Since we started deploying Endpoint Encryption for PC (EEPC), about 35 boot failures have been reported to me so far. The total number of deployed machines is approx. 3000.
Luckily, most laptops were recovered with WinTech, but a few issues resulted in hardware failures that could not be restored.
Anyway, let me get to the point... One issue I am dealing with is something I've never had before, so please give me some advice if you can.
OK, one of my staff's PCs is divided into 2 drives, C and D, and both drives are fully encrypted.
By mistake, the user formatted the C drive, where all the encryption-related information is stored. And what is worse, he started doing encryption again.
Therefore, two SDB files have been created on the server. 140140-04.SDB is a personal key used for encrypting the old C and D drives, and 140140-05.SDB is the one used for the newly installed C drive.
So confusing! So, I tried both keys to unlock the encryption by using the A4 management utility in the WinTech console, which makes it possible to see encrypted data and copy and paste. But none of the keys worked.
It should have worked in my experience.
I need to get the data from D drive only!!!!!
I believe the D drive is still being affected by 140140-04.SDB, so I have to use that SDB file to decrypt.
Am I right?
Depends on the action when he installed the new OS..
Did he repartition again or just format and install on the same partition..
If he only formatted and installed on the same partition, the 2nd partition is not going to be readable by the OS (encrypted)
or it will detect it as unformatted..
After the OS was installed and EEPC installed - the OS encrypted 2 partitions or just 1 partition..
Message was edited by: obelicks on 11/12/09 12:58 AM
You need to figure out the sector for the 2nd partition
and decrypt it manually using "Disk" | "Crypt Disk"
Message was edited by: obelicks on 11/12/09 1:00 AM
the old one of course..
But please confirm that the 2nd partition is not intact or encrypted for the 2nd time.
Never tested this actually, but if the 2nd partition is not encrypted for the 2nd time.. I think you still have the chance to recover it
Get the sector range and decrypt it..
If this has been encrypted for the 2nd time during the new OS installation..
I'm not sure if decrypting using the new SDB and decrypting it again a 2nd time using the old SDB can recover your old data.
but you can try though..
But as I said, you need to clearly know what happened on those partitions.
On second thought,
how did the user format the C drive and install a new OS on it? In safe mode?
If the drive is encrypted there is no way the user can see and format the C drive.. you need to log in to MEE for the OS to view its partitions etc..
So most likely the drive has been reformatted.. and repartitioned...
and has been re-encrypted for the 2nd time.
in this case what you can do is (maybe)..
- get the encryption sectors via WinTech/SafeTech get disk information..
- boot the OS back up and uninstall the new MEE installation completely
- after that, try to decrypt or force decrypt the hard disk based on the sectors you have.. using the old key
- use any recovery or forensic software such as getback data to recover your data..
- I'm not sure of the success rate but you can try it out..
What I was thinking is that the pointer has been wiped out when the disk was formatted
and new data was written to some of the disk.. then this new data and space were encrypted on top of the previous encrypted data..
SafeBoot does encrypt every sector of the hard disk except the preboot of course..
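
The replies above turn on knowing the exact sector range of the second partition before any manual decrypt is attempted. As an added example (not part of the thread and not a McAfee tool), the Python below parses a classic MBR partition table from a saved copy of sector 0 and reports each partition's first and last LBA. It assumes an MBR (not GPT) layout with 512-byte sectors; the function names and the sample bytes are constructed for illustration.

```python
import struct

SECTOR_SIZE = 512            # assumption: classic 512-byte sectors
TABLE_OFFSET = 446           # partition table offset inside sector 0
ENTRY_FORMAT = "<B3sB3sII"   # status, CHS start, type, CHS end, LBA start, count

def partition_ranges(sector0: bytes):
    """Return [(index, type, first_lba, last_lba)] for the used MBR entries."""
    if len(sector0) < SECTOR_SIZE or sector0[510:512] != b"\x55\xaa":
        raise ValueError("not a valid MBR sector (missing 55 AA signature)")
    ranges = []
    for i in range(4):
        entry = sector0[TABLE_OFFSET + 16 * i : TABLE_OFFSET + 16 * (i + 1)]
        _st, _chs0, ptype, _chs1, start, count = struct.unpack(ENTRY_FORMAT, entry)
        if ptype == 0 or count == 0:
            continue  # unused slot
        if ptype == 0xEE:
            raise ValueError("protective MBR: disk uses GPT, not handled here")
        ranges.append((i + 1, ptype, start, start + count - 1))
    return ranges

def check_no_overlap(ranges):
    """True when no two partitions share a sector (sanity check on the table)."""
    ordered = sorted(ranges, key=lambda r: r[2])
    return all(a[3] < b[2] for a, b in zip(ordered, ordered[1:]))

def build_sample_mbr():
    """Constructed sample: two NTFS (0x07) partitions standing in for C and D."""
    mbr = bytearray(SECTOR_SIZE)
    parts = [(0x80, 0x07, 2048, 1_000_000), (0x00, 0x07, 1_002_048, 2_000_000)]
    for i, (status, ptype, start, count) in enumerate(parts):
        struct.pack_into(ENTRY_FORMAT, mbr, TABLE_OFFSET + 16 * i,
                         status, b"\0\0\0", ptype, b"\0\0\0", start, count)
    mbr[510:512] = b"\x55\xaa"
    return bytes(mbr)

if __name__ == "__main__":
    table = partition_ranges(build_sample_mbr())
    for idx, ptype, first, last in table:
        print(f"partition {idx}: type 0x{ptype:02x}, sectors {first}..{last}")
    print("no overlap:", check_no_overlap(table))
```

If the disk was repartitioned, the table read this way describes the new layout, so compare it with the range reported by the recovery tool's own disk information before relying on it.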