3 Methods for Bitlocker Recovery under Encryption State

Technical Tips
2023-08-02

Overview

BitLocker is the drive-encryption feature of the Windows operating system. It is mainly intended to prevent the data theft or malicious leakage that follows the physical loss of a device, and it supports both the FAT and NTFS file systems. BitLocker can encrypt not only the entire system partition of a computer but also removable storage devices such as USB flash drives and portable hard disks.

BitLocker uses the AES (Advanced Encryption Standard) algorithm with a 128-bit or 256-bit key, which is highly secure and reliable; if the password is strong enough, the encryption is generally infeasible to crack. Therefore, when a computer, USB flash drive or other device involved in a case is encrypted with BitLocker, performing BitLocker recovery to obtain the data involved in the case is particularly important.

Decryption Ideas

BitLocker Encryption

Before demonstrating decryption, we first need to encrypt a disk with BitLocker.

1. Open File Explorer, right-click the disk partition the investigator wants to encrypt, and select “Turn on BitLocker”. (Encryption can also be started via “Control Panel” - “System and Security” - “BitLocker Drive Encryption”.)

2. Set the encryption password in the pop-up window, click “Next”, and then choose where to save the BitLocker recovery key.


3. It is generally more secure to store the BitLocker recovery key on a USB flash drive or to print it out, because the encrypted drive and the recovery key are then kept separately and the key is not easy to obtain. In practice, however, the recovery key is sometimes saved on the hard disk for convenience, which is what gives us the possibility of decryption.


4. BitLocker then starts encrypting the entire drive, which takes a long time. After encryption completes, a lock icon appears over the drive's icon, indicating that the drive is encrypted.

BitLocker Decryption Methods

After encrypting a disk with BitLocker, we can decrypt it by one of three methods:

Method 1 Decryption by finding the password

Collect password-related data from every storage medium involved in the case, organize it into a dictionary, and then run the BitLocker decryption or brute-force attempt with the corresponding tool. This method carries a lot of uncertainty, so whether to use it depends on the specific situation.

Method 2 Decryption by recovery key


From the BitLocker encryption process we know that the recovery key is generated during the encryption setup, and users usually store it by choosing “Save to a file”. In that case the recovery key is stored on the storage medium as a “txt” file.

When “txt” text is written to a storage medium, the underlying data is stored in plain text. Even if the “txt” file has been deleted, as long as the underlying data has not been overwritten, it is recommended to search the raw data with keywords and regular expressions to locate the BitLocker recovery key for decryption. This is also the answer to how to find a BitLocker recovery key.


Method 3 Decryption by turning on auto-unlock

In some cases, for a specific storage medium involved, such as an encrypted USB flash drive or portable hard disk, we only need to connect the medium to the corresponding computer and click “Turn on auto-unlock” to decrypt the encrypted device.


Case Study

A partition of a computer involved in the case was encrypted with BitLocker, and the partition had to be decrypted to obtain the data involved in the case. A hard disk image of the computer had already been completed.

Inspection material: 001.DD

Software used: WinHex, DRS Data Recovery System

Decryption method: Decryption by BitLocker recovery key

1. Obtain the image file, load it into WinHex, and perform a full-disk search for the keyword “Recovery Key” (other keywords from the key text can also be searched, or a regular-expression match performed). The steps are as follows:

Step 1. To improve search accuracy, a hexadecimal search is recommended: write “Recovery Key” into a new “txt” file and save it as text in UTF-16 LE encoding. Alternatively, generate a BitLocker recovery key txt file with the same operating system version as the involved computer (recovery key txt files are normally stored in UTF-16 LE encoding).

Step 2. Open the text file containing “Recovery Key” in WinHex and copy the hexadecimal bytes corresponding to “Recovery Key”.

Step 3. Open the image file “001.DD” in WinHex and interpret it as a disk.


Step 4. Using the copied hexadecimal bytes for “Recovery Key”, perform a full-disk search of the opened “001.DD” image file. Find the records related to the recovery key and verify them by attempting BitLocker recovery-key decryption.


2. Decrypt using the recovery key verified in the previous steps: enter the data recovery module of DRS Data Recovery System, load the “001.DD” image file, right-click the encrypted partition in the image, select “Unlock BitLocker”, enter the recovery key to decrypt, and then select Quick Scan to obtain the data of the encrypted partition.
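As an added example (not part of the original article, and not code from WinHex or DRS), the following Python script does offline what Method 2 and Steps 1 to 4 of the case study describe: it turns the keyword into the UTF-16 LE byte pattern that is searched for, then scans a raw image for candidate recovery keys in both ASCII and UTF-16 LE and keeps only those whose 6-digit blocks satisfy the documented format rule (each block divisible by 11 and below 720896). The image bytes, file text and key values are constructed for this example, not taken from a real case.

```python
import re

# Recovery password rules (Microsoft's documented format): 8 groups of 6 digits,
# each group divisible by 11 and below 720896 (11 * 2**16).
ASCII_KEY_RE = re.compile(rb"\d{6}(?:-\d{6}){7}")
# Same shape as Windows writes it into the recovery-key .txt: UTF-16LE, so every
# digit is "3x 00" and the hyphen is "2d 00".
UTF16LE_KEY_RE = re.compile(rb"(?:[0-9]\x00){6}(?:-\x00(?:[0-9]\x00){6}){7}")

def is_valid_recovery_key(key: str) -> bool:
    """True when every 6-digit block obeys the divisibility and range rule."""
    return all(int(b) % 11 == 0 and int(b) < 720896 for b in key.split("-"))

def keyword_hex(text: str) -> str:
    """Hex of a keyword in UTF-16LE: the byte pattern to search for in the image."""
    return text.encode("utf-16-le").hex()

def find_recovery_keys(image: bytes):
    """Return sorted (offset, encoding, key) for every well-formed key in raw bytes.

    Deleted .txt content is still found as long as its bytes were not
    overwritten, because the scan ignores file-system structure entirely.
    """
    hits = []
    for encoding, pattern in (("ascii", ASCII_KEY_RE), ("utf-16-le", UTF16LE_KEY_RE)):
        for m in pattern.finditer(image):
            key = m.group().decode(encoding)
            if is_valid_recovery_key(key):
                hits.append((m.start(), encoding, key))
    return sorted(hits)

def constructed_sample_image() -> bytes:
    """Constructed stand-in for a raw image fragment; not real case data."""
    key_file = (
        "BitLocker Drive Encryption recovery key\r\n\r\n"
        "Recovery Key:\r\n\r\n\t"
        "123453-000055-720885-440000-135795-333333-000011-100001\r\n"
    ).encode("utf-16-le")
    filler = b"\x00" * 64 + bytes(range(256)) + b"\x00" * 64
    # Decoys that look like keys: the first fails divisibility by 11, the
    # second's first block is 720896 (divisible by 11 but not below the limit).
    decoy1 = b"123456-654321-111111-222222-333333-444444-555555-666666"
    decoy2 = b"720896-000011-000011-000011-000011-000011-000011-000011"
    return filler + key_file + filler + decoy1 + filler + decoy2 + filler

if __name__ == "__main__":
    print("search bytes for 'Recovery Key':", keyword_hex("Recovery Key"))
    for offset, enc, key in find_recovery_keys(constructed_sample_image()):
        print(f"offset {offset:#x} ({enc}): {key}")
```

Run it against a real image by reading the file into `image` in chunks that overlap by at least the key length (55 bytes in ASCII, 110 in UTF-16 LE) so a key spanning a chunk boundary is not missed.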
