22 Replies Latest reply on Dec 21, 2010 10:50 AM by SafeBoot

    Decrypting a Disk when OS Rebuilt

      Hi all,

       

      I have a case where a machine had SB v4 installed on the C: Partition with encryption applied to the D: Partition (I have not yet ascertained if the D: Drive is an actual separate HDD or just a partition on the same Local Disc).

       

      Anyhow. Because of an OS corruption, the Desktop team rebuilt the OS partition, leaving D: still encrypted. And then reinstalled a fresh install of SafeBoot v4 on that C: Partition.

       

      Will it be possible to use the SDB file for the old install, and SafeTech, to decrypt D: ? We did attempt it but SafeTech recognised that the SDB file was for another install and we decided not to continue.

       

      Any suggestions?

        • 1. Re: Decrypting a Disk when OS Rebuilt

          SafeTech is looking at the install on C:, so it's correct - the key is wrong, but you knew that already

           

          Yes, what you are suggesting will work - you need to decrypt the 2nd drive (or partition) with the old key. You should be able to get the partition range from partinfo (or an EEPC5 Wintech etc), then you can get SafeTech to decrypt it.

           

          Write down everything you do so you can unwind if needed, and once finished, take a look at the first and last sector of the partition to make sure they are indeed in plain text - they should both be NTFS partition markers.

           

          good luck!

          • 2. Re: Decrypting a Disk when OS Rebuilt

            Thanks. I wonder if you could elaborate a bit. I have used SafeTech on many many occasions but have only ever used "Emergency Boot" and "Remove SafeBoot". Looking at partition information and decrypting from a particular sector I have not tried before.

             

            Please be aware this is v4.2.15 so I assume Wintech options no good?

            • 3. Re: Decrypting a Disk when OS Rebuilt

              You're probably better off letting your company EEPC expert handle this then - your version is not supported by McAfee any more, but the process is similar across all versions.

              • 4. Re: Decrypting a Disk when OS Rebuilt

                Well...that would be me...

                 

                I have the Tools folder and Engineer Utilities from v4.2.15 but no documentation on Partinfo.exe

                • 6. Re: Decrypting a Disk when OS Rebuilt

                  This is the Part info from the machine. Would appreciate some guidance on what this tells me with regard to decrypting the D: Drive. Desktop support tell me that the C: partition has the OS on it which was re-installed and SB reinstalled on that (although with no encryption set at this stage I believe).

                   


                  PARTINFO 1.10
                  Copyright (c) 1996-2006 TeraByte, Inc.  All rights reserved.

                  Run date: 12/20/2010 16:12

                  ====================================================================
                             MBR Partition Information (HD0 - 0xA42D04A3)
                                           (CHS: 1022/254/63)
                  +====+====+=============+====+=============+===========+===========+
                  | 0: |  0 |    0   1  1 | de |   17 254 63 |        63 |    289107 |
                  | 1: | 80 |   18   0  1 |  7 | 1023 254 63 |    289170 | 156248190 |
                  | 2: |  0 | 1023 254 63 |  f | 1023 254 63 | 156537360 | 156039345 |
                  +====+====+=============+====+=============+===========+===========+
                                           Volume Information
                  +----+----+-------------+----+-------------+-----------+-----------+
                  | 0: |  0 | 1023 254 63 |  7 | 1023 254 63 |     16065 | 156023280 |
                  | 1: |  0 |    0   0  0 |  0 |    0   0  0 |         0 |         0 |
                  | 2: |  0 |    0   0  0 |  0 |    0   0  0 |         0 |         0 |
                  | 3: |  0 |    0   0  0 |  0 |    0   0  0 |         0 |         0 |
                              MBR Partition Information (HD0) Continued:
                  +====+====+=============+====+=============+===========+===========+
                  | 3: |  0 |    0   0  0 |  0 |    0   0  0 |         0 |         0 |
                  +====+====+=============+====+=============+===========+===========+
                                             BOOT SECTOR INFORMATION
                  -------------------------------------------------------------------------------
                  File System ID: 0x7   LBA: 289170  Total Sectors: 156248190   ID: 0x2
                                            Jump: EB 52 90
                                        OEM Name: NTFS   
                                   Bytes Per Sec: 512
                                   Sec Per Clust: 8
                                     Res Sectors: 0
                                          Zero 1: 0x0
                                          Zero 2: 0x0
                                            NA 1: 0x0
                                           Media: 0xF8
                                          Zero 3: 0x0
                                   Sec Per Track: 63
                                           Heads: 255
                                     Hidden Secs: 289170
                                            NA 2: 0x0
                                            NA 3: 0x800080
                                   Total Sectors: 0x0950287D
                                         MFT LCN: 0x0C0000
                                    MFT Mirr LCN: 0x0950287
                                   Clust Per FRS: 0xF6
                                Clust Per IBlock: 0x1
                                       Volume SN: 0x3A00F248F20B21
                                        Checksum: 0x0
                                       Boot Flag: 0xAA55
                  -------------------------------------------------------------------------------
                  File System ID: 0x7   LBA: 156553425  Total Sectors: 156023280
                                            Jump: 69 17 83
                                        OEM Name: Â5z´È¤«ª
                                   Bytes Per Sec: 7504
                                   Sec Per Clust: 69
                                     Res Sectors: 2977
                                        Num FATs: 46
                                   Root Dir Ents: 30979
                                         Sectors: 15661
                                           Media: 0xE9
                                    Secs Per FAT: 19083
                                   Sec Per Track: 34455
                                           Heads: 25132
                                     Hidden Secs: 2643917690
                                    Huge Sectors: 1340537196
                                       Drive Num: 0x19
                                             Res: 0x78
                                             Sig: 0xB0
                                          Vol ID: 0xFEAD1697
                                    Volume Label: Fc8^ >yŸV˲
                                         FS Type: É‚á –ºÈ–
                                       Boot Flag: 0xEF54
                  -------------------------------------------------------------------------------

