DIY DataRecovery.nl Support forum

Support => DiskPatch => Topic started by: spyder_pk on January 29, 2013, 06:04:23 PM



Title: Recovering a partition encrypted using BitLocker
Post by: spyder_pk on January 29, 2013, 06:04:23 PM
Hi,
My external Seagate Freeagent 250GB HDD is partitioned in 2 Primary partitions. One was used for backing up frequently used software and music and is NOT encrypted and it working just fine but the second one (50GB) I used to backup personal files and photos and hence it was BitLocker encrypted in Windows 7 has developed problems out of the blue.

(http://i315.photobucket.com/albums/ll451/spyder_pk/DiskManagement_zps8d8b9b3a.png)

I run Windows 8. Recently the drive just disappeared from My Computer. I could still see it in Disk Management but the drive had no volume assigned to it and therefore had no drive letter assigned as well. I cannot check drive properties in Disk Management or assign it a drive letter. No file recovery software can read the files on the partition as they are encrypted. I did NOT format the drive yet to preserve my data.

It was initially detected as an Active primary but I used diskpart tool in windows to unmark the active attribute. So, it is currently a RAW, Primary partition.

I GetDataBack for NTFS shows the drive as having the same start and end values:
(http://i315.photobucket.com/albums/ll451/spyder_pk/GDBNTFS_zpsf9de6bcc.png)

I tried Testdisk software from CGsecurity.org and it shows 2 errors.
(http://i315.photobucket.com/albums/ll451/spyder_pk/Analyse_zpsc6905b2b.png)
1) Space conflict between the two partitions - overlapping sectors?
2) Bad NTFS bootsector for the missing partition.

(http://i315.photobucket.com/albums/ll451/spyder_pk/Boot_zpse516b001.png)

However Testdisk is unable to rebuild the bad BS.

I downloaded DiskPatch and installed it but when I try to run the make bootable cd app, I get an error saying "Failed to load control MCDBControl from MCDBX.ocx. Your version of MCDX may be outdated." Is this a Windows 8 related error?

So what I need first is help working around or fixing this so I can create a bootable DiskPatch USB drive. Can I then rebuild BS to repair my BitLocker encrypted drive?

Many thanks in advance!


Title: Re: Recovering a partition encrypted using BitLocker
Post by: Joep on January 29, 2013, 06:44:59 PM
Hello,

You do not need the boot disk builder to create a bootable USB key, I don't know why it doesn't work, never tried it in windows 8.
From the manual:
"Finally, it's also possible to create a bootable USB key that can be used instead of the diskette or CD/DVD. If you wish to do so open the "Create a bootable USB key for DiskPatch" document from the DiskPatch Start menu and follow the directions.
The PC must be able to boot from USB keys, but most modern day machines have no problems with this. You may need to adjust some settings in the BIOS, notably the boot order and perhaps USB compatibility settings. Consult your PC's BIOS manual for more details."

Whether this can be fixed or not is impossible to tell without a DiskPatch log file.
More info here: http://www.diydatarecovery.nl/dp_manual/guide_supportanalysis.htm


Title: Re: Recovering a partition encrypted using BitLocker
Post by: spyder_pk on February 03, 2013, 07:37:24 AM
Thanks for the guidance. I made the usb key. And running it now.. at the step where DP determines cluster size repairing ntfs boot sector.. it is 20% done now but the table of cluster size at the top is still emptying. Ill run DP run all the way though and update this.. was just wondering why it still cant determine thee cluster size.. ofcourse the disk is conneected via usb


Title: Re: Recovering a partition encrypted using BitLocker
Post by: Joep on February 03, 2013, 10:01:11 AM
hello,

ok, but a normal DiskPatch analysis logfile would be nice for starters ....


Title: Re: Recovering a partition encrypted using BitLocker
Post by: spyder_pk on February 03, 2013, 10:08:37 AM
Sure. I'll post the log here when process is completed. Still nothing in cluster size graph. (http://i315.photobucket.com/albums/ll451/spyder_pk/IMAG0057_zps7e4869b3.jpg)


Title: Re: Recovering a partition encrypted using BitLocker
Post by: spyder_pk on February 03, 2013, 11:16:44 AM

