wisnupp
Level 7

How to decrypt drive D on reimaged Windows

Hello,

I had a Windows XP PC with two drives, C and D, both encrypted with EEPC 6. Then someone accidentally reinstalled Windows on drive C and realized he couldn't access files on drive D because it's still encrypted.

Question: how to decrypt drive D if:

A. I haven't deleted that system in ePO (so I still have xml for authentication)

B. The system is somehow deleted in ePO (no xml)

C. I have deleted that system in ePO and reinstalled McAfee agent and EEPC on the new Windows (different xml?)

I tried using EETech DVD and did force decrypt D (taking note of sector start and length) but it didn't work - drive D is still unreadable. The "Remove EE" action is not available because no EE is detected (reinstalled Windows).

Has anyone experienced the same problem? Or be kind enough to duplicate the problem?

Thanks,

Wisnu


Accepted Solutions
SafeBoot
Level 21

Re: How to decrypt drive D on reimaged Windows

Not sure what your expectations were - but it's simply not possible to "restore" an encrypted drive within a fresh copy of Windows - it is after all encrypted.

To get access to the data you'd need to either

a) use the key reuse option and re-activate EEPC - this will cause the fresh copy of EEPC to re-use the existing key that the old drive is using.

b) use eeTech to copy the data off the drive

c) use eeTech to decrypt the drive

10 Replies
whgibbo
Level 12

Re: How to decrypt drive D on reimaged Windows

Hi,

Could you please let us know the following:

  1. What version of EEPC are you using?
  2. Has the machine been reactivated?

Thanks

wisnupp
Level 7

Re: How to decrypt drive D on reimaged Windows

Hi whgibbo,

1. It was either 6.1.0 or 6.1.1 (the lab is no longer available)

2. Reactivated meaning reinstall EEPC? So here is what happened as I remember:

A. Installed EEPC to Win XP PC and encrypted all drives (C and D). Ran well.

B. Someone didn't realize it had EEPC, reimaged/reinstalled Windows XP on C --> D not accessible.

C. I created EETech DVD and tried to remove EE but was not successful.

D. Reinstalled EEPC, but saw that drive D status is decrypted (new EEPC installation can't detect that drive D is already encrypted), so immediately stopped the encryption process (still in progress of encrypting drive C) before the process continued to drive D, to prevent double encryption.

E. After a while, stopped the effort to restore D, but saved an image of the full hard drive.

In another test (Windows 7):

A. Installed EEPC and encrypted all drives (C and D). Ran well.

B. Immediately ran EETech DVD (the PC still had EEPC) and did force decrypt to drive D (taking note of sector start and length). This is just testing if force decrypt works.

C. Booted back to Windows and checked drive D, it's not readable. Why?

D. Gave up and stopped the test.

Luckily this all happened in lab environment.

"Hello Wisnupp.

Please refer to the McAfee EETech User Guide before performing Decryption, this might help you.

https://kc.mcafee.com/resources/sites/MCAFEE/content/live/PRODUCT_DOCUMENTATION/ 22000/PD22404/en_US...

Yes, I realized I haven't studied EEPC thoroughly. But can anyone give quick advice to make sure I can restore data drive(s) when the system drive is reimaged/reinstalled? Does it have something to do with the Re-use machine key option? Just found out about this option, took a peek at whgibbo's previous post. Checked with the EEPC product guide, the explanation is very brief.

Thanks

hemantk
Level 12

Re: How to decrypt drive D on reimaged Windows

Hello Wisnupp.

You can refer to the link below; this might help you with the Re-Use Machine Key option.

https://community.mcafee.com/thread/34867?tstart=0

SafeBoot
Level 21

Re: How to decrypt drive D on reimaged Windows

I think you are asking too many questions in one discussion - why not create a separate discussion for each scenario you want help with, so we can keep our thoughts in order - you started with three different hypothetical questions after all, which now seem to relate to two actual scenarios.

If you really need to recover the data, please call McAfee support, but if these are write-off test machines, perhaps it's better to just format them and save the support bandwidth for some person who's losing data they really value.

wisnupp
Level 7

Re: How to decrypt drive D on reimaged Windows

Hi Mr. Simon Hunt,

Thanks for your reply.

Actually it has some valuable files for our team which need some effort to get it back again when lost. The team have forgiven me for being unable to restore the files, but since then they keep reminding me about it and now I have a homework of mastering EEPC disaster recovery.

Okay, let me change the question.

How do I decrypt drive D of a PC whose system drive has been reimaged, if I accidentally delete the corresponding system/object in ePO after reimaging?

Thanks!

SafeBoot
Level 21

Re: How to decrypt drive D on reimaged Windows

You need to be more precise - what version of EEPC was it encrypted with, for example? Did you re-install EEPC after re-imaging? Did the machine have the same network name, or a different name? Do you have a backup of your EPO server from the time of the first instance?

Some versions of EEPC will over-write existing keys in the case that the product is re-activated with the same network names, thus preventing recovery unless you have a db backup etc. Some (later) versions create and preserve fresh keys each time.

The "supported" answer though, is if you deleted the object out of EPO, then we assume you don't care about it any more, and thus it would be irrecoverable. There are sometimes ways around this though as long as other activities have not occurred.

I suggest you start a new discussion with the exact scenario you need help with.

whgibbo
Level 12

Re: How to decrypt drive D on reimaged Windows

Hi,

If it was encrypted and then re-encrypted using an EEADMIN version prior to 1.1.1.x, then it is not possible to retrieve the machine key for this machine, as it would have been overwritten if the machine was not removed from ePO.

In which case you will not be able to decrypt the drive.

With EEADMIN version 1.1.1.x the recovery information is archived, but will not be accessible until EEADMIN version 1.1.2.x.

It sounds like you reinstalled and activated the machine without key re-use enabled for the machine.

As SafeBoot commented:

There are sometimes ways around this though as long as other activities have not occurred.

In which case you would have to raise a support ticket for this.

wisnupp
Level 7

Re: How to decrypt drive D on reimaged Windows

Hi whgibbo,

Thanks for your reply.

After testing I have learned that right after doing fresh Windows reinstall (not reinstall EEPC yet), I cannot immediately restore drive D even when I've saved the xml file (from EETech). This is NOT what I expected from the product's recovery methods.

I'm using EEAdmin 1.0.2.1, EE PC Software 1.0.2.6.

Will try another way and update the result.

Wisnu

Message was edited by: wisnupp on 9/12/11 7:25:11 AM CDT