Welcome, Guest. Please login or register.
Did you miss your activation email?
June 19, 2019, 01:19:40 PM
Home Help Search Login Register
News:

+  DIY DataRecovery.nl Support forum
|-+  Support
| |-+  DiskPatch (Moderators: Tom, Joep)
| | |-+  Recovering a partition encrypted using BitLocker
0 Members and 1 Guest are viewing this topic. « previous next »
Pages: [1] 2 Go Down Print
Author Topic: Recovering a partition encrypted using BitLocker  (Read 74845 times)
spyder_pk
member

Posts: 14


« on: January 29, 2013, 06:04:23 PM »

Hi,
My external Seagate Freeagent 250GB HDD is partitioned in 2 Primary partitions. One was used for backing up frequently used software and music and is NOT encrypted and it working just fine but the second one (50GB) I used to backup personal files and photos and hence it was BitLocker encrypted in Windows 7 has developed problems out of the blue.



I run Windows 8. Recently the drive just disappeared from My Computer. I could still see it in Disk Management but the drive had no volume assigned to it and therefore had no drive letter assigned as well. I cannot check drive properties in Disk Management or assign it a drive letter. No file recovery software can read the files on the partition as they are encrypted. I did NOT format the drive yet to preserve my data.

It was initially detected as an Active primary but I used diskpart tool in windows to unmark the active attribute. So, it is currently a RAW, Primary partition.

I GetDataBack for NTFS shows the drive as having the same start and end values:


I tried Testdisk software from CGsecurity.org and it shows 2 errors.

1) Space conflict between the two partitions - overlapping sectors?
2) Bad NTFS bootsector for the missing partition.



However Testdisk is unable to rebuild the bad BS.

I downloaded DiskPatch and installed it but when I try to run the make bootable cd app, I get an error saying "Failed to load control MCDBControl from MCDBX.ocx. Your version of MCDX may be outdated." Is this a Windows 8 related error?

So what I need first is help working around or fixing this so I can create a bootable DiskPatch USB drive. Can I then rebuild BS to repair my BitLocker encrypted drive?

Many thanks in advance!
Logged
Joep
Developer and Support Tech
Administrator
member
*****
Posts: 1476



WWW
« Reply #1 on: January 29, 2013, 06:44:59 PM »

Hello,

You do not need the boot disk builder to create a bootable USB key, I don't know why it doesn't work, never tried it in windows 8.
From the manual:
"Finally, it's also possible to create a bootable USB key that can be used instead of the diskette or CD/DVD. If you wish to do so open the "Create a bootable USB key for DiskPatch" document from the DiskPatch Start menu and follow the directions.
The PC must be able to boot from USB keys, but most modern day machines have no problems with this. You may need to adjust some settings in the BIOS, notably the boot order and perhaps USB compatibility settings. Consult your PC's BIOS manual for more details."

Whether this can be fixed or not is impossible to tell without a DiskPatch log file.
More info here: http://www.diydatarecovery.nl/dp_manual/guide_supportanalysis.htm
Logged

--
Kind regards,
Joep - My blog @: www.disktuna.com - Try my JPEG Repair Tool: https://youtu.be/Ox2F8QRuU5Q
spyder_pk
member

Posts: 14


« Reply #2 on: February 03, 2013, 07:37:24 AM »

Thanks for the guidance. I made the usb key. And running it now.. at the step where DP determines cluster size repairing ntfs boot sector.. it is 20% done now but the table of cluster size at the top is still emptying. Ill run DP run all the way though and update this.. was just wondering why it still cant determine thee cluster size.. ofcourse the disk is conneected via usb
Logged
Joep
Developer and Support Tech
Administrator
member
*****
Posts: 1476



WWW
« Reply #3 on: February 03, 2013, 10:01:11 AM »

hello,

ok, but a normal DiskPatch analysis logfile would be nice for starters ....
Logged

--
Kind regards,
Joep - My blog @: www.disktuna.com - Try my JPEG Repair Tool: https://youtu.be/Ox2F8QRuU5Q
spyder_pk
member

Posts: 14


« Reply #4 on: February 03, 2013, 10:08:37 AM »

Sure. I'll post the log here when process is completed. Still nothing in cluster size graph.
Logged
spyder_pk
member

Posts: 14


« Reply #5 on: February 03, 2013, 11:16:44 AM »