.../000:03/LOG> ### LOG START ###
.../000:03/LOG> DISKPATCH 3.5.300
.../000:03/LOG> (C) 2000-2009 DIY DataRecovery
.../000:03/LOG> Contact info: HTTP://www.DIYDataRecovery.nl
.../000:03/LOG> MemFree: 62Kb
.../000:03/LOG> CommandLineParms:
.../000:03/LOG> LogDate: 02-03-2013
.../000:03/CFG> FilePath="C:DPFILES\"
.../000:03/CFG> ReadRetries="32"
.../000:03/CFG> WriteRetries="32"
.../000:03/CFG> MaxReadErrors="32"
.../000:03/CFG> MaxWriteErrors="1"
.../000:03/CFG> LogEachReadError="1"
.../000:03/CFG> ReadDelay="0"
.../000:03/CFG> VfyFixedBadSect="1"
.../000:03/CFG> CleanAfterDOD="1"
.../000:03/CFG> DiskReset="1"
.../000:03/CFG> SectorSkip="1024"
.../000:03/CFG> AutoSaveState="1"
.../000:03/CFG> DumpFoundSectors="0"
.../000:03/CFG> FixFats="1"
.../000:03/CFG> MaxFatScan="51200"
.../000:03/CFG> MaxDataColEntries="256"
.../000:03/CFG> IgnoreF8FF="0"
.../000:03/CFG> DownSizeExt="1"
.../000:03/CFG> ScanSignature="55AA"
.../000:03/CFG> Rebuild="00"
.../000:03/13H> Ext13H installed test requested
.../000:03/13H> Disk found at 128
.../000:03/13H> Ext13H version: EDD-3.0
.../000:03/13H> Ext13H Support: Extended disk access functions
.../000:03/13H> Ext13H Support: Removable drive controller functions
.../000:03/13H> Ext13H Support: Enhanced disk drive functions
.../000:03/13H> Ext13H Flags: DMA boundary errors handled transparently
.../000:03/13H> Ext13H Flags: Cylinder/head/sector info is valid
.../000:03/13H> Drive Interface Info:
.../000:03/13H> Disk 128 X13H data : 491/255/63 7892992/512
.../000:03/13H> Disk found at 129
.../000:03/13H> Ext13H version: EDD-3.0
.../000:03/13H> Ext13H Support: Extended disk access functions
.../000:03/13H> Ext13H Support: Removable drive controller functions
.../000:03/13H> Ext13H Support: Enhanced disk drive functions
.../000:03/13H> Ext13H Flags: DMA boundary errors handled transparently
.../000:03/13H> Drive Interface Info:
.../000:03/13H> Disk 129 X13H data : 0/0/0 488397166/512
.../000:03/13H> Disk found at 130
.../000:03/13H> Ext13H version: EDD-3.0
.../000:03/13H> Ext13H Support: Extended disk access functions
.../000:03/13H> Ext13H Support: Enhanced disk drive functions
.../000:03/13H> Ext13H Flags: DMA boundary errors handled transparently
.../000:03/13H> Drive Interface Info:
.../000:03/13H> Disk 130 X13H data : 16383/16/63 234441648/512
.../000:03/13H> Ext13H tested ok
.../000:03/FDL> DiskList requested
.../000:03/FDL> Disk found at 128
.../000:03/FDL> Disk found at 129
.../000:03/FDL> Disk found at 130
### DISKLIST.ARRAY ###
__D_|________LBA_|___H_|__S_|__GB_|__GEO
128 | ...7892992 | 255 | 63 | ..3 | BIOS
129 | .488397166 | 255 | 63 | 232 | BIOS
130 | .234441648 | 255 | 63 | 111 | BIOS
..0 | .........0 | ..0 | .0 | ..0 | BIOS
.../000:03/IAS> AdmiSector found on disk 0 (128)
.../000:03/IAS> AdmiSector init complete for disk 1 (129)
.../000:03/IAS> AdmiSector found on disk 2 (130)
.../000:04/EXE> Read/Write pattern test for disk 0 (128) successful
.../000:04/EXE> Read/Write pattern test for disk 1 (129) successful
.../000:05/EXE> Read/Write pattern test for disk 2 (130) successful
.../000:05/WAS> AdmiSectors in use : 0+ 1+ 2+
.../000:05/KEY> 251OO6OO74/8
.../000:05/PFC> PQstuff signature not detected on disk 0 (128)
.../000:05/PFC> PQstuff signature not detected on disk 1 (129)
.../000:05/PFC> PQstuff signature not detected on disk 2 (130)
.../000:05/PFC> UDMA driver not loaded
.../000:05/PFC> Disk health not checked
.../000:07/PFC> Partition State backup not found on disk 0 (128)
.../000:07/PFC> Partition State backup not found on disk 1 (129)
.../000:07/PFC> Partition State backup not found on disk 2 (130)
.../000:07/PFC> No Repair date found on disk 0 (128)
.../000:07/PFC> No Repair date found on disk 1 (129)
.../000:07/PFC> No Repair date found on disk 2 (130)
.../000:14/MNU> - Main, Select Disk
.../000:43/CSD> Start CheckDisk for disk 1 (129)
.../000:43/CSD> CheckDisk complete, ReadErrors 0
.../000:43/USD> Disk 1 (129) selected
.../000:43/GSC> First DP run, geo info for disk 1 (129) not yet recorded
.../000:43/WAS> AdmiSectors in use : 0+ 1+ 2+
129/000:43/USD> MBR for disk 1 (129)
129/000:43/LOG> SectorDump requested at 0 (0 0 1)
###
000   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  |  ................
016   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  |  ................
032   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  |  ................
048   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  |  ................
064   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  |  ................
080   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  |  ................
096   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  |  ................
112   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  |  ................
128   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  |  ................
144   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  |  ................
160   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  |  ................
176   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  |  ................
192   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  |  ................
208   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  |  ................
224   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  |  ................
240   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  |  ................
256   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  |  ................
272   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  |  ................
288   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  |  ................
304   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  |  ................
320   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  |  ................
336   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  |  ................
352   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  |  ................
368   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  |  ................
384   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  |  ................
400   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  |  ................
416   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  |  ................
432   00 00 00 00 00 00 00 00 00 73 B5 A4 00 00 00 01  |  .........s....
448   01 00 07 FE FF FF 3F 00 00 00 9D 49 C3 16 00 FE  |  .....?...I..
464   FF FF 07 FE FF FF 00 48 C3 16 00 00 59 06 00 00  |  ......H...Y...
480   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  |  ................
496   00 00 00 00 00 00 00 00 00 00 00 00 00 00 55 AA  |  ..............U
###
129/000:43/VEC> Start Verify EPBR Chain for disk 1 (129)
129/000:43/VEC> Listing current partitions on disk:
129/000:43/VEC>     NTFS (P)  FreeAgent D          63   381897117     (182 Gb)
129/000:43/VEC>     NTFS (P)      NO NAME   381896704   106496000      (51 Gb)
129/000:43/VEC> Partition Table info for sector 0 (0 0 1)
129/000:43/LOG> PartListDump requested at 0 (0 0 1)
### _ACT_|_TYPE_|__START--C/H/S_|__END----C/H/S_|__LBA-start_|_LBA-length
..1 ...0 | ..07 | ....0...1...1 | .1023.254..63 | ........63 | .381897117
..2 ...0 | ..07 | .1023.254..63 | .1023.254..63 | .381896704 | .106496000
..3 ...0 | ..00 | ....0...0...0 | ....0...0...0 | .........0 | .........0
..4 ...0 | ..00 | ....0...0...0 | ....0...0...0 | .........0 | .........0
129/000:43/VEC> 55AA sig Ok
129/000:43/LOG> Boot sector dump requested at 63 (0 1 1)
### BootSectorDump for BStype NTFS
...........Jump Code (hex): EB5290
............OEM Name (txt): NTFS
