Resolved: How to recover an accidentally deleted volume (partition) in a Virtual Disk protected by BitLocker
Resolved: How to recover an accidentally deleted volume (partition) in a Virtual Disk protected by BitLocker
I am going to have to start with a confession, “Resolved” might be a bit of a stretch. For starters, the best case scenario looks like recovering the information but you’ll need a temporary place where to store it, test it (make sure it’s fine not corrupted), etc. I can’t stress enough that as soon as you have messed something up you should read everywhere all you can to avoid following one method and screwing your chances of real recovery with it. I say this because if you write on top of your old data it’s gone probably for good. You have to be extra careful and be mindful that one method might mess up your chances with another one, so err on the side of caution. By this point all bets are off, you should have had made a backup and this should not be your only alternative. If the information is valuable you’re better off hiring a professional than trying to fix it yourself. So all I can really say now is I take no responsibility, this method seemed to have worked for others and it worked for me thankfully… it does not mean it will work for you. So now that you understand the risks involved (if not please abort), let’s get on with it!
So as you probably figured out, I deleted a volume (partition/drive) accidentally. I was trying to delete one that had an issue so I backed up my data on that volume, then moved it over to another, and then I deleted it so I could recreate elsewhere… oh wait… it’s still there… oh wait… where is my other data volume… oh sh!t! And that is how I lost my entire long easter weekend. I tried several utilities on the internet (albeit I distrust so many third parties on my server but what choice did I have), and no good. Finally I found an article from Microsoft: How To Recover an Accidentally Deleted NTFS or FAT32 Dynamic Volume. Basically it states:
To Recover a Deleted NTFS Volume
- Re-create the exact same volume but choose not to format it. This may be difficult if you do not remember the exact size you had created originally, especially because the Disk Management snap-in tends to round partition sizes.
- Using Dskprobe.exe, recover the backup boot sector for the NTFS volume from the end of the volume. Because it is a dynamic volume you may need to use Dmdiag.exe to help find the backup boot sector, or search for it by using Dskprobe.exe (on the Tools menu, click Search Sectors).
- After rewriting the NTFS boot sector, quit Dskprobe.
- In Disk Management, click Rescan Disks on the Action menu. This should mount the volume for immediate use.
so I did that the best I could. Fortunately my partition covered the whole drive so I just used the max size while creating it. Please not you should NOT FORMAT the partition/volume, if you do then you just made the recovery considerably less likely and harder and out of the scope of this post. By now the partition showed up as RAW (not formatted) and all the recovery utilities where unable to recover the information I needed. By now I had lost almost all hope until I started to look at the actual data looking for any information on any sector when I realized everything looked like garbage… eh I mean, random text that might as well be encrypted data! So here is where things took a turn and my immediate future looked brighter! The deleted volume was encrypted using BitLocker, and because of that the OS was unable to recognize the formatting on the drive and what not. Doing some research I found a system utility designed for scenarios such as this.
Solution
Let’s just get a quick list of pre-requisites before we get started
- Make sure you have NOT done a thing to your deleted volume/partition… formatting specially.
- Find your decryption key for BitLocker. You get a few choices between:
- Recovery Key
- Recovery Password
- Password
- Key Package
- Find a suitable storage location to store your decrypted data
- The volume/partition must not be the one you are trying to recover
- The volume/partition must have at least the same amount of available space as the one you are trying to recover (total size of both include used and free space)
so now that you have everything you need let’s get started!
First of, take a deep breath and make sure you don’t accidentally make this thing worse. Double, Triple check everything to make sure you are doing the right thing. So let’s get started
Step I – Recreate the partition from Disk Management
I’ll start off with a big warning: Do NOT format the volume/partition. There are several ways to launch Disk Management (compmgmt.msc), so go ahead and use your favorite method and launch it with administrative rights (as you’ll need them to create the partition.) Now that you have it open, time to go look for the Unallocated space where you had the partition you are trying to restore.
