It is OK, thanks anyway for trying to help. I appreciate it.
I had performed option 2 on OS drive, but User files are not on the target drive.
My BitLocker encrypted computer shut down a few times by itself when I was away from the keyboard. Every time I came back to it from another room, the power was off, but there were no power surges in my house, so I don't know the cause for it shutting down by itself. The next time I tried booting up, the computer attempted to boot into Automatic Repair but never succeeded; it just kept asking me for the BitLocker password and going into a loop. I couldn't go into safe mode either.
I connected the OS NVMe SSD via an external enclosure to a laptop and recovered the data to another drive via option 2. After performing chkdsk D: /f, everything seems to be on that new drive except my User folder. There are only 2 folders under X:\Users\ that are called Default and Public. I copied all the output I could grab from CMD (6 thousand lines) and this did grab my attention:
Code:
... 2 thousands lines of "Failed to read sector X at offset Y" Lines ...
Failed to read sector at offset 1783707142656. (0x00000017)
LOG ERROR: 0xc0000037
Failed to read sector at offset 1783707143168. (0x00000017)
LOG ERROR: 0xc0000037
Failed to read sector at offset 1783707143680. (0x00000017)
Decrypting: 100% Complete.
Finished decryption.
ACTION REQUIRED: Run 'chkdsk D: /f' before viewing decrypted data.

C:\Users\Laptop>chkdsk D: /f
The type of the file system is NTFS.
Stage 1: Examining basic file system structure ...
Deleted corrupt attribute list entry with type code 30 in file 6A7F.
Deleted corrupt attribute list entry
... 3 thousands lines later ...
CHKDSK discovered free space marked as allocated in the bitmap for index $I30 for file 5C8.
Sorting index $I30 in file 5C8.
Deleting index entry mpcache-7DC74330A002CFBA30F88A5F1241607B94D5DC12.bin.7C in index $I30 of file 5C8.
Deleting index entry mpcache-7DC74330A002CFBA30F88A5F1241607B94D5DC12.bin.7E in index $I30 of file 5C8.
Deleting index entry MPCACH~1.7C in index $I30 of file 5C8.
Deleting index entry MPCACH~1.7E in index $I30 of file 5C8.
Deleting index entry MP2CF5~1.BIN in index $I30 of file 5C9.
Deleting index entry MPDeviceControl-20210804-133053.log in index $I30 of file 5C9.
Deleting index entry MPDEVI~1.LOG in index $I30 of file 5C9.
Deleting index entry MPLog-20211118-080721.log in index $I30 of file 5C9.
Deleting index entry MPLOG-~1.LOG in index $I30 of file 5C9.
Deleting index entry MpWppTracing-20211123-151417-00000003-ffffffff.bin in index $I30 of file 5C9.
Deleting index entry SH3A3E~1.ETL in index $I30 of file 5DF.
Deleting index entry SHS-11232021-151440-7-7f-19041.1.amd64fre.vb_release.191206-1406.etl in index $I30 of file 5DF.
Deleting index entry UP8384~1.ETL in index $I30 of file 5EB.
Deleting index entry UpdateSessionOrchestration.82448e79-70da-4606-a58d-c32ebbd2f579.1.etl in index $I30 of file 5EB.
Deleting index entry UpdateSessionOrchestration.af0e84b4-56ef-4ae9-b69b-75eb25b73f25.1.etl in index $I30 of file 5EB.
Deleting index entry UPE46B~1.ETL in index $I30 of file 5EB.
Deleting index entry WU95E6~1.ETL in index $I30 of file 5EB.
Deleting index entry WUAD56~1.ETL in index $I30 of file 5EB.
Deleting index entry WuProvider.54c17b44-665f-4c59-8edc-1cc4ff5e2538.1.etl in index $I30 of file 5EB.
Deleting index entry WuProvider.a7dc25f8-325d-4570-991c-12b91aacc49f.1.etl in index $I30 of file 5EB.
Deleting index entry NO64F8~1.ETL in index $I30 of file 5EC.
Deleting index entry NO8272~1.ETL in index $I30 of file 5EC.
Deleting index entry NODD86~1.ETL in index $I30 of file 5EC.
Deleting index entry NotificationUx.159cf477-7bf8-4017-8386-ec0dbcce5da6.1.etl in index $I30 of file 5EC.
Deleting index entry NotificationUx.6e6a3b0d-ab51-4e3f-93dd-16c3de9e12f4.1.etl in index $I30 of file 5EC.
Deleting index entry NotificationUx.fa963793-0f95-4409-ae7e-0ce9c3186daf.1.etl in index $I30 of file 5EC.
Deleting index entry Boss in index $I30 of file 5EF.
Correcting error in index $I30 for file 628.
CHKDSK discovered free space marked as allocated in the bitmap for index $I30 for file 628.
Sorting index $I30 in file 628.
Deleting index entry gdrv3.sys in index $I30 of file 628.
Deleting index entry Amcache.hve in index $I30 of file 62D.
Deleting index entry Amcache.hve.tmp.LOG1 in index $I30 of file 62D.
Deleting index entry Amcache.hve.tmp.LOG2 in index $I30 of file 62D.
Deleting index entry AMCACH~3.LOG in index $I30 of file 62D.
Deleting index entry AMCACH~4.LOG in index $I30 of file 62D.
Deleting index entry NativeImages_v2.0.50727_32 in index $I30 of file 635.
Deleting index entry NATIVE~2.507 in index $I30 of file 635.
Deleting index entry DE4EB0~1 in index $I30 of file 671.
Deleting index entry Devolutionse2b1e0ad# in index $I30 of file 671.
Correcting error in index $I30 for file 6E1.
CHKDSK discovered free space marked as allocated in the bitmap for index $I30 for file 6E1.
Sorting index $I30 in file 6E1.
Deleting index entry Microsoft.V0f908656# in index $I30 of file 6E1.
Deleting index entry Microsoft.Vdf92321b# in index $I30 of file 6E1.

Deleting index entry Boss in index $I30 of file 5EF
Boss is the actual username and the folder name. Could that folder have been deleted by chkdsk, or rather not recovered by recover-bde?
Another strange thing is that I performed all the actions on a laptop in safe mode, as CMD was either giving me a generic error or telling me that one of the drives was in use, so this is what I see from the laptop in safe mode:
Yet, it doesn't work from normal mode:
@Brink, could you give me advice on how to recover User files and/or how to keep using the original drive, please?
Last edited by TenBoss; 27 Nov 2021 at 04:08.
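Added example, not part of TenBoss's post or of the tutorial being discussed: a Python triage of a saved log like the one above. It counts the "Failed to read sector" errors, measures the byte range they cover, and groups chkdsk's "Deleting index entry" lines by the directory record that lost them, so a name such as the user folder can be looked up directly. The 512-byte sector step and the 8.3 short-name filter are assumptions taken from the quoted lines, and the function name is hypothetical.

```python
import re
from collections import defaultdict

# Excerpt of lines quoted in the post above (not the full 6-thousand-line log).
SAMPLE_LOG = r"""
Failed to read sector at offset 1783707142656. (0x00000017)
LOG ERROR: 0xc0000037
Failed to read sector at offset 1783707143168. (0x00000017)
LOG ERROR: 0xc0000037
Failed to read sector at offset 1783707143680. (0x00000017)
Decrypting: 100% Complete.
Deleting index entry MPLog-20211118-080721.log in index $I30 of file 5C9.
Deleting index entry MPLOG-~1.LOG in index $I30 of file 5C9.
Deleting index entry Boss in index $I30 of file 5EF.
Deleting index entry gdrv3.sys in index $I30 of file 628.
"""

READ_FAIL = re.compile(r"Failed to read sector at offset (\d+)\.")
DELETED = re.compile(r"Deleting index entry (.+?) in index \S+ of file ([0-9A-Fa-f]+)\.?$")
SHORT_NAME = re.compile(r"~\d")   # heuristic: 8.3 alias of a long name
SECTOR = 512                      # assumption: offsets in the log step by 512 bytes

def triage(log_text, watch_name):
    """Summarise read failures and the directory entries chkdsk removed."""
    offsets, deleted = [], defaultdict(list)
    for line in map(str.strip, log_text.splitlines()):
        if m := READ_FAIL.search(line):
            offsets.append(int(m.group(1)))
        elif m := DELETED.match(line):
            name, parent = m.groups()
            # parent = record number (hex) of the directory whose $I30 index lost the entry
            deleted[parent.upper()].append(name)
    hits = [p for p, names in deleted.items()
            if watch_name.lower() in [n.lower() for n in names]]
    return {
        "read_failures": len(offsets),
        "first_bad_offset": min(offsets, default=None),
        "bad_span_bytes": max(offsets) - min(offsets) + SECTOR if offsets else 0,
        # drop short-name aliases so each removed file or folder is listed once
        "deleted_by_parent": {p: [n for n in names if not SHORT_NAME.search(n)]
                              for p, names in deleted.items()},
        "watch_hits": hits,
    }

if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG, "Boss").items():
        print(f"{key}: {value}")
```
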
Hello @TenBoss,
Check the permissions of the "D" drive to make sure you have access rights.
Change Permissions of Objects for Users and Groups in Windows 10
It looks like either there was drive corruption or the BitLocker recovery process may have been interrupted since the "E" drive still shows as encrypted by BitLocker in normal mode and "in use" in safe mode, and no access to the "D" drive you recovered to.
Hi @Brink,
I have a problem and I am hoping you could help me out a bit. The problem is I have a 2TB external HDD with multiple partitions, and one of them was BitLocker encrypted. I had a lot of valuable data on there like old backups and family pictures, and yeah, I was stupid enough to have no other backups. I didn't use the disk for quite some time and recently checked it, and strangely the space of the BitLocker encrypted drive showed up as unallocated. I don't remember how this happened, and I might have deleted the partition by mistake.
Now, I am trying to recover the partition or the files in the partition. I tried multiple third party tools like MiniTool Power Data Recovery, DiskGenius, Stellar Data Recovery and more, but none of them were able to detect the deleted partition. I tried using the bde-repair tool, but it gives the error:
ERROR: The input volume has suffered damages to critical information related to the decryption key. Please try the -KeyPackage option to specify a key package. The volume may not be recoverable.
I deleted the rest of the partitions, hoping that there might be BL metadata copies in other locations and ran the bde-tool again and this time it found the proper metadata, but it was invalid and in the end I got the same error as before. I also tried to run the other recovery tools again, which finds the other deleted partitions but not the encrypted one.
Is there anything more I can do at this point to recover my data, or is there no hope?
Hi @Brink
Thank you soooo much for the detailed explanation. I've successfully completed the decrypting using Option #2, but it shows "The type of the file system is RAW. CHKDSK is not available for RAW drives." when I ran the CHKDSK D: /f command per Option #2. Does this mean the data stored in the source drive has been decrypted and restored into the output now, despite the output drive being RAW (unreadable in either Windows or Mac)?
I've also tried to use "CHKDSK D: /r" to no avail. What exactly do you think the cause might be in this case? Would you suggest I use RAW data recovery software (i.e. R-Studio, iBoysoft, etc.) to see if any files could be retrieved from the output drive?
Thank you so much !!!