The short version of my problem: we had one machine object with a wrong policy (external hard drives connected to the computer were encrypted). The notebook was stolen recently and now all we got left is the machine object of the device with which I thought the decryption process would be fairly simple.
I exported the SDB file and booted to the SafeTech environment, authenticated from the SDB and experimented with the workspace (load from sectors -> different start sectors like 2048 or 63, decrypt workspace, etc.) but nothing worked (no pattern in the workspace).
I attached a screenshot of the disk information and my hope is that one of you can tell me the secret where I have to fill in which values to decrypt this HDD.
This is really urgent and I already tried to get support via the Phone / E-Mail but it seems the supporters are swamped at the moment, delays are horrible and the answers are not helping to be honest.
Please let me know if you need any more information and I will gladly provide it!
Thank you very much in advance and best regards
First question - how is this removable disk attached to the laptop running SafeTech?
If it's the 2nd drive - did you forget to change disk? And you're looking at the laptop hard disk, not the removable one? You need to set the correct disk number (probably 1).
Remember, the internal drive on an encrypted laptop will have a different key than an external drive from another machine.
1. The HDD was attached to the laptop via USB and was partially encrypted during the progress.
2. This is the correct disk, the machine ID you can see in the screenshot matches to the original laptop machine object in the McAfee Endpoint Encryption Manager.
Well if this is disk 1 (not the internal disk of the unrelated laptop) and you exported the correct machine object, but sector 2048 does not decrypt successfully, then something is not correct.
Are you sure you set the correct disk before you went into the workspace? How did you connect this external drive to a machine and get it working in SafeTech - normally a USB connection would not work (it would work with WinTech though of course).
Message was edited by: SafeBoot on 4/22/14 11:29:08 AM EDT
Actually I did not start the decryption because 1. I don't know how and 2. I thought there have to be readable patterns after you decrypt the workspace or it won't work. And yes, I set the correct disk before accessing the workspace.
Which sector count do I enter though?
Not sure about that since I have 3 to choose from in the screenshot. Does that even matter for the decryption?
And how can I start the decryption correctly?
IDK, tried several versions of SafeTech / WinTech we have here but I never had the problem that the HDD would not work via USB...
Thank you for your quick responses!
The region is telling you what is encrypted, the power fail section tells you what *could* be encrypted - you'll have to take a look and decide yourself.
BUT as I keep repeating - you MUST make sure you are looking at the correct disk before you do anything, and then you must make sure you are using the right key.
Then, just use the force decrypt option.
If sector 2048 does not decrypt though, you're either looking at the wrong disk, or you're using the wrong SDB file.
As a comment - there's no way you can access a USB encrypted hard disk in SafeTech - you have to be using WinTech. SafeTech simply doesn't support USB drives like that (and even if it did, it would take a week to decrypt one).
What's above the screenshot? Do you have two disks mentioned in the disk info window?
Yes there are two disks. I will clone the disk 1:1 and start the decryption in a WinTech environment on a test computer just so no valuable data is lost if it fails.
I will report back in 2 days tops, thank you!
Sorry for the delay, I started the force decrypt with start sector 2048 and sector count 177907200. The HDD still doesn't show content in A43 and Windows though. I cloned the original disk again and am ready to test again. Was the sector count I entered correct?
The machine ID from the first screenshot matches the ID in the Safeboot Encryption Manager exactly, isn't that an indicator that the used key is correct?