Once identified, let’s proceed to recreate the partition. In my case, I right clicked the Unallocated space and created a New Simple Volume. Keep in mind we are trying to recreate the lost partition, so you need to provide all the information identically as it was on the deleted volume (size, etc.) For more advanced scenarios you could specify the start and end sectors but if you are like me and used the entire disk the wizard should be enough. Again, be careful, one of the steps in the wizard reads “Format Partition.” Make sure you select the option “Do not format this volume” to avoid data loss. Don’t forget to mount it to a drive letter so you can work on it later on (in my case I have assigned it the letter E.) Once you’re done you’ll see in the Disk Management console that your partition appears as RAW. If you didn’t have BitLocker on your partition it should (based on what I read) show your original partition and you should had recover access to your data. In our case because we used BitLocker the information is encrypted and the OS does not recognize it as a BitLocker enabled drive. Here is where Step II comes in
Step II – Use repair-bde to unencrypt your BitLocker volume
Due to Microsoft wanting to be careful and safe with your data, this tool is basically a read-only tool. It will not repair your lost volume, but rather would read it, decrypt it, and save the unencrypted information elsewhere. This is why we need a storage location where we can store the entire content of the encrypted volume (not just the used space, but the entire space of the volume.) To do so, we are going to use the repair-bde tool as follows:
repair-bde <InputVolume> <OutputVolumeorImage> [-rk] [–rp] [-pw] [–kp] [–lf] [-f] [{-?|/?}]
where
Parameter | Description |
---|---|
<InputVolume> | Identifies the drive letter of the BitLocker-encrypted drive that you want to repair. The drive letter must include a colon; for example: C:. |
<OutputVolumeorImage> | Identifies the drive on which to store the content of the repaired drive. All information on the output drive will be overwritten. |
-rk | Identifies the location of the recovery key that should be used to unlock the volume. This command may also be specified as -recoverykey. |
-rp | Identifies the numerical recovery password that should be used to unlock the volume. This command may also be specified as -recoverypassword. |
-pw | Identifies the password that should be used to unlock the volume. This command may also be specified as -password |
-kp | Identifies the recovery key package that can be used to unlock the volume. This command may also be specified as -keypackage. |
-lf | Specifies the path to the file that will store Repair-bde error, warning, and information messages. This command may also be specified as -logfile. |
-f | Forces a volume to be dismounted even if it cannot be locked. This command may also be specified as -force. |
-? or /? | Displays Help at the command prompt. |
In my case, I used the following command first:
.\repair-bde.exe E: N:\RecoveredData.img -rp 123456-789012-345678-901234-567890-123456-789012-345678 –lf C:\log.txt
This is what I’ve seen most people use. I haven’t troubleshoot enough but I did ran into some issues using an Imagine file. I tried to mount it with no luck (The disk image file is corrupted.) and people suggested using 7Zip to open the image file. That worked fine but all the information I got out was corrupted. I did experience an issue where the progress got stuck at 17% and I had to click enter to have it continue progressing. The same thing happened at different progress %s which might had been the root cause of the data corruption.
Because of those issues, I prepared a new volume where to store the data. Instead of using an image file I used a volume instead like so:
.\repair-bde.exe E: B: -rp 123456-789012-345678-901234-567890-123456-789012-345678 –lf C:\log.txt
If everything goes well, you should get a message like this one:
BitLocker Drive Encryption: Repair Tool version 6.3.9600
Copyright (C) 2013 Microsoft Corporation. All rights reserved.
Beginning scan for BitLocker metadata.
Scanning boot sectors for pointer to metadata: 100%
Scanning sector boundaries for metadata: 100%
Finished scanning for BitLocker metadata.
Beginning decryption.
Decrypting: 100% Complete.
Finished decryption.
ACTION REQUIRED: Run 'chkdsk B: /f' before viewing decrypted data.
after that go ahead and run chkdsk B: /f as requested. (note I used B you might have used another drive letter)
The type of the file system is NTFS.
Chkdsk cannot run because the volume is in use by another
process. Chkdsk may run if this volume is dismounted first.
ALL OPENED HANDLES TO THIS VOLUME WOULD THEN BE INVALID.
Would you like to force a dismount on this volume? (Y/N) y
Volume dismounted. All opened handles to this volume are now invalid.
Volume label is NTFS Store.
Stage 1: Examining basic file system structure ...
522240 file records processed.
File verification completed.
1912 large file records processed.
0 bad file records processed.
Stage 2: Examining file name linkage ...
591156 index entries processed.
Index verification completed.
0 unindexed files scanned.
0 unindexed files recovered.
Stage 3: Examining security descriptors ...
Security descriptor verification completed.
34459 data files processed.
CHKDSK is verifying Usn Journal...
545242136 USN bytes processed.
Usn Journal verification completed.
Correcting errors in the uppercase file.
CHKDSK discovered free space marked as allocated in the volume bitmap.
Windows has made corrections to the file system.
No further action is required.
3145597 MB total disk space.
662182044 KB in 485658 files.
155952 KB in 34460 indexes.
0 KB in bad sectors.
1223991 KB in use by the system.
65536 KB occupied by the log file.
2497588 MB available on disk.
4096 bytes in each allocation unit.
805273087 total allocation units on disk.
639382591 allocation units available on disk.
and voilà! You got yourself a volume (B:) with the information that used to be stored in the encrypted drive!
I am still double checking all my data is there and that no information is corrupt but thus far it is incredibly promising. All the files I have tried to access are there and displaying properly. Until the users come in tomorrow morning I won’t know for sure if this was 100% successful but from what I’ve seen I believe so. Hopefully this guide saves your life data as well!
Additional knowledge
So here are a few bits and pieces of additional knowledge that might help you when facing this issue:
Q: I get an error when running repair-bde: “Failed to authenticate using supplied recovery information. (0x80310000)”
A: You are not providing the right key/password to decrypt your BitLocker drive. As the message at the end says “ERROR: BitLocker is not suspended on this volume. Try another key protector.“
Q: The image file shows up as corrupted. Could not open it with 7Zip either
A: If your drive is over 2 TB in size it most likely is GPT formatted. If you use diskpart you’ll see that such a formatted disk comes with a “Reserved” system partition:
DISKPART> list partition
Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Reserved 128 MB 17 KB
Partition 2 Primary 3071 GB 129 MB
In my case, when I deleted my partition, partition 1 of 128mb remained there so I had no issues. You should use diskpart to see if that is the case. If you don’t have it then partition alignment won’t be the same without it. A potential solution would be to grab a similar drive, partition it, and recreate the partitions identically to replicate as they were before you deleted them in the troubled drive. I am no expert on this, so it’s up to you to pick the right tool and not overwrite your data.
Q: This imagine file looks familiar, can I mount it on a Mac?
A: Sure can. Should work with windows as well… not sure what to make it of though.