cancel
Showing results for 
Search instead for 
Did you mean: 

Solved: Any tools to recover encrypted partition list?

Hi all,

Let me explain the issue first..

We're using MEE version 5.2.4

A hardisk with partition (C, D, E) was installed with MEE and then the OS was broken.

End user sent to Site IT without telling it was encrypted with MEE and removed it first.

So Site It ghost back C, (technically we knew that ghosting doesn't fix the SBR only restore partiton)

So OS still can't be boot

So he then format C: and install new OS

New OS boot fine HOWEVER D & E is encrypted so he can't read it..

He contact McAfee Support

McAfee support ask him to use wintech/safetech to removed eepc

- of course this option failed because the SBR has been replace with new MBR by the new OS installation.

if failed McAfee Support also ask him to cryp or force crypt (dangerous tools to play)

- he can't used crypt because the new MBR doesn't contain encryption information

- he tried force Crypt "decrypt"instead and sucessfully

Because he inexperiance Site It never do force crypt before and without he just click by default sector is 0 and count is 1

So he actualy mess up the new MBR disk sector 0 and now making worse the disk information mess up..and OS can't be boot..

When using safetech/wintech disk information is not present... For whatever reason he try to reverse back by force crypt and encrypt but not work..

So my question Is there a way to recover this Encrypted Partition list? and fix the disk information?

Using testdisk http://www.cgsecurity.org/wiki/TestDisk can only recover C: ntfs not D & E

Technically we need to recover D & E and get the partition information on sector do do sector by sector decryption.

-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

This consider SOLVED

Update Note:  This steps ONLY work with one partition unencrypted in this case C: partition was formated.

Solution Steps is :

1) Recover MBR partition C: with testdisk (D & E) still encrypted so it won'r be shown only 1 ntfs partition will be shown, lets save and fix the mbr first then reboot.

2) Boot with wintech again and used partinfo to check on unallocated partition (which contain D & E)  we need to sector start & Tortal Sector for this unallocated partitoon - Thanks Ram Dudani for tool info

3) After get the sector info Run Wintech - authorize & Authenticate with SDB file and launch force crypt, From Information from PartInfo we put Sector Start & Sector Count/Total Sector  to the box and press "Decrypt"

4) Decryption will take a while make sure power cable is on

5)  after finish reboot and then run testdisk again, Now since the  allocated space is decypted partition D & E will be seen by testdisk

6) Write partition D & E to the disk..

7) Reboot and boot up the machine..

For hardisk with full encrypted partition C,D,E  (note: i've not test Gparted with above issue c formated maybe also work..)

1) Boot and launch gparted,

2) Run Gparted - Select unallocated disk | View | device information (get the total sector information), reboot and boot with Wintech CD

3) Run Wintech - authorize &  Authenticate with SDB file and launch force crypt, From Information from  PartInfo we put start sector in this case is 63 & Sector Count/Total Sector  to the box and press "Decrypt"

4) Decryption will take a while make sure power cable is on

5)   after finish reboot and then run testdisk again, Now since the   allocated space is decypted partition D & E will be seen by testdisk

6) Write partition D & E to the disk..

7) Reboot and boot up the machine..

Tools Used:

McAfee Wintech http://www.mcafee.com

GParted http://gparted.sourceforge.net

Testdisk http://www.cgsecurity.org/wiki/TestDisk

Partinfo ftp://ftp.symantec.com/public/english_us_canada/tools/pq/utilities/PartIn9x.zip

Message was edited by: obelicks : update on all partition encrypted.  on 8/12/10 10:58:35 AM MYT
31 Replies
Highlighted
rbdudani
Level 11
Report Inappropriate Content
Message 2 of 32

Re: Any tools to recover encrypted partition list?

get the sector info with Partinfo tool and than authorize with database & force decrypt the drives manually.

Re: Any tools to recover encrypted partition list?

By the way the partition list is gone now..

disk info was mess up..even if we can decrypt the sector.. how to put back the partition for os to read the data?

I've check partinfo and it's useless because disk information is gone so

no partition can be view from partinfo

is there any other tools?

Message was edited by: obelicks on 8/5/10 3:31:01 PM MYT

Re: Any tools to recover encrypted partition list?

Just restore original MBR (one of the options in SafeTech/WinTech) from exported machine SDB (database) file.

This restores partition table information. If disk is fully decrypted, that should work and partitiones D, E should be accessible.

(but what happened to C drive partition when disk was forcefully decrypted? Is it scrambled again?)

Re: Any tools to recover encrypted partition list?

This option not work..

I though SDB file could fix this MBR but It's not

error shown up "Unable to find system Boot disk"

So i believe MBR only exist in SBFS disk/OrigMBR not SDB file.

However after C: formated and new os installed SBFS has been wipe out

Message was edited by: obelicks on 8/5/10 11:38:37 AM MYT

Re: Any tools to recover encrypted partition list?

Partition information definitely exists in SDB file. Please provide exact steps that you are executing to restore original MBR.

Send me that SDB and I will tell you what partition table you should have.

Re: Any tools to recover encrypted partition list?

Hi Peter_EEPC

The step

- boot with wintech

- authorize

- authenticate with sdb file

- disk restore MBR (under disk menu)

Is this the right step?

I saw set safe original MBR under (Wintech Menu - not sure what the different),

Tried this too but same error shown

0xe002001b - Unable to find system boot disk

Reliable Contributor SafeBoot
Reliable Contributor
Report Inappropriate Content
Message 8 of 32

Re: Any tools to recover encrypted partition list?

formatting the partition won't damage the MBR partition table, neither will decrypting it and encrypting it.

So - what exactly did you or your user do to mess up the MBR?

Re: Any tools to recover encrypted partition list?

Encrypting/decrypting partition won't change partition table, but encrypting/decrypting disk sector 0 will.

Reliable Contributor SafeBoot
Reliable Contributor
Report Inappropriate Content
Message 10 of 32

Re: Any tools to recover encrypted partition list?

no it won't if you reverse what you did - that's the point of encryption/decryption - you get back what you started with.

More McAfee Tools to Help You
  • Subscription Service Notification (SNS)
  • How-to: Endpoint Removal Tool
  • Support: Endpoint Security
  • eSupport: Policy Orchestrator
  • Community Help Hub

      New to the forums or need help finding your way around the forums? There's a whole hub of community resources to help you.

    • Find Forum FAQs
    • Learn How to Earn Badges
    • Ask for Help
    Go to Community Help

    Join the Community

      Thousands of customers use the McAfee Community for peer-to-peer and expert product support. Enjoy these benefits with a free membership:

    • Get helpful solutions from McAfee experts.
    • Stay connected to product conversations that matter to you.
    • Participate in product groups led by McAfee employees.
    Join the Community
    Join the Community