Undelete from BitLocker non-activated drive

A forum on data recovery using the professional data recovery software R-STUDIO.
jmmh
Posts: 3
Joined: Sun Sep 03, 2023 9:00 am

Undelete from BitLocker non-activated drive

Post by jmmh » Sun Sep 03, 2023 9:36 am

I've been an IT professional for decades and was hex-editing FAT directory structures years ago and even wrote my own advanced HEX disk editor back in the DOS days. Been much more focused on software and less on hardware for a long time now so have forgotten most of the low-level drive details. Anyway..

Stupid me, I accidently deleted the wrong directly on an NTFS drive which was too large for the recycle bin. Noticed the mistake immediately and have not written anything to the drive since. Its a 2nd separate data disk that does not have system files on it. Various data recovery tools (R-Studio, Disk Genious, Recuva, etc) can all find the directly structure and files. When I pull it up in R-Studio it shows the files as "Excellent" with no overwritten sectors. So this is good news, this means the files should be easily recoverable without data loss.

Only the files haven't been recoverable. Every program I try says they can recover them, copies them to a different, unrelated target drive I specify where they end up being garbage data / unrecognizable file formats that can't be accessed. This is odd.

The only thing I can think of is the computer is a laptop and the drive has BitLocker, but its not activated. Various recovery tools, including R-Studio mention BitLocker when listing the drive. But when I got into the BitLocker configuration on my computer it clearly indicates that BitLocker has not been activated for that drive. So there should not be any encryption on that drive.

This makes me wonder if the recovery software is seeing the presence of BitLocker on the drive and then treating the drive as if it is encrypted, even though it is not encrypted (is not "activated")? Trying to decrypt cleartext files would obviously lead to garbage data.

Something odd is clearly going on here. The files were merely deleted though Windows Explorer. Which means the data is still sitting there untouched on the drive, enact. The directory and file structures are still there in NTFS because all the software systems can see them. The file sectors are reported as entact and not overwritten. The drive is not encrypted. There is nothing I am aware of that should prevent the full and complete recovery of these files.

BTW - The R-Studio demo is terrible compared to every other recovery program. I have some videos in that folder and I wanted to try and undelete a couple as a test, since if a video is recovered correctly its a darn good sign everything else will be before I buy. Every other program allowed me to undelete a couple video files with their demo, R-Studio limited me to 250k or smaller files! Luckily I had some that were under that, but I have some media directories that only have large files so I wouldn't have even been able to test a single file. Not confidence building at all.

P.S. This is the first I've ever heard of R-Studio. Really wish I had known about this a few years ago, I had a RAID go bad and the controller lost its configuration and could not read the drives anymore. I tried a whole bunch to recover that thing with no luck, but I didn't have a tool with the RAID recovery capabilities that R-Studio appears to be capable of. I've still got the card and disks sitting on a shelf, I might just give it another go. Though, as mentioned above, having only been able to test a couple of < 250k files (that didn't work) I'm very iffy on spending > $100 at the moment.

jmmh
Posts: 3
Joined: Sun Sep 03, 2023 9:00 am

Re: Undelete from BitLocker non-activated drive

Post by jmmh » Sun Sep 03, 2023 9:55 am

I poked around in the GUI and found a bit more interesting info.

In the Device List, in the grid the line under the drive letter shows "BitLocker. If I click on it it shows some detail on the right.

Code: Select all

Drive Type        SLABS
Name              BitLocker
Size              3.64 TB
BitLocker Informaton
     Encryption Type         XTS-AES 128
So it certainly seems that R-Studio believes the drive to be encrypted, even though the drive IS NOT ENCRYPTED.

To clarify, if I go into the Control Panel applet for Bit Locker and select the D: drive what BitLocker officially says about the drive is:
"Data (D:) BitLocker waiting for activation" then it has a link to the right "Turn on BitLocker". It also shows an un-locked padlock with a yellow alert exclamation mark for the drive.

Back in R-Studio, I tried clicking on the "unlock Bitlocker" right-click menu item for the drive to see what would happen. Very interesting, I got the following pop-up dialog box:

"R-Studio Demo 9.3.191230"
"The drive is encrypted with an unknown method and can't be unlocked."

This is definitely looking like the case of having BitLocker on a disk but not activated was not something that was coded for. Hopefully this is an easy code change though, I mean probably this is just figuring out how to detect if BitLocker is activated or not and then, if not activated, doing a normal recovery operation as if BitLocker wasn't even there. Hopefully. But leaves me without a solution at the moment if I'm correct.

Alt
Site Moderator
Posts: 3069
Joined: Tue Nov 11, 2008 2:13 pm
Contact:

Re: Undelete from BitLocker non-activated drive

Post by Alt » Mon Sep 04, 2023 2:47 pm

This is the "suspended" mode of BitLocker. R-Studio will address this issue in its next release.

jmmh
Posts: 3
Joined: Sun Sep 03, 2023 9:00 am

Re: Undelete from BitLocker non-activated drive

Post by jmmh » Thu Sep 14, 2023 2:27 am

Is there an ETA on when that release will be?

Alt
Site Moderator
Posts: 3069
Joined: Tue Nov 11, 2008 2:13 pm
Contact:

Re: Undelete from BitLocker non-activated drive

Post by Alt » Fri Sep 15, 2023 12:14 pm

jmmh wrote:
Thu Sep 14, 2023 2:27 am
Is there an ETA on when that release will be?
As soon as it gets ready.

Post Reply