....Bytes per Sector (dec): 512
.Sectors per Cluster (dec): 8
....Reserved Sectors (dec): 0
..............Unused (hex): 0000000000
....Media Descriptor (hex): F8
..............Unused (hex): 0000
...Sectors per Track (dec): 63
.....Heads per Track (dec): 255
......Hidden Sectors (dec): 63
..............Unused (hex): 00000000
.............Unknown (hex): 00800080
.......Total Sectors (dec): 381896001
........MFT Location (dec): 2
.MFT Mirror Location (dec): 30524500
....Clusters per FRS (dec): 246
.Clusters/Indx Block (dec): 1
...........Volume ID (hex): 04789CA9789C9B4E
........Volume Label (txt): FreeAgent D
............Checksum (hex): 00000000
....Sector Signature (hex): AA55
129/000:43/VEC> BS and BBS equal
129/000:43/LOG> Boot sector dump requested at 381896704 (23771 247 29)
### BootSectorDump for BStype NTFS
...........Jump Code (hex): EB5890
............OEM Name (txt): -FVE-FS-
....Bytes per Sector (dec): 512
.Sectors per Cluster (dec): 8
....Reserved Sectors (dec): 0
..............Unused (hex): 0000000000
....Media Descriptor (hex): F8
..............Unused (hex): 0000
...Sectors per Track (dec): 63
.....Heads per Track (dec): 255
......Hidden Sectors (dec): 381896704
..............Unused (hex): 00000000
.............Unknown (hex): 00001FE0
.......Total Sectors (dec): 0
........MFT Location (dec): 393217
.MFT Mirror Location (dec): 0
....Clusters per FRS (dec): 2687104
.Clusters/Indx Block (dec): 1308622848
...........Volume ID (hex): 2020454D414E204F
........Volume Label (txt): NO NAME
............Checksum (hex): 41462020
....Sector Signature (hex): AA55
129/000:43/VEC> BS and BBS not equal, dump follows;
129/000:43/LOG> Boot sector dump requested at 488392703 (30401 10 9)
### BootSectorDump for BStype NTFS (B)
...........Jump Code (hex): 14C02C
............OEM Name (txt): p1} +
....Bytes per Sector (dec): 17179
.Sectors per Cluster (dec): 165
....Reserved Sectors (dec): 4294951377
..............Unused (hex): 79CF7E1AFD
....Media Descriptor (hex): 71
..............Unused (hex): 4144
...Sectors per Track (dec): 4294957122
.....Heads per Track (dec): 4294962553
......Hidden Sectors (dec): 280752731
..............Unused (hex): 4C0DEC5D
.............Unknown (hex): B8A7CC09
.......Total Sectors (dec): 2633527330
........MFT Location (dec): 1942010997
.MFT Mirror Location (dec): 1784810133
....Clusters per FRS (dec): 1831991639
.Clusters/Indx Block (dec): 4224906717
...........Volume ID (hex): F9E181174FF48AEE
........Volume Label (txt): (Err)
............Checksum (hex): A7F7D126
....Sector Signature (hex): CD27
129/000:43/VEC> Verify EPBR Chain completed
129/000:44/USD> Select disk completed
129/000:49/MNU> - Main, Repairs
129/000:54/MNU> - Repair, Rebuild Boot Sectors
129/001:05/UND> New Undo archive created for disk 1 (129)
129/001:05/LOG> Undo settings: GL(+) DE(+) FAT(+)
129/001:32/CBS> Checking validity for NTFS BS at 381896704 (23771 247 29)
129/001:32/CBS> E: Jumpcode : EB5890
129/001:32/CBS> I: OEM name : -FVE-FS-
129/001:32/CBS> E: clusters/FRS : 2687104
129/001:32/CBS> E: clusters/indx block : 1308622848
129/001:32/CBS> E: Unknown : 00001FE0
129/001:32/CBS> E: Volume size : 0
129/001:32/CBS> E: MFT location : 393217
129/001:32/CBS> 1st sector of MFT:
129/001:32/LOG> SectorDump requested at 385042440 (23967 199 49)
###
000   05 7E 67 68 B5 EA D0 F8 CD B5 5E 4C DD 84 62 EE  |  .~gh͵^L݄b
016   0D 4D 73 AD 3B 01 48 89 9D 52 0F 00 9D CF C8 63  |  .Ms;.HR..c
032   85 92 68 95 0A 7F A2 10 3A 01 87 7B 5A F2 64 94  |  h..:.{Zd
048   57 7A ED E5 9F 28 43 BF C1 9E 80 54 EE DD 1B 1E  |  Wz(CT..
064   5B 92 9D 7D 19 D3 43 4C 9F C2 F1 E4 47 3C 9F 05  |  [}.CLG<.
080   CA 0F D4 4E 21 ED 03 A3 8A 4F 18 19 2E A4 63 6B  |  .N!.O...ck
096   89 1C BB 65 36 65 17 6E 9D 68 F7 39 61 74 ED F7  |  .e6e.nh9at
112   4F 22 19 16 8F 28 AF 3C 66 FB C9 E9 D6 AB 9D 5D  |  O"..(<f֫]
128   52 78 C7 EE 6E 42 2A 5F BD 62 D7 12 61 7B 3A 7F  |  RxnB*_b.a{:
144   E6 0A 9C 7B E3 0B FC CB 9B 8F 05 6B 4A C4 E6 F3  |  .{.˛.kJ
160   B2 E7 42 F1 92 B8 EB 3C 65 80 33 6B ED 97 B0 04  |  B<e3k헰.
176   8A 72 E0 2F 48 8A A6 32 47 6E 80 9F 8E 93 CA F1  |  r/H2Gn
192   4D 7E 3F 88 12 8C 4A DD E8 44 41 4B CF 7E 4B D4  |  M~?.JDAK~K
208   BC C8 75 B4 AE 0E 31 C9 8E 1F F8 B8 DA D7 E3 D3  |  u.1Ɏ.
224   BA 06 DC 7A 80 87 30 09 D0 4E 07 23 03 78 3B 2B  |  .z0.N.#.x;+
240   3C 43 28 BD 2F 1A 9F B7 66 7F 2A B5 CE B9 58 82  |  <C(/.f*ιX
256   04 32 20 A2 AD 0C 67 5D AB A4 B6 18 39 CA 86 DE  |  .2 .g].9ʆ
272   71 F1 33 92 60 A6 1A E1 96 C9 90 7E 26 03 DB 36  |  q3`.ɐ~&.6
288   0B EE 4B 09 C0 35 F2 50 30 04 1E 3E 2C 2A EB AA  |  .K.5P0..>,*
304   0C 5D B5 80 37 EC DF AC D6 75 88 DB 03 E8 09 7E  |  .]7߬u..~
320   C8 5F 7C BE 5C 38 5B DE FD 2A 0A 0F 47 C8 86 3D  |  _|\8[*..GȆ=
336   21 39 FF 18 77 35 CC 21 AF 4C 28 97 78 E8 24 BD  |  !9..w5!L(x$
352   7E 77 CF BA EC FF A9 A5 89 8B 62 CC 59 6C 86 EB  |  ~wϺ.bYl
368   7A 1B EA 1D 8E 29 FE BC 93 F9 78 6D C7 8D 08 DE  |  z..)xmǍ.
384   70 25 DA 06 95 FC C9 83 AC 73 46 80 C5 34 E4 BD  |  p%.ɃsF4
400   22 21 1F 4D 7E 7D B7 9C C8 B5 03 9E 20 F9 4C 36  |  "!.M~}ȵ. L6
416   D2 F3 ED D6 4D 3A 1D 09 AE 34 AE B5 32 81 4C 2B  |  M:..42L+
432   44 E1 16 E9 22 F6 D4 F0 6D D1 E3 41 F7 D8 A5 7E  |  D."mAإ~
448   28 0A 05 3D 45 B7 E2 A1 C2 CD 67 2A 2C B8 8D 84  |  (..=Eg*,
464   C0 13 5D 45 D8 7A C5 8A F5 F7 8F DF C8 B9 7B 14  |  .]EzŊȹ{.
480   37 9F 6F F6 3E 70 BD 24 C2 02 40 3B 13 5E 9C 36  |  7o>p$.@;.^6
496   4B 7B 67 1D A2 7A 02 D0 11 9C 05 E7 23 41 99 87  |  K{g.z...#A
###
129/001:32/CBS> E: MFT mirror location : 0
129/001:32/CBS> E: 1st sector for MFT/MFTmirror NOT equal
129/001:32/CBS> E: Checksum : 41462020
129/001:32/CBS> Check completed
129/002:00/AFR> Start FindClusterSize (NTFS), from 381896704 to 388188159 (6291456)
129/244:37/AFR> ClusterSize could not be determined
129/244:37/RBS> BS data could not be determined
129/245:14/BSE> Start BSedit NTFS at 381896704 (23771 247 29)
129/245:14/LOG> Boot sector dump requested at 381896704 (23771 247 29)
### BootSectorDump for BStype NTFS
...........Jump Code (hex): EB5890
............OEM Name (txt): -FVE-FS-
....Bytes per Sector (dec): 512
.Sectors per Cluster (dec): 8
....Reserved Sectors (dec): 0
..............Unused (hex): 0000000000
....Media Descriptor (hex): F8
..............Unused (hex): 0000
...Sectors per Track (dec): 63
.....Heads per Track (dec): 255
......Hidden Sectors (dec): 381896704
..............Unused (hex): 00000000
.............Unknown (hex): 00001FE0
.......Total Sectors (dec): 0
........MFT Location (dec): 393217
.MFT Mirror Location (dec): 0
....Clusters per FRS (dec): 2687104
.Clusters/Indx Block (dec): 1308622848
...........Volume ID (hex): 2020454D414E204F
........Volume Label (txt): NO NAME
............Checksum (hex): 41462020
....Sector Signature (hex): AA55
129/247:04/BSE> End BSedit NTFS at 381896704 (23771 247 29), changes discarded
129/247:08/UND> Undo archive discarded, no sectors saved
129/247:15/MNU> - Main, Disk Ops
129/247:21/MNU> - Main, MBR ops
129/247:31/CPA> Start Change Partition Attributes, dump follows;
129/247:31/LOG> PartListDump requested at 0 (0 0 1)
### _ACT_|_TYPE_|__START--C/H/S_|__END----C/H/S_|__LBA-start_|_LBA-length
..1 ...0 | ..07 | ....0...1...1 | .1023.254..63 | ........63 | .381897117
..2 ...0 | ..07 | .1023.254..63 | .1023.254..63 | .381896704 | .106496000
..3 ...0 | ..00 | ....0...0...0 | ....0...0...0 | .........0 | .........0
..4 ...0 | ..00 | ....0...0...0 | ....0...0...0 | .........0 | .........0
129/247:36/CPA> Change Partition Attributes aborted
129/247:38/MNU> - Main, Utilities
129/247:45/MNU> - Main, Options
129/247:52/MNU> - Main, Quit
129/247:52/LOG> RunTime: 247:52
129/247:52/LOG> ### CLOSE LOG ###



