BitLocker is a Windows security feature that encrypts entire drives to protect data from theft or exposure. It is included in all Windows Pro versions, starting with Windows Vista. It is not included in Windows Home.
BitLocker encrypts the entire drive to make data inaccessible without a decryption key. This recovery key is a unique 48-digit number that is required to unlock the drive. If the drive is connected to a different device, the user must provide the key to access the data. In addition to the key, the drive can also be protected with a password, which can be used along with the recovery key.
When using GetDataBack on a Bitlocker-encrypted drive, it sees the drive in its encrypted state when you access it as a physical drive. Only after unlocking the drive by entering the password or recovery key is the decrypted drive accessible as a logical volume (e.g., E:) and can be scanned by GetDataBack.
We will show how to recover data from a Bitlocker-encrypted drive using an 8 GB USB drive as an example. That USB drive is no longer accessible, and Windows offers to format it, which we better not do.
Inaccessible Bitlocker Drive: Windows does not even recognize it.
The following instructions are intended for tech-savvy users. Act cautiously, especially when using the low-level disk tool "DriveDoppel."
1 - Identify Bitlocker Drive
Download DiskExplorer X. Install and start the software.
DiskExplorer X: Available Disks
DISK2 is our Bitlocker-encrypted disk that we want to recover. Note that the size of this drive is 15730688 sectors (we will need this number later). Our first task is to locate the Bitlocker partition on this disk. We will take advantage of the fact that -FVE-FS- is a signature for Bitlocker partitions.
2. - Locate Bitlocker Partition
Click on the entry for DISK2, and DiskExplorer X will show you this drive's first sector (sector 0). Press F3 or click "HEX" to change the view of the sector to hexadecimal. Press CTRL-F to bring up the search window.
DiskExplorer X: Search dialog
Click on the field next to "Text" and write -FVE-FS-, then click "OK".
3. - Calculate Boot Record
After a brief search we have successfully located the Bitlocker partition at sector 2048.
DiskExplorer X: Bitlocker Boot Sector
To force Windows to see the Bitlocker partition again, we will restore the partition table of the Master Boot Record so that it points to the Bitlocker partition. The start of the Bitlocker partition is 2048. We will set the size of this partition to the size of the drive minus 2048, which is 15730688-2048=15728640.
4. - Prepare Tools
Download our tool DriveDoppel. Open a command prompt window and issue the command:
dd /dl.
Warning Please be careful when using DriveDoppel. With a wrong input you can easily destroy your data.
DriveDoppel: Show drive list with dd /dl
5. - Write Boot Record
Make sure DISK2 is the USB drive we are working on.
Then type:
dd boot(fs=ntfs,start=2048,count=15728640): disk2:.
This command will write a partition table with one entry to sector 0 of DISK2. This entry will point to sector 2048 which is the start of the Bitlocker partition.
DriveDoppel: Show drive list with dd /dl
Carefully read the confirmation dialog, then type y and press "Enter"
6. - Force Bitlocker Drive Recognition
We unplug the drive and plug it back in. This time, Windows recognizes the Bitlocker drive.
Bitlocker: New encrypted drive has been found
7. - Enter Password
Click on the message and enter your password. If you do not know the password, click "More options" and enter the recovery key.
Bitlocker: Enter password
8. - Locate Recovery Key
Windows displays the first part of the identifier, AAB60757, which is helpful when trying to locate your recovery key.
Bitlocker: Enter recovery key
There are three possible locations where you can find this key:
1) On a sheet of paper, if you printed it out when you created the Bitlocker encryption.
2) In your Microsoft account, if you chose that option.
3) Most likely, you saved the recovery key on your system drive. In the user Documents folder are indeed two key files, the correct one being "BitLocker Recovery Key AAB60757-492B-4D7F-9EC6-7086F888CF34.TXT." The first part of the identifier, AAB60757, matches the information on the screen where you need to enter your recovery key, so we know this is the correct key file.
Windows Explorer: Bitlocker key files in the Documents folder
9. - Extract Recovery Key
Open the recovery key file:
Bitlocker Recovery Key: Content of a key file
10. - Unlock Bitlocker Drive
Copy and paste the recovery key
631818-354101-129888-609345-451836-034903-172436-465806
into the respective Windows dialog:
Bitlocker Recovery Key: Enter the recovery key
Click "Unlock," and Windows will mount the Bitlocker-encrypted drive. You can now access your files.
11. - Low-Level Search For Recovery Key
If you can not unlock the Bitlocker drive with any of the methods above, you can try to find the recovery key on your system drive (or any drive) by searching for the identifier AAB60757 on a sector level.
Start DiskExplorer X again and navigate to sector 0 of your system drive. Set the view type to "HEX".
DiskExplorer X: Searching for identifier AAB60757
Press CTRL-F and type the identifier AAB60757 into the "Unicode text" field. Start the search. If the recovery key is anywhere on the drive, this search will locate it for you. The first hit at sector 5996020 references the file name but does not contain the key.
DiskExplorer X: Searching for identifier AAB60757 - result
Press CTRL-L to continue the search. You might get some more false alarms, all referencing the file name but not the actual file's content. Looking at a sample key file, we see a TAB precedes the identifier. Let's do the same with our search term. Press CTRL-F, right-click the yellow data field, and copy it into the clipboard.
DiskExplorer X: Searching for identifier AAB60757
Right-click the "Hex" field and paste. On the left side add the Unicode TAB character, 0900.
DiskExplorer X: Searching for identifier TAB-AB60757
Click "Ok" to continue the search.
DiskExplorer X: Found recovery key 631818-354101-129888-609345-451836-034903-172436-465806
Finally, in our example, we find the identifier at sector 288591824 and the key at the following sector. As in 10., copy and paste the recovery key 631818-354101-129888-609345-451836-034903-172436-465806 into the respective Windows dialog. Click "Unlock," and Windows will mount the Bitlocker-encrypted drive. You can now access your files.
12. - Run GetDataBack for Bitlocker Drive
If the file system is damaged or you want to recover deleted files from the Bitlocker drive, you can run GetDataBack on the drive. Download GetDataBack Pro, install and start it.
For GetDataBack to work on the Bitlocker drive, you must scan the logical volume, not the physical drive. In this example, do not click on the tile for DISK2. Instead, click on TOOLS->Settings->Miscellaneous->Debug->Show logical drives. Click "Close". Click on the blue "Logical drives..." tile.
GetDataBack Pro: Logical drives after they were enabled
Select the blue tile for drive E: and continue as if this were a typical GetDataBack recovery job . It might also be a good idea to create an image of the unlocked Bitlocker drive E: at this point.
Let us know if you have any questions about this article. Email to support@runtime.org.