Bitlocker - Get Recovery Password and decrypt volume
What can you do when you find a running Windows system that has Bitlocker enabled?
Well, first you could start a live image of the currently unlocked volumes.
Secondly you could deactivate the encryption of the volumes.
In both cases you need a lot of time on the running system to finish the step.
I will show a third possibility here where you get the recovery passwords and can than securely shutdown the system and image it/decrypt it later.
How to get the recovery password?
You can get the recovery passwords either with the command shell or the power shell.
The command shell (cmd)
First we need to identify the encrypted devices.
This command lists all available volumes in the system and the Bitlocker encryption status. Here the device with the activated encryption.
After we identified the voulme with the activated Bitlocker, we get the Recovery Password with the following command:
manage-bde.exe -protectors -get e:
Where [e:] is the corresponding drive letter.
So, the recovery password is 069641-553707-292402-096712-341495-599060-437536-444620.
First we list all devices with the current status with the following command:
Then we get all recovery keys that are available:
So, the recovery password is, again, 069641-553707-292402-096712-341495-599060-437536-444620.
How to decrypt the volume later?
We now have the recovery password and can decrypt the volume later with the following command:
.\manage-bde.exe -unlock e: -RecoveryPassword 069641-553707-292402-096712-341495-599060-437536-4 44620
That's it. Now you have the decrypted volume.