Bitlocker FDE and SSD Cache - Recovered Data using Ease

FAQ, getting help, user experience about PrimoCache
Post Reply
pcusr14506
Level 1
Level 1
Posts: 4
Joined: Mon Aug 16, 2021 4:20 am

Bitlocker FDE and SSD Cache - Recovered Data using Ease

Post by pcusr14506 »

Based on my search in previous posts, I was under the impression that that data was stored in an encrypted state in the cache.

My OS NVME and HDD storage drives all have FDE enabled. I wanted to see for myself whether or not data could be recovered from the caching drive. I used 7zip to checksum some files on a folder to trigger the caching function, with a formerly bitlocker encrypted USB drive as a cache. I monitored the completion of caching via process monitor. When it was complete, I deleted the cache task from primo drive.

I then formatted the usb drive via disk manager and mounted it as a lettered volume. I initially used Recuva, which just gave me thousands of junk files. I tried Ease and with that, I was able to successsfully recover files up until the free 2GB limit. Videos were playable. I ensured that caching of encrypted data, at least as I understand it by using the stack 0 command posted in an old post.

Command below makes PrimoCache caches encrypted data (volume level)
rxpcc stack 0 -r

If you want PrimoCache to cache decrypted data (default)
rxpcc stack 1 -r


Am I doing something wrong or is this working as designed. If it is as designed, I feel like it should be more clearly disclosed.
User avatar
Support
Support Team
Support Team
Posts: 3623
Joined: Sun Dec 21, 2008 2:42 am

Re: Bitlocker FDE and SSD Cache - Recovered Data using Ease

Post by Support »

Hi pcusr14506, what's your Windows OS and PrimoCache version?
pcusr14506
Level 1
Level 1
Posts: 4
Joined: Mon Aug 16, 2021 4:20 am

Re: Bitlocker FDE and SSD Cache - Recovered Data using Ease

Post by pcusr14506 »

Version 10.0.19043 Build 19043
GUI Version 4.1.0
Kernel Version 4.1.0.1
User avatar
Support
Support Team
Support Team
Posts: 3623
Joined: Sun Dec 21, 2008 2:42 am

Re: Bitlocker FDE and SSD Cache - Recovered Data using Ease

Post by Support »

Could you open the registry editor and then locate to the branch "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Class\{71a27cdd-812a-11d0-bec7-08002be2092f}, then upload a screenshot of its values? We'd like to check the values in "LowerFilters" and "UpperFilters".

And same operations to the branch "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Class\{4d36e967-e325-11ce-bfc1-08002be10318}".
pcusr14506
Level 1
Level 1
Posts: 4
Joined: Mon Aug 16, 2021 4:20 am

Re: Bitlocker FDE and SSD Cache - Recovered Data using Ease

Post by pcusr14506 »

FYI, I did do some disabling and re-enabling of the cache to purge and recreate the cache as I'm in the process of ensuring the cache only touches media/games drives and nothing more sensitive. Not sure if that may have changed values.
Image
Attachments
Screenshot 2021-08-18 000331.png
Screenshot 2021-08-18 000331.png (17.49 KiB) Viewed 1207 times
User avatar
Support
Support Team
Support Team
Posts: 3623
Joined: Sun Dec 21, 2008 2:42 am

Re: Bitlocker FDE and SSD Cache - Recovered Data using Ease

Post by Support »

The settings seems no problem. We have arranged a test to verify this problem and will keep you updated. Thanks.
pcusr14506
Level 1
Level 1
Posts: 4
Joined: Mon Aug 16, 2021 4:20 am

Re: Bitlocker FDE and SSD Cache - Recovered Data using Ease

Post by pcusr14506 »

Any follow-up on this?

I think it is a material security issue if people are operating under the assumption that their data is encrypted when it is not.
User avatar
Support
Support Team
Support Team
Posts: 3623
Joined: Sun Dec 21, 2008 2:42 am

Re: Bitlocker FDE and SSD Cache - Recovered Data using Ease

Post by Support »

I updated the information in the thread viewtopic.php?p=17016#p17016. I'm sorry that I forgot update here too. We did a test case with Bitlocker before and we can confirm that the the cached data are encrypted.
Post Reply