VeraCrypt, TrueCrypt and Bitlocker data recovery

Artem Makarov aka Robin
19.11.2023
741 view

Data encryption is often used by users who do not think about the fact that in full accordance with the dialectic - «where there are roses, there are thorns», and pleasant pluses, in the form of preserving the confidentiality of their files, at any moment can turn into a risk of their loss due to a logical or physical failure of the medium.

Bitlocker, Truecrypt and Veracrypt data recovery

That's what happened to the USB flash drive that was sent to our lab.

Bitlocker encryption

Being serviceable physically, a pop-up notification of bitlocker encryption appears when connected to the system, but when attempting to unlock the disk with a known password:

Bitlocker decryption

The message «BitLocker encryption on this disk is not compatible with the version of Windows you are using. Try opening the disk with a newer version of Windows.»

BitLocker encryption on this disk is not compatible with the version of Windows you are using

The flash drive has a dedicated partition with a utility «BitlockerToGo.exe», designed to access the encrypted partition in operating systems such as Windows 7, but trying to use it, also gives the error «This drive cannot be unlocked by the Bitlocker To Go Reader».:

This disk cannot be unlocked by Bitlocker To Go Reader

Having received such inputs, the first thing we do is to create a full sector copy into an image file, to get more room for experimentation.

BitLocker does not accept the password

First of all, you should try the console utility «repair-bde», designed to recover BitLocker data lost as a result of a failure. In this case, the utility did not help, in the process of processing, messages like «JOURNAL ERROR: 0xc000003b» and «JOURNAL ERROR: 0xc0000033» were displayed:

Repair-bde error

Such an error can be caused by an attempt to unlock Bitlocker with an incorrect password, but in this case the password was correct. What happened?

How to unlock BitLocker

The point is that BitLocker encryption is layered, if I may say so. At the «low level» is the basic encryption, which uses the basic unmodifiable Full Volume Encryption Key. This key is generated by the system and is independent of the user's password. It, in turn, is encrypted via the Volume Master Key, which, again, is encrypted by the user password or by the TPM. Thus, when the user password is changed, the data on the disk itself is not modified, but only the Volume Master Key encryption is changed, which makes it possible to change the user password almost instantly, without burdening the operating system and disk array, if we are talking, for example, about encrypting the system disk.

A logical failure, which can often be initiated by a password change, corrupts the encryption metadata stored in the header. Fortunately, the metadata has copies, and if the main one is damaged, you can try to get everything you need from the backup one.

BitLocker decryption

Full logical analysis allows you to localize all available copies of metadata:

Copies of the BitLocker primary encryption key

BitLocker metadata structure

The next sector contains the «full key» of the volume, which will need to be decrypted with a known password:

BitLocker hack and recovery

Damage to the metadata may not be critical, but due to a mismatched checksum field, the encryption system will perceive the metadata as corrupted and give an error such as «wrong user password» even if the password is correct, or will not recognize the volume as decryptable at all. In this case, you can decrypt a damaged BitLocker disk by making the necessary CC edits.

Interesting hint: found copies of metadata may contain versions containing unprotected Volume Master Key! This can happen if the user has paused or disabled protection before and then re-enabled it. Disabling encryption does not modify the encrypted data, but only decrypts the volume master key, however, as a result it is relatively easy to access encrypted files. Thus, to decrypt or break BitLocker, it makes no difference how VMK protection was implemented, whether by TPM or user password, as long as logical analysis can find the public version of the encryption key.

TrueCrypt and VeraCrypt data recovery

Often, due to logical or hardware failure of a TrueCrypt or VeraCrypt encrypted drive, the user is faced with the inability to decrypt a disk or volume with a known password or key file. Sometimes the encryption program shows the presence of an encrypted volume, but after applying the password, the file system on the decrypted drive is seen as RAW (not partitioned).

TrueCrypt and VeraCrypt error - RAW system

To perform the analysis, it is necessary to exclude the possibility of spontaneous uncontrolled writing to the analyzed disk, especially if a backup sector copy has not been made.

Mounting TrueCrypt and VeraCrypt disk for analysis

Select the physical disk you want to investigate from among the available disks.

Selecting TrueCrypt and VeraCrypt disk for recovery

Define the beginning and end of the cipher data search area, you can use both automatic detection and specify offsets from the beginning and end manually.

Search for TrueCrypt and VeraCrypt encryption

The next step will require you to enter the known password or key file used to initially encrypt the disks.

Decrypting a damaged disk with TrueCrypt and VeraCrypt

After running the scan, encrypted corrupted Trucrypt or Veracrypt volumes will be found, which can be submonitored into the system and an additional logical scan of the decrypted area can be performed.

Data recovery of files and information with TrueCrypt and VeraCrypt

Truecrypt and veracrypt password recovery

Recovering data from a VeraCrypt or TrueCrypt container in a situation with a forgotten or lost password is a difficult but realizable task, and our laboratory has successfully completed such orders many times. A container file or encrypted disk (partition) is a structure filled with so-called «white noise», which is higher in entropy than most video files. Password selection consists in extracting HASH data from the container or disk, to which a mask will be applied based on the compilation of a known or suspected encryption algorithm and a sequentially searchable password variant applied to the algorithm.

Hash extraction for truecrypt and veravrypt containers is performed by similar methodology, using a hex editor, by manually selecting 200h bytes in a certain part of the image and saving the selected fragment to a separate file.

TrueCrypt and VeraCrypt hash extraction

Further, the obtained hash is matched with selection methods, both commonly used and those of author's design, using partner distributed computing networks, which allows to successfully select rather complex passwords within reasonable time. If the algorithm of the encryption used is not known reliably, one has to go through the options starting from the most common «default» AES SHA-512..

If you are faced with a problem related to the need to recover files from an encrypted disk, volume or partition that you are unable to solve on your own, contact our lab for help!

Write a comment