Title: Re: Recovering a partition encrypted using BitLocker
Post by: spyder_pk on February 03, 2013, 11:20:33 AM
BS recovery failed.. cluster size could not be determined.. I think even that is encryped by bitlocker  :-\

Need help. Should I do a quick format or try to enter BS manually?


Title: Re: Recovering a partition encrypted using BitLocker
Post by: Joep on February 03, 2013, 07:49:47 PM
Hello,

The entire volume is encrypted. -FVE-FS- is put there by the encryption software. Changing it to NTFS is useless. I'm afraid there's nothing we can do for you. Rather than treating this as a file system issue, you should see if there are solutions (from Microsoft) to re-gain access to an encrypted bitlocker volume.


Title: Re: Recovering a partition encrypted using BitLocker
Post by: spyder_pk on February 03, 2013, 08:28:52 PM
Thanks for your help. I have contacted MS and waiting for them to get back to me. I compared the BS of the partitions in the log and seems the BS of the FVE-FS drive is correct.. it has a lot of hidden sectors and other data that is not damaged as I did not format the drive...


Title: Re: Recovering a partition encrypted using BitLocker
Post by: spyder_pk on February 03, 2013, 08:32:21 PM
Hi Joep,

Could you just answer one more question for me please?

Can I edit the partition table/MBR to register this volume so it get a drive letter?

MS has a BitLocker Repair Tool app but that requires the volume to have a drive letter attached which I can't at the moment. I cannot understand why this drive is showing up as RAW.


Title: Re: Recovering a partition encrypted using BitLocker
Post by: Joep on February 04, 2013, 02:09:48 PM
Hello,

The partition table is already telling it's NTFS. So assume the file system driver gets the information that it's an encrypted volume from the partition's boot sector (the -FVE-FS- signature). With the DiskPatch boot sector editor it's easy enough to change that to NTFS, but I'm really uncomfortable make any suggestions like that: I haven't got a clue of what might happen.

regarding the drive letter thing: I assume you already tried doing that in disk management? [EDIT] Sorry, see you already tried that ....


Title: Re: Recovering a partition encrypted using BitLocker
Post by: spyder_pk on February 04, 2013, 04:00:04 PM
Thanks for your help Joep. Really appreciate it. I posted for help on 4-5 forums and you are the only one helping me. I need you advice once again.

I noticed in the log that the Hidden Sectors value for both partitions are different.. why is that?

First the boot sector of the first partition that is working perfectly:
129/000:43/LOG> Boot sector dump requested at 63 (0 1 1)
### BootSectorDump for BStype NTFS
...........Jump Code (hex): EB5290
............OEM Name (txt): NTFS
....Bytes per Sector (dec): 512
.Sectors per Cluster (dec): 8
....Reserved Sectors (dec): 0
..............Unused (hex): 0000000000
....Media Descriptor (hex): F8
..............Unused (hex): 0000
...Sectors per Track (dec): 63
.....Heads per Track (dec): 255
......Hidden Sectors (dec): 63
..............Unused (hex): 00000000
.............Unknown (hex): 00800080
.......Total Sectors (dec): 381896001
........MFT Location (dec): 2
.MFT Mirror Location (dec): 30524500
....Clusters per FRS (dec): 246
.Clusters/Indx Block (dec): 1
...........Volume ID (hex): 04789CA9789C9B4E
........Volume Label (txt): FreeAgent D
............Checksum (hex): 00000000
....Sector Signature (hex): AA55

All is fine and normal there... Now the Boot Sector of the lost drive which IS encrypted:

129/000:43/LOG> Boot sector dump requested at 381896704 (23771 247 29)
### BootSectorDump for BStype NTFS
...........Jump Code (hex): EB5890
............OEM Name (txt): -FVE-FS-
....Bytes per Sector (dec): 512
.Sectors per Cluster (dec): 8
....Reserved Sectors (dec): 0
..............Unused (hex): 0000000000
....Media Descriptor (hex): F8
..............Unused (hex): 0000
...Sectors per Track (dec): 63
.....Heads per Track (dec): 255
......Hidden Sectors (dec): 381896704
..............Unused (hex): 00000000
.............Unknown (hex): 00001FE0
.......Total Sectors (dec): 0
........MFT Location (dec): 393217
.MFT Mirror Location (dec): 0
....Clusters per FRS (dec): 2687104
.Clusters/Indx Block (dec): 1308622848
...........Volume ID (hex): 2020454D414E204F
........Volume Label (txt): NO NAME
............Checksum (hex): 41462020
....Sector Signature (hex): AA55

FVE(Full volume encryption or BitLocker) is on. Now my question... why is the Hidden Sectors count of this partition 381896704 instead of 63(the same as first partition)? Should it be 63?

I also encrypted another 1GB LOGICAL partition on ANOTHER HDD using BitLocker to check it's Boot Sector:
129/000:23/LOG> Boot sector dump requested at 232388608 (14465 133 5)
### BootSectorDump for BStype NTFS
...........Jump Code (hex): EB5890
............OEM Name (txt): -FVE-FS-
....Bytes per Sector (dec): 512
.Sectors per Cluster (dec): 8
....Reserved Sectors (dec): 0
..............Unused (hex): 0000000000
....Media Descriptor (hex): F8
..............Unused (hex): 0000
...Sectors per Track (dec): 63
.....Heads per Track (dec): 255
......Hidden Sectors (dec): 63
..............Unused (hex): 00000000
.............Unknown (hex): 00001FE0
.......Total Sectors (dec): 0
........MFT Location (dec): 393217
.MFT Mirror Location (dec): 0
....Clusters per FRS (dec): 2687104
.Clusters/Indx Block (dec): 1308622848
...........Volume ID (hex): 2020454D414E204F
........Volume Label (txt): NO NAME
............Checksum (hex): 41462020
....Sector Signature (hex): AA55

As you can see the Boot sector of this encrypted drive is almost exactly the same as the boot sector of the drive I lost except for 1 field.. Hidden Sectors (dec): 63

So why it 63 here? Is it because the partition is logical while the partition I lost was primary? If not then can this be why the drive is lost? Will changing the Hidden Sectors to 63 on the lost drive boot sector from 381896704 help recover the drive?

I also noted a difference in the HEX data of the boot sectors of lost drive and the drive I encrypted for testing.
First few bytes of HEX data of the lost drive are:

EB 58 90 2D 46 56 45 2D 46 53 2D 00 02 08 00 00 00 00 00 00 00 F8 00 00 3F 00 FF 00 00 48 C3 16

and corresponding data is:

X.-FVE-FS-............?...H.

Same boot sector bytes of the test drive are:

EB 58 90 2D 46 56 45 2D 46 53 2D 00 02 08 00 00 00 00 00 00 00 F8 00 00 3F 00 FF 00 3F 00 00 00

and corresponding data on test drive is:

X.-FVE-FS-............?..?...

while this data for ALL NTFS drives I checked is:

R.NTFS    ............?..?...

As you can clearly see the lost drive has different HEX data here than the test encrypted drive AND normal NTFS volume. Will editing .H. to ?... help??

Complete log of second disk is attached. I tried to attach it but the site did not allow it as it is not zip


Title: Re: Recovering a partition encrypted using BitLocker
Post by: spyder_pk on February 05, 2013, 04:53:31 AM
Never mind..

I know the answer already.. I changed the test partition to primary and reencrypted it and sure enf the noot sector started looking almost exactly like the one on the lost drive. At this point I'm stumped.
MBR.. perfect..
Partition table..perfect.
Boot sector.. perfect

Partition.. raw and lost

Here are the boot sector tables for lost and test partitions..

Lost:
129/245:14/LOG> Boot sector dump requested at 381896704 (23771 247 29)
### BootSectorDump for BStype NTFS
...........Jump Code (hex): EB5890
............OEM Name (txt): -FVE-FS-
....Bytes per Sector (dec): 512
.Sectors per Cluster (dec): 8
....Reserved Sectors (dec): 0
..............Unused (hex): 0000000000
....Media Descriptor (hex): F8
..............Unused (hex): 0000
...Sectors per Track (dec): 63
.....Heads per Track (dec): 255
......Hidden Sectors (dec): 381896704
..............Unused (hex): 00000000
.............Unknown (hex): 00001FE0
.......Total Sectors (dec): 0
........MFT Location (dec): 393217
.MFT Mirror Location (dec): 0
....Clusters per FRS (dec): 2687104
.Clusters/Indx Block (dec): 1308622848
...........Volume ID (hex): 2020454D414E204F
........Volume Label (txt): NO NAME
............Checksum (hex): 41462020
....Sector Signature (hex): AA55

Test:
.../000:27/LOG> Boot sector dump requested at 232396290 (14466 0 1)
### BootSectorDump for BStype NTFS
...........Jump Code (hex): EB5890
............OEM Name (txt): -FVE-FS-
....Bytes per Sector (dec): 512
.Sectors per Cluster (dec): 8
....Reserved Sectors (dec): 0
..............Unused (hex): 0000000000
....Media Descriptor (hex): F8
..............Unused (hex): 0000
...Sectors per Track (dec): 63
.....Heads per Track (dec): 255
......Hidden Sectors (dec): 232396290
..............Unused (hex): 00000000
.............Unknown (hex): 00001FE0
.......Total Sectors (dec): 0
........MFT Location (dec): 393217
.MFT Mirror Location (dec): 0
....Clusters per FRS (dec): 2687104
.Clusters/Indx Block (dec): 1308622848
...........Volume ID (hex): 2020454D414E204F
........Volume Label (txt): NO NAME
............Checksum (hex): 41462020
....Sector Signature (hex): AA55

Anything else I should check?


