Recovering Data from a bit-lockered drive that is dying


So today i go home and fired up the Windows 10 PC with all of my drives Bitlockered. Long story short, one of my drives was throwing up some I/O error and i was unable to open the drive.

At this point, I was thinking, hmm ok , let’s just reboot and see if it was a one off. Unfortunately this was not the case and I was starting to get worried as all of my DSLR photos are on that drive, every photo since 2007! Yes i have a backup of those files on a NAS and also  a lower quality on a Google Drive account also.

Anyway, i wanted my data back so i booted up into my Linux OS and got crackalacking!

Below are the steps that allowed me to recover data. Hope this is of some help to you others

Make two folders, /media/bitlocker and /media/mount:

sudo mkdir /media/bitlocker /media/mount

Download and then extract Dislocker.
git clone https://github.com/Aorimn/dislocker.git
sudo apt-get install gcc cmake make libpolarssl-dev ruby-dev
sudo apt0get install libfuse-dev (this one failed to install due to dependency issues)
You will need to download these files also.

Once you have them downloaded you will need to extract them then
sudo dpkg – i libc6-dev_2.21-0ubuntu4_amd64.deb
sudo dpkg – i libpolarssl-dev_1.3.9-2.1_amd64.deb
sudo dpkg – i libpolarssl7_1.3.9-2.1_amd64.deb

Once this has been done you can move on to the below

cd dislocker
cmake .
Once this is done
sudo make install

Now dislocker is installed and you can just type dislocker at the shell and start using the dislocker application.

So now we need to Identify your encrypted partition:
You can do this by typing
sudo fdisk -l

MAKE SURE YOU KNOW HOW TO IDENTIFY THE CORRECT HDD,
i accept NO responsibility if you break something!

Now you can decrypt using: (sdaX being the HDD you need changing X where needed)

sudo dislocker -r -V /dev/sdaX -p1536987-000000-000000-000000-000000-000000-000000-000000 — /media/bitlocker

PS: You should replace 1536987-000000-000000-000000-000000-000000-000000-000000 with your recovery password.

OR if u don’t have recovery password, decrypt using your user password:

sudo dislocker -r -V /dev/sdaX -uPASSWORD — /media/bitlocker

PS: You should replace uPASSWORD with your User password.

Now mount the file:

sudo -i
cd /media/bitlocker
mount -o loop dislocker-file /media/mount

At this point i got an error as below

The disk contains an unclean file system (0, 0).
Metadata kept in Windows cache, refused to mount.
Failed to mount ‘/dev/loop1’: Operation not permitted
The NTFS partition is in an unsafe state. Please resume and shutdown
Windows fully (no hibernation or fast restarting), or mount the volume
read-only with the ‘ro’ mount option.

So i had to use the below instead.
mount -o ro dislocker-file /media/mount/

Now you can move to the /media/mount folder and see your decrypted data.

screenshot-1

And now i can copy and paste the files over to a new HDD! Phew! Thanks for linux and the creator of dislocker! Good luck to you all.

screenshot-2