[Solved]How to Remove/Crack Bitlocker Encryption?

BitLocker encryption is a data protection function of Windows. It is mainly used to solve data theft or malicious leakage caused by physical loss of computer equipment. It can support both FAT and NTFS formats, and can encrypt the entire system partition of the computer. Removable portable storage devices, such as USB flash drives and mobile hard drives.

BitLocker uses the AES (Advanced Encryption Standard/Advanced Encryption Standard) 128-bit or 256-bit encryption algorithm for encryption. The security and reliability of its encryption are guaranteed. Under normal circumstances, as long as the password is strong enough, this encryption is difficult to Crack. Therefore, when collecting evidence and encountering situations where computers, USB flash drives, etc. Involved in a case are encrypted by Bitlocker, it becomes particularly important to crack the encryption and obtain the data involved.

1. Decryption ideas

BitLocker encryption process

The method of BitLocker encryption for a disk is very simple. Open the resource manager, right-click on the disk partition you want to encrypt, and select "Enable BitLocker". (Encryption can also be enabled and managed in "Control Panel" - "System and Security" - "BitLocker Drive Encryption".)

After clicking "Enable BitLocker", set the encrypted drive password in the new pop-up window, click "Next" after entering it, and then select the location to save the recovery key.

Generally speaking, it is more secure to store the recovery key in a USB flash drive or print it out, because in this way, the encrypted drive and the recovery key are kept separately, which provides better security. However, in actual situations, sometimes the recovery key is saved on the hard disk to save trouble, which also gives us the possibility of decryption.

Then BitLocker starts to encrypt the entire drive. BitLocker takes a long time to encrypt and decrypt the drive, and the user needs to wait for a long time. After the encryption is completed, you can see an extra lock on the original disk icon, which indicates that the drive has been encrypted.

Related you may like:Method to recover Hidden Files on Computer.

2.Analysis of decryption ideas

Idea 1: Find and decrypt through password

Obtain password-related data from all media involved, organize the data into a dictionary, and then use corresponding decryption tools to decrypt or brute force it. Because this method has great uncertainty, the choice depends on the situation.

Idea 2: Decrypt through recovery key

Through the BitLocker encryption process, we can know that a recovery key will be generated during encryption settings. Usually everyone will store the recovery key in the "save to file" method (usually you will not choose to register a Microsoft account, and printing is easy to lose. So more often than not, you choose to save to a file). In this way, the recovery key will be stored in the storage medium as a TXT file;

When TXT text data is stored in the medium, the bottom layer is stored in plain text. Even if the TXT is deleted, as long as the bottom data is not overwritten, we can find the recovery key through bottom keyword search and regular matching.

Idea 3: Others

In some cases, through specific media involved, such as encrypted USB flash drives or mobile hard drives, the automatic unlocking function can be started on the relevant computer. We only need to connect the media involved in the case to the corresponding computer to unlock the encrypted media;

Extract the BitLocker key from the decrypted BitLocker-encrypted computer memory image. This method is not described. You can find the corresponding information by yourself.

Computer Data Recovery

One Click to Get Back your Files from Windows/Mac Computer.

Free Download Free Download Learn more

3.Case practice

There is currently a computer partition involved in the case that is encrypted by BitLocker. It is necessary to decrypt the partition to obtain the data involved. The hard disk image of the computer involved in the case has been completed.

Inspection material: 001.DD

Operating software: winhex, DRS6800 data recovery system

Decryption idea: decryption through recovery key

Obtain the image file and load it into winhex to perform a full search for the keyword "recovery key" (you can also search for other keywords in the key text or perform a regular matching search on the rules of the key). The steps are as follows:

Step 1: In order to improve the search accuracy, a hexadecimal search will be performed, the "recovery key" will be written into a new TXT, and saved as a TXT text in UTF-16 LE encoding format. It can also be used with The operating system version corresponding to the computer involved generates a TXT file of the recovery key (usually the saved key TXT file is stored in UTF-16 LE encoding format);

Step 2: Open the txt text containing the "recovery key" through winhex, and copy the sixteen mechanism number corresponding to the "recovery key";

Step 3: Open 001.DD through winhex and convert the image to a disk;

Step 4: Use the sixteen mechanism numbers corresponding to the copied "recovery key" to fully search the opened 001.DD image file, find the records related to the recovery key, and proceed to the next step of decryption and verification of the recovery key.

Decrypt and verify the recovery key found in the previous step, enter the data recovery module of the DRS6800 data recovery system, load the 001.DD image, right-click the encrypted partition in the image, select Unlock Bitlocker, enter the recovery key to decrypt, and select Quick Scan. You can obtain the encrypted partition data.

4.Summary

• The recovery key file may be stored in the relevant media involved in the case, and the relevant media can be quickly found based on traces such as USB plug and unplug records;
• Bitlocker may have compatibility issues due to different operating system versions. If you use the Bitlocker that comes with the Windows system to decrypt, you must be careful to select the same operating system version as the media involved;
• For partitions or USB media that are already in the decrypted state, the evidence needs to be fixed as soon as possible in the decrypted state. You can fix the partition image by directly opening the decrypted partition through winhex. It should be noted that if you fix it by opening the disk and then opening the partition, the partition will still be encrypted;
• For partitions or USB media that are already in the decrypted state, in order to prevent unexpected situations from causing the media to be in the encrypted state again, you can right-click to manage the BitLocker operation backup recovery key file in the decrypted state.