1 2 3 4 Previous Next 31 Replies Latest reply on Aug 11, 2010 10:01 PM by obelicks

    Solved: Any tools to recover encrypted partition list?

      Hi all,

       

      Let me explain the issue first..

      We're using MEE version 5.2.4

       

      A hardisk with partition (C, D, E) was installed with MEE and then the OS was broken.

      End user sent to Site IT without telling it was encrypted with MEE and removed it first.

       

      So Site It ghost back C, (technically we knew that ghosting doesn't fix the SBR only restore partiton)

      So OS still can't be boot

       

      So he then format C: and install new OS

       

      New OS boot fine HOWEVER D & E is encrypted so he can't read it..

       

      He contact McAfee Support

       

      McAfee support ask him to use wintech/safetech to removed eepc

      - of course this option failed because the SBR has been replace with new MBR by the new OS installation.

       

      if failed McAfee Support also ask him to cryp or force crypt (dangerous tools to play)

      - he can't used crypt because the new MBR doesn't contain encryption information

      - he tried force Crypt "decrypt"instead and sucessfully

      Because he inexperiance Site It never do force crypt before and without he just click by default sector is 0 and count is 1

      So he actualy mess up the new MBR disk sector 0 and now making worse the disk information mess up..and OS can't be boot..

      When using safetech/wintech disk information is not present... For whatever reason he try to reverse back by force crypt and encrypt but not work..

       

      So my question Is there a way to recover this Encrypted Partition list? and fix the disk information?

      Using testdisk http://www.cgsecurity.org/wiki/TestDisk can only recover C: ntfs not D & E

       

      Technically we need to recover D & E and get the partition information on sector do do sector by sector decryption.

       

       

      -------------------------------------------------------------------------------- -------------------------------------------------------------------------------- ---------------------------------------------------------------------

       

      This consider SOLVED

       

      Update Note:  This steps ONLY work with one partition unencrypted in this case C: partition was formated.

       

      Solution Steps is :

       

      1) Recover MBR partition C: with testdisk (D & E) still encrypted so it won'r be shown only 1 ntfs partition will be shown, lets save and fix the mbr first then reboot.

      2) Boot with wintech again and used partinfo to check on unallocated partition (which contain D & E)  we need to sector start & Tortal Sector for this unallocated partitoon - Thanks Ram Dudani for tool info

      3) After get the sector info Run Wintech - authorize & Authenticate with SDB file and launch force crypt, From Information from PartInfo we put Sector Start & Sector Count/Total Sector  to the box and press "Decrypt"

      4) Decryption will take a while make sure power cable is on

      5)  after finish reboot and then run testdisk again, Now since the  allocated space is decypted partition D & E will be seen by testdisk

      6) Write partition D & E to the disk..

      7) Reboot and boot up the machine..

       

      For hardisk with full encrypted partition C,D,E  (note: i've not test Gparted with above issue c formated maybe also work..)

       

      1) Boot and launch gparted,

      2) Run Gparted - Select unallocated disk | View | device information (get the total sector information), reboot and boot with Wintech CD

      3) Run Wintech - authorize &  Authenticate with SDB file and launch force crypt, From Information from  PartInfo we put start sector in this case is 63 & Sector Count/Total Sector  to the box and press "Decrypt"

      4) Decryption will take a while make sure power cable is on

      5)   after finish reboot and then run testdisk again, Now since the   allocated space is decypted partition D & E will be seen by testdisk

      6) Write partition D & E to the disk..

      7) Reboot and boot up the machine..

       

      Tools Used:

      McAfee Wintech http://www.mcafee.com

      GParted http://gparted.sourceforge.net

      Testdisk http://www.cgsecurity.org/wiki/TestDisk

      Partinfo ftp://ftp.symantec.com/public/english_us_canada/tools/pq/utilities/PartIn9x.zip

       

       

      Message was edited by: obelicks : update on all partition encrypted.  on 8/12/10 10:58:35 AM MYT
        1 2 3 4 Previous Next