The Bitlocker Blues


Fraser Corrance

Aug 21, 2023, 2:28:59 PM
to DataRecoveryCertification
Hello all!

I have a strange Bitlocker issue that I would like to run by the group here to see if anyone else has come across anything like this.

A client brought in an HP Elitebook that is no longer booting to Windows. When trying to boot it gives an error saying that Windows is trying to repair itself then boots to the recovery console. I pulled the NVMe SSD and imaged every single sector with no issues. I put the SSD back in the laptop and ran the short test on the drive using the HP hardware test which indicated the drive is failing. 

I have tried mounting the drive in both Windows 10 and in the latest updated version of Windows 11. In both versions of Windows I tried unlocking it by double clicking the volume in the Windows file explorer only to get an error message saying that the drive is encrypted with a newer version of Bitlocker. 

In both versions of Windows I ran the manage-bde -status on the drive and this is the result I get:

C:\WINDOWS\system32>manage-bde -status e:
BitLocker Drive Encryption: Configuration Tool version 10.0.19041
Copyright (C) 2013 Microsoft Corporation. All rights reserved.

Volume E: [Label Unknown]
[Data Volume]

    Size:                 Unknown GB
    BitLocker Version:    None
    Conversion Status:    Unknown
    Percentage Encrypted: Unknown%
ERROR: An error occurred (code 0x80070057):
The parameter is incorrect.

I put the drive back in the HP laptop, booted into the recovery console, opened command prompt, and ran diskpart and list vol and I get the response 'there are no volumes'. This seems a bit odd considering that there has to be a volume for the repair console to be running from. 

I have also tried opening up the volume in Data Extractor, R-Studio, and UFS explorer and none of them were able to access the volume either. 

Any ideas???

Fraser

Data Recovery Guru

Aug 21, 2023, 4:25:09 PM
to datarecovery...@googlegroups.com
Do DE, R-Studio and UFS detect the BitLocker for the main volume? If not, then there is some kind of encryption/file system damage.


Claude Barras

Aug 21, 2023, 4:29:27 PM
to datarecovery...@googlegroups.com
Did they mess with the BIOS config, or did a BIOS update occur before the problem?

wayne horner

Aug 21, 2023, 6:35:23 PM
to datarecovery...@googlegroups.com
is there an HPA situation
where you can't see the entire volume?
some hidden area?


Alandata Data Recovery -  (949)287-3282  
"Cleanroom Data Recovery of RAID, VMware, Network Attached Storage, Linux, Tape, Disk, Forensics"


Fraser Corrance

Aug 21, 2023, 8:40:12 PM
to DataRecoveryCertification
A couple more details that I should add, which I am not really sure if they matter or not...

When I right click on the volume and select 'decrypt encrypted storage' in UFS Explorer Pro it does not ask for a key but instead opens a volume called *aes256-xts-plain64::567296-998799359. The volume name is Windows, as expected, but the volume contains only one folder called Program Files which contains one single file called 'wlidsvconfig.xml'. 

When I try to decrypt the volume using R-Studio it gives me an error message saying that it's an unknown encryption type and gives you the option to make a 'file system snapshot' that you can send to the R-Studio developers. I have seen this message before when using an old version of R-Studio on a drive with the latest version of Windows. 

@Wayne
When looking at the drive using data recovery tools and when looking at it through disk management in windows, they all see the drive as a bitlocker drive and the partitions all look normal with no HPAs as far as I can tell. 

@Claude
The laptop's main battery is failing so the client disconnected the battery. There is no secondary bios battery. The date and time need to be set every time it is plugged back in. I am unaware of anybody doing a bios update but I can ask. 

@Labtech
Yes, all my tools see the bitlocker volume as a bitlocker volume. I also downloaded the trial version of Elcomsoft's Forensic Disk Decryptor and it also sees it as a bitlocker encrypted volume. 

Data Recovery Guru

Aug 21, 2023, 9:00:58 PM
to datarecovery...@googlegroups.com
If you have support, I would ask Iiuri from UFS explorer to check it out remotely.

Alandata Recovery

Aug 21, 2023, 10:16:16 PM
to datarecovery...@googlegroups.com
what's the drive look like in R-Studio's device screen

should have other visible parseable partitions like

windows booter 99mb partition
then a large windows data partition that is bitlocked 
then a recovery partition


should give some clues as to what's what....

send some screenshots





--
Alandata Data Recovery -  (949)287-3282  
"Cleanroom Data Recovery of RAID, VMware, NAS, Linux, Tape, Disk, Forensics"

Fraser Corrance

Aug 22, 2023, 12:35:04 PM
to DataRecoveryCertification
Here's a screenshot of what the drive partitions look like in both PC3K DE and R-Studio. As you see, it all looks like what you would expect to see. One thing I did notice is that the ID in DE is different than the one in Azure. Their remote 'IT Guy' does not know anything about the laptop having the OS reinstalled and could not find the ID that comes up in DE in Azure. I am going to try and get some more info out of the client because I strongly feel that I have not been given the entire story about everything that has happened with this laptop. 
Brat-locker drive1.JPG
Brat-locker Azure1.jpg

t...@desertdatarecovery.com

Aug 22, 2023, 12:39:32 PM
to datarecovery...@googlegroups.com

As you say that’s a different ID. That key is not for that drive.

 

Tim Homer - Lead Engineer

Desert Data Recovery

t...@desertdatarecovery.com

www.desertdatarecovery.com

Alandata Recovery

Aug 22, 2023, 12:59:22 PM
to datarecovery...@googlegroups.com
if you run rstudio on the other partitions
you may find logs and timestamps that validate or not the clients story

I think if you use MS tools to delete or reformat a bitlocker partition
that MS goes through and removes the disk side half of the keys
I vaguely recall that it has 5ish secret spots across the drive where it hides that info
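
Added example (not part of any post in this thread): a way to check whether a sector image still carries BitLocker's on-disk metadata, by finding `-FVE-FS-` volume headers and testing the metadata blocks they point to. The header layout used here (signature at byte 3, three 64-bit block offsets at bytes 176 to 199) is an assumption taken from public libbde format notes for Windows 7 and later, and the sample image is constructed.

```python
import struct

SECTOR = 512
SIG = b"-FVE-FS-"
# Assumed layout (Windows 7+ volume header, per public libbde format notes):
# signature at byte 3, three little-endian 64-bit metadata block offsets
# at bytes 176, 184 and 192, each relative to the start of the volume.
OFFSETS_AT = 176

def find_bitlocker_volumes(image):
    """Return [(volume_start, [(block_offset, status), ...]), ...]."""
    results = []
    for start in range(0, len(image) - SECTOR + 1, SECTOR):
        sector = image[start:start + SECTOR]
        if sector[3:11] != SIG or sector[510:512] != b"\x55\xaa":
            continue  # not a BitLocker volume boot sector
        blocks = []
        for rel in struct.unpack_from("<3Q", sector, OFFSETS_AT):
            pos = start + rel
            if rel == 0 or pos + len(SIG) > len(image):
                status = "invalid"      # offset points nowhere usable
            elif image[pos:pos + len(SIG)] == SIG:
                status = "present"      # block header signature intact
            else:
                status = "missing"      # overwritten or wiped
            blocks.append((rel, status))
        results.append((start, blocks))
    return results

def build_sample_image():
    """Constructed 32 KiB image: one volume at sector 8, block 2 wiped."""
    image = bytearray(64 * SECTOR)
    vol = 8 * SECTOR
    image[vol:vol + 3] = b"\xeb\x58\x90"            # x86 jump, as in a boot sector
    image[vol + 3:vol + 11] = SIG
    struct.pack_into("<3Q", image, vol + OFFSETS_AT, 0x1000, 0x2000, 0x3000)
    image[vol + 510:vol + 512] = b"\x55\xaa"
    for rel in (0x1000, 0x3000):                    # block at 0x2000 stays zeroed
        image[vol + rel:vol + rel + len(SIG)] = SIG
    return bytes(image)

if __name__ == "__main__":
    for start, blocks in find_bitlocker_volumes(build_sample_image()):
        print(f"volume header at byte {start}")
        for rel, status in blocks:
            print(f"  metadata block at +{rel:#x}: {status}")
```

For a full-size image, pass an `mmap` of the file instead of a `bytes` object; the function only uses slicing and `len`.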

