Decrypting a suspended BitLocker volume with dislocker
I had an SSD that came from a laptop. When I inserted it into my desktop PC and booted from it, I saw that BitLocker was suspended (with the open-padlock icon). Let's see how to open it with dislocker:
We mount the BitLocker partition. Note that I don't enter any password:
j@arai ~ % sudo dislocker -V /dev/nvme0n1p3 -- /mnt/dislocker_virtual_ntfs [0]
[sudo] password for j:
This creates a file, dislocker-file, which contains an NTFS filesystem:
[root@arai ~]# ls -l /mnt/dislocker_virtual_ntfs/
total 0
-rw-rw-rw- 1 root root 494814625792 Jan 1 1970 dislocker-file
When I tried to mount dislocker-file, I got this error:
j@arai ~ % sudo mount -o loop /mnt/dislocker_virtual_ntfs/dislocker-file /mnt/dislocker_clear [0]
mount: /mnt/dislocker_clear: wrong fs type, bad option, bad superblock on /dev/loop0, missing codepage or helper program, or other error.
dmesg(1) may have more information after failed mount system call.
Looking at dmesg (with journalctl -kf):
j@arai ~ % sudo journalctl -fk
Jul 12 13:46:54 arai.home.arpa kernel: loop0: detected capacity change from 0 to 966434816
Jul 12 13:46:54 arai.home.arpa kernel: blk_print_req_error: 1 callbacks suppressed
Jul 12 13:46:54 arai.home.arpa kernel: I/O error, dev loop0, sector 966434688 op 0x0:(READ) flags 0x80700 phys_seg 1 prio class 0
Jul 12 13:46:54 arai.home.arpa kernel: I/O error, dev loop0, sector 966434688 op 0x0:(READ) flags 0x0 phys_seg 1 prio class 0
Jul 12 13:46:54 arai.home.arpa kernel: Buffer I/O error on dev loop0, logical block 120804336, async page read
Jul 12 13:46:54 arai.home.arpa kernel: FAT-fs (loop0): bogus number of reserved sectors
Jul 12 13:46:54 arai.home.arpa kernel: FAT-fs (loop0): Can't find a valid FAT filesystem
Jul 12 13:46:54 arai.home.arpa kernel: I/O error, dev loop0, sector 966434688 op 0x0:(READ) flags 0x80700 phys_seg 1 prio class 0
Jul 12 13:46:54 arai.home.arpa kernel: I/O error, dev loop0, sector 966434688 op 0x0:(READ) flags 0x0 phys_seg 1 prio class 0
Jul 12 13:46:54 arai.home.arpa kernel: Buffer I/O error on dev loop0, logical block 966434688, async page read
Jul 12 13:46:54 arai.home.arpa kernel: I/O error, dev loop0, sector 966434689 op 0x0:(READ) flags 0x0 phys_seg 1 prio class 0
Jul 12 13:46:54 arai.home.arpa kernel: Buffer I/O error on dev loop0, logical block 966434689, async page read
Jul 12 13:46:54 arai.home.arpa kernel: I/O error, dev loop0, sector 966434690 op 0x0:(READ) flags 0x0 phys_seg 1 prio class 0
Jul 12 13:46:54 arai.home.arpa kernel: Buffer I/O error on dev loop0, logical block 966434690, async page read
Jul 12 13:46:54 arai.home.arpa kernel: I/O error, dev loop0, sector 966434691 op 0x0:(READ) flags 0x0 phys_seg 1 prio class 0
Jul 12 13:46:54 arai.home.arpa kernel: Buffer I/O error on dev loop0, logical block 966434691, async page read
Jul 12 13:46:54 arai.home.arpa kernel: I/O error, dev loop0, sector 966434692 op 0x0:(READ) flags 0x0 phys_seg 1 prio class 0
Jul 12 13:46:54 arai.home.arpa kernel: Buffer I/O error on dev loop0, logical block 966434692, async page read
Jul 12 13:46:54 arai.home.arpa kernel: I/O error, dev loop0, sector 966434693 op 0x0:(READ) flags 0x0 phys_seg 1 prio class 0
Jul 12 13:46:54 arai.home.arpa kernel: Buffer I/O error on dev loop0, logical block 966434693, async page read
Jul 12 13:46:54 arai.home.arpa kernel: I/O error, dev loop0, sector 966434694 op 0x0:(READ) flags 0x0 phys_seg 1 prio class 0
Jul 12 13:46:54 arai.home.arpa kernel: Buffer I/O error on dev loop0, logical block 966434694, async page read
Jul 12 13:46:54 arai.home.arpa kernel: Buffer I/O error on dev loop0, logical block 966434695, async page read
Jul 12 13:48:19 arai.home.arpa kernel: loop0: detected capacity change from 0 to 966434816
Jul 12 13:49:20 arai.home.arpa kernel: loop0: detected capacity change from 0 to 966434816
Jul 12 13:49:20 arai.home.arpa kernel: blk_print_req_error: 1 callbacks suppressed
Jul 12 13:49:20 arai.home.arpa kernel: I/O error, dev loop0, sector 966434688 op 0x0:(READ) flags 0x80700 phys_seg 1 prio class 0
Jul 12 13:49:20 arai.home.arpa kernel: I/O error, dev loop0, sector 966434688 op 0x0:(READ) flags 0x0 phys_seg 1 prio class 0
Jul 12 13:49:20 arai.home.arpa kernel: Buffer I/O error on dev loop0, logical block 120804336, async page read
Jul 12 13:49:20 arai.home.arpa kernel: FAT-fs (loop0): bogus number of reserved sectors
Jul 12 13:49:20 arai.home.arpa kernel: FAT-fs (loop0): Can't find a valid FAT filesystem
I saw here that the -t ntfs-3g option had to be specified. The dislocker manual doesn't mention any of this, but oh well…
j@arai ~ % sudo mount -t ntfs-3g -r -o loop /mnt/dislocker_virtual_ntfs/dislocker-file /mnt/dislocker_clear [32]
mount: /mnt/dislocker_clear: unknown filesystem type 'ntfs-3g'.
dmesg(1) may have more information after failed mount system call.
mount doesn't know what ntfs-3g is. I have to install it:
j@arai ~ % sudo pacman -S ntfs-3g [32]
resolving dependencies...
looking for conflicting packages...
Packages (1) ntfs-3g-2022.10.3-1
Total Download Size: 0.54 MiB
Total Installed Size: 1.59 MiB
:: Proceed with installation? [Y/n] Y
:: Retrieving packages...
ntfs-3g-2022.10.3-1-x86_64 550.9 KiB 1900 KiB/s 00:00 [#####################################################################] 100%
(1/1) checking keys in keyring [#####################################################################] 100%
(1/1) checking package integrity [#####################################################################] 100%
(1/1) loading package files [#####################################################################] 100%
(1/1) checking for file conflicts [#####################################################################] 100%
(1/1) checking available disk space [#####################################################################] 100%
:: Processing package changes...
(1/1) installing ntfs-3g [#####################################################################] 100%
:: Running post-transaction hooks...
(1/1) Arming ConditionNeedsUpdate...
Now it works:
j@arai ~ % sudo mount -t ntfs-3g -r -o loop /mnt/dislocker_virtual_ntfs/dislocker-file /mnt/dislocker_clear [32]
j@arai ~ % ls -l /mnt/dislocker_clear [0]
total 45385452
drwxrwxrwx 1 root root 4096 Mar 31 2023 '$Recycle.Bin'
drwxrwxrwx 1 root root 0 Oct 21 2021 '$WINDOWS.~BT'
drwxrwxrwx 1 root root 0 Mar 31 2023 '$WinREAgent'
drwxrwxrwx 1 root root 4096 Jul 11 16:38 93a28133a52f54146143104c
drwxrwxrwx 1 root root 0 May 14 2020 Apps
lrwxrwxrwx 2 root root 34 May 14 2020 'Archivos de programa' -> '/mnt/dislocker_clear/Program Files'
drwxrwxrwx 1 root root 8192 May 14 2020 Dell
lrwxrwxrwx 2 root root 26 May 14 2020 'Documents and Settings' -> /mnt/dislocker_clear/Users
drwxrwxrwx 1 root root 0 May 14 2020 Drivers
drwxrwxrwx 1 root root 4096 May 14 2020 Intel
drwxrwxrwx 1 root root 0 Mar 31 2023 PerfLogs
drwxrwxrwx 1 root root 8192 Jul 11 14:27 'Program Files'
drwxrwxrwx 1 root root 8192 Jul 11 14:27 'Program Files (x86)'
drwxrwxrwx 1 root root 20480 Jul 11 17:06 ProgramData
drwxrwxrwx 1 root root 0 May 14 2020 Recovery
drwxrwxrwx 1 root root 24576 Jul 11 17:51 'System Volume Information'
drwxrwxrwx 1 root root 4096 Oct 21 2021 Users
drwxrwxrwx 1 root root 20480 Jul 11 16:38 Windows
drwxrwxrwx 1 root root 4096 Mar 31 2023 ba17bbf665b3777897ea4f
-rwxrwxrwx 1 root root 36950 May 14 2020 dell.sdr
-rwxrwxrwx 1 root root 41110343680 Jul 11 17:49 hiberfil.sys
drwxrwxrwx 1 root root 0 Apr 20 2019 langpacks
-rwxrwxrwx 1 root root 5347430400 Jul 11 17:49 pagefile.sys
-rwxrwxrwx 1 root root 16777216 Jul 11 17:49 swapfile.sys
j@arai ~ %
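The failed mount above happened because mount probed the image and tried FAT instead of NTFS. The following sketch, an added example that is not part of the original post, reads the 8-byte OEM ID at offset 3 of the first sector to confirm that dislocker-file really is decrypted NTFS ("NTFS    ") rather than a still-encrypted BitLocker container ("-FVE-FS-") before suggesting the explicit read-only mount. The function names oem_id, classify_volume and suggest_mount are hypothetical.

```shell
#!/bin/sh
# Added example: classify a volume image by the 8-byte OEM ID at offset 3
# of its first sector, before handing it to mount.

# Print the 8 bytes at offset 3 of "$1" (the boot-sector OEM ID field).
oem_id() {
    dd if="$1" bs=1 skip=3 count=8 2>/dev/null
}

# Print "ntfs", "bitlocker" or "unknown" for the image "$1".
classify_volume() {
    case "$(oem_id "$1")" in
        "NTFS    ")  echo ntfs ;;       # decrypted NTFS boot sector
        "-FVE-FS-")  echo bitlocker ;;  # still a BitLocker container
        *)           echo unknown ;;
    esac
}

# Print the read-only mount command for image "$1" and mount point "$2",
# or explain why it should not be mounted. Returns non-zero on refusal.
suggest_mount() {
    case "$(classify_volume "$1")" in
        ntfs)
            echo "mount -t ntfs-3g -r -o loop $1 $2" ;;
        bitlocker)
            echo "$1 is still BitLocker-encrypted; run dislocker on it first" >&2
            return 1 ;;
        *)
            echo "$1 has no NTFS or BitLocker signature; not mounting" >&2
            return 1 ;;
    esac
}

# Usage: sh check.sh /mnt/dislocker_virtual_ntfs/dislocker-file /mnt/dislocker_clear
if [ "$#" -eq 2 ]; then
    suggest_mount "$1" "$2"
fi
```

Run it as root, since the dislocker mount point is only readable by the user who created it.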