Recover a failing BitLocker encrypted HDD using Ghost 

Apr 05, 2016 12:26 PM

Background: We recently had a hard drive that was showing signs of failing. The user data partition wasn’t unlocking automatically (the data could therefore not be copied off), and the recovery keys weren’t working when using an eSATA hard drive dock, but they did work during boot.

Requirements:

  • Failing drive must still be mountable.  If Ghost can’t detect the drive, this won’t work.
  • A network or external drive that has more free space than the size of the source disk
  • BitLocker recovery passwords for your drive (do not delete the object from Active Directory if this is where it is stored)

 

Capturing the image:

  1. With the failed hard drive installed, boot to automation or PXE (your preference).  You may have to enter your BitLocker recovery password.
  2. Cancel any automated deployment prompts.
  3. Map a network drive using the net use {drive-letter}: command, or connect an external hard drive.
  4. Browse to x:\Program Files\Symantec\Deployment\Ghost and run ghostXX.exe.
  5. Open the options menu.  On the Span/CRC tab, select CRC Ignore.  (Screenshot: span_tab.PNG)
  6. On the Misc tab, select Force Cloning.  (Screenshot: misc_tab.PNG)
  7. On the Save Settings tab, Review, Save, and Accept.  (Screenshot: save_tab.PNG)
  8. From the menu select Local > Disk > To Image.
  9. Select the drive you want to capture an image of.
  10. From the drop-down, select the drive that you want to save the .gho to.  Make sure there is enough space for a full image of the entire BitLocker-encrypted drive.  Select Save.
  11. At this point you will receive a warning that the drive you are trying to create an image from is encrypted and that Ghost will be unable to compress the contents.  Select Continue or OK and the image will start to capture.  Depending on drive size this will take some time.

 

 

Deploying the image:

Requirements:

  • Access to the .gho image file that you captured in the previous steps.  I copied this to a drive local to my computer so that I wasn’t held up by the network.
  • A known good replacement for the failed drive.  It must be the same size or larger than the source drive.
  • A copy of the Ghost image files from your NS.  Mine were at \Program Files\Deployment\Imaging\ghost\   You only need the x64 or x86 directory depending on your preference and architecture.  I used x64 because that’s what I captured it with.

 

  1. Mount the drive that you have the .gho stored on and the drive that you want to deploy the image back to.
  2. From your system, launch ghostXX.exe as an administrator.
  3. From the menu select Local > Disk > From Image.
  4. Select the .gho that you captured.
  5. Select the drive that you will be deploying the image to.
  6. Accept any prompts.  Wait.
  7. Once completed, unmount the drive, install it back into a system, and boot to it.  You will be prompted to enter your BitLocker recovery password.  It will be the same as the source drive.  From here you can recover any data without worrying about the drive failing any more.
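
A check that can be run on the restored disk before the failing one is retired, given that the capture was made with CRC Ignore: it looks for the BitLocker signature in each partition's boot sector and counts how many of the three BitLocker metadata copies still carry theirs. This is an added example, not part of the original article or of Ghost; it assumes an MBR-partitioned disk with 512-byte sectors and the Windows 7 and later BitLocker header layout (metadata offsets at bytes 176, 184 and 192, as described in the libbde format documentation), and all function names are hypothetical.

```python
import io
import struct

SECTOR = 512            # assumption: 512-byte logical sectors
FVE_SIG = b"-FVE-FS-"   # BitLocker signature: boot-sector OEM ID and metadata block header

def mbr_partitions(disk):
    """Yield (index, start_byte) for each used entry in the MBR partition table."""
    disk.seek(0)
    mbr = disk.read(SECTOR)
    if len(mbr) < SECTOR or mbr[510:512] != b"\x55\xaa":
        raise ValueError("sector 0 has no MBR boot signature")
    for i in range(4):
        ptype, lba = mbr[450 + 16 * i], struct.unpack_from("<I", mbr, 454 + 16 * i)[0]
        if ptype == 0xEE:
            raise ValueError("GPT disk: not handled by this example")
        if ptype and lba:
            yield i, lba * SECTOR

def fve_copies(disk, start):
    """Count metadata copies whose signature is readable; None if not a BitLocker volume."""
    disk.seek(start)
    vbr = disk.read(SECTOR)
    if len(vbr) < SECTOR or vbr[3:11] != FVE_SIG:
        return None
    found = 0
    for off in struct.unpack_from("<3Q", vbr, 176):   # three offsets, relative to volume start
        disk.seek(start + off)
        found += disk.read(SECTOR)[:8] == FVE_SIG     # True counts as 1
    return found

def survey(disk):
    return {i: fve_copies(disk, start) for i, start in mbr_partitions(disk)}

def build_sample():
    """Constructed disk: partition 0 plain NTFS, partition 1 BitLocker with one lost copy."""
    img = bytearray(64 * SECTOR)
    for i, (lba, count) in enumerate(((8, 8), (16, 48))):
        struct.pack_into("<B3xB3xII", img, 446 + 16 * i, 0, 0x07, lba, count)
    img[510:512] = b"\x55\xaa"
    img[8 * SECTOR + 3:8 * SECTOR + 11] = b"NTFS    "
    vol = 16 * SECTOR
    img[vol + 3:vol + 11] = FVE_SIG
    struct.pack_into("<3Q", img, vol + 176, 0x1000, 0x2000, 0x3000)
    for off in (0x1000, 0x2000):   # third copy left zeroed, as if its sectors were unreadable
        img[vol + off:vol + off + 8] = FVE_SIG
    return io.BytesIO(bytes(img))

if __name__ == "__main__":
    print(survey(build_sample()))
```

To use it on real media, pass survey() the restored disk (or a raw sector image of it) opened read-only in binary mode; it does not parse .gho files. A signature match only shows the metadata block is where the header says it is, not that its contents are undamaged.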

Comments

Feb 09, 2017 01:00 PM

To simplify, at step 4:

Browse to x:\Program Files\Symantec\Deployment\Ghost and run ghostXX.exe.

 

add the command line options to "enable" those features. This removes the need to take those steps.

 

From: http://www.symantec.com/docs/HOWTO99984 and http://www.symantec.com/docs/TECH106615 (Great examples of switch usage toward the bottom)

Switches and hyphens
When a switch is both preceded by and followed by a hyphen, such as with -NTC-, the second hyphen means that the feature is disabled. Such switches are normally not used without the second hyphen. For instance, -NTC- forces Ghost to disable the allocation of NTFS contiguous cluster runs. -NTC is not used because Ghost enables the allocation of NTFS contiguous cluster runs by default.

We would use something like: (xx represents 32 or 64, appropriate for the type of WinPE version you are booting into. 32 will work in the 64bit WinPE, but 64 won't work in the 32bit version).

(These switches are also shown in the images you captured and pasted into this article)

 

ghostXX.exe -span -auto -CRCIGNORE -FRE -sure

 

Another switch that you might want/need to use is -ntexact
- Enable an exact restore of the NTFS source volume layout.

 

When you "Save" the checked boxes in your method you are basically creating a file that Ghost automatically checks for when it is starting. If you use the command line switch method you don't have to go through that process.

 
