System would not boot. 3 partitions. User data on 3rd Partion (E Drive).
Went into Wintech to recover data. Authorised/Authenticated no problems. A43 would not open.
Rebooted. Opened A43 first. Could see all 3 system drives/partitions. Opened Wintech. Went back to A43 and could see data. Tried to copy data to external I had attached. Would freeze after a few seconds. Manual Decrypt time.
Rebooted and started manual decrypt and let it run. Power cable must have been loose because it turned off about 5 hours in. Last I looked at it had decrypted a little over 60 mil of 104 mil sectors.
Rebooted and started manual decrypt again. First Mistake. Rebooted system again after realizing I probably should not have started again. Second Mistake.
Rebooted. Opened A43 then Wintech and authorise/authenticate. No longer can see any user data. Can see data on the second partition but no user data there that user would need.
If it was as you have said "Rebooted. Opened A43 first. Could see all 3 system drives/partitions.", why didn't you recover/copy your data at that time?
Which version of encryption product did you have installed?
Do you know how to use Disk Information and Workspace fuctions to determine which sectors are encrypted and which ones are not?
Quote "Would freeze after a few seconds."
Version 5.2.3; Using 5.2.3 wintech.
And yes, I know how to use both of these funtions. Sorry about wrong terminology, I meant Force Decrypt, not Manual decrypt.
The problem I am having is determining which sector it stopped at. When I look at it in the Workspace, it still looks like scrambled text, even when I decrypt or encrypt the workspace.
Then use binary tree search to inspect bigger sector range. Also load more than one sector to workspace at a time, I use 4.
Look at other patterns: multiple 00 or FF's are also indication of data being seen in clear.
Oh, I see what you asked peter. Because I had to authenticate and authorise as the drive was encrypted. I did try to copy the data at that point but it would freeze up. I have had success in the past when this happens by force decrypting.
yeah - force decrypt does not keep a record of where it got to - that's why you shouldnt use it unless absolutely necessary.
Your only hope is via inspection as you say, but if the user has compressed data, movies, videos, zips etc, you won't be able to tell the difference. As peter says, just binary chop through the drive until you have an idea of the beginning and the end, and hope the MFT is included in that. Then you might be able to use some file recovery tools to construct the rest.
Success! I did have to manually inspect using workspace to find out where it had stopped and started. Then force encrypt that which I had decrypted twice. Whew! Was like finding a needle in a haystack but I got it close enough. The MFT was at the front of the drive so once I got that back to a plain text state, I could see everything again with the A43 utility.
Thanks for the suggestions!
Message was edited by: curtandy on 2/10/11 11:24:40 AM GMT-06:00Message was edited by: curtandy on 2/10/11 11:25:14 AM GMT-06:00