.../000:03/LOG> ### LOG START ###
.../000:03/LOG> DISKPATCH 3.5.300
.../000:03/LOG> (C) 2000-2009 DIY DataRecovery
.../000:03/LOG> Contact info: http://HTTP://www.DIYDataRecovery.nl
.../000:03/LOG> MemFree: 62Kb
.../000:03/LOG> CommandLineParms:
.../000:03/LOG> LogDate: 02-03-2013
.../000:03/CFG> FilePath="C:DPFILES\"
.../000:03/CFG> ReadRetries="32"
.../000:03/CFG> WriteRetries="32"
.../000:03/CFG> MaxReadErrors="32"
.../000:03/CFG> MaxWriteErrors="1"
.../000:03/CFG> LogEachReadError="1"
.../000:03/CFG> ReadDelay="0"
.../000:03/CFG> VfyFixedBadSect="1"
.../000:03/CFG> CleanAfterDOD="1"
.../000:03/CFG> DiskReset="1"
.../000:03/CFG> SectorSkip="1024"
.../000:03/CFG> AutoSaveState="1"
.../000:03/CFG> DumpFoundSectors="0"
.../000:03/CFG> FixFats="1"
.../000:03/CFG> MaxFatScan="51200"
.../000:03/CFG> MaxDataColEntries="256"
.../000:03/CFG> IgnoreF8FF="0"
.../000:03/CFG> DownSizeExt="1"
.../000:03/CFG> ScanSignature="55AA"
.../000:03/CFG> Rebuild="00"
.../000:03/13H> Ext13H installed test requested
.../000:03/13H> Disk found at 128
.../000:03/13H> Ext13H version: EDD-3.0
.../000:03/13H> Ext13H Support: Extended disk access functions
.../000:03/13H> Ext13H Support: Removable drive controller functions
.../000:03/13H> Ext13H Support: Enhanced disk drive functions
.../000:03/13H> Ext13H Flags: DMA boundary errors handled transparently
.../000:03/13H> Ext13H Flags: Cylinder/head/sector info is valid
.../000:03/13H> Drive Interface Info:
.../000:03/13H> Disk 128 X13H data : 491/255/63 7892992/512
.../000:03/13H> Disk found at 129
.../000:03/13H> Ext13H version: EDD-3.0
.../000:03/13H> Ext13H Support: Extended disk access functions
.../000:03/13H> Ext13H Support: Removable drive controller functions
.../000:03/13H> Ext13H Support: Enhanced disk drive functions
.../000:03/13H> Ext13H Flags: DMA boundary errors handled transparently
.../000:03/13H> Drive Interface Info:
.../000:03/13H> Disk 129 X13H data : 0/0/0 488397166/512
.../000:03/13H> Disk found at 130
.../000:03/13H> Ext13H version: EDD-3.0
.../000:03/13H> Ext13H Support: Extended disk access functions
.../000:03/13H> Ext13H Support: Enhanced disk drive functions
.../000:03/13H> Ext13H Flags: DMA boundary errors handled transparently
.../000:03/13H> Drive Interface Info:
.../000:03/13H> Disk 130 X13H data : 16383/16/63 234441648/512
.../000:03/13H> Ext13H tested ok
.../000:03/FDL> DiskList requested
.../000:03/FDL> Disk found at 128
.../000:03/FDL> Disk found at 129
.../000:03/FDL> Disk found at 130
### DISKLIST.ARRAY ###
__D_|________LBA_|___H_|__S_|__GB_|__GEO
128 | ...7892992 | 255 | 63 | ..3 | BIOS
129 | .488397166 | 255 | 63 | 232 | BIOS
130 | .234441648 | 255 | 63 | 111 | BIOS
..0 | .........0 | ..0 | .0 | ..0 | BIOS
.../000:03/IAS> AdmiSector found on disk 0 (128)
.../000:03/IAS> AdmiSector init complete for disk 1 (129)
.../000:03/IAS> AdmiSector found on disk 2 (130)
.../000:04/EXE> Read/Write pattern test for disk 0 (128) successful
.../000:04/EXE> Read/Write pattern test for disk 1 (129) successful
.../000:05/EXE> Read/Write pattern test for disk 2 (130) successful
.../000:05/WAS> AdmiSectors in use : 0+ 1+ 2+
.../000:05/KEY> 251OO6OO74/8
.../000:05/PFC> PQstuff signature not detected on disk 0 (128)
.../000:05/PFC> PQstuff signature not detected on disk 1 (129)
.../000:05/PFC> PQstuff signature not detected on disk 2 (130)
.../000:05/PFC> UDMA driver not loaded
.../000:05/PFC> Disk health not checked
.../000:07/PFC> Partition State backup not found on disk 0 (128)
.../000:07/PFC> Partition State backup not found on disk 1 (129)
.../000:07/PFC> Partition State backup not found on disk 2 (130)
.../000:07/PFC> No Repair date found on disk 0 (128)
.../000:07/PFC> No Repair date found on disk 1 (129)
.../000:07/PFC> No Repair date found on disk 2 (130)
.../000:14/MNU> - Main, Select Disk
