1 2 3 Previous Next 62 Replies Latest reply on Aug 18, 2010 12:24 AM by obelicks

    Stuck in recovery !!!

    rbdudani


      Hi Simon/Peter

       

      I am stuck at one recovery. Data is important that needs to be recovoered.

       

      Version 5.1.8
      [i know new version is released and I should upgrade to latest and we will upgrade soon. but here concern is Data recovery for particular this case. So i request you to suggest me in that way]

       


      Drive is full encrypted and machine was working fine till we got error "Operating system is missing" no PBA was there.

       


      So we have decided to Eboot system.

       

      Steps.
      1. we have authorised and authenticated with database
      2. tried to restore EEPC MBR

       

      it gives

       

      No Boot disk was not found
      0xe002001b

       


      Now tried to recover data through Wintech > Authorised > authenticated with DB

       

      But Drive letter is showing in A43 File Management utility but no Data.

       

      than tried to remove safeboot from wintech but giving same error.

       

      I thought its SATA drive problem so Cloned image to IDE drive and treid to recover data in Wintech but no luck.

       


      Now i think i have one option left is Force crypt sectors [decrypt sectors forcefully].... but here something is strange...

       

      My querry starts here (SEE Disk information.jpg)

       

      Steps:

       

      1. booted system with wintech > Authorised only not authenticated > Disk > Get Disk information
      [Got Disk information which is strange (see attached Disk information.jpg)
      It is showing all confidential information with even Key Check also.. should it show this confidential information ?? as I was not authenticated.. ? how ever this not my concert right now)..]
      2. than authenticated
      now I should force crypt sectors >decrpt...

       

       

       

       

      but just to confirm that SDB is valid or not I always decypt sector 63 and tried to read information "NTLDR is missing"
      I m also attaching Example of decrypted sector 63 for which i always look[see attached dectypted 63.jpg, attached image is example its not taken from this system.].

      but in this case i was not able to read this message. [see decrypted 63.dat  taken from original drive]

       

      Than I check Disk info again and saw Machine ID which is 0000451c (check in Disk information image)
      now in EEM Machines's ID is showing different 00000cae [check Image1] (How it is possible ? )

       

      Than I thought lets try with the machine which has 0000451c ID in EEM [how ever this is defferent machine and working] but i though this is the id showing in Wintech >disk inforamtion , So i should try and decrypt sector 63 even though i m not able to see that "NTLTD Missing message"

       


      Now sugguest me what sould i do ?

       

      also attaching encrypted sector 63, 2048 and decrypted 63, 2048. [note : I decrypted both sectors with 01HW209472.SDB file]

       

       

      Message was edited by: Ram Dudani on 8/6/10 1:58:59 AM CDT
        • 1. Re: Stuck in recovery !!!

          Disk information will be shown even you're NOT authorise so it's not an issue..

          It's only shown Information about Disk.

           

          The picture whosn machine id 0000451c so what sdb 00000cae for?

           

          When you run Wintech Authorize & Authenticate with the right key

          you SHOULD be able to view your C from A43 file managerment..

           

           

          Message was edited by: obelicks on 8/6/10 3:19:44 PM MYT
          • 2. Re: Stuck in recovery !!!

            You should always check machine ID from EEPC pre-boot. Cancel login, go to Options, Recovery. There will be info about database and machine ID's.

            That is the object ID you need to export from database to SDB and use it.

            I suggest that you get partition table information and see if it make sense for this drive. Crypt region and partition info do not match. Maybe wrong SDB was used. What OS is supposed to be on that disk anyways?

             

            Always use verified SDB (via workspace decrypt) when you run forced decryption.

            • 3. Re: Stuck in recovery !!!
              rbdudani


              You should always check machine ID from EEPC pre-boot. Cancel login, go to Options, Recovery. There will be info about database and machine ID's.

              That is the object ID you need to export from database to SDB and use it.

              Ans 1 : i know but No PBA is there.....

               

               

              I suggest that you get partition table information and see if it make sense for this drive. Crypt region and partition info do not match. Maybe wrong SDB was used. What OS is supposed to be on that disk anyways?

              Ans 2 : Same information is showing even i m not authenticated.... so no question of using  wrong SDB. OS was win XP

               

               

              Always use verified SDB (via workspace decrypt) when you run forced decryption.

