A customer of ours uses McAfee Data Encryption/Endpoint Encryption. Due to a malware incident, the first sectors of the drive have been altered.
With the XML file that is used for EETech/DETech we are able to restore the original MBR (not the Windows one, but the McAfee MBR).
When trying to "Remove EE" in EETech I get the error "EE02000A chain sector invalid". Emergency Boot does not work either (BOOTMGR is missing).
My guess is that not only the MBR has been overwritten by the malware but also further sectors that are required for the McAfee DE/EE boot process?!
Is there anything I can do to decrypt the volume?
Online sources claim that 34 sectors including the MBR have been altered.
Is there any essential information stored in the first 33 sectors behind the MBR that is not recoverable (like the internal AES key in any form)?
Or can the sectors 2-34 (or the subset necessary for decryption) be restored having the XML which contains the EPE MBR?
I was able to recover data from non-encrypted volumes, but obviously I cannot "break" the McAfee Encryption.
You can try starting so-called manual decryption. Use the XML to authenticate and the code of the day to authorize. Go to "Disk Information" and write down the starting sector and the sector count for the encrypted partition, then go to Force Crypt Sectors and enter the same values and press Decrypt.
Note that it's recommended to do a sector by sector copy of the disk and work on the cloned one, not on the original HDD.
Let us know if this worked.
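For the sector-by-sector copy recommended in the reply above, the following is an added example (not part of the original posts and not a McAfee tool) of imaging the disk, zero-filling unreadable sectors so offsets stay aligned, and re-hashing the image before any decryption attempt is made on the copy. The 512-byte sector size, the function names and the Linux-style device path are assumptions.

```python
import hashlib
import os

SECTOR = 512            # assumed logical sector size
CHUNK = 2048 * SECTOR   # 1 MiB reads while the media reads cleanly

def _read_exact(src, offset, length):
    """Read exactly `length` bytes at `offset`, or raise OSError."""
    src.seek(offset)
    buf = bytearray()
    while len(buf) < length:
        part = src.read(length - len(buf))
        if not part:
            raise OSError("short read at offset %d" % offset)
        buf += part
    return bytes(buf)

def image_stream(src, dst, size):
    """Copy `size` bytes; return (sha256 hex of image, bad sector numbers)."""
    digest, bad = hashlib.sha256(), []
    for offset in range(0, size, CHUNK):
        want = min(CHUNK, size - offset)
        try:
            data = _read_exact(src, offset, want)
        except OSError:
            # Retry sector by sector so one bad sector costs 512 bytes, not 1 MiB.
            data = b""
            for pos in range(offset, offset + want, SECTOR):
                n = min(SECTOR, offset + want - pos)
                try:
                    data += _read_exact(src, pos, n)
                except OSError:
                    bad.append(pos // SECTOR)
                    data += b"\x00" * n   # keep offsets aligned with the source
        dst.write(data)
        digest.update(data)
    return digest.hexdigest(), bad

def clone_disk(src_path, dst_path):
    """Image a device or file, then re-read the image to confirm its hash."""
    with open(src_path, "rb", buffering=0) as src, open(dst_path, "wb") as dst:
        size = src.seek(0, os.SEEK_END)
        image_hash, bad = image_stream(src, dst, size)
    check = hashlib.sha256()
    with open(dst_path, "rb") as img:
        for block in iter(lambda: img.read(CHUNK), b""):
            check.update(block)
    return image_hash == check.hexdigest(), image_hash, bad
```

Call it as `clone_disk("/dev/sdX", "evidence.img")` with the source attached read-only, record the returned hash and bad-sector list, and run the Force Crypt Sectors attempt against a second copy of the image rather than the first.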