.../000:43/CSD> Start CheckDisk for disk 1 (129)
.../000:43/CSD> CheckDisk complete, ReadErrors 0
.../000:43/USD> Disk 1 (129) selected
.../000:43/GSC> First DP run, geo info for disk 1 (129) not yet recorded
.../000:43/WAS> AdmiSectors in use : 0+ 1+ 2+
129/000:43/USD> MBR for disk 1 (129)
129/000:43/LOG> SectorDump requested at 0 (0 0 1)
###
000   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  |  ................
016   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  |  ................
032   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  |  ................
048   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  |  ................
064   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  |  ................
080   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  |  ................
096   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  |  ................
112   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  |  ................
128   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  |  ................
144   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  |  ................
160   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  |  ................
176   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  |  ................
192   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  |  ................
208   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  |  ................
224   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  |  ................
240   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  |  ................
256   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  |  ................
272   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  |  ................
288   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  |  ................
304   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  |  ................
320   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  |  ................
336   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  |  ................
352   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  |  ................
368   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  |  ................
384   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  |  ................
400   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  |  ................
416   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  |  ................
432   00 00 00 00 00 00 00 00 00 73 B5 A4 00 00 00 01  |  .........s....
448   01 00 07 FE FF FF 3F 00 00 00 9D 49 C3 16 00 FE  |  .....?...I..
464   FF FF 07 FE FF FF 00 48 C3 16 00 00 59 06 00 00  |  ......H...Y...
480   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  |  ................
496   00 00 00 00 00 00 00 00 00 00 00 00 00 00 55 AA  |  ..............U
###
129/000:43/VEC> Start Verify EPBR Chain for disk 1 (129)
129/000:43/VEC> Listing current partitions on disk:
129/000:43/VEC>     NTFS (P)  FreeAgent D          63   381897117     (182 Gb)
129/000:43/VEC>     NTFS (P)      NO NAME   381896704   106496000      (51 Gb)
129/000:43/VEC> Partition Table info for sector 0 (0 0 1)
129/000:43/LOG> PartListDump requested at 0 (0 0 1)
### _ACT_|_TYPE_|__START--C/H/S_|__END----C/H/S_|__LBA-start_|_LBA-length
..1 ...0 | ..07 | ....0...1...1 | .1023.254..63 | ........63 | .381897117
..2 ...0 | ..07 | .1023.254..63 | .1023.254..63 | .381896704 | .106496000
..3 ...0 | ..00 | ....0...0...0 | ....0...0...0 | .........0 | .........0
..4 ...0 | ..00 | ....0...0...0 | ....0...0...0 | .........0 | .........0
129/000:43/VEC> 55AA sig Ok
129/000:43/LOG> Boot sector dump requested at 63 (0 1 1)
### BootSectorDump for BStype NTFS
...........Jump Code (hex): EB5290
............OEM Name (txt): NTFS
