
Is data in a BitLocker encrypted hard drive safe from data recovery software?

avg123

I have a BitLocker encrypted hard drive. If someone formats the drive and then runs data recovery software on it, can they recover the

1. Data

2. Filenames

?


I don't think they can recover the files with full disk encryption unless they found a vulnerability and exploited it. I think though that XTS-AES 128-bit is the sweet spot for security and performance.


Just now, Pangea2017 said:

They will get back the encrypted data. If they manage to recover data from the TPM module they still need the second factor like your password or a smart card.

Can they see the filenames?

My computer does not support TPM. It only has a password.


4 minutes ago, avg123 said:

Can they see the filenames?

My computer does not support TPM. It only has a password.

No. Everything is encrypted with Full Disk Encryption like BitLocker. The only way to recover any data would be to clone the drive and then get the password from you. If the drive gets erased, the data will likely be forever irrecoverable even with the password, since the chances of the entire encrypted key header being able to be recovered intact are astronomically low.

However, this all rests on how strong your password is. Make sure you haven't used a password you've ever used before, not even similar. No repeated words or dictionary words.

 


2 minutes ago, Tabs said:

No. Everything is encrypted with Full Disk Encryption like BitLocker. The only way to recover any data would be to clone the drive and then get the password from you. If the drive gets erased, the data will likely be forever irrecoverable even with the password, since the chances of the entire encrypted key header being able to be recovered intact are astronomically low.

However, this all rests on how strong your password is. Make sure you haven't used a password you've ever used before, not even similar. No repeated words or dictionary words.

Just to clarify: they can't see the filenames, right?

The filenames are just as important as the data itself when we are talking about porn.


2 minutes ago, avg123 said:

Just to clarify: they can't see the filenames, right?

The filenames are just as important as the data itself when we are talking about porn.

To clarify, yes. Literally everything on the disk is encrypted, including filenames, metadata, everything. To anything looking at the drive, everything is a completely random mess. You can't tell where a file begins or ends, or anything about what data is on there.

The most an outside observer can see is that there's an encrypted volume. Nothing more.

But again, this all rests on the strength of your password. If you can, invest in a TPM (£10 for a TPM 2.0 device) as that will prevent a clone of your disk working in another machine without the recovery code, limiting any brute force attempts to take place on your machine.


26 minutes ago, avg123 said:

Just to clarify: they can't see the filenames, right?

The filenames are just as important as the data itself when we are talking about porn.

 

Literally EVERYTHING is encrypted so your secrets will stay safe ;)


13 minutes ago, Tabs said:

To clarify, yes. Literally everything on the disk is encrypted, including filenames, metadata, everything. To anything looking at the drive, everything is a completely random mess. You can't tell where a file begins or ends, or anything about what data is on there.

 

The most an outside observer can see is that there's an encrypted volume. Nothing more.

 

But again, this all rests on the strength of your password. If you can, invest in a TPM (£10 for a TPM 2.0 device) as that will prevent a clone of your disk working in another machine without the recovery code, limiting any brute force attempts to take place on your machine.

Thanks, mate. I will try to remember it in a few years when I need to encrypt my data just to be sure I get caught off-guard.

 

18 minutes ago, avg123 said:

Just to clarify: they can't see the filenames, right?

 

Keep in mind that you should shut your PC down whenever you leave the room because encryption is useless when you leave your PC on. The police or anyone else could raid your house and see the data so always shut it down.


16 minutes ago, Teddy07 said:

Keep in mind that you should shut your PC down whenever you leave the room because encryption is useless when you leave your PC on. The police or anyone else could raid your house and see the data so always shut it down.

 

That is only if we are talking about full disk encryption. Disk encryption is the encryption of an entire disk, so not just specific files. In other words, if you open up your computer and pop out the hard drive, all the contents (literally everything) of that physical hard drive are encrypted.

 

File encryption is the encryption of specific files only. So, if you have only two documents on your computer, you can choose to encrypt one but not the other. Unlike disk encryption, which I mentioned above, you actually have to make a decision on what you’re going to have encrypted. (This does not necessarily mean that you have to remember which files to encrypt every time. For example, your Excel files will be encrypted automatically but not any jpegs saved to your computer). Unlike disk encryption, since the actual file is encrypted, passing around the files (via e-mail or otherwise) will still ensure the security of those files.

 

Folder encryption is the same concept as disk encryption, in that anything that’s saved to a particular folder (or, directory, if you prefer) is encrypted. Take the file out of the folder, and it’s not encrypted anymore.


4 minutes ago, Christophe Corazza said:

 

That is only if we are talking about full disk encryption. Disk encryption is the encryption of an entire disk, so not just specific files. In other words, if you open up your computer and pop out the hard drive, all the contents (literally everything) of that physical hard drive are encrypted.

 

File encryption is the encryption of specific files only. So, if you have only two documents on your computer, you can choose to encrypt one but not the other. Unlike disk encryption, which I mentioned above, you actually have to make a decision on what you’re going to have encrypted. (This does not necessarily mean that you have to remember which files to encrypt every time. For example, your Excel files will be encrypted automatically but not any jpegs saved to your computer). Unlike disk encryption, since the actual file is encrypted, passing around the files (via e-mail or otherwise) will still ensure the security of those files.

 

Folder encryption is the same concept as disk encryption, in that anything that’s saved to a particular folder (or, directory, if you prefer) is encrypted. Take the file out of the folder, and it’s not encrypted anymore.

My internal hard drive has 2 partitions, C: and D:, and I encrypted both.

I know there is another 500 MB partition that Windows created when I installed Windows 10 and that is not encrypted.


8 minutes ago, avg123 said:

My internal hard drive has 2 partitions, C: and D:, and I encrypted both.

I know there is another 500 MB partition that Windows created when I installed Windows 10 and that is not encrypted.

 

Well, if someone would "read" your C and D partitions, literally EVERYTHING will look like one entire soup. Nothing will make sense and - unless they have/obtain your password - they won't be able to get any usable data from it.


Why not just use a flash drive for your realllly weird stuff like the rest of us do?


Regardless of what is stored on the drive - BitLocker encrypts everything. If someone tried to access the data they'd need the key otherwise they'd have no access whatsoever. If they tried to recover the data, they'd only restore the encrypted data (as mentioned earlier), so they'd see what looks like gibberish. Everything about the contents of the drive is encrypted and cannot be read without the key. I know this because I've recently had to deploy BitLocker to my entire site in the wake of GDPR.


If you want to increase the strength of the encryption itself from 128 to 256, you can do so:
https://www.tenforums.com/tutorials/36827-change-bitlocker-encryption-method-cipher-strength-windows-10-a.html
The only argument I can find against increasing the strength of the cypher is this: "well it already takes an impossibly long time to brute force AES128 encryption, so there's no point going to AES256, it will only use up more CPU resources so it's not worth it".

But, keep in mind, regardless of the strength of the cypher used, if you added a password to unlock the drive, the encryption itself won't matter, because your password will be cracked much faster, even more so if it's a dictionary word or variant thereof.

 

Especially with a $5 wrench.

https://xkcd.com/538/

 


23 hours ago, avg123 said:

I have a BitLocker encrypted hard drive. If someone formats the drive and then runs data recovery software on it, can they recover the

1. Data

2. Filenames

?

The answer is NO. Even the best forensic software cannot read BitLocker information without the key. Now if they want to spend 3-6 months trying to crack the key that is a different story.

That being said though they will not be able to recover any of the encrypted data. All they will see if they run forensic software is a bunch of random characters. It will basically just show as a non-partitioned or unallocated space, but the data in it will not be readable.
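
The behaviour discussed in this thread, recovery software finding nothing readable on a formatted encrypted volume, as an added Python example that is not part of any post. The `TOYFS` layout, file names and key are constructed, `encrypt_sector` is a stand-in keystream cipher rather than BitLocker's XTS-AES, and BitLocker's on-disk key metadata is not modelled.

```python
import hashlib
import math
import re

SECTOR = 512
DEMO_KEY = hashlib.sha256(b"constructed demo key").digest()

def encrypt_sector(key: bytes, index: int, data: bytes) -> bytes:
    # Stand-in per-sector cipher, NOT BitLocker's XTS-AES: XOR with a SHAKE-256
    # keystream bound to the key and sector number. Applying it twice decrypts.
    stream = hashlib.shake_256(key + index.to_bytes(8, "little")).digest(len(data))
    return bytes(d ^ s for d, s in zip(data, stream))

def build_volume() -> list:
    # Constructed toy layout: sector 0 header, sector 1 directory, 30 data sectors.
    header = b"TOYFS v1".ljust(SECTOR, b"\0")
    directory = b"holiday-2017.jpg\0tax-return.docx\0".ljust(SECTOR, b"\0")
    jpeg = (b"\xff\xd8\xff\xe0\x00\x10JFIF\0" + b"scanline " * 2000)[:30 * SECTOR]
    data = [jpeg[i:i + SECTOR] for i in range(0, len(jpeg), SECTOR)]
    return [header, directory] + data

def to_disk(sectors: list, key: bytes = None) -> bytes:
    # With a key, every sector (header and directory included) is encrypted.
    if key is not None:
        sectors = [encrypt_sector(key, i, s) for i, s in enumerate(sectors)]
    return b"".join(sectors)

def quick_format(disk: bytes) -> bytes:
    # Toy assumption: the format rewrites only sector 0 and leaves the rest as is.
    return b"TOYFS v1 (empty)".ljust(SECTOR, b"\0") + disk[SECTOR:]

def carve(disk: bytes) -> dict:
    # What recovery software searches raw sectors for: names and file signatures.
    counts = [disk.count(bytes([b])) for b in range(256)]
    entropy = -sum(c / len(disk) * math.log2(c / len(disk)) for c in counts if c)
    return {
        "names": re.findall(rb"[\w-]+\.(?:jpg|docx)", disk),
        "jpeg_headers": disk.count(b"\xff\xd8\xff\xe0"),
        "entropy_bits_per_byte": round(entropy, 2),
    }

if __name__ == "__main__":
    print("unencrypted:", carve(quick_format(to_disk(build_volume()))))
    print("encrypted:  ", carve(quick_format(to_disk(build_volume(), DEMO_KEY))))
```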
