Is there a way of “bitwise” decrypting a corrupt Bitlocker encrypted raw HDD-image
I'm facing a situation, where I'd like to decrypt a "corrupted" Bitlocker protected drive (Windows 10 Partition) by using the known 48-digit recovery key. Corrupt means, I executed a restore (Windows internal restore of a System Image) procedure that got stuck, leaving me with an, as it seems, unusable Bitlocker header, so that the Microsoft tools repair-bde or manage-bde -status don't recognize the drive as a Bitlocker-protected one.*
Does anybody know how to decrypt the encrypted raw disk image by using the recovery key, to get another (but decrypted) raw disk image (with which I could perform further data restore steps)?
* As this is not directly relevant to the question (but the topic may occur), I'm going to describe my situation in more detail here for those interested:
Notebook without TPM. Two fixed drives, one with Windows 10, Bitlocker protected, and a secondary (data) drive, Bitlocker protected as well. The second one was set up for auto-unlock when booting up the OS. A System Image (Windows internal Back up and restore function) exists on the second drive, which I tried to restore to the primary drive. That restore process crashed, leaving me with an unusable system. Three obvious mistakes (yep, I learned my lesson...): 1. I don't have another backup on an independent (external) drive, 2. I didn't create a raw image of the intact system drive before using the fragile Windows restore, 3. I only have the user-defined password for this second drive and not the recovery key (48-digit or .bek file). Unfortunately the password by itself takes me nowhere without the OS that I just killed; switching to auto-unlock seems to change the "keychain", so at the moment accessing the backup of the first drive is impossible.
The last two approaches I had in mind are to see what I can rescue from the primary drive, and to see, whether I can extract the stored auto-unlock key (further reading on this here), to unlock the secondary drive, with the intact system image on it.
encryption bitlocker
migrated from crypto.stackexchange.com Dec 31 '18 at 0:43
This question came from our site for software developers, mathematicians and others interested in cryptography.
edited Jan 1 at 16:36
Twisty Impersonator
asked Dec 30 '18 at 23:54
Thomas
1 Answer
Update on this: it seems that the Microsoft restore process first wipes the drive, and then restores the image unencrypted (at least to the point where it crashed) probably before encrypting it again.
Therefore I am now able to restore the relevant User Data on the primary OS drive with conventional recovery tools.
As I wrote beforehand the computer has a fixed second Bitlocker encrypted drive, which was set to auto-unlock before the faulty Windows restore process.
With the recovery of the primary drive I was able to get the Data Key stored in the registry at
HKLM\SYSTEM\CurrentControlSet\Control\FVEAutoUnlock
which starts with 70 00 00 00 09 00 00 00 14 aa 47 e0 89 4e 0e 4c ...
I've read that it is a DPAPI encrypted key, which should be decryptable with DataProtectionDecryptor, but it doesn't start with the standard DPAPI sequence 01 00 00 00 D0 8C 9D ... . So at the moment I don't know which information (keys) to use and where they come from to transform this key to the valid Bitlocker recovery key?
answered Dec 31 '18 at 5:23
Thomas
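The header check described in the answer above, as an added example that is not part of the original post: it tests a blob for the standard DPAPI prefix (version DWORD 1 followed by the DPAPI provider GUID) and, when the prefix matches, reads the GUID of the master key the blob depends on. The function name and the second sample blob are constructed for illustration; the first sample is the 16-byte prefix quoted in the answer.

```python
import struct
import uuid

# Well-known DPAPI provider GUID. Together with the version DWORD it
# produces the "01 00 00 00 D0 8C 9D DF ..." prefix mentioned in the answer.
DPAPI_PROVIDER = uuid.UUID("df9d8cd0-1501-11d1-8c7a-00c04fc297eb")


def parse_dpapi_header(blob: bytes) -> dict:
    """Classify a blob; for a DPAPI blob, report the master key it needs."""
    if len(blob) < 4:
        return {"is_dpapi": False, "reason": "shorter than the version field"}
    (version,) = struct.unpack_from("<I", blob, 0)
    if version != 1:
        return {"is_dpapi": False,
                "reason": f"version field is {version:#x}, expected 0x1"}
    if len(blob) < 40:
        return {"is_dpapi": False,
                "reason": "truncated before the master key GUID"}
    provider = uuid.UUID(bytes_le=blob[4:20])
    if provider != DPAPI_PROVIDER:
        return {"is_dpapi": False,
                "reason": f"unexpected provider GUID {provider}"}
    (mk_version,) = struct.unpack_from("<I", blob, 20)
    master_key = uuid.UUID(bytes_le=blob[24:40])
    return {"is_dpapi": True,
            "master_key_version": mk_version,
            "master_key_guid": str(master_key)}


# Prefix of the registry value as quoted in the answer (only 16 bytes shown).
PAGE_PREFIX = bytes.fromhex("70 00 00 00 09 00 00 00 14 aa 47 e0 89 4e 0e 4c")

# Constructed DPAPI header for comparison; the master key GUID is made up.
CONSTRUCTED_BLOB = (
    struct.pack("<I", 1)
    + DPAPI_PROVIDER.bytes_le
    + struct.pack("<I", 1)
    + uuid.UUID("11111111-2222-3333-4444-555555555555").bytes_le
)

if __name__ == "__main__":
    print(parse_dpapi_header(PAGE_PREFIX))
    print(parse_dpapi_header(CONSTRUCTED_BLOB))
```

For a blob that does pass the check, the master key GUID identifies which DPAPI master key has to be recovered together with the blob before any decryption tool can work on it.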