jmcleish
Level 13

Extracting data \ghosting from an encrypted disk using EETech EEPC v6.0.2

Hi,

With regards to Dan's post here about copying or ghosting off an encrypted disk:

https://community.mcafee.com/message/2421#2421

How do you do that in EETech, since there is no 'mount disk'?

On my test machine, I've authenticated and authorised and tried selecting the appropriate volume in diskpart, but can't seem to mount it successfully (not that familiar with it!), and it still says raw format and I can't read it in the A43 file mgt util.

Basically I've now had a few machines where the encryption agent can't read the registry key and won't boot, then spent 4 hours or so waiting for the thing to force decrypt before I can access the data.

Obviously being able to ghost (preferable) \ extract data off without the need to decrypt is advantageous.

Using Dan's WinPEv3 EETech v6 disk.

Thanks for any help

Jane

0 Kudos
1 Solution

Accepted Solutions
jmcleish
Level 13

Re: Extracting data \ghosting from an encrypted disk using EETech EEPC v6.0.2

Dan,

Just to let you know (or anyone else) that I eventually managed to get this working.

I had tried injecting AHCI drivers into the WinPE wim but still had no joy...... until this week.

We had a requirement to try and extract data on the fly so I created a new BartPE with EETech v 6.1.1 (one with no drivers for my ATA disks, and one with AHCI drivers). When booting from this I am able to read the encrypted disk on the fly fine.

I'm unsure whether it is something to do with the WinPE vs Bart or EETech 6.0.2 vs 6.1.1, but anyway, thanks for all your help on this matter. This makes life MUCH easier!

Thanks

Jane

0 Kudos
8 Replies
SafeBoot
Level 21

Re: Extracting data \ghosting from an encrypted disk using EETech EEPC v6.0.2

If you present the correct XML file to EETech, it will mount the host drive for you automatically? Have you checked using the workspace that your XML export is correct?

0 Kudos
jmcleish
Level 13

Re: Extracting data \ghosting from an encrypted disk using EETech EEPC v6.0.2

To be honest I've never used the workspace. It says I have authenticated and the only way I could get the disk to appear unencrypted is to start a crypt sector and cancel it. (Obviously this is my test machine, so I can do what I wish with it but wouldn't do that on a production machine.)

And I was told that there was hardly anything on EETech on the encryption course and can't face talking to gold support.....

It would be really handy to have some sort of idea of what to use what for and how to use it, so that us starting out using EEPC can play about with test systems to find out what we can do in EETech. A guide on how to use the components in EETech (obviously with a big disclaimer included) would be very useful. Either that or a nice mount button. :-)

I saw this post: https://community.mcafee.com/message/149954#149954 and wonder if they mean the EETech from v6.1?

Any idea?

(yes... flailing in at the deep end here....)

Thanks

Jane

0 Kudos
DLarson
Level 12

Re: Extracting data \ghosting from an encrypted disk using EETech EEPC v6.0.2

One thing I've noticed is that you have to "refresh" the file management utility after you authenticate (authorization is not necessary for mounting the disk). So maybe you just need to hit F5 or click around in the file manager GUI. As Simon said, the "mount disk" button is gone in EE Tech. Now it just happens automatically after you authenticate. So if that isn't working, then you may be using the wrong key. Here's how to test your key with the workspace functions. Forgive me if the menu names are different, I'm not looking at it right now ... but my memory is pretty good.

  1. Authenticate in EE Tech, using an XML file from ePO
  2. Open workspace
  3. Choose "load sector from disk"
  4. Enter 63 in the start sector, and 1 in the sector count.
  5. The screen will then read that sector of the disk and display it. You will be looking at encrypted data. Only pay attention to the far-right column - this is the actual data on the disk.
  6. To decrypt this sector, you have to go back to the Workspace menu and hit "decrypt"
  7. Look in the far-right column and see if you now see cleartext data. If it is cleartext, then you are using the right XML file.

I say to use sector 63 since that is typically the first sector of the first partition and has predictable text in it - usually "NTFS" is seen. If you load sector 63 and it is blank, then you'll have to go fishing for sectors. I just increase by a factor of 10 while I'm looking ... so 63, then 630, then 6300 and so on. Eventually you'll find a sector with some data that looks like clear text after you decrypt it. If you don't, then you're using the wrong XML file.

0 Kudos
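
The cleartext check from steps 5 to 7 above, sketched as an added example (it is not part of the original thread and is not McAfee code): given one 512-byte sector as bytes, it reports whether the data is an NTFS boot sector, other cleartext, blank, or still random-looking. The function names, the 7.0 entropy threshold and the sample sectors are assumptions constructed for illustration; getting sector bytes out of EETech is not covered here.

```python
import hashlib
import math
import struct

SECTOR_SIZE = 512  # assumption: 512-byte sectors

def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (about 7.6 for 512 random bytes)."""
    n = len(data)
    return -sum(c / n * math.log2(c / n)
                for c in (data.count(v) for v in range(256)) if c)

def classify_sector(sector: bytes) -> str:
    """Classify one sector as 'blank', 'ntfs-boot', 'high-entropy' or 'cleartext'."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("expected exactly one 512-byte sector")
    if sector.count(sector[0]) == SECTOR_SIZE:
        return "blank"  # nothing to judge; move on to another sector
    bytes_per_sector = struct.unpack_from("<H", sector, 0x0B)[0]
    if (sector[3:11] == b"NTFS    " and sector[510:512] == b"\x55\xaa"
            and bytes_per_sector in (512, 1024, 2048, 4096)):
        return "ntfs-boot"  # OEM ID, BPB field and boot signature all agree
    # Threshold is an assumption: text and file-system metadata fall well below it.
    return "high-entropy" if entropy(sector) >= 7.0 else "cleartext"

def fishing_sectors(count: int, start: int = 63, factor: int = 10) -> list:
    """Sectors to try when the first one is blank: 63, 630, 6300, ..."""
    return [start * factor ** i for i in range(count)]

def constructed_ntfs_sector() -> bytes:
    """Constructed sample: minimal NTFS boot sector, not read from a real disk."""
    s = bytearray(SECTOR_SIZE)
    s[0:3] = b"\xebR\x90"             # x86 jump + NOP that precede the OEM ID
    s[3:11] = b"NTFS    "             # OEM ID, the text looked for in step 7
    struct.pack_into("<H", s, 0x0B, 512)
    s[510:512] = b"\x55\xaa"          # boot sector signature
    return bytes(s)

def constructed_ciphertext_sector() -> bytes:
    """Constructed sample: hash output standing in for a still-encrypted sector."""
    return b"".join(hashlib.sha256(bytes([i])).digest() for i in range(16))

if __name__ == "__main__":
    for name, data in [("right key", constructed_ntfs_sector()),
                       ("wrong key", constructed_ciphertext_sector()),
                       ("empty", bytes(SECTOR_SIZE))]:
        print(name, "->", classify_sector(data))
```

A "high-entropy" result after decryption points to the wrong XML file, while "blank" means the sector says nothing either way and the next sector in the list should be tried.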
jmcleish
Level 13

Re: Extracting data \ghosting from an encrypted disk using EETech EEPC v6.0.2

Thanks for that, Dan - that's very helpful.

I'm off for a week, so will try that when I get back.

Thanks again

Jane

0 Kudos
jmcleish
Level 13

Re: Extracting data \ghosting from an encrypted disk using EETech EEPC v6.0.2

Hi,

OK - so I loaded and decrypted the workspace.

At the top of the right-hand column there was R.NTFS and lower down it said: "a disk read error occurred. NTLDR is missing...." so it did show cleartext so I'm assuming it's the correct file.

So, leaving EETech open (authenticated but not authorised), I open A43 and see the c:\ drive in the list, but no matter where I click, refresh or restart A43, I still can't read the disk.

Thanks

Jane

0 Kudos
DLarson
Level 12

Re: Extracting data \ghosting from an encrypted disk using EETech EEPC v6.0.2

It could be that you don't have the SATA drivers for your hard disk installed in your PE environment. That's what usually causes this symptom. You can try getting the SATA drivers from Intel, or whoever makes your hard disk(s). Another trick is to go into the BIOS and switch the disk operation to ATA or something that resembles "legacy mode".

0 Kudos
jmcleish
Level 13

Re: Extracting data \ghosting from an encrypted disk using EETech EEPC v6.0.2

Thanks Dan,

The one I was testing on is in IDE mode - but I think it's a solid state drive. I'll try and find and add the drivers to the WinPE image for it.

Thanks

Jane

0 Kudos