A locked-out laptop, no recovery key and a deadline — recovered by extracting BitLocker's master key straight from the machine's hibernation file.
A Bristol architecture practice came to us after a senior member of staff left. Their Windows 11 Pro laptop — a Dell with an NVMe system drive — had stopped booting cleanly after a failed feature update and dropped straight to the blue BitLocker recovery screen. The drive was encrypted with BitLocker (XTS-AES 256, sealed to the TPM with a start-up PIN), and the 48-digit recovery key had never been escrowed to the firm's Microsoft 365 tenant or printed off. Months of live project files sat behind the encryption with no key to open them.
The media itself was healthy — this was a key-management problem, not a mechanical one — but we never work on an original. We removed the drive, attached it through a hardware write-blocker and took a full, sector-by-sector forensic image (an .E01) of the encrypted volume. Our PC3000 handles acquisition where a drive is fragile or throwing read errors; here the NVMe imaged cleanly, and we verified the copy against a SHA-256 hash before touching it. Everything that followed was done against the image, leaving the client's original untouched.
For BitLocker decryption we use Passware Kit Forensic. A BitLocker volume can be opened instantly if you can recover its Volume Master Key (VMK) — the key BitLocker itself uses, which lives in RAM while the volume is mounted and is written into the Windows hibernation file (hiberfil.sys) when the machine sleeps. With the laptop unbootable we had no live memory capture, so ordinarily the recovery key or the user PIN would be the only way in — and we had neither.
The break came from the image. The laptop had Fast Startup enabled, and its last hibernation had been written while the encrypted volume was still mounted. We carved hiberfil.sys out of the image and pointed Passware at it: the software extracted the VMK from the hibernation data, derived the Full Volume Encryption Key (FVEK) and produced a fully decrypted copy of the volume. As a by-product it also recovered the 48-digit recovery key, which we handed back so the firm could re-escrow it properly.
Once decrypted, the volume mounted as an ordinary NTFS partition. Every live project file, drawing and email archive was intact and returned on fresh media — three working days from drop-off to handover, with a strong recommendation that the firm switch BitLocker key back-up on across the office. Decryption is only ever carried out for the owner of the device, against signed authority from the business.
Passware Kit Forensic · PC3000 — imaging and recovery carried out in-house. Every job is imaged before any recovery work begins, and the original media is never written to.
Send us your device for a free diagnostic, and tell us a little about what happened — an engineer will review it and confirm your exact quote in writing before any work begins.
Recovering your data starts with getting the device to us. Pack it safely, add your contact details, and send it over — after we run a free diagnostic, we’ll confirm your exact price in writing before any work begins.
Posting it in? We recommend a tracked, insured service. Prefer to drop it off? You’re welcome Monday–Friday, 9am–5:30pm — please still package the device as above.
If you need more information on our data recovery service, fill out the form with more detail about your issue and an engineer will review it and give you a custom quote.
We’ll be in touch shortly. For anything urgent, call 0117 332 1137.
Sometimes — for example by extracting the key from a memory image or hibernation file, or by recovering a failing encrypted drive. Decryption is only carried out for the equipment's owner.
From £800 plus VAT, no fix, no fee on most jobs, with a fixed quote before any work.
Yes, it makes recovery faster and more certain, though we can sometimes recover without it.
Start with an instant online quote, or call and talk it through with us first. You'll have a clear, fixed price before any work begins.