1TB HGST Bitlocker protected disk : Data Recovery Case Study

Data Recovery Ireland


Bitlocker is a common encryption application available in Windows 2008 and in the Ultimate and Enterprise editions of Windows Vista, Windows 7 and Windows 8. It protects a computer owner from data theft if a system or storage device is lost, and protects against outside attacks through a network.

Bitlocker uses the Advanced Encryption Standard (AES) algorithm in Cipher Block Chaining mode, with or without a diffuser. Most default deployments of Bitlocker use 128-bit or 256-bit AES encryption with the Elephant diffuser algorithm.

Bitlocker uses a Full Volume Encryption Key (FVEK) to protect the data. In turn, this key is protected by a Volume Master Key (VMK). Like a lot of encryption applications, Bitlocker allows for multi-factor authentication via a Trusted Platform Module (TPM) chip, a PIN and USB.

Most deployments of Bitlocker are trouble-free. Occasionally, however, disk failure or corruption of the encryption application itself means that data recovery from a Bitlockered disk is needed.

Last week one of our clients, a user from an Irish Government agency, had a Bitlocker-protected disk in a Lenovo laptop. The volume became inaccessible. Their I.T. department removed the 1TB HGST disk from the laptop and attached it to another Windows 7 Enterprise system with a TPM chip onboard. The disk would not mount and was “invisible” to the system.


The data was of critical importance and of a confidential nature. Due to confidentiality concerns, the user was not backing up to the department’s server.


We examined the drive. Using special tools, our technicians accessed the Host Protected Area (HPA) of the HGST disk. The G-List and Translator tables were all corrupt. Using our equipment, which can access the HPA directly, our technicians repaired the corrupt firmware.

This made the drive bootable again. This time, when the drive was connected to one of our recovery systems, a Bitlocker volume, or Full Volume Encryption File System (FVE-FS), was recognised by the signature “-FVE-FS-” at the start of the volume – always a promising juncture when recovering from an encrypted disk. The client then emailed us their 48-digit Bitlocker key in a .txt file.
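The two checks this step relies on, as an added Python example that is not part of the original case study: confirming the “-FVE-FS-” signature in the first sector of a volume image, and checking that a recovery key received as text is well formed before it is passed to manage-bde. The signature offset (byte 3, the boot sector's OEM ID field) and the rule that each 6-digit group is a multiple of 11 no larger than 720885 are Bitlocker background not stated in the case study; the function names and sample data are constructed for illustration.

```python
import re

SECTOR_SIZE = 512
FVE_SIGNATURE = b"-FVE-FS-"   # signature quoted in the case study
NTFS_SIGNATURE = b"NTFS    "  # what an unencrypted NTFS volume carries instead
OEM_ID_OFFSET = 3             # OEM ID field of the boot sector (assumption, see lead-in)


def classify_boot_sector(sector: bytes) -> str:
    """Classify the first sector of a volume read from a disk image."""
    if len(sector) < SECTOR_SIZE:
        return "short-read"
    if sector.count(0) == len(sector):
        return "blank"
    oem_id = sector[OEM_ID_OFFSET:OEM_ID_OFFSET + 8]
    if oem_id == FVE_SIGNATURE:
        return "bitlocker"
    if oem_id == NTFS_SIGNATURE:
        return "ntfs"
    return "unknown"


def check_recovery_password(text: str) -> list:
    """Return a list of problems; an empty list means the key is well formed."""
    groups = re.split(r"[-\s]+", text.strip())
    if len(groups) != 8:
        return [f"expected 8 groups, found {len(groups)}"]
    problems = []
    for index, group in enumerate(groups, start=1):
        if not re.fullmatch(r"[0-9]{6}", group):
            problems.append(f"group {index}: not six digits")
        elif int(group) % 11 != 0 or int(group) // 11 > 0xFFFF:
            problems.append(f"group {index}: fails the multiple-of-11 check")
    return problems


def make_sample_sector(oem_id: bytes) -> bytes:
    """Build a constructed boot sector: jump bytes, OEM ID, padding, 55 AA."""
    body = b"\xeb\x58\x90" + oem_id
    return body + b"\x00" * (SECTOR_SIZE - len(body) - 2) + b"\x55\xaa"


# Constructed key: every group is a multiple of 11 below 720896 (not a real key).
SAMPLE_KEY = "000011-000022-000033-000044-000055-000066-000077-720885\r\n"

if __name__ == "__main__":
    print(classify_boot_sector(make_sample_sector(FVE_SIGNATURE)))
    print(check_recovery_password(SAMPLE_KEY))
    print(check_recovery_password(SAMPLE_KEY.replace("000033", "000034")))
```

A key that passes this check is only well formed; whether it unlocks the volume is still decided by manage-bde.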

We then used the following command to unlock the volume:

manage-bde -unlock e: -RecoveryPassword XXX48-digitkeyXXX

where e: was the Bitlockered volume.

Once the key had been entered, the volume’s partitions appeared. We invited the client to log in to our systems remotely to view and verify their data.


All their files were recovered intact. Even though their drive was bootable again, we extracted a copy of the data onto an external USB drive as a precaution.

Lesson: disk encryption and comprehensive backup policies should be in lockstep with each other.

The main takeaway from this case is that disk encryption and comprehensive backup policies should be in lockstep with each other. Disk encryption applications are not like other PC applications, whose actions can be easily reversed. If corruption does occur on a whole-disk encrypted volume, it is not unknown for some users to lose access to their data irreversibly. As for users who deliberately refrain from backing up to their company’s or organisation’s server out of confidentiality concerns, alternative practical backup policies should be drawn up. This could be in the form of local backup or backup to a personal Cloud-based service.