Find the bitlocker key of a deleted computer in ActiveDirectory

Hello,

How many of you deleted a unused bitlocked computer and then need to retrieve some data on that computer hard drive ?

If you have an MBAM-like tool, it isn’t an issue for you, but if you don’t have that kind of solution, you’ll need to go through the deleted objects of your Active Directory domain. To do that, you have plenty of solution, I personally recommend two :

  1. SysInternal AD Explorer
  2. PowerShell

The first solution is fine if you have some time ahead of you and you do not do that very often. If you want to automate this process, you’ll need PowerShell.

First of all, for both solution, you need to know that a BitLocker key, is a child of the computer AD object. So, you need to go in the deleted objects container, search the computer you deleted, and then, copy its DistinguishedName (it changed when the object was deleted). Once you have the DistinguishedName, you need to search for an object type of “msFVE-RecoveryInformation”, with a “LastKnownParent” attribute equals to the deleted computer DistinguishedName. When you that this object, just have a look of the “msFVE-RecoveryPassword” attribute, that’s the bitlocker key you need to decrypt the hard drive.

Note, you can also search for a “msFVE-RecoveryInformation” object with approximately the same “whenChanged” timestamp of the computer.

The process is quite long but you can let PowerShell do the work for you :

$DeletedComputerName="DeletedComputer"
[System.Collections.ArrayList]$list=@()
$DeletedComputer = Get-ADObject -LDAPFilter "CN=$DeletedComputerName*" -IncludeDeletedObjects -properties whenChanged
if($DeletedComputer){
foreach($CurrentComputer in $DeletedComputer) {
$BitLocker = Get-ADObject -Filter {objectClass -eq 'msFVE-RecoveryInformation'} -IncludeDeletedObjects -Properties LastKnownParent,'msFVE-RecoveryPassword' | ? {$_.LastKnownParent -eq "$($CurrentComputer.DistinguishedName)"}
$Object = New-Object -TypeName PSObject -Property @{
'ComputerName'     = $CurrentComputer.Name.split('')[0]
'BitLockerKey'     = $BitLocker.'msFVE-RecoveryPassword'
'Date'             = $CurrentComputer.whenChanged
}
$list.add($Object) | Out-Null
}
$list | Format-Table -AutoSize
}
else{"Computer not found in the deleted objects."}

Leave a Reply