How to recover files with Linux from a Bitlocker drive

Due to hardware failure Windows became very unstable. I wanted to recover the files using a Live Linux USB thumbdrive. But all my volumes are encrypted with Bitlocker. A quick how-to.

First create a Debian Live USB-stick. Download Debian from the live install images page and use a tool like Rufus to put it on a thumbdrive.

Next boot your system from USB and start the live mode.

In Linux start a terminal and evaluate to root:

machine-a$ sudo su
        

I used Dislocker to access the Bitlocker partitions. Unfortunately the Dislocker package distributed with Debian was unable to read my Bitlocker drives, it seems to be the same issue as issue 185. So my advice is to download the latest versions of Dislocker from GitHub and compile it.

We need a few packages to do the download and compile:

# apt install gcc cmake make libfuse-dev libmbedtls-dev ruby-dev
        

Now we can download, build and install Dislocker:

$ git clone https://github.com/Aorimn/dislocker.git
$ cd disklocker
$ cmake .
$ make
$ make install
        

Now Dislocker is installed we can list all the partitions we have:

machine-a$ fdisk
 
Disk /dev/nvme0n1: 477 GiB, 512110190592 bytes, 1000215216 sectors
Disk model: SAMSUNG MZ***              
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disklabel type: gpt
Disk identifier: C8AE695B-****-****-****-B5625FF1****
 
Device             Start        End   Sectors   Size Type
/dev/nvme0n1p1      2048     534527    532480   260M EFI System
/dev/nvme0n1p2    534528     567295     32768    16M Microsoft reserved
/dev/nvme0n1p3    567296  525885705 525318410 250.5G Microsoft basic data
/dev/nvme0n1p4 525887488  527124479   1236992   604M Windows recovery environme
/dev/nvme0n1p5 527126528  731926527 204800000  97.7G Microsoft basic data
/dev/nvme0n1p6 731926528  936726527 204800000  97.7G Microsoft basic data

In my case the parition with Windows was /dev/nvme0n1p3 (my C drive).

I stored the Bitlocker recovery keys in Azure AD. In Azure AD under devices you can see the Bitlocker ID and you can reveal the recovery key. To know wich parition has which Bitlocker ID, I used bdeinfo. So first I needed to install the package:

apt install libbde-utils

The syntax is pretty simple, bdeinfo followed by the device name

bdeinfo /dev/nvme0n1p3
 
BitLocker Drive Encryption information:
	Encryption method		: AES-XTS 128-bit
	Volume identifier		: e511****-****-***-***
	Creation time			: Jun 23, 2019 21:21:09.633576400 UTC
	Description			: PC15055 Windows 23-6-2019
	Number of key protectors	: 2
 
Key protector 0:
	Identifier			: b8913747-****-****-***
	Type				: Startup key
 
Key protector 1:
	Identifier			: 2a02e2f5-****-****-***
	Type				: Recovery password

Now I was able too match the Recovery password identifier with the ID from in Azure AD.

Next up was creating two directories for mounting.

mkdir /media/bitlocker
mkdir /media/bitlockermount

Dislocker will create a pointer in the mounted directory (/media/bitlocker). That pointer can be mounted in a second directory (/media/bitlockermount) and will contain the filesystem.

First mount Dislocker. Notice the place of the recovery-password and the =-sign after it and take care of the uppercase letter V for the device name!

/usr/local/bin/dislocker -r -s --recovery-password=132627-******-******-******-******-******-******-****** -V /dev/nvme0n1p3 -- /media/bitlocker

Done? Check if it worked and go to the directory.

cd /media/bitlocker
ls

You should see a file named dislocker-file.

Now mount the dislocker-file into the second directory:

mount -t ntfs-3g -o loop dislocker-file /media/bitlockermount

Replace ntfs-3g with exFAT-fuse when you are using exFAT.

Now you are ready to copy files from your Bitlocker encrypted disk to somewhere else.

01-03-2021 EN windows linux bitlocker
Deel via: LinkedIn Twitter