How to сhoose hard drive?! Introduction in magnetic recording technology that maybe you heard on PMR (CMR) and ePMR, SMR, HAMR and MAMR, TDMR and BPMR
27.07.2020
How NOT worth making money on Data Recovery – ANTI Strategy 2020
30.07.2020
Show all
9

How to open (mount) BitLocker-Encrypted Drive

Published by artem On
  • Date25.06.2020
H ow important for us that information we use is confidential? Should our family members and close people have access to our personal data (interesting research from Kaspersky Lab)? What are we willing to sacrifice in order to sleep peacefully if your device remains in public transport or is even worse: fell into the hands of hacker!
Previously, people were limited to the words personal computer, smartphone (do not take into account geeks or the right corporate segment). Just a word "personal" protected us from troubles, and simple password gave us feel that we were in safe. And, apparently, most of us are still used to passwords in the style of: my birthday, the name of the cat, etc. But with increasing number cases of information leakage from hacks or direct access to a storage medium. Manufacturers gradually began to move away from wide-open doors (possibility of upgrading the device), towards mono-devices, both externally and internally. The most obvious example is Apple T2.
How to open (mount) BitLocker-Encrypted Drive

What was the problem, according to the client, and what files did we need to get?

Prologue
Before the final "death" of the operating system (OS), blue screen popped up a couple of times.
File system
NTFS
Task
Recover all docx and xlsx files from documents folder
Note
Auto recovery mode is not available. Requires 48-digit BitLocker recovery password. There is access to your personal account from Microsoft.

Where to find for 48-bit BitLocker recovery key

C heat sheet for those who have difficulty with BitLocker after system update. And if there is opportunity (drive is working) to connect disk to another computer with operating system Windows 10 Pro, Linux or MAC OS. Or use a bootable USB flash drive. This method will only help if you have Microsoft account on this device, not local account.
In our case, SSD SDAPNUW-512G-1002 (Sandisk, which now WD) had problems with logic, which prevented the OS from recovering.
How to open (mount) BitLocker-Encrypted Drive

#1 Microsoft account

B itLocker recovery key from an encrypted drive, you can find in your account dashboard.

  1. After logging in, go to the Devices section.
  2. Select the device we need and click Show details.
  3. At the bottom of the page, look for the BitLocker Data Protection heading and click Manage Recovery Key.
  4. Record or save recovery key.
How to open (mount) BitLocker-Encrypted Drive

#2 Device list

How to open (mount) BitLocker-Encrypted Drive

#3 BitLocker Data Protection

How to open (mount) BitLocker-Encrypted Drive

#4 BitLocker Recovery Keys

Transferring (recovery) data from a Bitlocker Encrypted drive

B efore proceeding with any actions on encrypted drive. You should make sector-by-sector copy of the entire disk or try to mount it and extract data. This procedure can be done in several ways, which will also be presented below. As usual, we restrict ourselves to the PC3000 hardware and software system from ACELab.
How to open (mount) BitLocker-Encrypted Drive
  1. Using bootable flash drive (Kali Linux Live USB or Windows To Go).
  2. Through another computer with a preinstalled system Windows 10 Pro, Linux or MAC OS (need to install the utility Disloсker) via a USB adapter.
  3. PC3000 hardware and software complex (we will use this option).
How to open (mount) BitLocker-Encrypted Drive

#1 Open BitLocker partition in Kali Linux

How to open (mount) BitLocker-Encrypted Drive

#2 Open BitLocker Partition in Windows 10 Pro

How to open (mount) BitLocker-Encrypted Drive

#3 Open Partition Image in PC3000

Installing Dislocker on Kali Linux

  1. Check for fresh updates.:
    2. apt update && apt upgrade -y
  2. Then install Dislocker through the terminal (most likely it already exists):
    3. apt install dislocker
  3. We create 2 directories for the encrypted partition and for mounting:
    4. mkdir /mnt/bitlocker_copy
mkdir /mnt/bitlocker_open
  4. Find encrypted partition using the disks or fdisk utility through the terminal:
    5. fdisk -l
    In our example, the encrypted BitLocker section (/dev/sdb3) looked like this: 
    Disk /dev/sdb: 1.84 TiB, 2000398931968 bytes, 3907029164 sectors
Disk model: External USB 3.0
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disklabel type: gpt
Disk identifier: 891XXXXX-XXXX-XXXX-8695-XXXXXXXXXXXX

