What changed on Disk when I Enabled Bitlocker and configured bitlocker protected data partitions

I was curious to see what changes Bitlocker make on my raw disk, So i picked my dskprobe and had a quick look and I will like to share a few changes       i saw. There is lot more which gets changed but not covered below.

 

111 - Copy

 

112

 

On the OS partition i.e. on my C drive, I used dskprobe and opened its NTFS boot sector and i see the OEM ID string saying FVE_FS instead of NTFS.       I also saw that "clusters to MFT mirror" is not actually pointing to clusters to MFT mirror but to....see below

 

cluster mirror mft

I figured out that this is the start of FVE metadata as visible and also GAUEPSSSET01 is the name of my computer and the the value of "clusters to MFT mirror" is stored in the FVE metadata itself. so FVE_FS is one way to find out backup copies of FVE metadata and better way is to use bitlocker repair tool if ever required.

For more information about bitlocker repair tool please have a look at article given below.

928201    How to use the BitLocker Repair Tool to help recover data from an encrypted volume in Windows Vista
https://support.microsoft.com/default.aspx?scid=kb;EN-US;928201

Now i wanted to see what happens in case of data partitions protected by bitlocker of course on a vista sp1 machine.

yes with windows vista sp1 (still in beta) you should be able to protect your data partitions as you may see below

115

 

I once again used dskprobe and opened the NTFS boot sector of one of the data partitions.

ntfs boot sector of data partition

There is lot more which gets changed but not covered here.

For more information about dskprobe (part of support tools) see below:

https://technet2.microsoft.com/windowsserver/en/library/006902f1-bae9-4055-9ad2-123ea19006b71033.mspx?mfr=true

 

Gaurav Anand

This posting is provided "AS IS" with no warranties, and confers no rights.