....Bytes per Sector (dec): 512
.Sectors per Cluster (dec): 8
....Reserved Sectors (dec): 0
..............Unused (hex): 0000000000
....Media Descriptor (hex): F8
..............Unused (hex): 0000
...Sectors per Track (dec): 63
.....Heads per Track (dec): 255
......Hidden Sectors (dec): 63
..............Unused (hex): 00000000
.............Unknown (hex): 00800080
.......Total Sectors (dec): 381896001
........MFT Location (dec): 2
.MFT Mirror Location (dec): 30524500
....Clusters per FRS (dec): 246
.Clusters/Indx Block (dec): 1
...........Volume ID (hex): 04789CA9789C9B4E
........Volume Label (txt): FreeAgent D
............Checksum (hex): 00000000
....Sector Signature (hex): AA55
129/000:43/VEC> BS and BBS equal
129/000:43/LOG> Boot sector dump requested at 381896704 (23771 247 29)
### BootSectorDump for BStype NTFS
...........Jump Code (hex): EB5890
............OEM Name (txt): -FVE-FS-
....Bytes per Sector (dec): 512
.Sectors per Cluster (dec): 8
....Reserved Sectors (dec): 0
..............Unused (hex): 0000000000
....Media Descriptor (hex): F8
..............Unused (hex): 0000
...Sectors per Track (dec): 63
.....Heads per Track (dec): 255
......Hidden Sectors (dec): 381896704
..............Unused (hex): 00000000
.............Unknown (hex): 00001FE0
.......Total Sectors (dec): 0
........MFT Location (dec): 393217
.MFT Mirror Location (dec): 0
....Clusters per FRS (dec): 2687104
.Clusters/Indx Block (dec): 1308622848
...........Volume ID (hex): 2020454D414E204F
........Volume Label (txt): NO NAME
............Checksum (hex): 41462020
....Sector Signature (hex): AA55
129/000:43/VEC> BS and BBS not equal, dump follows;
129/000:43/LOG> Boot sector dump requested at 488392703 (30401 10 9)
### BootSectorDump for BStype NTFS (B)
...........Jump Code (hex): 14C02C
............OEM Name (txt): p1} +
....Bytes per Sector (dec): 17179
.Sectors per Cluster (dec): 165
....Reserved Sectors (dec): 4294951377
..............Unused (hex): 79CF7E1AFD
....Media Descriptor (hex): 71
..............Unused (hex): 4144
...Sectors per Track (dec): 4294957122
.....Heads per Track (dec): 4294962553
......Hidden Sectors (dec): 280752731
..............Unused (hex): 4C0DEC5D
.............Unknown (hex): B8A7CC09
.......Total Sectors (dec): 2633527330
........MFT Location (dec): 1942010997
.MFT Mirror Location (dec): 1784810133
....Clusters per FRS (dec): 1831991639
.Clusters/Indx Block (dec): 4224906717
...........Volume ID (hex): F9E181174FF48AEE
........Volume Label (txt): (Err)
............Checksum (hex): A7F7D126
....Sector Signature (hex): CD27
129/000:43/VEC> Verify EPBR Chain completed
129/000:44/USD> Select disk completed
129/000:49/MNU> - Main, Repairs
129/000:54/MNU> - Repair, Rebuild Boot Sectors
129/001:05/UND> New Undo archive created for disk 1 (129)
129/001:05/LOG> Undo settings: GL(+) DE(+) FAT(+)
129/001:32/CBS> Checking validity for NTFS BS at 381896704 (23771 247 29)
129/001:32/CBS> E: Jumpcode : EB5890
129/001:32/CBS> I: OEM name : -FVE-FS-
129/001:32/CBS> E: clusters/FRS : 2687104
129/001:32/CBS> E: clusters/indx block : 1308622848
129/001:32/CBS> E: Unknown : 00001FE0
129/001:32/CBS> E: Volume size : 0
129/001:32/CBS> E: MFT location : 393217
129/001:32/CBS> 1st sector of MFT:
129/001:32/LOG> SectorDump requested at 385042440 (23967 199 49)
###
000   05 7E 67 68 B5 EA D0 F8 CD B5 5E 4C DD 84 62 EE  |  .~gh͵^L݄b
016   0D 4D 73 AD 3B 01 48 89 9D 52 0F 00 9D CF C8 63  |  .Ms;.HR..c
032   85 92 68 95 0A 7F A2 10 3A 01 87 7B 5A F2 64 94  |  h..:.{Zd
048   57 7A ED E5 9F 28 43 BF C1 9E 80 54 EE DD 1B 1E  |  Wz(CT..
064   5B 92 9D 7D 19 D3 43 4C 9F C2 F1 E4 47 3C 9F 05  |  [}.CLG<.
080   CA 0F D4 4E 21 ED 03 A3 8A 4F 18 19 2E A4 63 6B  |  .N!.O...ck
096   89 1C BB 65 36 65 17 6E 9D 68 F7 39 61 74 ED F7  |  .e6e.nh9at
112   4F 22 19 16 8F 28 AF 3C 66 FB C9 E9 D6 AB 9D 5D  |  O"..(<f֫]
