PC-3000 Data Extractor. Windows Bitlocker, Apple FileVault, TrueCrypt

encryptlogo

As you know there are different software that allow to encrypt users area.

Our developers proceed to research a ways for decrypt drives encrypted by software methods.

PC-3000 version 6.2.x allow to work with such encrypted drives and decrypt by special option in Data Extractor tool.

How to do it? – Welcome to this article!

In this video you can see the process of unlocking encrypted drive by BitLocker, but procedure is the same for all other supported encryption methods:

Please note that we are not break an encryption by something brute-force methods and not hack the encryption. Utility simulate a decryption process like it performed in original utility.

That’s why need to know an original key or have a key-file that encryption utilities create when user switch on the encryption  option in the software.

At this time (PC-3000 version 6.2.x) we can work with partitions are encrypted by Windows Bitlocker, Apple FileVault and TrueCrypt.

When this option can be usefull?

For example drive can’t be recognized by OS because have damaged/problem head, then you can decrypt all available users data (via alive heads) without heads swap procedure.

Another example:

Drive have a problem with the files allocation tables and as result impossible to open the Root and files structure in OS, then you can use decrypt option in Data Extractor and analyse the partition – use a Scan INDX + MFT option or RAW recovery.

The procedure is following:

Create a new task in Data extractor software and build a map of encrypted partition.

encrypt01

Add a Virtual drive. Use “Add virtual drive (Encrypted)” option.

encrypt02

You will see the pop-up window that require to enter a password. Also you can use a Recovery key or load a password from file. These two option allow to decrypt a partition by special file that is also created when encryption option is launched in encryption tool.

encrypt03

As result in Data Extractor will be created new virtual partition with decrypted users area.

encrypt04

As you can see all data are decrypted and available.

If you have something problems with this procededure – please contact us!

 

1 Star2 Stars3 Stars4 Stars5 Stars (4 votes, average: 5.00 out of 5)
Loading...

This entry was posted in Articles, Data Extractor, PC-3000 HDD, Video. Bookmark the permalink.

12 Responses to PC-3000 Data Extractor. Windows Bitlocker, Apple FileVault, TrueCrypt

  1. Osity says:

    Does this address core storage?

    • ACELab team says:

      Core Storage is way of volume managment on Apple devices. It can manage one or several volumes. CS with one volume usually called FileVault, CS with several volumes usually called Fusion drive. Standard Data Extractor supports FileVault with 512 and 4096 sector size. Data Extractor RAID supports Fusion drive with HFS+ and APFS file systems.

  2. vario4 says:

    Thank you very much!

  3. Popica says:

    if i don’t have any password? 🙁 the customers forgot all ID and password

    • ACELab team says:

      With out original password PC-3000 can’t expand a partition.
      As wrote in this article:

      “we are not break an encryption by something brute-force methods and not hack the encryption. Utility simulate a decryption process like it performed in original utility.
      That’s why need to know an original key or have a key-file that encryption utilities create when user switch on the encryption option in the software.”

  4. antonvn says:

    Hi, I have a case now with Bitlocker, the customer gave me keys to try and it may work out fine.

    How about in forensics, we need a tool that can retrieve data without keys. I understand and respect your take on hacking and ethics, but this is an important requirement.

    I was working in IT Security before and there is a subject called ‘ethical hacking’ that we were looking into. There were employees at a bank who encrypted disks and then left the company. They said that they did not remember the keys, but the bank was in real trouble. I believe that we should be able to help them – hacking or any other way that you can come up with.

    Do not forget that many of the disks that we recover for companies have very sensitive information on them and this is not regarded to be a problem; why is breaking encryption a problem?

    Think about it and see if you can come up with a win-win solution.

    • ACELab team says:

      Hello. Such questions better to ask directly to TS department. We are not providing full recovery steps for customer problems in article comments.

  5. Arif_Wahedi says:

    Sir If WE Dont Know The Drive Password
    Then How to Encrypt or recover Our Data ??

    • ACELab team says:

      Please read article and comments again.

      With out original password PC-3000 can’t expand a partition.
      As wrote in this article:

      “we are not break an encryption by something brute-force methods and not hack the encryption. Utility simulate a decryption process like it performed in original utility.
      That’s why need to know an original key or have a key-file that encryption utilities create when user switch on the encryption option in the software.”

  6. does the export feature just save a copy of the file on non damaged disks? Or will it use the hardware imager so we can image files and use the features of it? We are struggling with the ability of not being able to image the files since their is file damage on the drive – it doesn’t even put the files in the !Problem folder when saving… When you create a map and folder of the selected data we want to image – after its built – only option is to save it??? Why give us the map files and folder option when you cant use it – very confusing…

    • ACELab team says:

      Dear Joseph,

      When you decrypt BitLocker or Filevault partition Data Extractor creates a new virtual volume using encryption keys. So next actions you do with virtual volumes. Virtual volumes have some restrictions with map operations, for example you cannot re-read bad sectors of file using its map.
      One possible solution to re-read bad sectors is to build submap of either entire volume or specific file based on drive info. This submap provides full functionality for operations with map. You can use multipass reading on this submap. After that, you can return to original virtual map and save file with improved sector content.

Leave a Reply to ACELab team Cancel reply

Your email address will not be published. Required fields are marked *