Title: Re: Recovering a partition encrypted using BitLocker
Post by: Tom on February 05, 2013, 02:20:11 PM
I'm confused. You said you have a bitlocker recovery tool but it requires a driveletter. The thing is, you should be able to assign a driveletter to a raw volume, just do that in the disk management tool. Once the letter is assigned you can run the bitlocker recovery tool, right?


Title: Re: Recovering a partition encrypted using BitLocker
Post by: spyder_pk on February 06, 2013, 04:09:58 AM
Disk management gives me an error that it cannot read the disk or smth and to close Disk Management and reopen. I guess it cannot write due to disk space conflict? Overlapping sectors are there...

End sector for Partition 0 = 381 897 117
First sector of Partition 1 - 381 896 704
Why is this number more than First sector?
Partition 0 overlapping Partition 1?
Could this be the problem?

Will backing up all the data in Paritition 0 and deleting it help??! If I can just get to Partition 1 and back it up then I can delete it repartition the entire disk!


Title: Re: Recovering a partition encrypted using BitLocker
Post by: Joep on February 06, 2013, 07:53:00 AM
I very much doubt deleting the partition will help you. How did that number get there, in the partition table (381897117)? What was the disk partitioned with?

Anyway, the real number that the file system uses is the one in the boot sector (381896001).


Title: Re: Recovering a partition encrypted using BitLocker
Post by: spyder_pk on February 06, 2013, 05:54:25 PM
Thanks Joep!

I cannot believe I missed that!  ???

Should I then edit the MBR to number 381896001 as total sectors in the first drive instead of 381897117 it is showing now?! Will that fix it? I backed up all data from the first partition in case I plan to go ahead with any repairs.


Title: Re: Recovering a partition encrypted using BitLocker
Post by: spyder_pk on February 06, 2013, 08:16:42 PM
Hi Joep!

I found out the problem.. it is as you said!

After reading your post.. I did some calculations and it was there right in front of us all along! I decided to check what the boot sector dump at sector 63 (start sector for the NTFS drive that is working) showed.

I was shocked to see I missed that the boot sector dump of at sector 63 showed the total sectors in the partition to be 381896001 AND NOT 381897117 as shown in MBR!

So I decided to do the calculations with 381896001 as total sectors and here it is:
381896001 + 63(Start of partition 0) = 381896064 - END OF Partition 0 (Location of Backup BS??)
Start of Lost partition is 381896704
So.. 381896704-381896064= 640 - NO OVERLAPPING FOR 640 SECTORS!!!

It is now CONFIRMED! Total Sectors count for Partition 0 in MBR is false!

Confirmation is the Backup Boot Sector Dump for sector 63 is found at sector 381896064 (63+381896001) from the partition's boot sector and NOT at sector 381897180 (63+381897117) from the MBR.

DUMP at sector 381896064:
Offset(h)   00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
2D868B0000  EB 52 90 4E 54 46 53 20 20 20 20 00 02 08 00 00  R.NTFS    .....
2D868B0010  00 00 00 00 00 F8 00 00 3F 00 FF 00 3F 00 00 00  .......?..?...
2D868B0020  00 00 00 00 80 00 80 00 41 45 C3 16 00 00 00 00  ......AE.....
2D868B0030  02 00 00 00 00 00 00 00 54 C4 D1 01 00 00 00 00  ........T.....
2D868B0040  F6 00 00 00 01 00 00 00 4E 9B 9C 78 A9 9C 78 04  .......Nxx.
2D868B0050  00 00 00 00 FA 33 C0 8E D0 BC 00 7C FB B8 C0 07  ....3м.|.
2D868B0060  8E D8 E8 16 00 B8 00 0D 8E C0 33 DB C6 06 0E 00  ....3...
2D868B0070  10 E8 53 00 68 00 0D 68 6A 02 CB 8A 16 24 00 B4  .S.h..hj.ˊ.$.
2D868B0080  08 CD 13 73 05 B9 FF FF 8A F1 66 0F B6 C6 40 66  ..s.f.@f
2D868B0090  0F B6 D1 80 E2 3F F7 E2 86 CD C0 ED 06 41 66 0F  .р?.Af.
2D868B00A0  B7 C9 66 F7 E1 66 A3 20 00 C3 B4 41 BB AA 55 8A  ff .ôAU
2D868B00B0  16 24 00 CD 13 72 0F 81 FB 55 AA 75 09 F6 C1 01  .$..r..Uu..
2D868B00C0  74 04 FE 06 14 00 C3 66 60 1E 06 66 A1 10 00 66  t....f`..f..f
2D868B00D0  03 06 1C 00 66 3B 06 20 00 0F 82 3A 00 1E 66 6A  ....f;. ..:..fj
2D868B00E0  00 66 50 06 53 66 68 10 00 01 00 80 3E 14 00 00  .fP.Sfh....>...
2D868B00F0  0F 85 0C 00 E8 B3 FF 80 3E 14 00 00 0F 84 61 00  ...>....a.
2D868B0100  B4 42 8A 16 24 00 16 1F 8B F4 CD 13 66 58 5B 07  B.$....fX[.
2D868B0110  66 58 66 58 1F EB 2D 66 33 D2 66 0F B7 0E 18 00  fXfX.-f3f....
2D868B0120  66 F7 F1 FE C2 8A CA 66 8B D0 66 C1 EA 10 F7 36  fŠff.6
2D868B0130  1A 00 86 D6 8A 16 24 00 8A E8 C0 E4 06 0A CC B8  ..֊.$...̸
2D868B0140  01 02 CD 13 0F 82 19 00 8C C0 05 20 00 8E C0 66  ....... .f
2D868B0150  FF 06 10 00 FF 0E 0E 00 0F 85 6F FF 07 1F 66 61  .......o..fa
2D868B0160  C3 A0 F8 01 E8 09 00 A0 FB 01 E8 03 00 FB EB FE  ... ...
2D868B0170  B4 01 8B F0 AC 3C 00 74 09 B4 0E BB 07 00 CD 10  .<.t.....
2D868B0180  EB F2 C3 0D 0A 41 20 64 69 73 6B 20 72 65 61 64  ..A disk read
2D868B0190  20 65 72 72 6F 72 20 6F 63 63 75 72 72 65 64 00   error occurred.
2D868B01A0  0D 0A 4E 54 4C 44 52 20 69 73 20 6D 69 73 73 69  ..NTLDR is missi
2D868B01B0  6E 67 00 0D 0A 4E 54 4C 44 52 20 69 73 20 63 6F  ng...NTLDR is co
2D868B01C0  6D 70 72 65 73 73 65 64 00 0D 0A 50 72 65 73 73  mpressed...Press
2D868B01D0  20 43 74 72 6C 2B 41 6C 74 2B 44 65 6C 20 74 6F   Ctrl+Alt+Del to
2D868B01E0  20 72 65 73 74 61 72 74 0D 0A 00 00 00 00 00 00   restart........
2D868B01F0  00 00 00 00 00 00 00 00 83 A0 B3 C9 00 00 55 AA  ........ ..U

So we edit the MBR!!!

Guide me :)


Title: Re: Recovering a partition encrypted using BitLocker
Post by: Tom on February 07, 2013, 10:08:48 PM
You could edit the MBR to 'adjust' the incorrect value for that first volume. Simply use DiskPatch's disk editor and go to the MBR (which is displayed by default when starting the disk editor). Start the partition table editor and correct the value (so LBA length for the first volume should be 381896002).
You will be doing this at your own risk, we here don't believe it is going to make a difference, but it's up to you. I suppose there's no harm in doing this, but make sure the undo feature is active so you can roll back the changes if needed.