128   52 78 C7 EE 6E 42 2A 5F BD 62 D7 12 61 7B 3A 7F  |  RxnB*_b.a{:
144   E6 0A 9C 7B E3 0B FC CB 9B 8F 05 6B 4A C4 E6 F3  |  .{.˛.kJ
160   B2 E7 42 F1 92 B8 EB 3C 65 80 33 6B ED 97 B0 04  |  B<e3k헰.
176   8A 72 E0 2F 48 8A A6 32 47 6E 80 9F 8E 93 CA F1  |  r/H2Gn
192   4D 7E 3F 88 12 8C 4A DD E8 44 41 4B CF 7E 4B D4  |  M~?.JDAK~K
208   BC C8 75 B4 AE 0E 31 C9 8E 1F F8 B8 DA D7 E3 D3  |  u.1Ɏ.
224   BA 06 DC 7A 80 87 30 09 D0 4E 07 23 03 78 3B 2B  |  .z0.N.#.x;+
240   3C 43 28 BD 2F 1A 9F B7 66 7F 2A B5 CE B9 58 82  |  <C(/.f*ιX
256   04 32 20 A2 AD 0C 67 5D AB A4 B6 18 39 CA 86 DE  |  .2 .g].9ʆ
272   71 F1 33 92 60 A6 1A E1 96 C9 90 7E 26 03 DB 36  |  q3`.ɐ~&.6
288   0B EE 4B 09 C0 35 F2 50 30 04 1E 3E 2C 2A EB AA  |  .K.5P0..>,*
304   0C 5D B5 80 37 EC DF AC D6 75 88 DB 03 E8 09 7E  |  .]7߬u..~
320   C8 5F 7C BE 5C 38 5B DE FD 2A 0A 0F 47 C8 86 3D  |  _|\8[*..GȆ=
336   21 39 FF 18 77 35 CC 21 AF 4C 28 97 78 E8 24 BD  |  !9..w5!L(x$
352   7E 77 CF BA EC FF A9 A5 89 8B 62 CC 59 6C 86 EB  |  ~wϺ.bYl
368   7A 1B EA 1D 8E 29 FE BC 93 F9 78 6D C7 8D 08 DE  |  z..)xmǍ.
384   70 25 DA 06 95 FC C9 83 AC 73 46 80 C5 34 E4 BD  |  p%.ɃsF4
400   22 21 1F 4D 7E 7D B7 9C C8 B5 03 9E 20 F9 4C 36  |  "!.M~}ȵ. L6
416   D2 F3 ED D6 4D 3A 1D 09 AE 34 AE B5 32 81 4C 2B  |  M:..42L+
432   44 E1 16 E9 22 F6 D4 F0 6D D1 E3 41 F7 D8 A5 7E  |  D."mAإ~
448   28 0A 05 3D 45 B7 E2 A1 C2 CD 67 2A 2C B8 8D 84  |  (..=Eg*,
464   C0 13 5D 45 D8 7A C5 8A F5 F7 8F DF C8 B9 7B 14  |  .]EzŊȹ{.
480   37 9F 6F F6 3E 70 BD 24 C2 02 40 3B 13 5E 9C 36  |  7o>p$.@;.^6
496   4B 7B 67 1D A2 7A 02 D0 11 9C 05 E7 23 41 99 87  |  K{g.z...#A
###
129/001:32/CBS> E: MFT mirror location : 0
129/001:32/CBS> E: 1st sector for MFT/MFTmirror NOT equal
129/001:32/CBS> E: Checksum : 41462020
129/001:32/CBS> Check completed
129/002:00/AFR> Start FindClusterSize (NTFS), from 381896704 to 388188159 (6291456)
129/244:37/AFR> ClusterSize could not be determined
129/244:37/RBS> BS data could not be determined
129/245:14/BSE> Start BSedit NTFS at 381896704 (23771 247 29)
129/245:14/LOG> Boot sector dump requested at 381896704 (23771 247 29)
### BootSectorDump for BStype NTFS
...........Jump Code (hex): EB5890
............OEM Name (txt): -FVE-FS-
....Bytes per Sector (dec): 512
.Sectors per Cluster (dec): 8
....Reserved Sectors (dec): 0
..............Unused (hex): 0000000000
....Media Descriptor (hex): F8
..............Unused (hex): 0000
...Sectors per Track (dec): 63
.....Heads per Track (dec): 255
......Hidden Sectors (dec): 381896704
..............Unused (hex): 00000000
.............Unknown (hex): 00001FE0
.......Total Sectors (dec): 0
........MFT Location (dec): 393217
.MFT Mirror Location (dec): 0
....Clusters per FRS (dec): 2687104
.Clusters/Indx Block (dec): 1308622848
...........Volume ID (hex): 2020454D414E204F
........Volume Label (txt): NO NAME
............Checksum (hex): 41462020
....Sector Signature (hex): AA55
129/247:04/BSE> End BSedit NTFS at 381896704 (23771 247 29), changes discarded
129/247:08/UND> Undo archive discarded, no sectors saved
129/247:15/MNU> - Main, Disk Ops
129/247:21/MNU> - Main, MBR ops
129/247:31/CPA> Start Change Partition Attributes, dump follows;
129/247:31/LOG> PartListDump requested at 0 (0 0 1)
### _ACT_|_TYPE_|__START--C/H/S_|__END----C/H/S_|__LBA-start_|_LBA-length
..1 ...0 | ..07 | ....0...1...1 | .1023.254..63 | ........63 | .381897117
..2 ...0 | ..07 | .1023.254..63 | .1023.254..63 | .381896704 | .106496000
..3 ...0 | ..00 | ....0...0...0 | ....0...0...0 | .........0 | .........0
..4 ...0 | ..00 | ....0...0...0 | ....0...0...0 | .........0 | .........0
129/247:36/CPA> Change Partition Attributes aborted
129/247:38/MNU> - Main, Utilities
129/247:45/MNU> - Main, Options
129/247:52/MNU> - Main, Quit
129/247:52/LOG> RunTime: 247:52
129/247:52/LOG> ### CLOSE LOG ###

