bytes / 512 bytes I/O size (minimum/optimal): 512 bytes / 512 bytes Disklabel type: gpt Disk identifier: 891XXXXX-XXXX-XXXX-8695-XXXXXXXXXXXX Device Start End Sectors Size Type /dev/sdb1 2048 534527 532480 260M EFI System /dev/sdb2 534528 567295 32768 16M Microsoft reserved /dev/sdb3 567296 998574734 998007439 475.9G Microsoft basic data /dev/sdb4 998576128 1000214527 1638400 800M Windows recovery environment
dislocker -v -V /dev/sdb3 -r -pPASSWORD -- /mnt/bitlocker_copy*instead of /dev/sdb3 is your drive or partition, PASSWORD is your recovery key!
mount /mnt/bitlocker_copy/dislocker-file /mnt/bitlocker_open -o loop
umount /mnt/bitlocker_open umount /mnt/bitlocker_copy/dislocker-file umount /mnt/bitlocker_copy
Install Dislocker on macOS Catalina
- Install Xcode through App Store and run the program. We accept license agreement and close it.
- Then install Xcode Command Line Tools through the terminal:
- Install Homebrew through the terminal:
- Checking for updates through the terminal:
- Install Fuse for macOS through the terminal:
- Reboot macOS.
- Install Dislocker:
- We connect encrypted disk through adapter to the Mac.
- Watching IDENTIFIER desired partition using diskutil through the terminal:
- Trying to decrypt partition with using a Bitlocker recovery key
- Mount decrypted section in the explorer:
- Having saved the necessary files, unmount decrypted partition:
xcode-select --install
/usr/bin/ruby -e "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/master/install)"
brew update
brew install Caskroom/cask/osxfuse
brew install dislocker
diskutil listIn our example, encrypted BitLocker partition (disk3s3) looked like this:
/dev/disk3 (external, physical): #: TYPE NAME SIZE IDENTIFIER 0: GUID_partition_scheme *2.0 TB disk3 1: EFI SYSTEM 272.6 MB disk3s1 2: Microsoft Reserved 16.8 MB disk3s2 3: Microsoft Basic Data 511.0 GB disk3s3 4: Windows Recovery 838.9 MB disk3s4
sudo dislocker -v -V /dev/disk3s3 -r -pPASSWORD /tmp/bitlocker_copy*instead of disk3s3 is your disk or partition, PASSWORD is your recovery key!
sudo hdiutil attach /tmp/dislocker_copy/dislocker-file -imagekey diskimage-class=CRawDiskImage -mountpoint /Volumes/bitlocker_open
sudo hdiutil detach /Volumes/bitlocker_open sudo hdiutil detach /tmp/dislocker_copy/dislocker-file sudo hdiutil detach /tmp/bitlocker_copy
Github to help you:
After the release of the new version of Windows 10 (version 1903 - May 21, 2019), many users started having problems opening partitions encrypted by BitLocker. Partially the functionality has been fixed! To use it, you will have to build Dislocker yourself according to the instructions from GitHub.On newer versions of Linux and macOS, the libpolarssl-dev package is missing. Therefore,carefully read:
apt install gcc cmake make libfuse-dev libmbedtls-dev ruby-dev
Dependency from libpolarssl-dev to libmbedtls-dev
#200
opened 27 days ago by
goetzk