Call us — 0113 322 3083
Mon–Fri · 9am–5:30pm · No fix, no fee
Start a free diagnostic →
Service · encryption & passwords

Encrypted, locked, or password-forgotten.

A drive that asks for a password nobody has. A BitLocker screen after an update. A T2 Mac locked to a firmware password, or an encrypted external whose passphrase went with a former member of staff. Where a route to the key exists — and on hardware you own or are authorised to examine — we can often recover or extract it. Where one genuinely does not, we tell you so on day one, free, rather than sell you hope. That honesty is the whole service.

In-house, never outsourced
Owned or authorised devices only
No recovery, no fee · most jobs
// the honest line

What this is — and what it isn’t.

Modern encryption, correctly implemented, is not breakable. AES-256 with a key that exists nowhere reachable — no recovery key, no escrowed copy, no password you can supply, no TPM willing to release it — stays shut, for us and for everyone else, forever. Anyone who tells you otherwise is selling something.

What we can do is different, and worth understanding. Almost every real-world lockout has a route to the key that does not involve breaking the cipher: a recovery key escrowed to an account or a company directory; the key sitting in the computer’s RAM, if the machine was captured while still running; a clear key left on the disk itself where BitLocker was suspended rather than fully removed; a security chip that will hand over the volume key when the machine boots; a hardware-encryption implementation with a known weakness; or a password weak enough to recover. Our forensic decryption toolkit — Passware Kit, alongside the imaging and firmware benches every job here uses — is built precisely to find and use those routes. In practice that means searching the two places a key can physically exist: the drive itself (its image, for an escrowed or clear key) and the computer’s memory (a live RAM capture or hibernation file, where the machine was seized running). It does not attack the mathematics. It finds the door that was left unlocked.

And there is a hard rule attached: this work is done only on devices you own, or are lawfully authorised to examine. Passware supply the tool to law enforcement, government, and firms with a justifiable business need — forensic and corporate investigation teams — and verify every order. We apply the same test. Your own locked drive: yes. A company device under company policy: yes. Someone else’s phone or account: no, and see forensic recovery for exactly where that line sits.

// bitlocker

BitLocker, including TPM and PIN.

The commonest encrypted job by far. Most BitLocker lockouts are solved simply by finding the recovery key where it was escrowed — a Microsoft account for personal machines, or Entra ID, Active Directory or a management platform for work ones — and BitLocker recovery covers that route in full.

Where the key was never escrowed, a second route sometimes exists. For a TPM-protected volume, the security chip releases the volume master key to a machine it considers trusted — and that key can, on supported hardware, be acquired from the TPM directly, even where a PIN is set. It works on fTPM systems too, including AMD Zen and Zen+ desktops, where the PIN is recovered first and the volume key after. This is not breaking BitLocker; it is persuading the chip to release the key it was always going to release at boot — on a machine physically in front of us, that we are authorised to unlock.

Lenovo ThinkPads with TPM 2.0 (the E, L, X, P and T series, 2016–2020) are specifically supported: the volume key is acquired and the recovery key retrieved, so the laptop decrypts.

// apple

T2 Macs and EFI firmware locks.

Apple’s T2 security chip encrypts the SSD in every Mac that has one, and an APFS image from such a machine is unreadable without cooperation. On supported hardware, with the Mac physically connected by USB-C or Thunderbolt, the account password can be recovered and the APFS image decrypted. A separate but related problem — a Mac EFI firmware password that blocks imaging in the first place — can be recovered or reset so acquisition can even begin. Both, again, only on a Mac you own or are authorised to examine.

// encrypted drives

Hardware-encrypted external drives.

Plenty of external drives encrypt themselves in hardware, and forget-the-password lockouts on them are common. Supported cases include:

  • Western Digital — My Book (2021–2024, 4TB/6TB) and My Passport (2014–2024) with built-in 256-bit AES: unlock, decrypt, and recover the original protection password.
  • Seagate and LaCie — password recovery on hard drives from 2018–2022, including disks with multiple accounts, GPU-accelerated.
  • Transcend — portable SSDs from 2022–2025 built on the SM2320 controller: password recovery and unlock.

These are model-and-year specific, because they rely on the details of each manufacturer’s implementation rather than any general break. If your drive falls outside a supported range, we will say so at the diagnostic rather than take it on and hope.

// forensic use

The forensic side, done lawfully.

The same capabilities serve genuine investigations — a business clients examining a company device, a matter instructed through a solicitor — and there the rules tighten rather than relax. The device must be owned by, or the examination authorised by, the instructing party; the scope is agreed in writing before anything starts; and everything runs under a documented chain of custody with hash-verified images, so the findings survive challenge. forensic recovery sets out how that works in practice, including the requests we decline. Encryption capability does not change the boundary: no ownership or authority, no work.

// questions

Asked often, answered straight.

No. If the recovery key was escrowed somewhere — a Microsoft account, or a company’s Entra ID or Active Directory — we can almost always retrieve it. If the machine has a TPM, we can sometimes acquire the key from the chip directly on supported hardware. But BitLocker with no escrowed key, no recoverable password and no cooperating TPM is designed to be unbreakable, and it is. We tell you which situation you are in at the free diagnostic.

Often, yes, if it is a supported model and year — WD My Book and My Passport, Seagate and LaCie disks from the supported ranges, and Transcend SM2320 SSDs can have their original password recovered. Bring or post the whole drive; we confirm at the diagnostic whether yours falls within a recoverable range before any charge.

No. This work is done only on devices you own or are lawfully authorised to examine — your own drive, or a company device under company policy, or a matter instructed through a solicitor. We do not access other people’s phones, laptops or accounts, whatever the reason. That is both the law and our own firm policy.

Entirely. Every device stays with our own engineers, in-house, under a documented chain of custody, and NDAs are signed as standard on business and forensic work under our ICO registration (ZC173784). Nothing is subcontracted.

0113 322 3083