cancel
Showing results for 
Search instead for 
Did you mean: 
niallmca
Level 7

Detech decrypt for Mac OSX (encryption problem on Macbook Pro BootCamp partition)

Hi,

We have MacBook Pro with BootCamp (Windows) partition which has been encrypted (or maybe partially encrypted) by ePO.

The encryption seems to have failed.  The disk won't boot into Windows, and OSX can't mount the BootCamp partition.

The error at boot is:


McAfee Drive Encryption


Fatal Error: [0xEE020006] Getting disk info


With a HexViewer, I can see that the NTFS boot loader at the start of the partition has been overwritten.

The disk partition is not recognised or mountable by OSX.

Start of the partition:

Before:

00000000  eb 52 90 4e 54 46 53 20  20 20 20 00 02 08 00 00  |.R.NTFS    .....|
00000010  00 00 00 00 00 f8 00 00  3f 00 ff 00 00 e0 22 1d  |........?.....".|
00000020  00 00 00 00 80 00 80 00  ff 8f 1a 1d 00 00 00 00  |................|

After:

00000000  b5 f9 97 de 0f c4 0f a4  19 1c db a6 e6 76 b4 c6  |.............v..|
00000010  d7 9c 4e 05 e0 dd 5b b8  72 87 ef ae 24 31 d6 13  |..N...[.r...$1..|
00000020  5d 02 61 37 df e4 0f a2  68 ec 86 ef 1e a2 3a e3  |].a7....h.....:.|

I would like to try to decrypt this partition with Detech. First, I think we will need to replace the start of the

partition with the original NTFS boot loader - because OSX cannot mount the partition.


For Detech, we can download the Windows version from here, but the Mac OSX version isn't there. 

How could I get the Detech utility for OSX?

Thanks.

Best regards,

Niall.

0 Kudos
54 Replies
SafeBoot
Level 21

Re: Detech decrypt for Mac OSX (encryption problem on Macbook Pro BootCamp partition)

There is no DETech for OSX, because EEPC software encryption is only supported under Windows.

I'm not sure there is a solution for this - since EEPC is not supported on Mac hardware either. You could perhaps image the partition and then copy it onto a regular PC ?- Then you'll be able to use a DETech/EETech bootable version etc.

0 Kudos
exbrit
Level 21

Re: Detech decrypt for Mac OSX (encryption problem on Macbook Pro BootCamp partition)

Moved to Mac and Linux Products

----

Peter

Moderator

0 Kudos
niallmca
Level 7

Re: Detech decrypt for Mac OSX (encryption problem on Macbook Pro BootCamp partition)

SafeBoot wrote:

There is no DETech for OSX, because EEPC software encryption is only supported under Windows.

I'm not sure there is a solution for this - since EEPC is not supported on Mac hardware either. You could perhaps image the partition and then copy it onto a regular PC ?- Then you'll be able to use a DETech/EETech bootable version etc.

I guess we can remove this from the 'good ideas' list

0 Kudos
SafeBoot
Level 21

Re: Detech decrypt for Mac OSX (encryption problem on Macbook Pro BootCamp partition)

LOL maybe - certainly not with the imaging software you used anyway - it must have been relocating data.

Re: Detech decrypt for Mac OSX (encryption problem on Macbook Pro BootCamp partition)

niallmca/safeboot

I'm having a very similar issue.  Against policy and my better judgement, I had a couple of Macs that were bootcamped.  They too received Drive Encryption 7.1.3.590 and are inoperable at the moment.

1. In an HP laptop, the drive will boot to PBA and I can authenticate but Windows will start to complain and BSOD.  Same scenario in SafeMode.

2. Using DETech with the drive still in the HP laptop, I see the "Drive Encryption can not be detected" error which eliminates this tool pretty quickly.

3. Usine WinPETech with the drive still in the HP laptop, I can authorize and authenticate with no problem and even view disk information but when I attempt to remove Drive Encryption, I never have a status show up and we have let this sit for a while.

Another strange thing I've found is that in workspace, I get a memory error whenever I try to go to a specific sector.  Of course this happened to an executive, any advice could save my job!

Disk Crypt List:

     Crypt List Region Count: 1

     Crypt List Region 0 Start: 409640

     Crypt List Region 0 Count: 409600

Disk Partitions:

     Partition Count: 3

     Partition 0 Type:  Unknown (0xEE)

     Partition 0 Bootable:    False

     Partition 0 Recognized:  True

     Partition 0 Drive Letter: Unknown

     Partition 0 Start Sector: 1

     Partition 0 Sector Count: 409639

     Partition 0 Bus Type: Unknown

     Partition 1 Type: Unknown (0xAF)

     Partition 1 Bootable: False

     Partition 1 Recognized: True

     Partition 1 Drive Letter: Unknown

     Partition 1 Start Sector: 409640

     Partition 1 Sector Count: 730468736

     Partition 1 Bus Type: Unknown

     Partition 2 Type: NTFS (0x07)

     Partition 2 Bootable: True

     Partition 2 Recognized: True

     Partition 2 Drive Letter: C:

     Partition 2 Start Sector: 731142144

     Partition 2 Sector Count: 734005248

     Partition 2 Bus Type: Unknown

0 Kudos
SafeBoot
Level 21

Re: Detech decrypt for Mac OSX (encryption problem on Macbook Pro BootCamp partition)

The errors you're getting are expected.

All I can suggest is copy the data off the Windows partition, then reinstall it. We don't do any testing or development on Bootcamp, nor do we expect it to work.

0 Kudos

Re: Detech decrypt for Mac OSX (encryption problem on Macbook Pro BootCamp partition)

Startling revelation!  While encryption totally hosed the drive on the mac, the drive is fully intact AND unencrypted!  Just not bootable.  Before going through all of this trouble, plug the disk into another laptop as an external drive first!  Just saved myself so many headaches....so many......

Cheers!

0 Kudos
niallmca
Level 7

Re: Detech decrypt for Mac OSX (encryption problem on Macbook Pro BootCamp partition)

Many thanks for your response.

It has taken me a while, but I have imaged  the partition to a regular PC, and

then decrypted with EETech bootable version.

With HexEditor, I can see lots of data (strings, email text etc) on the

decrypted partition.

I then re-imaged this decrypted partition back to the Mac SSD. 

When I reboot, I get "Missing Operating System".

I noticed that the first sector on the original encrypted partition was not

actually encrypted(!).  This sector contains the "NTFS" oem id in the

first few bytes. So, I copied just this original first sector to my decrypted partition.

Note:  I can't tell for sure from which sector the encryption started.

Then when I reboot, I get " disk read error occurred. Press Ctrl+Alt +Del to restart."

Next I will try imaging the decrypted partition to a regular USB disk, and I will try

to repair it on a Windows PC (chkdsk, etc.).

If you can offer any insight, or any suggestions, that would be greatly appreciated.

Because I can see the user data on the decrypted partition, it seems tantalisingly close.

Thanks.

Best regards,

Niall

0 Kudos
SafeBoot
Level 21

Re: Detech decrypt for Mac OSX (encryption problem on Macbook Pro BootCamp partition)

If you think you decrypted the partition (unless you wrote down EXACTLY what you did, it's not really possible to offer any suggestions), then the only thing I can think of is to use a file recovery tool.

The last sector of a partition is a duplicate of the NTFS boot sector so you can always copy it back from there.

0 Kudos