We have an end user who was installing an OS on an external eSATA HDD; during the process the McAfee-encrypted pre-boot partition was modified, as a dual-boot partition was inadvertently applied.
The affected system is Windows 7 Enterprise utilizing McAfee drive encryption 220.127.116.114.
The situation was made worse when a partition fix (MBR) was attempted on both the pre-boot partition and the OS boot partition. At no time was a partition create performed.
Using the daily key for this workstation we can decrypt the boot partition and view file contents in the clear.
Pre-boot repair fails. We cannot perform a complete decrypt operation on the drive or partition using WinTech and the other tools utilizing the daily key for this particular workstation.
Using the daily key we can mount and decrypt the boot partition sector by sector; the question is whether there are tools to recreate the file system to pull specific files off.
I know there are dozens if not hundreds of similar posts, but I have not yet been able to locate a post applicable to my situation to determine what other tools are available and what steps and/or procedures should be employed to successfully recover files off of the end-user's boot partition.
With the exception of the end-user attempting to fix the MBR/boot partition using OS-level recovery tools, the partition and data are intact. Surely there are tools to pull unencrypted data off by a limited number of sectors that can be loaded into memory.
With EETECH 6 and the daily key and XML file in hand I can look at both the pre-boot and boot partitions. I also performed a sector-level backup of the user's laptop HDD utilizing Acronis TrueImage.
The user's laptop is Windows 7 Enterprise with a single boot partition on a 500GB HDD.
I'm certain this is neither the first nor the last time an authorized power-user will accidentally step on their encrypted HDD partitions.
If the pre-boot is no longer functional and the MBR of the boot partition has been modified such that decryption of the HDD and recreation of the file system is not so straightforward ... is this a recoverable situation such that at least files can be recovered? Being that this is a remote support situation, what technical references and additional software tools should I ask our central support organization for? I don't see myself being able to get them without our corporate account information with McAfee.
Being that the end-user's need to recover the data is critical, I'm beginning to think that we just send the drive off to one of the more reputable recovery services and encourage our power-users to take more care, especially as this is their first experience with full drive encryption being deployed across all organizations.
For me, it highlights the need for backups and off-site storage of the end-user's data.
From what I can tell ...
1. Make a backup and operate on that ... I'm assuming a sector-level backup is necessary.
2. Using EETech or other available tools, decrypt the partition (using the backup written to some other HDD).
3. Any number of commercial recovery tools can then be used on a decrypted partition to recover the partition (as in maybe) or at least recover critical files.
It would be great if someone else can verify my musings from all my reading ... especially someone from McAfee.
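As an added example (not from this thread and not part of EETech or any McAfee tool), assuming the sector-level backup has already been decrypted with the daily key into a plain raw disk image: before handing that image to a file recovery tool, it helps to confirm the decrypt actually produced readable NTFS boot sectors, and to know that NTFS keeps a copy of the boot sector in the volume's last sector, which recovery tools can fall back on when the primary one was overwritten by an MBR/boot repair. The script reads the image with seek/read so it copes with a 500GB file, and the sample image it checks is constructed in memory (one partition whose primary boot sector was zeroed).

```python
import io
import struct

SECTOR = 512

def read_sector(f, lba):
    f.seek(lba * SECTOR)
    return f.read(SECTOR)

def is_ntfs_vbr(sector):
    # OEM ID "NTFS    " at offset 3 plus the 0x55AA boot signature at the end
    return len(sector) == SECTOR and sector[3:11] == b"NTFS    " and sector[510:] == b"\x55\xAA"

def mbr_partitions(f):
    # Yield (start_lba, size_in_sectors) for each populated MBR table entry
    mbr = read_sector(f, 0)
    if mbr[510:] != b"\x55\xAA":
        return
    for off in range(446, 510, 16):
        start, size = struct.unpack_from("<II", mbr, off + 8)
        if mbr[off + 4] and size:
            yield start, size

def check_ntfs_boot_sectors(f):
    # NTFS stores a backup boot sector in the volume's last sector (start + size - 1)
    report = []
    for start, size in mbr_partitions(f):
        backup = start + size - 1
        report.append({"start_lba": start, "backup_lba": backup,
                       "primary_ok": is_ntfs_vbr(read_sector(f, start)),
                       "backup_ok": is_ntfs_vbr(read_sector(f, backup))})
    return report

def make_ntfs_vbr(total_sectors):
    # Constructed minimal NTFS boot sector (sample data, not from a real volume)
    vbr = bytearray(SECTOR)
    vbr[3:11] = b"NTFS    "                        # OEM ID
    struct.pack_into("<HB", vbr, 11, 512, 8)       # bytes/sector, sectors/cluster
    struct.pack_into("<Q", vbr, 40, total_sectors) # volume sectors, excluding the backup
    vbr[510:] = b"\x55\xAA"
    return bytes(vbr)

def build_sample_image():
    # Constructed 2 MiB image: NTFS partition at LBA 2048, primary VBR zeroed, backup intact
    start, size = 2048, 2048
    img = bytearray(SECTOR * (start + size))
    img[446:462] = struct.pack("<8BII", 0x80, 0, 0, 0, 0x07, 0, 0, 0, start, size)
    img[510:512] = b"\x55\xAA"
    last = start + size - 1
    img[last * SECTOR:(last + 1) * SECTOR] = make_ntfs_vbr(size - 1)
    return io.BytesIO(bytes(img))
```

On a real decrypted image, open it with `open(path, "rb")` in place of `build_sample_image()`; a partition where neither sector passes the check usually means the decrypt did not produce plaintext at all, so the key or offset should be revisited before any recovery tool is run.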
Yes, decrypt the partition, then you can use any standard file recovery tool to recover the data.
Third-party data recovery companies won't be able to recover the files until the drive's encrypted either.
Thank you for confirming this for me, SafeBoot. I'm very much appreciative of your time! ;-)
I hope to perform the decryption and recovery this afternoon.
I'll report back as to my results later.
Again, Thank You!