Bitlocker FDE and SSD Cache - Recovered Data using Ease
Posted: Mon Aug 16, 2021 4:33 am
Based on my search in previous posts, I was under the impression that data was stored in an encrypted state in the cache.
My OS NVME and HDD storage drives all have FDE enabled. I wanted to see for myself whether or not data could be recovered from the caching drive. I used 7zip to checksum some files in a folder to trigger the caching function, with a formerly BitLocker-encrypted USB drive as a cache. I monitored the completion of caching via process monitor. When it was complete, I deleted the cache task from primo drive.
I then formatted the USB drive via disk manager and mounted it as a lettered volume. I initially used Recuva, which just gave me thousands of junk files. I tried Ease and with that, I was able to successfully recover files up until the free 2GB limit. Videos were playable. I ensured caching of encrypted data, at least as I understand it, by using the stack 0 command posted in an old post.
Command below makes PrimoCache cache encrypted data (volume level)
rxpcc stack 0 -r
If you want PrimoCache to cache decrypted data (default)
rxpcc stack 1 -r
Am I doing something wrong or is this working as designed? If it is as designed, I feel like it should be more clearly disclosed.
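A check for the question raised in the post above, as an added example that is not part of the original post and not PrimoCache's own tooling: it scans a raw image of the cache volume for low-entropy clusters and file headers, either of which indicates the cache held plaintext. The 4096-byte cluster size, the signature list and the function names are assumptions, and the sample data is constructed.

```python
import io
import math
import random

BLOCK = 4096  # assumed cluster size; match the volume's allocation unit

# (offset within cluster, magic bytes, label) for a few common file headers.
SIGNATURES = [
    (0, b"\xff\xd8\xff", "jpeg"),
    (0, b"PK\x03\x04", "zip/docx"),
    (0, b"%PDF-", "pdf"),
    (4, b"ftyp", "mp4/mov"),
]

def entropy(block: bytes) -> float:
    """Shannon entropy in bits per byte (8.0 looks like random data)."""
    counts = [0] * 256
    for b in block:
        counts[b] += 1
    n = len(block)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def scan(stream, block_size=BLOCK, low_threshold=7.0):
    """Scan an image of the cache volume; return counts and header hits."""
    report = {"blocks": 0, "low_entropy": 0, "signatures": []}
    offset = 0
    while chunk := stream.read(block_size):
        if any(chunk):  # skip all-zero (never written or wiped) clusters
            report["blocks"] += 1
            # Text and filesystem metadata sit well below 7 bits per byte.
            if entropy(chunk) < low_threshold:
                report["low_entropy"] += 1
            # Compressed media is high-entropy even as plaintext, so also
            # look for file headers at cluster-aligned offsets.
            for pos, magic, label in SIGNATURES:
                if chunk[pos:pos + len(magic)] == magic:
                    report["signatures"].append((offset, label))
        offset += len(chunk)
    return report

def demo():
    """Run scan() on constructed samples (not a real cache dump)."""
    rng = random.Random(2021)
    noise = lambda n: bytes(rng.getrandbits(8) for _ in range(n))
    ciphertext_like = noise(BLOCK * 8)
    plaintext_like = (b"\xff\xd8\xff\xe0" + noise(BLOCK - 4)        # fake JPEG start
                      + (b"quarterly report draft\n" * 200)[:BLOCK]  # text cluster
                      + bytes(BLOCK))                                # zeroed cluster
    return scan(io.BytesIO(ciphertext_like)), scan(io.BytesIO(plaintext_like))
```

A freshly formatted volume also contains low-entropy filesystem metadata, so header hits and recoverable files are the stronger signal; the low-entropy count is a hint.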