Logged
spyder_pk
member

Posts: 14


« Reply #6 on: February 03, 2013, 11:20:33 AM »

BS recovery failed.. cluster size could not be determined.. I think even that is encryped by bitlocker  Undecided

Need help. Should I do a quick format or try to enter BS manually?
Logged
Joep
Developer and Support Tech
Administrator
member
*****
Posts: 1476



WWW
« Reply #7 on: February 03, 2013, 07:49:47 PM »

Hello,

The entire volume is encrypted. -FVE-FS- is put there by the encryption software. Changing it to NTFS is useless. I'm afraid there's nothing we can do for you. Rather than treating this as a file system issue, you should see if there are solutions (from Microsoft) to re-gain access to an encrypted bitlocker volume.
Logged

--
Kind regards,
Joep - My blog @: www.disktuna.com - Try my JPEG Repair Tool: https://youtu.be/Ox2F8QRuU5Q
spyder_pk
member

Posts: 14


« Reply #8 on: February 03, 2013, 08:28:52 PM »

Thanks for your help. I have contacted MS and waiting for them to get back to me. I compared the BS of the partitions in the log and seems the BS of the FVE-FS drive is correct.. it has a lot of hidden sectors and other data that is not damaged as I did not format the drive...
Logged
spyder_pk
member

Posts: 14


« Reply #9 on: February 03, 2013, 08:32:21 PM »

Hi Joep,

Could you just answer one more question for me please?

Can I edit the partition table/MBR to register this volume so it get a drive letter?

MS has a BitLocker Repair Tool app but that requires the volume to have a drive letter attached which I can't at the moment. I cannot understand why this drive is showing up as RAW.
Logged
Joep
Developer and Support Tech
Administrator
member
*****
Posts: 1476



WWW
« Reply #10 on: February 04, 2013, 02:09:48 PM »

Hello,

The partition table is already telling it's NTFS. So assume the file system driver gets the information that it's an encrypted volume from the partition's boot sector (the -FVE-FS- signature). With the DiskPatch boot sector editor it's easy enough to change that to NTFS, but I'm really uncomfortable make any suggestions like that: I haven't got a clue of what might happen.

regarding the drive letter thing: I assume you already tried doing that in disk management? [EDIT] Sorry, see you already tried that ....
Logged

--
Kind regards,
Joep - My blog @: www.disktuna.com - Try my JPEG Repair Tool: https://youtu.be/Ox2F8QRuU5Q
spyder_pk
member

Posts: 14


« Reply #11 on: February 04, 2013, 04:00:04 PM »

Thanks for your help Joep. Really appreciate it. I posted for help on 4-5 forums and you are the only one helping me. I need you advice once again.

