Data recover issue - Endpoint encryption.

Hi Everybody,

I am trying to recover one of our company user's data.

I have read many articles and talked with McAfee platinum support.

But I couldn't recover the data yet.

Here is the scenario.

1. User failed to log in on the PBA screen.

2. I received the user's laptop. Tried machine recovery and token reset - failed with an error message

3. Log-in and token reset failed with the administrator account

4. Downloaded the recovery file for EEtech authentication.

5. Remove EE failed with an incorrect key error message.

6. Emergency boot also failed. - Operating System not found

7. Restored the MBR (I think that was a bad idea...)

8. Made a copy image of the drive

9. Did a test decryption on sector 63 - Couldn't find readable data

10. Did a force decryption on the copy image - Can't see the data yet.

Can anybody tell me if I'm missing something?

Reliable Contributor SafeBoot
Message 2 of 10

Re: Data recover issue - Endpoint encryption.

Yes, restoring the MBR was a very bad idea.

You're basically using the wrong key - that's why nothing is working. Force decryption with the wrong key was almost as bad as clearing the MBR.

Before you cleared the MBR you could have used the disk information to get the keycheck value, then you could have found that in EPO. Now, you're going to have to find all the keys associated with this machine and try them one by one.

Before that though, you need to force *encryption* with the wrong key to get things back how they started, then find the right key.

Why are you testing Sector 63? Is that where the PBR is according to the disk information?

Re: Data recover issue - Endpoint encryption.

Thanks for the reply.

When I restored the MBR, the idea was that maybe the drive was not encrypted yet.

I regretted it right after reboot.

So I made a copy image after that. I understand I need the right key. I have 2 old versions of the key on this machine.

If these two fail, will there be no other way to recover the data?

Talking about sector 63: I assume that if I used the right key then I could see some plain text, because the sector is used as the Windows start sector.

Reliable Contributor SafeBoot
Message 4 of 10

Re: Data recover issue - Endpoint encryption.

Without the right key there is no way to recover the data.

I question your use of 63, as most OS's use 2048 now. As long as you're sure you're trying to decrypt a PBR then it is indeed the right sector.
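
The check discussed above (is sector 63 or 2048 really the PBR, and did a test decryption produce readable data?) can be automated against a copy image. The following Python is an added example, not part of the thread and not McAfee tooling; it assumes 512-byte sectors and a standard MBR partition table in sector 0, and the sample image is constructed.

```python
import struct

SECTOR = 512  # assumed sector size

def partition_starts(image):
    """Start LBAs of the primary partitions listed in the MBR at sector 0."""
    mbr = image[:SECTOR]
    if len(mbr) < SECTOR or mbr[510:512] != b"\x55\xaa":
        return []
    starts = []
    for i in range(4):
        entry = mbr[446 + 16 * i:462 + 16 * i]
        lba, count = struct.unpack_from("<II", entry, 8)
        if entry[4] != 0 and count != 0:  # partition type 0 means unused slot
            starts.append(lba)
    return starts

def classify_pbr(sector):
    """'NTFS' or 'FAT' if the sector looks like a plaintext boot record, else None."""
    if len(sector) < SECTOR or sector[510:512] != b"\x55\xaa":
        return None
    if sector[3:11] == b"NTFS    ":
        return "NTFS"
    if sector[54:59] == b"FAT16" or sector[82:87] == b"FAT32":
        return "FAT"
    return None

def check_candidates(image, extra_lbas=(63, 2048)):
    """Classify every candidate PBR location: MBR entries plus common offsets."""
    lbas = sorted(set(partition_starts(image)) | set(extra_lbas))
    return {lba: classify_pbr(image[lba * SECTOR:(lba + 1) * SECTOR]) for lba in lbas}

def build_sample():
    """Constructed image: MBR pointing at an NTFS PBR at 2048, unreadable bytes at 63."""
    img = bytearray(2049 * SECTOR)
    img[446:462] = bytes([0x80, 0, 0, 0, 0x07, 0, 0, 0]) + struct.pack("<II", 2048, 1)
    img[510:512] = b"\x55\xaa"
    pbr = bytearray(SECTOR)
    pbr[0:11] = b"\xeb\x52\x90" + b"NTFS    "
    pbr[510:512] = b"\x55\xaa"
    img[2048 * SECTOR:2049 * SECTOR] = pbr
    img[63 * SECTOR:64 * SECTOR] = bytes((i * 37 + 11) % 256 for i in range(SECTOR))
    return bytes(img)

if __name__ == "__main__":
    for lba, kind in check_candidates(build_sample()).items():
        print(lba, kind or "no plaintext boot record")
```

Run it only against a copy image, never the original disk; a `None` result for the true PBR sector after a test decryption indicates the key tried was not the right one.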

Re: Data recover issue - Endpoint encryption.

Thanks, SafeBoot

Luckily, I was able to recover the data with one of the old XML files.

Which is odd, as I always thought the latest recovery file should be the right key all the time.

I guess there was a communication issue between the client and the server.

Reliable Contributor SafeBoot
Message 6 of 10

Re: Data recover issue - Endpoint encryption.

You are correct, the XML always has the latest keys for the machine. The only way the XML would have the wrong key, is if another machine had activated with the same agent GUID.

You're not cloning machines by any chance are you?

I'm glad you got the data back though.

danlin
Level 7
Message 7 of 10

Re: Data recover issue - Endpoint encryption.

Hello sanchezlee

I had the same exact issue where the MBR is overwritten.

Can you let me know, if I have the relevant XML, how do you recover the data?

The eetech 6.1 does not have any option to browse the HDD.

Thanks

Re: Data recover issue - Endpoint encryption.

Hi Danlin,

As far as I know, there are two kinds of eetech.

1. Stand alone - When you boot with this image, it directly launches the eetech program.

2. EEtech on Windows PE - This image will load Windows PE. You see a command window at the end, and you can launch the eetech program with a DOS command.

With the second one, you can actually browse your computer with Windows Explorer. It returns a popup window when you try to access the encrypted drive.

Hope it helps.

danlin
Level 7
Message 9 of 10

Re: Data recover issue - Endpoint encryption.

I only found the standalone copy from McAfee. Can you send me the link for the 2nd eetech you mention?

I had the same exact issue as you, and the standalone copy is not able to recover using the emergency boot since the MBR is gone.
I was trying to find a way to copy the data off the encrypted HDD to no avail until I saw your similar post.

Appreciate your guidance here.

Reliable Contributor SafeBoot
Message 10 of 10

Re: Data recover issue - Endpoint encryption.

see
