Recover deleted files from a bitlocker’ed drive or partition

This uses dislocker, testdisk and photorec

You **WILL** need the recovery key for the BitLocker drive; this does not get around that, but the drive will be unharmed in the process.

It’s a multi-step process. This was done with MX Linux 9.2 (a Debian derivative), but anything newer should be fine.

I recommend making a Ventoy USB drive, copying the ISOs to it, booting from it and selecting the OS/ISO you want to boot.

Links: Ventoy, MX Linux, Ultimate Boot CD, Windows 10, Kaspersky Live CD, ESET Live CD. (You can put whatever ISOs you want in the root of a Ventoy USB drive; it scans them and lets you pick one at boot. Very, very slick!)

FIRST, use a distro to clone the disk to your server, so you can always restore it back to ground zero (such as it is). Ultimate Boot CD is recommended; I used Clonezilla from it to clone the disk to my server.

Prerequisites:

You’ll need to mount a server drive or external disk to recover to!

Boot via USB Ventoy, Choose Ultimate Boot CD, Choose Clonezilla

Prep
Open a terminal and run:
# like: sudo mount //HOST/SHARE mountpoint -o username=username,password=password
# (a password given on the command line ends up in your shell history; mount.cifs also accepts -o credentials=/path/to/file)
sudo mkdir /mnt/server
sudo mount //192.168.0.253/backup /mnt/server -o username=brad,password=password
sudo mkdir /mnt/decrypted-image
sudo mkdir /mnt/decrypted-filesystem

# Use Clonezilla to back up the entire disk to your server

(Beyond the scope of this particular article, but there are many ways to do it. Restoring can be difficult, so pay attention to how you backed it up.)

Recover deleted files from the free space on the disk
# Prerequisites (I switched to the MX Linux distro for this part, again booting from the Ventoy USB):
Open a terminal and run:
sudo apt update
# photorec ships inside the testdisk package on Debian; there is no separate photorec package
sudo apt install dislocker testdisk mc

# decrypt the partition and expose it as a virtual image file via FUSE (that’s the way dislocker works):
sudo dislocker -r /dev/sda2 -p111111-222222-333333-444444-555555-666666 -- /mnt/decrypted-image
# NOTE: NO SPACE after -p; your BitLocker recovery key follows it directly. You may have to play around with which sdX letter you use, but it is usually sda.
# -r keeps the decrypted view read-only, so nothing can overwrite the free space you are about to carve deleted files out of.
# dislocker exposes the decrypted volume as a file named dislocker-file inside the mountpoint; loop-mount that, also read-only:
sudo mount -o ro,loop /mnt/decrypted-image/dislocker-file /mnt/decrypted-filesystem

You should now be able to see your regular Windows files under /mnt/decrypted-filesystem.

testdisk has to be run with the decrypted image as a parameter or it gets confused and you won’t be successful:

sudo testdisk /mnt/decrypted-image/dislocker-file

Use testdisk to copy deleted files to /mnt/server/wherever:
  • Choose the disk
  • Choose None as the partition type (I know, I know, just go with it)
  • Advanced
  • It should show NTFS
  • Now choose List
  • It should chug for a bit and then show your drive listing; if so, you’re good to proceed
  • Arrow right to Undelete
  • Press A to select all files
  • Press c to copy them
  • Select your destination (/mnt/server/wherever) and wait for it to copy

The recovered files are probably kind of underwhelming and disheartening. Don’t freak out yet; go on to the next phase of recovery below:

Recover LOTS MORE files! photorec is a lot better.

Run photorec against the same decrypted image and copy the files it finds to /mnt/server/wherever:

sudo photorec /mnt/decrypted-image/dislocker-file

  • Choose the disk
  • Select the partition (NTFS filesystem)
  • Choose Other (FAT/NTFS/HFS+/ReiserFS)
  • Choose Free space or Whole partition; your case may vary
  • Navigate to the directory you want to save the files into
  • Press C when correct
  • WAIT. For a very long time… 500GB of spinning rust took about 36 hours over wifi, and the wifi was not the bottleneck here; it takes a lot of overhead to reassemble the files.

Back up the regular files from the disk:
Copy the normal files out:
# (no trailing slash on the source, so rsync creates a decrypted-filesystem directory under the destination)
sudo rsync -avx --progress /mnt/decrypted-filesystem /mnt/server/directory

You will want wired ethernet here; wifi chokes hard on sustained throughput (220MB/min vs. 1.5GB/min; do the math on how big your drive is and how long it will take).

Reset Windows password on Bitlocker drive

I was not able to reset the password using chntpw or 0phtcrack on a Windows 8 box, but it can be done with a Windows boot CD (from Ventoy, even!)

This does come with a bunch of caveats though…

  1. You will have to decrypt the drive. This takes a long time; an SSD is your friend here.
  2. By decrypting the drive, you WILL (probably) lose any chance of recovering anything from the free space on the disk: the free space is encrypted too and will be decrypted, but the leftover data will very likely not survive. In theory, BitLocker is whole-disk, so when it decrypts every block you should still be able to recover, but if you can’t, it’s too late!
  • Boot up to the Windows 10 installer screen
  • DON’T GO THROUGH THE SETUP, LEAVE IT ON THE STARTUP SCREEN
  • Press Shift + F10
  • At that command prompt, run:

cd d:\windows\system32
move utilman.exe utilman.exe.bak
copy cmd.exe utilman.exe
wpeutil reboot

Note: once it starts back up, you have about 1 minute to do the next step or the utility will get replaced and you’ll have to do the commands above again (ask me how I know).

At the login screen, click the Utility Manager icon in the corner; you should get another command prompt, this time inside your normal system.

To see the usernames, run:

net user

To reset a password, assuming your username is brad, run:

net user brad my_new_password

To set up a new admin user, ignoring any local users:

net user bob /add
net localgroup administrators bob /add

exit

You should now be able to log in using the credentials you set above. You may have to reboot once for it to take effect. If you added a new admin user, log in as that user, and you can use the local user management tools to reset any user passwords on the box.