I noticed in the log that the Hidden Sectors value for both partitions are different.. why is that?

First the boot sector of the first partition that is working perfectly:
129/000:43/LOG> Boot sector dump requested at 63 (0 1 1)
### BootSectorDump for BStype NTFS
...........Jump Code (hex): EB5290
............OEM Name (txt): NTFS
....Bytes per Sector (dec): 512
.Sectors per Cluster (dec): 8
....Reserved Sectors (dec): 0
..............Unused (hex): 0000000000
....Media Descriptor (hex): F8
..............Unused (hex): 0000
...Sectors per Track (dec): 63
.....Heads per Track (dec): 255
......Hidden Sectors (dec): 63
..............Unused (hex): 00000000
.............Unknown (hex): 00800080
.......Total Sectors (dec): 381896001
........MFT Location (dec): 2
.MFT Mirror Location (dec): 30524500
....Clusters per FRS (dec): 246
.Clusters/Indx Block (dec): 1
...........Volume ID (hex): 04789CA9789C9B4E
........Volume Label (txt): FreeAgent D
............Checksum (hex): 00000000
....Sector Signature (hex): AA55

All is fine and normal there... Now the Boot Sector of the lost drive which IS encrypted:

129/000:43/LOG> Boot sector dump requested at 381896704 (23771 247 29)
### BootSectorDump for BStype NTFS
...........Jump Code (hex): EB5890
............OEM Name (txt): -FVE-FS-
....Bytes per Sector (dec): 512
.Sectors per Cluster (dec): 8
....Reserved Sectors (dec): 0
..............Unused (hex): 0000000000
....Media Descriptor (hex): F8
..............Unused (hex): 0000
...Sectors per Track (dec): 63
.....Heads per Track (dec): 255
......Hidden Sectors (dec): 381896704
..............Unused (hex): 00000000
.............Unknown (hex): 00001FE0
.......Total Sectors (dec): 0
........MFT Location (dec): 393217
.MFT Mirror Location (dec): 0
....Clusters per FRS (dec): 2687104
.Clusters/Indx Block (dec): 1308622848
...........Volume ID (hex): 2020454D414E204F
........Volume Label (txt): NO NAME
............Checksum (hex): 41462020
....Sector Signature (hex): AA55

FVE(Full volume encryption or BitLocker) is on. Now my question... why is the Hidden Sectors count of this partition 381896704 instead of 63(the same as first partition)? Should it be 63?

I also encrypted another 1GB LOGICAL partition on ANOTHER HDD using BitLocker to check it's Boot Sector:
129/000:23/LOG> Boot sector dump requested at 232388608 (14465 133 5)
### BootSectorDump for BStype NTFS
...........Jump Code (hex): EB5890
............OEM Name (txt): -FVE-FS-
....Bytes per Sector (dec): 512
.Sectors per Cluster (dec): 8
....Reserved Sectors (dec): 0
..............Unused (hex): 0000000000
....Media Descriptor (hex): F8
..............Unused (hex): 0000
...Sectors per Track (dec): 63
.....Heads per Track (dec): 255
......Hidden Sectors (dec): 63
..............Unused (hex): 00000000
.............Unknown (hex): 00001FE0
.......Total Sectors (dec): 0
........MFT Location (dec): 393217
.MFT Mirror Location (dec): 0
....Clusters per FRS (dec): 2687104
.Clusters/Indx Block (dec): 1308622848
...........Volume ID (hex): 2020454D414E204F
........Volume Label (txt): NO NAME
............Checksum (hex): 41462020
....Sector Signature (hex): AA55

As you can see the Boot sector of this encrypted drive is almost exactly the same as the boot sector of the drive I lost except for 1 field.. Hidden Sectors (dec): 63

So why it 63 here? Is it because the partition is logical while the partition I lost was primary? If not then can this be why the drive is lost? Will changing the Hidden Sectors to 63 on the lost drive boot sector from 381896704 help recover the drive?

I also noted a difference in the HEX data of the boot sectors of lost drive and the drive I encrypted for testing.
First few bytes of HEX data of the lost drive are:

EB 58 90 2D 46 56 45 2D 46 53 2D 00 02 08 00 00 00 00 00 00 00 F8 00 00 3F 00 FF 00 00 48 C3 16

and corresponding data is:

X.-FVE-FS-............?...H.

