We have a problem on an encrypted laptop and we desperately need to get to the data. The laptop will not boot into Windows anymore and I believe that the MBR was damaged. When we use the EETech disk to Remove EE (after authorising and authenticating, of course), it tells us that "Endpoint Encryption is not currently active". We have version 6.1 installed.
Please excuse my ignorance, but I have never decrypted a disk any other way. I have read the manual where they mention Force Crypt sectors but never tell you exactly how to do it. Also, how do you know what sectors you need to decrypt if you need to get data from C:\Users\%userprofile% for example? I have used the BartPE disk with A43 and tried looking at the files once authenticated, but Drive C: still shows as empty and unformatted.
That won't help if EEPC is not active - it sounds like the OP has a rootkit or some other MBR malware.
You're going to have to do a manual decryption of the sectors AFTER checking you have the right key - you can get the sector range from the disk info, and as long as you have the right key (and the whole partition was encrypted), you'll have 100% success.
It's all about how much validation of your sector ranges and keys though - if you're unfamiliar, find the person who got trained on this when the product was purchased, or get professional services in to help you.
What is strange is that after this incident, I took one of my test laptops that is fully encrypted with version 6.1 and tried the same thing (booted off the EETech disk, authorised and authenticated successfully with the XML file and code of the day) but cannot see any data on A43. Am I doing something wrong here because this seems simple enough to do? Are there any specific settings in the product policies that need to be enabled for this to work?
No - it just means the XML file is valid - to test whether it's the correct one or not, decrypt the partition boot sector in the workspace and make sure it looks good.
Please excuse my ignorance once again, but how do I find the exact sectors to identify the boot partition? Also, if it has decrypted successfully, will that mean I will see files on the encrypted volume?
Look in the disk information and get the partition start sector.
Yes, if it's decrypted you'll see the files without doing anything in A43, and you'll also see the files if the disk information is valid and you supply the right XML file.
If the disk info is invalid though (as it would be if the MBR was damaged), you won't see any files until you decrypt the correct sectors with the correct key.
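
An added example, not part of any reply above and not code from the product: one way to judge whether a decrypted partition boot sector "looks good" once it has been exported from the workspace as 512 raw bytes. It assumes an NTFS partition with 512-byte sectors and that the boot sector's hidden-sectors field holds the partition start sector, as is normal on Windows-formatted disks; the function names and sample data are hypothetical and constructed.

```python
import hashlib
import struct

def check_ntfs_boot_sector(sector, partition_start=None):
    """Return a list of problems; an empty list means the sector looks sane."""
    if len(sector) != 512:
        return ["expected 512 bytes, got %d" % len(sector)]
    problems = []
    if sector[510:512] != b"\x55\xaa":
        problems.append("missing 0x55AA signature at offset 510")
    if sector[0] not in (0xEB, 0xE9):
        problems.append("first byte is not an x86 jump opcode")
    if sector[3:11] != b"NTFS    ":
        problems.append("OEM ID is not 'NTFS    '")
    bps, spc = struct.unpack_from("<HB", sector, 0x0B)
    if bps not in (512, 1024, 2048, 4096):
        problems.append("implausible bytes per sector: %d" % bps)
    # Simplification: only the classic power-of-two encoding (1..128) is accepted.
    if spc == 0 or spc > 128 or spc & (spc - 1):
        problems.append("implausible sectors per cluster: %d" % spc)
    hidden, = struct.unpack_from("<I", sector, 0x1C)
    total, mft_lcn = struct.unpack_from("<QQ", sector, 0x28)
    if total == 0 or mft_lcn * max(spc, 1) >= total:
        problems.append("$MFT cluster lies outside the volume")
    # Assumption: the hidden-sectors field normally holds the partition's start LBA.
    if partition_start is not None and hidden != partition_start:
        problems.append("hidden sectors %d != partition start %d" % (hidden, partition_start))
    return problems

def constructed_good_sector(partition_start=2048):
    """Constructed sample: minimal NTFS-style boot sector, not from a real disk."""
    s = bytearray(512)
    s[0:3] = b"\xeb\x52\x90"                      # jump over the BPB
    s[3:11] = b"NTFS    "                         # OEM ID
    struct.pack_into("<HB", s, 0x0B, 512, 8)      # bytes/sector, sectors/cluster
    struct.pack_into("<I", s, 0x1C, partition_start)
    struct.pack_into("<QQ", s, 0x28, 500000, 4)   # total sectors, $MFT cluster
    s[510:512] = b"\x55\xaa"
    return bytes(s)

def constructed_wrong_key_sector():
    """Constructed sample: pseudo-random bytes, as a wrong key would produce."""
    return b"".join(hashlib.sha256(bytes([i])).digest() for i in range(16))

if __name__ == "__main__":
    print("good :", check_ntfs_boot_sector(constructed_good_sector(), 2048))
    print("wrong:", check_ntfs_boot_sector(constructed_wrong_key_sector(), 2048))
```

A sector decrypted with the wrong key or taken from the wrong offset fails several of these checks at once, so a single stray failure is more likely a range problem than a key problem.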