VeraCrypt, TrueCrypt and Bitlocker data recovery
Data encryption is often used by users who do not think about the fact that in full accordance with the dialectic - «where there are roses, there are thorns», and pleasant pluses, in the form of preserving the confidentiality of their files, at any moment can turn into a risk of their loss due to a logical or physical failure of the medium.
That's what happened to the USB flash drive that was sent to our lab.
Being serviceable physically, a pop-up notification of bitlocker encryption appears when connected to the system, but when attempting to unlock the disk with a known password:
The message «BitLocker encryption on this disk is not compatible with the version of Windows you are using. Try opening the disk with a newer version of Windows.»
The flash drive has a dedicated partition with a utility «BitlockerToGo.exe», designed to access the encrypted partition in operating systems such as Windows 7, but trying to use it, also gives the error «This drive cannot be unlocked by the Bitlocker To Go Reader».:
Having received such inputs, the first thing we do is to create a full sector copy into an image file, to get more room for experimentation.
BitLocker does not accept the password
First of all, you should try the console utility «repair-bde», designed to recover BitLocker data lost as a result of a failure. In this case, the utility did not help, in the process of processing, messages like «JOURNAL ERROR: 0xc000003b» and «JOURNAL ERROR: 0xc0000033» were displayed:
Such an error can be caused by an attempt to unlock Bitlocker with an incorrect password, but in this case the password was correct. What happened?
How to unlock BitLocker
The point is that BitLocker encryption is layered, if I may say so. At the «low level» is the basic encryption, which uses the basic unmodifiable Full Volume Encryption Key. This key is generated by the system and is independent of the user's password. It, in turn, is encrypted via the Volume Master Key, which, again, is encrypted by the user password or by the TPM. Thus, when the user password is changed, the data on the disk itself is not modified, but only the Volume Master Key encryption is changed, which makes it possible to change the user password almost instantly, without burdening the operating system and disk array, if we are talking, for example, about encrypting the system disk.
A logical failure, which can often be initiated by a password change, corrupts the encryption metadata stored in the header. Fortunately, the metadata has copies, and if the main one is damaged, you can try to get everything you need from the backup one.
BitLocker decryption
Full logical analysis allows you to localize all available copies of metadata:
The next sector contains the «full key» of the volume, which will need to be decrypted with a known password:
Damage to the metadata may not be critical, but due to a mismatched checksum field, the encryption system will perceive the metadata as corrupted and give an error such as «wrong user password» even if the password is correct, or will not recognize the volume as decryptable at all. In this case, you can decrypt a damaged BitLocker disk by making the necessary CC edits.
Interesting hint: found copies of metadata may contain versions containing unprotected Volume Master Key! This can happen if the user has paused or disabled protection before and then re-enabled it. Disabling encryption does not modify the encrypted data, but only decrypts the volume master key, however, as a result it is relatively easy to access encrypted files. Thus, to decrypt or break BitLocker, it makes no difference how VMK protection was implemented, whether by TPM or user password, as long as logical analysis can find the public version of the encryption key.
TrueCrypt and VeraCrypt data recovery
Often, due to logical or hardware failure of a TrueCrypt or VeraCrypt encrypted drive, the user is faced with the inability to decrypt a disk or volume with a known password or key file. Sometimes the encryption program shows the presence of an encrypted volume, but after applying the password, the file system on the decrypted drive is seen as RAW (not partitioned).
To perform the analysis, it is necessary to exclude the possibility of spontaneous uncontrolled writing to the analyzed disk, especially if a backup sector copy has not been made.
Select the physical disk you want to investigate from among the available disks.
Define the beginning and end of the cipher data search area, you can use both automatic detection and specify offsets from the beginning and end manually.
The next step will require you to enter the known password or key file used to initially encrypt the disks.
After running the scan, encrypted corrupted Trucrypt or Veracrypt volumes will be found, which can be submonitored into the system and an additional logical scan of the decrypted area can be performed.
Truecrypt and veracrypt password recovery
Recovering data from a VeraCrypt or TrueCrypt container in a situation with a forgotten or lost password is a difficult but realizable task, and our laboratory has successfully completed such orders many times. A container file or encrypted disk (partition) is a structure filled with so-called «white noise», which is higher in entropy than most video files. Password selection consists in extracting HASH data from the container or disk, to which a mask will be applied based on the compilation of a known or suspected encryption algorithm and a sequentially searchable password variant applied to the algorithm.
Hash extraction for truecrypt and veravrypt containers is performed by similar methodology, using a hex editor, by manually selecting 200h bytes in a certain part of the image and saving the selected fragment to a separate file.
Further, the obtained hash is matched with selection methods, both commonly used and those of author's design, using partner distributed computing networks, which allows to successfully select rather complex passwords within reasonable time. If the algorithm of the encryption used is not known reliably, one has to go through the options starting from the most common «default» AES SHA-512..
If you are faced with a problem related to the need to recover files from an encrypted disk, volume or partition that you are unable to solve on your own, contact our lab for help!