Recovering Bitlocker partition

Category: Techie
26 Jan 2013
Written by Andy

The Problem:

During the week, one of the work laptops had its HD fail. I got called through as the machine was trying to do a system recovery / restore, and my colleague was worried.

After disabling the auto reboot on system crash, I got a nice BSOD, and figured that it was going to need some work. After providing a pool laptop so he could get emails and suchlike, I got to work on the broken one.

Data Recovery

I pulled the disk out of the laptop and put it in my desktop. Windows recognised the volume and requested the BitLocker key. As the machine had no TPM, the key was on a USB stick, so I didn't have to type in the recovery key *phew*

The key worked and I was able to recover a few files that were needed immediately (key proposals needed in the next few days etc.), but I didn't take the whole lot (mistake 1?).

Total Failure:

The disk then started acting up, and I couldn't read anything due to Windows seeing CRC errors and giving up. This signalled that it was time to see what Linux could do!

After finding 2 USB caddies and a spare HD, I set about imaging the disk, so I could have a snapshot of the data in as good a state as possible on a drive that wouldn't cause errors. Because the volume was about 300 GB, I formatted the spare disk as ext3, as I didn't trust Linux with NTFS! I added the other disk to the Linux box and set to work.

Try and try again:

I tried using dd to image the partition initially, but that suffered the same problems as Windows, giving up after a CRC error.

DDRescue was the next tool I used. This will skip over blocks that error, then revisit them later, having kept a log of all the problems. After about 30 hours, all bar 6 MB of the 300 GB disk had been recovered. With Windows being the thing that seemed to be failing, and most of the bad blocks being at the start of the drive, I hope that means that it's mostly system files!

Using the image:

As the data on the partition is encrypted, just mounting the partition in Linux as NTFS was never going to work, so I had to get the image accessible to a Windows machine.

Windows can only natively mount VHD images, but the file was a raw dump without those headers. Also, the disk holding it was ext3 formatted.

With the disk plugged into my Win7 desktop, I tried to use the Ext2Fsd driver to mount the partition. This worked fine, and I was able to browse the disk and read the log file.

OSForensics provide a tool for mounting dd images called OSFMount. Setting the image to mount as the dd image, I waited... and waited... I think there were too many layers of abstraction between the image file and the OSFMount program.

So, using a Samba/CIFS share from a Netgear ReadyNAS, I mounted and shared the USB disk, and accessed it over the LAN. This time OSFMount read the image file immediately, and Windows recognised that the disk was there straight away. However, Windows didn't see it as a BitLocker partition, and therefore thought it did not contain any valid data, and offered to format.

VHDTool

Microsoft provide a program called VHDTool to convert raw dd images into VHD files. I ran this against the dd image, and it added the required details to the front of the file to be a VHD file. It doesn't, however, change the extension, which caught me out!

Once I'd run this on the image, doing this with the external disk mounted on the NAS via the CIFS share, I then mounted it. The option to mount it is in the Action menu of the Computer Management MMC, when Disk Management is selected.

Success!

It recognised that the disk was encrypted, requested the USB token / recovery key, and I was able to browse the files and recover any additional ones that were needed.
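
Before handing a ddrescue image to Windows, it helps to know how much of it is missing and whether the first sector, which Windows uses to recognise a BitLocker volume, was actually rescued. The Python script below is an added example, not part of the original post: the sample log, the function names and the 1 MiB "start of the drive" window are constructed for illustration, and it assumes the image is of the partition itself, as described above.

```python
# Added example: sanity-check a ddrescue image before mounting it in Windows.
# SAMPLE_MAP is constructed data, not the log from the original post.

SAMPLE_MAP = """\
# Mapfile. Created by GNU ddrescue
# current_pos  current_status
0x00200000     +
#      pos        size  status
0x00000000  0x00001000  +
0x00001000  0x00000200  -
0x00001200  0x000FEE00  +
0x00100000  0x00000400  -
0x00100400  0x000FFC00  +
"""

def parse_mapfile(text):
    """Return (pos, size, status) blocks from a ddrescue mapfile/logfile."""
    rows = [ln.split() for ln in text.splitlines()
            if ln.strip() and not ln.lstrip().startswith("#")]
    # rows[0] is the "current position" status line, not a data block.
    return [(int(r[0], 0), int(r[1], 0), r[2]) for r in rows[1:]]

def summarise(blocks, head_bytes=1 << 20):
    """Report unrecovered bytes overall and within the first head_bytes."""
    # Only '+' means rescued; '?', '*', '/' and '-' are all holes in the image.
    holes = [(p, s) for p, s, st in blocks if st != "+"]
    return {
        "missing_bytes": sum(s for _, s in holes),
        "missing_in_head": sum(min(p + s, head_bytes) - p
                               for p, s in holes if p < head_bytes),
        "sector0_rescued": not any(p == 0 and s > 0 for p, s in holes),
    }

def has_bitlocker_signature(first_sector):
    """Windows Vista/7 BitLocker volumes carry '-FVE-FS-' at offset 3 of sector 0."""
    return first_sector[3:11] == b"-FVE-FS-"

if __name__ == "__main__":
    print(summarise(parse_mapfile(SAMPLE_MAP)))
    # Constructed boot sector; on a real image read the first 512 bytes instead.
    fake_sector = b"\xeb\x58\x90-FVE-FS-" + bytes(501)
    print("BitLocker signature:", has_bitlocker_signature(fake_sector))
```

If sector 0 is among the holes, or the signature is absent, Windows offering to format the volume is the expected symptom rather than a sign that the rest of the image is unusable.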

 

Comments   

#1 Joachim 2015-09-18 09:35
Hi Andy,
came across a similar issue and wondering how exactly you used VHDTool to solve the issue.
Thanks, Joachim