Device         Start        End   Sectors   Size Type
/dev/sdb1       2048     534527    532480   260M EFI System
/dev/sdb2     534528     567295     32768    16M Microsoft reserved
/dev/sdb3     567296  998574734 998007439 475.9G Microsoft basic data
/dev/sdb4  998576128 1000214527   1638400   800M Windows recovery environment
  5. Trying to decrypt partition with using a Bitlocker recovery key
    6. dislocker -v -V /dev/sdb3 -r -pPASSWORD -- /mnt/bitlocker_copy
    *instead of /dev/sdb3 is your drive or partition, PASSWORD is your recovery key!
  6. Mount the newly decrypted partition into the system:
    7. mount /mnt/bitlocker_copy/dislocker-file /mnt/bitlocker_open -o loop
  7. After saving the necessary files, close the sections through the terminal:
    8. umount /mnt/bitlocker_open
umount /mnt/bitlocker_copy/dislocker-file
umount /mnt/bitlocker_copy

Install Dislocker on macOS Catalina

  1. Install Xcode through App Store and run the program. We accept license agreement and close it.
  2. Then install Xcode Command Line Tools through the terminal:
    3. xcode-select --install
  3. Install Homebrew through the terminal:
    4. /usr/bin/ruby -e "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/master/install)"
  4. Checking for updates through the terminal:
    5. brew update
  5. Install Fuse for macOS through the terminal:
    6. brew install Caskroom/cask/osxfuse
  6. Reboot macOS.
  7. Install Dislocker:
    8. brew install dislocker
  8. We connect encrypted disk through adapter to the Mac.
  9. Watching IDENTIFIER desired partition using diskutil through the terminal:
    10. diskutil list
    In our example, encrypted BitLocker partition (disk3s3) looked like this: 
    /dev/disk3 (external, physical):

   #:  TYPE NAME              SIZE       IDENTIFIER

   0:  GUID_partition_scheme    *2.0 TB     disk3

   1:  EFI SYSTEM               272.6 MB   disk3s1

   2:  Microsoft Reserved       16.8 MB    disk3s2

   3:  Microsoft Basic Data     511.0 GB   disk3s3

   4:  Windows Recovery         838.9 MB   disk3s4
  10. Trying to decrypt partition with using a Bitlocker recovery key
    11. sudo dislocker -v -V /dev/disk3s3 -r -pPASSWORD /tmp/bitlocker_copy
    *instead of disk3s3 is your disk or partition, PASSWORD is your recovery key!
  11. Mount decrypted section in the explorer:
    12. sudo hdiutil attach /tmp/dislocker_copy/dislocker-file -imagekey diskimage-class=CRawDiskImage -mountpoint /Volumes/bitlocker_open
  12. Having saved the necessary files, unmount decrypted partition:
    13. sudo hdiutil detach /Volumes/bitlocker_open
sudo hdiutil detach /tmp/dislocker_copy/dislocker-file
sudo hdiutil detach /tmp/bitlocker_copy

Github to help you:

After the release of the new version of Windows 10 (version 1903 - May 21, 2019), many users started having problems opening partitions encrypted by BitLocker. Partially the functionality has been fixed! To use it, you will have to build Dislocker yourself according to the instructions from GitHub.
On newer versions of Linux and macOS, the libpolarssl-dev package is missing. Therefore,carefully read: 
apt install gcc cmake make libfuse-dev libmbedtls-dev ruby-dev
Segmentation fault with Windows 10 Pro 19.03 fixed-in-develop
#185 opened on 5 Jul by Tom9876
Dependency from libpolarssl-dev to libmbedtls-dev
#200 opened 27 days ago by goetzk