Title: Re: Recovering a partition encrypted using BitLocker
Post by: spyder_pk on February 08, 2013, 04:53:29 AM
Hi Joep,

Why 381896002? Why not 381896001 as in the boot sector?

The BS mirror is at 381896064 and partition starts at 63, so 381896001+63=381896064

If I enter 381896002 then BBS will not be found again? Or am I missing something? Also will I need to make any changes to the end CHS for partition 0 in the MBR?

Thanks


Title: Re: Recovering a partition encrypted using BitLocker
Post by: Joep on February 08, 2013, 08:27:39 AM
Hello,

381896001 is the size of the file system. The backup boot is not part of the file system but is directly following, so 381896001 + 1. Leave CHS as they are, they're obsolete and ignored by Windows anyway.

Now, we have just found numbers that don't exactly match. No way of telling if fixing this value in the partition table will fix things. I doubt it to be honest.


Title: Re: Recovering a partition encrypted using BitLocker
Post by: spyder_pk on February 09, 2013, 06:26:09 AM
Hi,

Well then you would be wrong!!  ;D

Because that is what fixed it! And I have all my data back!

(http://i315.photobucket.com/albums/ll451/spyder_pk/RecoveredDiskManagement_zps6f734e5f.png)


(http://i315.photobucket.com/albums/ll451/spyder_pk/RecoveredMyComputer_zps3d908b0f.png)

But I was afraid to edit HEX data manually so I downloaded a software called Partition Guru Pro from: http://www.partitionguru.com/download.php

When I ran it it said there were 2 problems in my HDD:
1) No active partitions - didn't need it
2) Space conflict between partitions - the culprit!

So I just chose to let it fix the problems. Nothing happened initially after I reconnected the drive via USB except it making my first partition active! I was very disappointed at that point.. so I went into Diskpart and marked it inactive and  disconnected/reconnected the drive and voil!! Windows said the drive was bitlocked and asked for a password.. accepted the password and showed me the data!  :D

Thank you for pointing out the end sector in BS was different than that in the MBR. That really pinpointed the error. Also without your log files I could not have made out what was happening really quickly.

Also "The Starman" from http://thestarman.pcministry.com/ helped/guided me A LOT! throughout!

I have learnt my lesson now and backed up the encrypted data on another drive the moment I got it back!

You can close this thread now! Everything is fixed!

Final LOG file:

.../000:03/LOG> ### LOG START ###
.../000:03/LOG> DISKPATCH 3.5.300
.../000:03/LOG> (C) 2000-2009 DIY DataRecovery
.../000:03/LOG> Contact info: HTTP://www.DIYDataRecovery.nl
.../000:03/LOG> MemFree: 62Kb
.../000:03/LOG> CommandLineParms:
.../000:03/LOG> LogDate: 02-09-2013
.../000:03/CFG> FilePath="C:DPFILES\"
.../000:03/CFG> ReadRetries="32"
.../000:03/CFG> WriteRetries="32"
.../000:03/CFG> MaxReadErrors="32"
.../000:03/CFG> MaxWriteErrors="1"
.../000:03/CFG> LogEachReadError="1"
.../000:03/CFG> ReadDelay="0"
.../000:03/CFG> VfyFixedBadSect="1"
.../000:03/CFG> CleanAfterDOD="1"
.../000:03/CFG> DiskReset="1"
.../000:03/CFG> SectorSkip="1024"
.../000:03/CFG> AutoSaveState="1"
.../000:03/CFG> DumpFoundSectors="0"
.../000:03/CFG> FixFats="1"
.../000:03/CFG> MaxFatScan="51200"
.../000:03/CFG> MaxDataColEntries="256"
.../000:03/CFG> IgnoreF8FF="0"
.../000:03/CFG> DownSizeExt="1"
.../000:03/CFG> ScanSignature="55AA"
.../000:03/CFG> Rebuild="00"
.../000:03/13H> Ext13H installed test requested
.../000:03/13H> Disk found at 128
.../000:03/13H> Ext13H version: EDD-3.0
.../000:03/13H> Ext13H Support: Extended disk access functions
.../000:03/13H> Ext13H Support: Removable drive controller functions
.../000:03/13H> Ext13H Support: Enhanced disk drive functions
.../000:03/13H> Ext13H Flags: DMA boundary errors handled transparently
.../000:03/13H> Ext13H Flags: Cylinder/head/sector info is valid
.../000:03/13H> Drive Interface Info:
.../000:03/13H> Disk 128 X13H data : 491/255/63 7892992/512
.../000:03/13H> Disk found at 129
.../000:03/13H> Ext13H version: EDD-3.0
.../000:03/13H> Ext13H Support: Extended disk access functions
.../000:03/13H> Ext13H Support: Removable drive controller functions
.../000:03/13H> Ext13H Support: Enhanced disk drive functions
.../000:03/13H> Ext13H Flags: DMA boundary errors handled transparently
.../000:03/13H> Drive Interface Info:
.../000:03/13H> Disk 129 X13H data : 0/0/0 488397166/512
.../000:03/13H> Disk found at 130
.../000:03/13H> Ext13H version: EDD-3.0
.../000:03/13H> Ext13H Support: Extended disk access functions
.../000:03/13H> Ext13H Support: Enhanced disk drive functions
.../000:03/13H> Ext13H Flags: DMA boundary errors handled transparently
.../000:03/13H> Drive Interface Info:
.../000:03/13H> Disk 130 X13H data : 16383/16/63 234441648/512
.../000:03/13H> Ext13H tested ok
.../000:03/FDL> DiskList requested
.../000:03/FDL> Disk found at 128
.../000:03/FDL> Disk found at 129
.../000:03/FDL> Disk found at 130
### DISKLIST.ARRAY ###
__D_|________LBA_|___H_|__S_|__GB_|__GEO
128 | ...7892992 | 255 | 63 | ..3 | BIOS
129 | .488397166 | 255 | 63 | 232 | BIOS
130 | .234441648 | 255 | 63 | 111 | BIOS
..0 | .........0 | ..0 | .0 | ..0 | BIOS
.../000:03/IAS> AdmiSector found on disk 0 (128)
.../000:03/IAS> AdmiSector found on disk 1 (129)
.../000:03/IAS> AdmiSector found on disk 2 (130)
.../000:04/EXE> Read/Write pattern test for disk 0 (128) successful
.../000:04/EXE> Read/Write pattern test for disk 1 (129) successful
.../000:05/EXE> Read/Write pattern test for disk 2 (130) successful
.../000:05/WAS> AdmiSectors in use : 0+ 1+ 2+
.../000:05/KEY> 251OO6OO74/8
.../000:05/PFC> PQstuff signature not detected on disk 0 (128)
.../000:05/PFC> PQstuff signature not detected on disk 1 (129)
.../000:05/PFC> PQstuff signature not detected on disk 2 (130)
.../000:05/PFC> UDMA driver not loaded
.../000:05/PFC> Disk health not checked
.../000:06/PFC> Partition State backup not found on disk 0 (128)
.../000:06/PFC> Partition State backup not found on disk 1 (129)
.../000:06/PFC> Partition State backup not found on disk 2 (130)
.../000:06/PFC> No Repair date found on disk 0 (128)
.../000:06/PFC> No Repair date found on disk 1 (129)
.../000:06/PFC> No Repair date found on disk 2 (130)
.../000:11/MNU> - Main, Select Disk
.../000:17/CSD> Start CheckDisk for disk 1 (129)
.../000:17/CSD> CheckDisk complete, ReadErrors 0
.../000:17/USD> Disk 1 (129) selected
.../000:17/GSC> No geo change detected for disk 1 (129)
.../000:17/WAS> AdmiSectors in use : 0+ 1+ 2+
129/000:17/USD> MBR for disk 1 (129)
129/000:17/LOG> SectorDump requested at 0 (0 0 1)
###
000   33 C0 8E D0 BC 00 7C FB 50 07 50 1F FC BE 1B 7C  |  3м.|P.P..|
016   BF 1B 06 50 57 B9 E5 01 F3 A4 CB BD BE 07 B1 04  |  ..PW.˽..
032   38 6E 00 7C 09 75 13 83 C5 10 E2 F4 CD 18 8B F5  |  8n.|.u...
048   83 C6 10 49 74 19 38 2C 74 F6 A0 B5 07 B4 07 8B  |  .It.8,t ..
064   F0 AC 3C 00 74 FC BB 07 00 B4 0E CD 10 EB F2 88  |  <.t....
080   4E 10 E8 46 00 73 2A FE 46 10 80 7E 04 0B 74 0B  |  N.F.s*F.~..t.
096   80 7E 04 0C 74 05 A0 B6 07 75 D2 80 46 02 06 83  |  ~..t. .uҀF..
112   46 08 06 83 56 0A 00 E8 21 00 73 05 A0 B6 07 EB  |  F..V..!.s. .
128   BC 81 3E FE 7D 55 AA 74 0B 80 7E 10 00 74 C8 A0  |  >}Ut.~..t
144   B7 07 EB A9 8B FC 1E 57 8B F5 CB BF 05 00 8A 56  |  .멋.W˿..V
160   00 B4 08 CD 13 72 23 8A C1 24 3F 98 8A DE 8A FC  |  ...r#$?ފ
176   43 F7 E3 8B D1 86 D6 B1 06 D2 EE 42 F7 E2 39 56  |  Cцֱ.B9V
192   0A 77 23 72 05 39 46 08 73 1C B8 01 02 BB 00 7C  |  .w#r.9F.s....|
208   8B 4E 02 8B 56 00 CD 13 73 51 4F 74 4E 32 E4 8A  |  N.V..sQOtN2
224   56 00 CD 13 EB E4 8A 56 00 60 BB AA 55 B4 41 CD  |  V..V.`UA
240   13 72 36 81 FB 55 AA 75 30 F6 C1 01 74 2B 61 60  |  .r6Uu0.t+a`
256   6A 00 6A 00 FF 76 0A FF 76 08 6A 00 68 00 7C 6A  |  j.j..v..v.j.h.|j
272   01 6A 10 B4 42 8B F4 CD 13 61 61 73 0E 4F 74 0B  |  .j.B.aas.Ot.
288   32 E4 8A 56 00 CD 13 EB D6 61 F9 C3 49 6E 76 61  |  2V..aInva
304   6C 69 64 20 70 61 72 74 69 74 69 6F 6E 20 74 61  |  lid partition ta
320   62 6C 65 00 45 72 72 6F 72 20 6C 6F 61 64 69 6E  |  ble.Error loadin
336   67 20 6F 70 65 72 61 74 69 6E 67 20 73 79 73 74  |  g operating syst
352   65 6D 00 4D 69 73 73 69 6E 67 20 6F 70 65 72 61  |  em.Missing opera
368   74 69 6E 67 20 73 79 73 74 65 6D 00 00 00 00 00  |  ting system.....
384   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  |  ................
400   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  |  ................
416   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  |  ................
432   00 00 00 00 00 00 00 00 00 73 B5 A4 00 00 00 01  |  .........s....
448   01 00 07 FE FF FF 3F 00 00 00 42 45 C3 16 00 FE  |  .....?...BE..
464   FF FF 07 FE FF FF 00 48 C3 16 00 00 59 06 00 00  |  ......H...Y...
480   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  |  ................
496   00 00 00 00 00 00 00 00 00 00 00 00 00 00 55 AA  |  ..............U
###
129/000:17/VEC> Start Verify EPBR Chain for disk 1 (129)
129/000:17/VEC> Listing current partitions on disk:
129/000:17/VEC>     NTFS (P)  FreeAgent D          63   381896002     (182 Gb)
129/000:17/VEC>     NTFS (P)      NO NAME   381896704   106496000      (51 Gb)
129/000:17/VEC> Partition Table info for sector 0 (0 0 1)
129/000:17/LOG> PartListDump requested at 0 (0 0 1)
### _ACT_|_TYPE_|__START--C/H/S_|__END----C/H/S_|__LBA-start_|_LBA-length
..1 ...0 | ..07 | ....0...1...1 | .1023.254..63 | ........63 | .381896002
..2 ...0 | ..07 | .1023.254..63 | .1023.254..63 | .381896704 | .106496000
..3 ...0 | ..00 | ....0...0...0 | ....0...0...0 | .........0 | .........0
..4 ...0 | ..00 | ....0...0...0 | ....0...0...0 | .........0 | .........0
129/000:17/VEC> 55AA sig Ok
129/000:17/LOG> Boot sector dump requested at 63 (0 1 1)
### BootSectorDump for BStype NTFS
...........Jump Code (hex): EB5290
............OEM Name (txt): NTFS
....Bytes per Sector (dec): 512
.Sectors per Cluster (dec): 8
....Reserved Sectors (dec): 0
..............Unused (hex): 0000000000
....Media Descriptor (hex): F8
..............Unused (hex): 0000
...Sectors per Track (dec): 63
.....Heads per Track (dec): 255
......Hidden Sectors (dec): 63
..............Unused (hex): 00000000
.............Unknown (hex): 00800080
.......Total Sectors (dec): 381896001
........MFT Location (dec): 2
.MFT Mirror Location (dec): 30524500
....Clusters per FRS (dec): 246
.Clusters/Indx Block (dec): 1
...........Volume ID (hex): 04789CA9789C9B4E
........Volume Label (txt): FreeAgent D
............Checksum (hex): 00000000
....Sector Signature (hex): AA55
129/000:17/VEC> BS and BBS equal
129/000:17/LOG> Boot sector dump requested at 381896704 (23771 247 29)
### BootSectorDump for BStype NTFS
...........Jump Code (hex): EB5890
............OEM Name (txt): -FVE-FS-
....Bytes per Sector (dec): 512
.Sectors per Cluster (dec): 8
