BitLocker is a Windows security feature that provides encryption for entire volumes, addressing the threats of data theft or exposure from lost, stolen, or inappropriately decommissioned devices.1
How to detect
Volumes encrypted with BitLocker will have a different signature than the standard NTFS header.
A BitLocker encrypted volume starts with the “-FVE-FS-” signature.
A hexdump of the start of the volume should look similar to:
00000000 eb 58 90 2d 46 56 45 2d 46 53 2d 00 02 08 00 00 |.X.-FVE-FS-.....|
00000010 00 00 00 00 00 f8 00 00 3f 00 ff 00 00 00 00 00 |........?.......|
00000020 00 00 00 00 e0 1f 00 00 00 00 00 00 00 00 00 00 |................|
00000030 01 00 06 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00000040 80 00 29 00 00 00 00 4e 4f 20 4e 41 4d 45 20 20 |..)....NO NAME |
00000050 20 20 46 41 54 33 32 20 20 20 33 c9 8e d1 bc f4 | FAT32 3.....|
Decryption
I would recommend using Autopsy for this, it can detect BitLocker and allow user to type in the password. Also combining with other plugins, which will make life easier for you.
Or mount it using FTK Imager, after that go to File Explorer and type in the password or recovery key, and now that drive is accessible anywhere else.
