I have a laptop that was running EEPC v5.2 and Windows XP SP3. Even with all our warnings in place, a tech tried to upgrade the encrypted system directly to Windows 7 using our process for unencrypted systems, which is:
- USMT Scanstate with hardlinking (leaves defined data on drive even through a wipe)
- Wipe the drive (not a format - whatever the new Windows 7 thing is with USMT).
- Install the new OS (Windows 7 SP1)
- Do a USMT Loadstate to restore the data from the hard links.
This, as expected, fails at Step #3 and Windows 7 never comes down. I now have a drive where I assume the hardlinked files are still there (encrypted?) but I have no way that I can access them.
Where I'm at now:
I booted off a SafeTech key, I can authenticate & authorize (using SDB) and the following shows for Disk Information:
- Logical Disk Number: 1
- Disk Information (error=e0020000a)
- Crypt List
- Region Count: 0
- PowerFail Status
- Status: Unknown
- Partition: 0
- Type: OS/2 HPFS
- Bootable: Yes
- Start Sector: 0000002048
- End Sector: 0488394751
- Sector Count: 0488392704
I have no idea if this is my disk or not though (could it be the USB?)
If I load up the Workspace and go out to sector 2048, it's plaintext.
Any thoughts on how to recover the data that's likely sitting out there somewhere, or should I be sending this off for data recovery?
Could be tough indeed. AFAIK you now have encrypted files on a plaintext drive, so the sector chain data we need to reconstruct them from the MFT is in plaintext, whereas the data sectors themselves are encrypted.
Not sure how you can get out of this - I'd clone the drive, then do a forced decrypt of the partition and see what a file recovery tool finds.
Thanks Simon! Do I need to clone it to a like-HDD or do you know of any tools where I can just create and mount a file based drive or something?
Humm no, as long as you don't try to change the partition size, then the sectors should be in the same locations. Geometry is not important but absolute sector number is.
As for a soft image, sorry, I don't have any experience - I guess Ghost might allow that, but then you have to mount it in an environment where you can use WinTech etc.
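Before committing a cloned image to a forced decrypt, it helps to confirm what the thread assumes: that the partition-start sector (2048 above) and the MFT region read as plaintext while the file-data sectors read as ciphertext. The following is an added example, not code from the original posts or from McAfee/EEPC tooling. It walks a raw sector image by absolute sector number (the property Simon says must be preserved when cloning), computes per-sector Shannon entropy, and collapses the result into runs of plaintext-like, ciphertext-like and empty sectors. The image it scans is constructed inline; the layout, thresholds and helper names are assumptions for illustration.

```python
import hashlib
import math
import os
import tempfile
from collections import Counter

SECTOR_SIZE = 512
# Assumed threshold in bits/byte. A 512-byte sample of ciphertext (or any
# random-looking data) lands around 7.5; text, zero-padded MFT records and
# boot code sit well below this.
RANDOM_THRESHOLD = 7.0


def sector_entropy(data: bytes) -> float:
    """Shannon entropy of one sector in bits per byte (0.0 for one repeated byte, 8.0 max)."""
    n = len(data)
    if n == 0:
        return 0.0
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def classify_sector(data: bytes) -> str:
    """Return 'empty' (a single repeated byte), 'random' (ciphertext-like) or 'plaintext'."""
    if len(set(data)) <= 1:
        return "empty"
    if sector_entropy(data) >= RANDOM_THRESHOLD:
        return "random"
    return "plaintext"


def scan_image(path: str, start_sector: int = 0, max_sectors=None):
    """Read an image sector by sector from an absolute LBA and collapse consecutive
    sectors with the same class into runs of (first_sector, sector_count, class)."""
    runs = []
    with open(path, "rb") as f:
        f.seek(start_sector * SECTOR_SIZE)
        lba = start_sector
        while max_sectors is None or lba - start_sector < max_sectors:
            data = f.read(SECTOR_SIZE)
            if len(data) < SECTOR_SIZE:
                break
            cls = classify_sector(data)
            if runs and runs[-1][2] == cls:
                first, count, _ = runs[-1]
                runs[-1] = (first, count + 1, cls)
            else:
                runs.append((lba, 1, cls))
            lba += 1
    return runs


def probe_sector(path: str, lba: int):
    """Classify one sector by absolute number, e.g. the partition start at 2048."""
    with open(path, "rb") as f:
        f.seek(lba * SECTOR_SIZE)
        data = f.read(SECTOR_SIZE)
    return classify_sector(data), round(sector_entropy(data), 2)


def _pseudo_random(nbytes: int, seed: bytes = b"constructed") -> bytes:
    """Deterministic SHA-256 chain standing in for ciphertext (constructed, not real EEPC output)."""
    out, block = bytearray(), seed
    while len(out) < nbytes:
        block = hashlib.sha256(block).digest()
        out += block
    return bytes(out[:nbytes])


def build_sample_image(path: str) -> str:
    """Constructed layout: 2 text-like boot sectors, 4 zero-padded MFT-style records,
    8 ciphertext-like sectors, 2 zero-filled sectors."""
    boot = (b"Constructed boot sector text. " * 20)[:SECTOR_SIZE]
    mft = (b"FILE0" + b"\x00" * 43 + b"constructed-record.txt ").ljust(SECTOR_SIZE, b"\x00")
    with open(path, "wb") as f:
        f.write(boot * 2)
        f.write(mft * 4)
        f.write(_pseudo_random(8 * SECTOR_SIZE))
        f.write(b"\x00" * (2 * SECTOR_SIZE))
    return path


def demo() -> list:
    """Build the constructed image in a temp directory and return its run map."""
    with tempfile.TemporaryDirectory() as d:
        path = build_sample_image(os.path.join(d, "constructed.img"))
        return scan_image(path)


if __name__ == "__main__":
    for first, count, cls in demo():
        print(f"sectors {first:>10}..{first + count - 1:<10} {count:>6} x {cls}")
```

Run against a real clone, `scan_image("/path/to/clone.img")` on a multi-hundred-GB image is slow but works, and `probe_sector(path, 2048)` answers the "is the partition start plaintext?" question directly. The map only tells you which regions are structured and which are ciphertext-like; compressed or already-encrypted file content also reads as "random", and nothing here recovers the sector chains, which, as Simon notes, live only in the MFT.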
An update for anyone following. I've now had two drives with this issue. The first drive I cloned and tried to Force Crypt Sectors (Decrypt) and then data recovery and it didn't see the drive. I'm decrypting the second one now and we'll give that a run through as well. I've left the originals alone in case they have to go out to professional recovery folks.
Simon - my process has been:
If you have any suggestions on a better way to do this, or if I'm doing something that's obviously not going to work, I'm happy to hear any suggestions :-)
There's no need to do a force, if the disk information is valid - just do a remove or follow the region list to be safe.
I'm not sure it's going to succeed though, as the hardlinked files are going to be encrypted, and when you build the new OS and restore them, the drive is not. I'm not sure how that could ever work, and how you would even go about recovering them.
So, post-"it broke", I believe we're left with a plaintext empty drive, but encrypted data. If I decrypt it all, don't I end up with garbage plaintext (which is useless anyway) and decrypted data that (maybe) some recovery software would detect?
Or are the components the disk needs to be able to know what that encrypted (now plaintext) data is gone, and it's all useless?
Yes, you will end up with an encrypted drive, and plaintext files.
Unfortunately, there's no link between the sectors you can follow to reconstruct the file - all of that is stored in the MFT, which is now in plaintext and will get encrypted when you decrypt the drive.
So, I guess it's worth a try, but I don't hold out much hope, unfortunately.