              Ans 3: that is what i m asking i m not able to verify even though i m using correct SDB

              • 4. Re: Stuck in recovery !!!

                trust what wintech tells you - it's reading it off the hard disk, it can't be wrong.

                 

                as long as your sector decrypt test works, then you have the right SDB, so don't use force-decrypt, use the normal mode and just decrypt the region.

                 

                 

                Message was edited by: SafeBoot on 8/6/10 8:50:22 AM EDT
                • 5. Re: Stuck in recovery !!!
                  rbdudani

                  Thanks simon for reply.

                   

                  I m totaly agree with you on trusting wintech info and going with SDB file which has 0000451c ID in EEM (even though IT engineer is saying that this machine has different asset name on EEM 01HW209472=Machine ID 00000cae on EEM]

                   

                  My IT engineer is saying he has not tried to reinstall OS or any image... (right now i m going with his words and trusting that he had not done anything wrong)

                   

                  My Question is if in wintech Disk informaiton it is showing machine ID 0000451c than though this SDB (01HW178623.sdb [Machine ID 0000451c on EEM]) i should be able to decrypt the drive.

                   

                  but not able to see the data.

                   

                  and on remove EEPC from Safetech it is  giving error (e002007 error in reading disk sector)

                   

                  when i come to cryp list i m also confuse why it is showing that small range coz on EEM it is showing disk is fully encrypted.

                  • 6. Re: Stuck in recovery !!!

                    How big is the hard drive and which list do you consider "small"?

                    When you know disk physical size, you can asess if sector range makes sense or not. If any sector number goes beyound physical range, then is wrong, for sure. Then you get sector not found.

                    Another reason for sector not found is physical disk read error or specific hardware and BIOS setting that your WinTech/SafeTech is not compatible with.

                    I wouldn't do any decryption without disk raw image backup.

                    If you suspect disk physical errors, scan your disk.

                    • 7. Re: Stuck in recovery !!!
                      rbdudani

                      How big is the hard drive and which list do you consider "small"?

                      160 GB hard drive having one partition only. I m considering SMALL = Crypt list shown in Disk info.jpg

                       

                      When you know disk physical size, you can asess if sector range makes sense or not. If any sector number goes beyound physical range, then is wrong, for sure. Then you get sector not found.

                      Not applicable in this case

                       

                      Another reason for sector not found is physical disk read error or specific hardware and BIOS setting that your WinTech/SafeTech is not compatible with.

                      If sectors are not readable than how i m able to load sector information in workspace which i have attached in this discussion

                       

                      I wouldn't do any decryption without disk raw image backup.

                      I also do not, I have decrypted only cloned image.. see my post

                       

                      If you suspect disk physical errors, scan your disk.

                      Again not applicable physical errors. not even talking about physical disk error.

                       

                       

                      Message was edited by: Ram Dudani on 8/6/10 8:40:50 AM CDT
                      • 8. Re: Stuck in recovery !!!

                        How did you clone disks then? Were sizes of source and target disks the same?

                        What hardware are you using for recovery?

                         

                        Disk partition table shows first partition starting at sector 2048 (and also wrong OS type, if you had XP installed it should show sector 63 and NTFS).

                        So that is an indication that MBR partition table was played with and is not what it is suppose to be.

                         

                         

                        Message was edited by: peter_eepc on 8/6/10 9:53:51 AM EDT
                        1 of 1 people found this helpful
                        • 9. Re: Stuck in recovery !!!
                          rbdudani


                          How did you clone disks then? Were sizes of source and target disks the same?
                          Nortan Ghost. Both disk were same size. have attached both hdd on SATA on one desktop [discoonected original Dektop's drive at that time]


                          What hardware are you using for recovery?

                          now i have connected that cloned image on this laptop and removed original HDD. I m trying to recover data using laptop (Safetech and Wintech)

                           

                           

                          Disk partition table shows first partition starting at sector 2048 (and also wrong OS type, if you had XP installed it should show sector 63 and NTFS).

                          I agree with you. even i am also wondering on this. but case is like this > machine is on remote location and I have to depend on IT engineer over there.and have to trust what he is saying..


                          So that is an indication that MBR partition table was played with and is not what it is suppose to be.

                          I agree but have question over here. if you go with disk information it is showing one machine ID which is 0000451c. if i decrypt with that sdb file it should show at least some data. coz as per simon wintech is always showing correct data.

                          1 2 3 Previous Next