Same boot sector bytes of the test drive are:

EB 58 90 2D 46 56 45 2D 46 53 2D 00 02 08 00 00 00 00 00 00 00 F8 00 00 3F 00 FF 00 3F 00 00 00

and corresponding data on test drive is:

X.-FVE-FS-............?..?...

while this data for ALL NTFS drives I checked is:

R.NTFS    ............?..?...

As you can clearly see the lost drive has different HEX data here than the test encrypted drive AND normal NTFS volume. Will editing .H. to ?... help??

Complete log of second disk is attached. I tried to attach it but the site did not allow it as it is not zip
Logged
spyder_pk
member

Posts: 14


« Reply #12 on: February 05, 2013, 04:53:31 AM »

Never mind..

I know the answer already.. I changed the test partition to primary and reencrypted it and sure enf the noot sector started looking almost exactly like the one on the lost drive. At this point I'm stumped.
MBR.. perfect..
Partition table..perfect.
Boot sector.. perfect

Partition.. raw and lost

Here are the boot sector tables for lost and test partitions..

Lost:
129/245:14/LOG> Boot sector dump requested at 381896704 (23771 247 29)
### BootSectorDump for BStype NTFS
...........Jump Code (hex): EB5890
............OEM Name (txt): -FVE-FS-
....Bytes per Sector (dec): 512
.Sectors per Cluster (dec): 8
....Reserved Sectors (dec): 0
..............Unused (hex): 0000000000
....Media Descriptor (hex): F8
..............Unused (hex): 0000
...Sectors per Track (dec): 63
.....Heads per Track (dec): 255
......Hidden Sectors (dec): 381896704
..............Unused (hex): 00000000
.............Unknown (hex): 00001FE0
.......Total Sectors (dec): 0
........MFT Location (dec): 393217
.MFT Mirror Location (dec): 0
....Clusters per FRS (dec): 2687104
.Clusters/Indx Block (dec): 1308622848
...........Volume ID (hex): 2020454D414E204F
........Volume Label (txt): NO NAME
............Checksum (hex): 41462020
....Sector Signature (hex): AA55

Test:
.../000:27/LOG> Boot sector dump requested at 232396290 (14466 0 1)
### BootSectorDump for BStype NTFS
...........Jump Code (hex): EB5890
............OEM Name (txt): -FVE-FS-
....Bytes per Sector (dec): 512
.Sectors per Cluster (dec): 8
....Reserved Sectors (dec): 0
..............Unused (hex): 0000000000
....Media Descriptor (hex): F8
..............Unused (hex): 0000
...Sectors per Track (dec): 63
.....Heads per Track (dec): 255
......Hidden Sectors (dec): 232396290
..............Unused (hex): 00000000
.............Unknown (hex): 00001FE0
.......Total Sectors (dec): 0
........MFT Location (dec): 393217
.MFT Mirror Location (dec): 0
....Clusters per FRS (dec): 2687104
.Clusters/Indx Block (dec): 1308622848
...........Volume ID (hex): 2020454D414E204F
........Volume Label (txt): NO NAME
............Checksum (hex): 41462020
....Sector Signature (hex): AA55

Anything else I should check?
Logged
Tom
Developer and Support Tech
Administrator
member
*****
Posts: 1476


WWW
« Reply #13 on: February 05, 2013, 02:20:11 PM »

I'm confused. You said you have a bitlocker recovery tool but it requires a driveletter. The thing is, you should be able to assign a driveletter to a raw volume, just do that in the disk management tool. Once the letter is assigned you can run the bitlocker recovery tool, right?
Logged

spyder_pk
member

Posts: 14


« Reply #14 on: February 06, 2013, 04:09:58 AM »

Disk management gives me an error that it cannot read the disk or smth and to close Disk Management and reopen. I guess it cannot write due to disk space conflict? Overlapping sectors are there...

End sector for Partition 0 = 381 897 117
First sector of Partition 1 - 381 896 704
Why is this number more than First sector?
Partition 0 overlapping Partition 1?
Could this be the problem?

Will backing up all the data in Paritition 0 and deleting it help??! If I can just get to Partition 1 and back it up then I can delete it repartition the entire disk!
Logged
Pages: [1] 2 Go Up Print 
« previous next »
Jump to:  


Login with username, password and session length

Powered by MySQL Powered by PHP Powered by SMF 1.1.20 | SMF © 2013, Simple Machines Valid XHTML 1.0! Valid CSS!