Showing results for 
Show  only  | Search instead for 
Did you mean: 

File recovery process with a mountable decrypted boot partition

We have an end user that was installing an OS on an external eSATA HDD, during the process the McAfee encrypted pre-boot partition was modified as a dual boot partition was inadvertently applied.

The affected system is Windows 7 Enterprise utilizing McAfee drive encryption

The situation was made worse when partition fix (MBR) was attempted on both the pre-boot partition and the OS boot partition.  At no time was a partition create performed.

Using the daily key for this workstation we can decrypt the boot partition and view file contents in the clear.

Pre-boot repair fails. We cannot perform a complete decrypt operation on the drive or partition using WinTech and the other tools utilizing the daily key for this particular workstation.

Using the daily key we can mount and decrypt the boot partition sector-by-sector, the question is are there tools to recreate the file system to pull specific files off?

I know there are dozens if not hundreds of similar posts but I have yet been able to locate an applicable post to my situation to determine what other tools are available and what steps and/or procedures should be employed to successfully recover files off of the end-users boot partition.

With exception of the end-user attempting to fix the MBR/Boot Partition using OS level recovery tools, the partition and data is intact.  Surely there are tools to pull unencrypted data off by a limited number of sectors that can be loaded into memory.

5 Replies

Re: File recovery process with a mountable decrypted boot partition

With EETECH 6 and the daily key and XML file  in hand I can look at both the pre-boot and boot partitions.  I also performed a sector level backup of the users laptop HDD utilizing Acronis TrueImage.

The users laptop is Windows 7 Enterprise with a single boot partition on a 500GB HDD.

I'm certain this is neither the first nor last time an authorized power-user will accidently step on their encrypted HDD partitions.

If the pre-boot is no longer functional and the MBR of the boot partition has been modified such that decryption of the HDD and recreation of the file system is not so straight forward ... is this a recoverable situation such that at least files can be recovered?  Being that this a remote support situation, what technical references and additional software tools should I ask our central support organization for?  I don't see me being able to get them without our corporate account information with McAfee.

Being that the end-user's need to recover the data is critical I'm beginning to think that we just send the drive off to one of the more reputable recovery services and encourage our power-users to take more care especially as this is their first experience with full drive encryption being deployed across all organizations.

For me, it highlights the need for backups and off-site storage of the end-user's data.

Re: File recovery process with a mountable decrypted boot partition

From what I can tell ...

1.  Make a backup and operate on that ... I'm assuming a sector level backup is necessary

2. Using EETech or other available tools decrypt the partition (using the backup written to some other HDD)

3. Any number of commercial recovery tools can then be used on a decrypted partition to recover the partition (as in maybe) or at least recover critical files.

It would be great if someone else can verify my musings from all my reading ... especially someone from McAfee.


Reliable Contributor
Reliable Contributor
Report Inappropriate Content
Message 4 of 6

Re: File recovery process with a mountable decrypted boot partition

yes, decrypt the partition, then you can use any standard file recovery tool to recover the data.

Third party data recovery companies won't be able to recover the files until the drive's encrypted either.

Re: File recovery process with a mountable decrypted boot partition

Thank you for confirming this for me SafeBoot.  I'm very much appreciative of your time! 😉

I hope to perform the decryption and recovery this afternoon.

I'll report back as to my results later.

Again, Thank You!


Level 7
Report Inappropriate Content
Message 6 of 6

Re: File recovery process with a mountable decrypted boot partition

Hi, any updates as to how it went ?

You Deserve an Award
Don't forget, when your helpful posts earn a kudos or get accepted as a solution you can unlock perks and badges. Those aren't the only badges, either. How many can you collect? Click here to learn more.

Community Help Hub

    New to the forums or need help finding your way around the forums? There's a whole hub of community resources to help you.

  • Find Forum FAQs
  • Learn How to Earn Badges
  • Ask for Help
Go to Community Help

Join the Community

    Thousands of customers use the McAfee Community for peer-to-peer and expert product support. Enjoy these benefits with a free membership:

  • Get helpful solutions from McAfee experts.
  • Stay connected to product conversations that matter to you.
  • Participate in product groups led by McAfee employees.
Join the Community
Join the Community