....Reserved Sectors (dec): 0
..............Unused (hex): 0000000000
....Media Descriptor (hex): F8
..............Unused (hex): 0000
...Sectors per Track (dec): 63
.....Heads per Track (dec): 255
......Hidden Sectors (dec): 381896704
..............Unused (hex): 00000000
.............Unknown (hex): 00001FE0
.......Total Sectors (dec): 0
........MFT Location (dec): 393217
.MFT Mirror Location (dec): 0
....Clusters per FRS (dec): 2687104
.Clusters/Indx Block (dec): 1308622848
...........Volume ID (hex): 2020454D414E204F
........Volume Label (txt): NO NAME
............Checksum (hex): 41462020
....Sector Signature (hex): AA55
129/000:17/VEC> BS and BBS not equal, dump follows;
129/000:17/LOG> Boot sector dump requested at 488392703 (30401 10 9)
### BootSectorDump for BStype NTFS (B)
...........Jump Code (hex): 14C02C
............OEM Name (txt): p1} +
....Bytes per Sector (dec): 17179
.Sectors per Cluster (dec): 165
....Reserved Sectors (dec): 4294951377
..............Unused (hex): 79CF7E1AFD
....Media Descriptor (hex): 71
..............Unused (hex): 4144
...Sectors per Track (dec): 4294957122
.....Heads per Track (dec): 4294962553
......Hidden Sectors (dec): 280752731
..............Unused (hex): 4C0DEC5D
.............Unknown (hex): B8A7CC09
.......Total Sectors (dec): 2633527330
........MFT Location (dec): 1942010997
.MFT Mirror Location (dec): 1784810133
....Clusters per FRS (dec): 1831991639
.Clusters/Indx Block (dec): 4224906717
...........Volume ID (hex): F9E181174FF48AEE
........Volume Label (txt): (Err)
............Checksum (hex): A7F7D126
....Sector Signature (hex): CD27
129/000:17/VEC> Verify EPBR Chain completed
129/000:18/USD> Select disk completed
129/000:26/MNU> - Main, Repairs
129/000:28/MNU> - Repair, Rebuild Boot Sectors
129/000:32/UND> Undo skipped
129/000:33/LOG> Undo settings: GL(+) DE(+) FAT(+)
129/000:36/MNU> - Main, Repairs
129/000:39/MNU> - Repair, Rebuild Boot Sectors
129/000:40/UND> New Undo archive created for disk 1 (129)
129/000:40/LOG> Undo settings: GL(+) DE(+) FAT(+)
129/000:46/BSE> Start BSedit NTFS at 381896704 (23771 247 29)
129/000:46/LOG> Boot sector dump requested at 381896704 (23771 247 29)
### BootSectorDump for BStype NTFS
...........Jump Code (hex): EB5890
............OEM Name (txt): -FVE-FS-
....Bytes per Sector (dec): 512
.Sectors per Cluster (dec): 8
....Reserved Sectors (dec): 0
..............Unused (hex): 0000000000
....Media Descriptor (hex): F8
..............Unused (hex): 0000
...Sectors per Track (dec): 63
.....Heads per Track (dec): 255
......Hidden Sectors (dec): 381896704
..............Unused (hex): 00000000
.............Unknown (hex): 00001FE0
.......Total Sectors (dec): 0
........MFT Location (dec): 393217
.MFT Mirror Location (dec): 0
....Clusters per FRS (dec): 2687104
.Clusters/Indx Block (dec): 1308622848
...........Volume ID (hex): 2020454D414E204F
........Volume Label (txt): NO NAME
............Checksum (hex): 41462020
....Sector Signature (hex): AA55
129/000:52/BSE> End BSedit NTFS at 381896704 (23771 247 29), changes discarded
129/000:55/BSE> Start BSedit NTFS at 63 (0 1 1)
129/000:55/LOG> Boot sector dump requested at 63 (0 1 1)
### BootSectorDump for BStype NTFS
...........Jump Code (hex): EB5290
............OEM Name (txt): NTFS
....Bytes per Sector (dec): 512
.Sectors per Cluster (dec): 8
....Reserved Sectors (dec): 0
..............Unused (hex): 0000000000
....Media Descriptor (hex): F8
..............Unused (hex): 0000
...Sectors per Track (dec): 63
.....Heads per Track (dec): 255
......Hidden Sectors (dec): 63
..............Unused (hex): 00000000
.............Unknown (hex): 00800080
.......Total Sectors (dec): 381896001
........MFT Location (dec): 2
.MFT Mirror Location (dec): 30524500
....Clusters per FRS (dec): 246
.Clusters/Indx Block (dec): 1
...........Volume ID (hex): 04789CA9789C9B4E
........Volume Label (txt): FreeAgent D
............Checksum (hex): 00000000
....Sector Signature (hex): AA55
129/000:59/BSE> End BSedit NTFS at 63 (0 1 1), changes discarded
129/001:00/UND> Undo archive discarded, no sectors saved
129/001:04/MNU> - Main, MBR ops
129/001:09/MNU> - Main, Utilities
129/001:17/MNU> - Main, Select Disk
129/001:21/VEC> Start Verify EPBR Chain for disk 1 (129)
129/001:21/VEC> Listing current partitions on disk:
129/001:21/VEC>     NTFS (P)  FreeAgent D          63   381896002     (182 Gb)
129/001:21/VEC>     NTFS (P)      NO NAME   381896704   106496000      (51 Gb)
129/001:21/VEC> Partition Table info for sector 0 (0 0 1)
129/001:21/LOG> PartListDump requested at 0 (0 0 1)
### _ACT_|_TYPE_|__START--C/H/S_|__END----C/H/S_|__LBA-start_|_LBA-length
..1 ...0 | ..07 | ....0...1...1 | .1023.254..63 | ........63 | .381896002
..2 ...0 | ..07 | .1023.254..63 | .1023.254..63 | .381896704 | .106496000
..3 ...0 | ..00 | ....0...0...0 | ....0...0...0 | .........0 | .........0
..4 ...0 | ..00 | ....0...0...0 | ....0...0...0 | .........0 | .........0
129/001:21/VEC> 55AA sig Ok
129/001:21/LOG> Boot sector dump requested at 63 (0 1 1)
### BootSectorDump for BStype NTFS
...........Jump Code (hex): EB5290
............OEM Name (txt): NTFS
....Bytes per Sector (dec): 512
.Sectors per Cluster (dec): 8
....Reserved Sectors (dec): 0
..............Unused (hex): 0000000000
....Media Descriptor (hex): F8
..............Unused (hex): 0000
...Sectors per Track (dec): 63
.....Heads per Track (dec): 255
......Hidden Sectors (dec): 63
..............Unused (hex): 00000000
.............Unknown (hex): 00800080
.......Total Sectors (dec): 381896001
........MFT Location (dec): 2
.MFT Mirror Location (dec): 30524500
....Clusters per FRS (dec): 246
.Clusters/Indx Block (dec): 1
...........Volume ID (hex): 04789CA9789C9B4E
........Volume Label (txt): FreeAgent D
............Checksum (hex): 00000000
....Sector Signature (hex): AA55
129/001:21/VEC> BS and BBS equal
129/001:21/LOG> Boot sector dump requested at 381896704 (23771 247 29)
### BootSectorDump for BStype NTFS
...........Jump Code (hex): EB5890
............OEM Name (txt): -FVE-FS-
....Bytes per Sector (dec): 512
.Sectors per Cluster (dec): 8
....Reserved Sectors (dec): 0
..............Unused (hex): 0000000000
....Media Descriptor (hex): F8
..............Unused (hex): 0000
...Sectors per Track (dec): 63
.....Heads per Track (dec): 255
......Hidden Sectors (dec): 381896704
..............Unused (hex): 00000000
.............Unknown (hex): 00001FE0
.......Total Sectors (dec): 0
........MFT Location (dec): 393217
.MFT Mirror Location (dec): 0
....Clusters per FRS (dec): 2687104
.Clusters/Indx Block (dec): 1308622848
...........Volume ID (hex): 2020454D414E204F
........Volume Label (txt): NO NAME
............Checksum (hex): 41462020
....Sector Signature (hex): AA55
129/001:21/VEC> BS and BBS not equal, dump follows;
129/001:21/LOG> Boot sector dump requested at 488392703 (30401 10 9)
### BootSectorDump for BStype NTFS (B)
...........Jump Code (hex): 14C02C
............OEM Name (txt): p1} +
....Bytes per Sector (dec): 17179
.Sectors per Cluster (dec): 165
....Reserved Sectors (dec): 4294951377
..............Unused (hex): 79CF7E1AFD
....Media Descriptor (hex): 71
..............Unused (hex): 4144
...Sectors per Track (dec): 4294957122
.....Heads per Track (dec): 4294962553
......Hidden Sectors (dec): 280752731
..............Unused (hex): 4C0DEC5D
.............Unknown (hex): B8A7CC09
.......Total Sectors (dec): 2633527330
........MFT Location (dec): 1942010997
.MFT Mirror Location (dec): 1784810133
....Clusters per FRS (dec): 1831991639
.Clusters/Indx Block (dec): 4224906717
...........Volume ID (hex): F9E181174FF48AEE
........Volume Label (txt): (Err)
............Checksum (hex): A7F7D126
....Sector Signature (hex): CD27
129/001:40/VEC> Verify EPBR Chain completed
129/001:41/USD> No source / disk selected
.../001:41/USD> Select disk completed
.../001:44/MNU> - Main, Quit
.../001:44/LOG> RunTime: 001:44
.../001:44/LOG> ### CLOSE LOG ###


Thanks again!


Title: Re: Recovering a partition encrypted using BitLocker
Post by: Joep on February 09, 2013, 10:06:44 AM
AWSOME! Okay, I am glad I have learned something, and I am glad you have your data back .. It's just, I had never seen a case like this .. and I was indeed pessimistic but I am glad I was wrong!

Quote
But I was afraid to edit HEX data manually

Yeah, you could have entered decimal values using DiskPatch or even our freebee MBRtool.