Based on my search in previous posts, I was under the impression that data was stored in an encrypted state in the cache.
My OS NVME and HDD storage drives all have FDE enabled. I wanted to see for myself whether or not data could be recovered from the caching drive. I used 7zip to checksum some files on a folder to trigger the caching function, with a formerly BitLocker encrypted USB drive as a cache. I monitored the completion of caching via process monitor. When it was complete, I deleted the cache task from primo drive.
I then formatted the USB drive via disk manager and mounted it as a lettered volume. I initially used Recuva, which just gave me thousands of junk files. I tried Ease and with that, I was able to successfully recover files up until the free 2GB limit. Videos were playable. I ensured caching of encrypted data, at least as I understand it, by using the stack 0 command posted in an old post.
The command below makes PrimoCache cache encrypted data (volume level):
rxpcc stack 0 -r
If you want PrimoCache to cache decrypted data (default):
rxpcc stack 1 -r
Am I doing something wrong or is this working as designed? If it is as designed, I feel like it should be more clearly disclosed.
Bitlocker FDE and SSD Cache - Recovered Data using Ease
-
- Level 1
- Posts: 4
- Joined: Mon Aug 16, 2021 4:20 am
Re: Bitlocker FDE and SSD Cache - Recovered Data using Ease
Hi pcusr14506, what's your Windows OS and PrimoCache version?
Re: Bitlocker FDE and SSD Cache - Recovered Data using Ease
Version 10.0.19043 Build 19043
GUI Version 4.1.0
Kernel Version 4.1.0.1
Re: Bitlocker FDE and SSD Cache - Recovered Data using Ease
Could you open the registry editor and then navigate to the branch "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Class\{71a27cdd-812a-11d0-bec7-08002be2092f}", then upload a screenshot of its values? We'd like to check the values in "LowerFilters" and "UpperFilters".
And the same operations for the branch "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Class\{4d36e967-e325-11ce-bfc1-08002be10318}".
Re: Bitlocker FDE and SSD Cache - Recovered Data using Ease
FYI, I did do some disabling and re-enabling of the cache to purge and recreate the cache as I'm in the process of ensuring the cache only touches media/games drives and nothing more sensitive. Not sure if that may have changed values.
- Attachments
- Screenshot 2021-08-18 000331.png (17.49 KiB)
Re: Bitlocker FDE and SSD Cache - Recovered Data using Ease
The settings seem to have no problem. We have arranged a test to verify this problem and will keep you updated. Thanks.
Re: Bitlocker FDE and SSD Cache - Recovered Data using Ease
Any follow-up on this?
I think it is a material security issue if people are operating under the assumption that their data is encrypted when it is not.
Re: Bitlocker FDE and SSD Cache - Recovered Data using Ease
I updated the information in the thread viewtopic.php?p=17016#p17016. I'm sorry that I forgot to update here too. We did a test case with Bitlocker before and we can confirm that the cached data are encrypted.
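A repeatable way to run the check discussed in this thread, as an added example that is not part of the original posts and is not PrimoCache code: place a file with a known canary string on the encrypted volume, let it be cached, then scan a raw image of the cache device for the canary and for low-entropy blocks. The canary value, the 4096-byte block size, the 7.0 bits/byte threshold and the in-memory sample images are all assumptions constructed for illustration.

```python
import hashlib
import math
from collections import Counter

BLOCK = 4096  # assumed scan granularity, not a PrimoCache parameter
CANARY = b"CANARY-7f3a9c-primocache-test"  # constructed marker written to the cached volume

def shannon_entropy(block: bytes) -> float:
    """Bits per byte: close to 8.0 for ciphertext, lower for most plaintext."""
    n = len(block)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(block).values())

def scan_image(image: bytes, canary: bytes, low_entropy: float = 7.0) -> dict:
    """Report canary offsets and non-empty blocks that look like plaintext."""
    hits, pos = [], image.find(canary)
    while pos != -1:
        hits.append(pos)
        pos = image.find(canary, pos + 1)
    low = []
    for off in range(0, len(image), BLOCK):
        blk = image[off:off + BLOCK]
        if blk.count(0) == len(blk):
            continue  # never-written (all-zero) block says nothing either way
        if shannon_entropy(blk) < low_entropy:
            low.append(off)
    # Compressed media (e.g. video) is high-entropy even in plaintext, so the
    # entropy result alone cannot prove encryption; the canary search can disprove it.
    return {"canary_offsets": hits, "low_entropy_blocks": low}

def stand_in_ciphertext(seed: bytes, n: int) -> bytes:
    """Deterministic high-entropy bytes standing in for encrypted cache blocks."""
    out, i = b"", 0
    while len(out) < n:
        out += hashlib.sha256(seed + i.to_bytes(4, "big")).digest()
        i += 1
    return out[:n]

# Constructed sample images: one where the cache holds plaintext, one where it does not.
PLAIN_BLOCK = ((CANARY + b" constructed file contents\n") * 40).ljust(BLOCK, b"\0")
PLAIN_IMAGE = bytes(BLOCK) + PLAIN_BLOCK + stand_in_ciphertext(b"a", 2 * BLOCK)
ENCRYPTED_IMAGE = bytes(BLOCK) + stand_in_ciphertext(b"b", 3 * BLOCK)

if __name__ == "__main__":
    for name, img in (("plaintext cache", PLAIN_IMAGE), ("encrypted cache", ENCRYPTED_IMAGE)):
        result = scan_image(img, CANARY)
        print(name, len(result["canary_offsets"]), "canary hits,",
              len(result["low_entropy_blocks"]), "low-entropy blocks")
```

Any canary hit on the cache device means the cached copy is readable without the volume key, regardless of what the entropy figures show.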