
How to open (mount) BitLocker-Encrypted Drive

How important is it to us that the information we use stays confidential? Should our family members and the people close to us have access to our personal data (interesting research from Kaspersky Lab)? What are we willing to sacrifice in order to sleep peacefully if our device is left on public transport or, even worse, falls into the hands of a hacker?
Previously, people limited themselves to the words "personal computer" or "smartphone" (not counting geeks or the corporate segment). The word "personal" alone seemed to protect us from trouble, and a simple password made us feel safe. And, apparently, most of us are still used to passwords in the style of: my birthday, the name of the cat, etc. But as the number of information leaks from hacks or from direct access to a storage medium grew, manufacturers gradually began to move away from wide-open doors (the possibility of upgrading the device) towards mono-devices, both externally and internally. The most obvious example is the Apple T2.

What was the problem, according to the client, and what files did we need to get?

Before the final "death" of the operating system (OS), a blue screen popped up a couple of times.
File system
Recover all docx and xlsx files from the Documents folder.
Automatic recovery mode is not available. A 48-digit BitLocker recovery password is required. Access to the personal Microsoft account is available.

Where to find the 48-digit BitLocker recovery key

A cheat sheet for those who have difficulty with BitLocker after a system update, provided the drive still works and can be connected to another computer running Windows 10 Pro, Linux or macOS, or accessed from a bootable USB flash drive. This method only helps if the device uses a Microsoft account, not a local account.
In our case, the SSD SDAPNUW-512G-1002 (SanDisk, now part of WD) had logical problems that prevented the OS from recovering.

The BitLocker recovery key for an encrypted drive can be found in your Microsoft account dashboard.

  1. After logging in, go to the Devices section.
  2. Select the device we need and click Show details.
  3. At the bottom of the page, look for the BitLocker Data Protection heading and click Manage Recovery Key.
  4. Record or save the recovery key.

Transferring (recovering) data from a BitLocker-encrypted drive

Before doing anything with an encrypted drive, you should make a sector-by-sector copy of the entire disk, or try to mount it and extract the data. This can be done in several ways, which are presented below. As usual, we restrict ourselves to the PC3000 hardware and software system from ACELab.
  1. Using a bootable flash drive (Kali Linux Live USB or Windows To Go).
  2. Through another computer with Windows 10 Pro, Linux or macOS preinstalled (the Dislocker utility needs to be installed), via a USB adapter.
  3. PC3000 hardware and software complex (we will use this option).

Installing Dislocker on Kali Linux

  1. Check for fresh updates:
    apt update && apt upgrade -y
  2. Then install Dislocker through the terminal (most likely it is already installed):
    apt install dislocker
  3. Create two directories: one for the encrypted partition and one for mounting:
    mkdir /mnt/bitlocker_copy
    mkdir /mnt/bitlocker_open
  4. Find the encrypted partition using the Disks utility or fdisk through the terminal:
    fdisk -l
    In our example, the encrypted BitLocker partition (/dev/sdb3) looked like this:
    Disk /dev/sdb: 1.84 TiB, 2000398931968 bytes, 3907029164 sectors
    Disk model: External USB 3.0
    Units: sectors of 1 * 512 = 512 bytes
    Sector size (logical/physical): 512 bytes / 512 bytes
    I/O size (minimum/optimal): 512 bytes / 512 bytes
    Disklabel type: gpt
    Disk identifier: 891XXXXX-XXXX-XXXX-8695-XXXXXXXXXXXX
    Device         Start        End   Sectors   Size Type
    /dev/sdb1       2048     534527    532480   260M EFI System
    /dev/sdb2     534528     567295     32768    16M Microsoft reserved
    /dev/sdb3     567296  998574734 998007439 475.9G Microsoft basic data
    /dev/sdb4  998576128 1000214527   1638400   800M Windows recovery environment
  5. Try to decrypt the partition using the BitLocker recovery key:
    dislocker -v -V /dev/sdb3 -r -pPASSWORD -- /mnt/bitlocker_copy
    *Replace /dev/sdb3 with your drive or partition and PASSWORD with your recovery key!
  6. Mount the newly decrypted partition into the system (read-only, to match the -r flag above):
    mount /mnt/bitlocker_copy/dislocker-file /mnt/bitlocker_open -o loop,ro
  7. After saving the necessary files, unmount the partitions through the terminal:
    umount /mnt/bitlocker_open
    umount /mnt/bitlocker_copy

Install Dislocker on macOS Catalina

  1. Install Xcode through the App Store and run the program. Accept the license agreement and close it.
  2. Then install Xcode Command Line Tools through the terminal:
    xcode-select --install
  3. Install Homebrew through the terminal:
    /usr/bin/ruby -e "$(curl -fsSL"
  4. Check for updates through the terminal:
    brew update
  5. Install FUSE for macOS through the terminal:
    brew install Caskroom/cask/osxfuse
  6. Reboot macOS.
  7. Install Dislocker:
    brew install dislocker
  8. Connect the encrypted disk to the Mac through an adapter.
  9. Look up the IDENTIFIER of the desired partition using diskutil through the terminal:
    diskutil list
    In our example, the encrypted BitLocker partition (disk3s3) looked like this:
    /dev/disk3 (external, physical):
       #:  TYPE NAME              SIZE       IDENTIFIER
       0:  GUID_partition_scheme    *2.0 TB     disk3
       1:  EFI SYSTEM               272.6 MB   disk3s1
       2:  Microsoft Reserved       16.8 MB    disk3s2
       3:  Microsoft Basic Data     511.0 GB   disk3s3
       4:  Windows Recovery         838.9 MB   disk3s4
  10. Try to decrypt the partition using the BitLocker recovery key:
    sudo dislocker -v -V /dev/disk3s3 -r -pPASSWORD /tmp/bitlocker_copy
    *Replace disk3s3 with your disk or partition and PASSWORD with your recovery key!
  11. Mount the decrypted partition so that it appears in Finder:
    sudo hdiutil attach /tmp/bitlocker_copy/dislocker-file -imagekey diskimage-class=CRawDiskImage -mountpoint /Volumes/bitlocker_open
  12. Having saved the necessary files, unmount the decrypted partition:
    sudo hdiutil detach /Volumes/bitlocker_open
    sudo umount /tmp/bitlocker_copy
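
Before handing a key and a partition to dislocker in either procedure above, two cheap checks catch most wasted attempts: a mistyped recovery key and the wrong partition. The script below is an added example, not part of the original article or of Dislocker; the function names and the sample key are constructed for illustration, and 512-byte sectors are assumed.

```sh
#!/bin/sh
# Added example: pre-flight checks to run before dislocker.
# Constructed sample key (not a real one): every group is 11 * k, k < 65536.
SAMPLE_KEY="000011-135795-720885-001100-055000-440000-244442-000099"

# A recovery key is 8 dash-separated groups of 6 digits. Each group encodes
# a 16-bit value multiplied by 11, so it must be divisible by 11 and below
# 720896 (65536 * 11). Prints "ok", "format" or "group N" (first bad group).
valid_recovery_key() {
    key=$1
    case $key in *[!0-9-]*) echo "format"; return 1 ;; esac
    [ "${#key}" -eq 55 ] || { echo "format"; return 1; }
    old_ifs=$IFS; IFS=-; set -- $key; IFS=$old_ifs
    [ "$#" -eq 8 ] || { echo "format"; return 1; }
    n=0
    for group in "$@"; do
        n=$((n + 1))
        [ "${#group}" -eq 6 ] || { echo "format"; return 1; }
        g=${group#"${group%%[1-9]*}"}   # drop leading zeros (not octal)
        g=${g:-0}
        if [ $((g % 11)) -ne 0 ] || [ "$g" -ge 720896 ]; then
            echo "group $n"; return 1
        fi
    done
    echo "ok"
}

# A BitLocker volume carries the ASCII signature "-FVE-FS-" at byte 3 of its
# first sector (plain NTFS has "NTFS    " there). SRC is a partition such as
# /dev/sdb3, or a whole-disk image plus the partition's start sector taken
# from `fdisk -l` (512-byte sectors assumed).
is_bitlocker_volume() {
    src=$1; start=${2:-0}
    sig=$(dd if="$src" bs=1 skip=$((start * 512 + 3)) count=8 2>/dev/null) || return 1
    [ "$sig" = "-FVE-FS-" ]
}

# preflight SRC KEY [START_SECTOR]: run both checks, report the first failure.
preflight() {
    is_bitlocker_volume "$1" "${3:-0}" || { echo "no BitLocker signature"; return 1; }
    verdict=$(valid_recovery_key "$2") || { echo "bad recovery key: $verdict"; return 1; }
    echo "ok"
}
```

Run `preflight /dev/sdb3 "$KEY"` against the partition, or `preflight disk.img "$KEY" 567296` against a sector-by-sector image, using the start sector from `fdisk -l`. dislocker also accepts `-p` with no value and then prompts for the key, which keeps it out of shell history and the process list.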

GitHub to help you:

After the release of a new version of Windows 10 (version 1903, May 21, 2019), many users started having problems opening partitions encrypted with BitLocker. The functionality has been partially fixed! To use the fix, you will have to build Dislocker yourself according to the instructions on GitHub.
On newer versions of Linux and macOS, the libpolarssl-dev package is missing. Therefore, read carefully:
apt install gcc cmake make libfuse-dev libmbedtls-dev ruby-dev