                  • 7. Re: Decrypting a Disk when OS Rebuilt
                    rbdudani

                    Hi,

                     

                    Make a clone image of the HDD (sector by sector) and force decrypt the range below:

                     

                    Start Sector: 156553425

                    Sector count: 156023280

                    • 8. Re: Decrypting a Disk when OS Rebuilt

                      Thanks Ram,

                       

                      I'm just testing this now on a SafeBooted Test machine which has its only local drive (C:) encrypted. This is the PartInfo from that machine:

                       


                      PARTINFO 1.10
                      Copyright (c) 1996-2006 TeraByte, Inc.  All rights reserved.

                      Run date: 12/21/2010 8:37

                      ====================================================================
                                 MBR Partition Information (HD0 - 0x767624D6)
                                               (CHS: 1021/239/63)
                      +====+====+=============+====+=============+===========+===========+
                      | 0: | 80 |    0   1  1 |  7 | 1023 239 63 |        63 | 135777537 |
                      | 1: |  0 | 1023 239 63 |  7 | 1023 239 63 | 135777600 |  20487600 |
                      | 2: |  0 |    0   0  0 |  0 |    0   0  0 |         0 |         0 |
                      | 3: |  0 |    0   0  0 |  0 |    0   0  0 |         0 |         0 |
                      +====+====+=============+====+=============+===========+===========+
                                                 BOOT SECTOR INFORMATION
                      -------------------------------------------------------------------------------
                      File System ID: 0x7   LBA: 63  Total Sectors: 135777537   ID: 0x1
                                                Jump: 8C 50 18
                                            OEM Name:  ¤dBtÇy§
                                       Bytes Per Sec: 1895
                                       Sec Per Clust: 179
                                         Res Sectors: 36596
                                            Num FATs: 29
                                       Root Dir Ents: 62700
                                             Sectors: 19423
                                               Media: 0x75
                                        Secs Per FAT: 35661
                                       Sec Per Track: 57626
                                               Heads: 26892
                                         Hidden Secs: 3391631844
                                        Huge Sectors: 2570734437
                                           Drive Num: 0xF0
                                                 Res: 0x4A
                                                 Sig: 0x5B
                                              Vol ID: 0x48D712C7
                                        Volume Label: %gÆ‘K‹¬%ÞcÔ
                                             FS Type: :J‡:k»F<
                                           Boot Flag: 0x5205
                      -------------------------------------------------------------------------------
                      File System ID: 0x7   LBA: 135777600  Total Sectors: 20487600   ID: 0x2
                                                Jump: EB 52 90
                                            OEM Name: NTFS   
                                       Bytes Per Sec: 512
                                       Sec Per Clust: 8
                                         Res Sectors: 0
                                              Zero 1: 0x0
                                              Zero 2: 0x0
                                                NA 1: 0x0
                                               Media: 0xF8
                                              Zero 3: 0x0
                                       Sec Per Track: 63
                                               Heads: 240
                                         Hidden Secs: 135777600
                                                NA 2: 0x0
                                                NA 3: 0x800080
                                       Total Sectors: 0x01389DAF
                                             MFT LCN: 0x0C0000
                                        MFT Mirr LCN: 0x01389DA
                                       Clust Per FRS: 0xF6
                                    Clust Per IBlock: 0x1
                                           Volume SN: 0xB8BC2E7BBC2E33F2
                                            Checksum: 0x0
                                           Boot Flag: 0xAA55
                      -------------------------------------------------------------------------------

                       

                       

                      I'm using v4 Safetech and after loading the key for decryption I have then selected:

                       

                      Hard Disk Functions > Decrypt Sectors. Is this correct?

                       

                      It then says "Enter a Range to decrypt". So I entered just "135777600" and it asked to confirm that I just wanted to decrypt a single 512k sector starting at that address.

                       

                      It looks like I have to put the range in from start sector to end sector. How do I calculate the sector range in this instance? I have tried entering "135777600 156265200" but it says "Bad Sector Range". Obviously I need to understand what it is looking for here.

                       

                      Interesting looking at some of the other functions I've not used before. I was able to use the workspace option to open the sector where the C: Drive partition starts and you can see the word "NTFS" on the first line. I guess this is the "NTFS" marker that Simon mentioned in the earlier post?

                       

                      Thanks

                      • 9. Re: Decrypting a Disk when OS Rebuilt
                        rbdudani

                        Hi

                         

                        Really not sure what you want to do?

                         

                        If PBA is there and you are not getting any error you can simply remove SafeBoot. You do not have to always force decrypt sectors.

                         

                        and in your last post the part info is showing you have an 80 GB HDD which has two partitions: 70 GB which is encrypted and 10 GB which is in plain text

                         

                        and I guess you are trying to decrypt sectors which are already in plain text... coz you are trying 135777600 from here ....

                         

                        and if you want to decrypt only 1 sector then enter the information below

                         

                        For example:

                         

                         

                        start Sector : 63

                        Sector count : 1

                         

                        and decrypt

                         

                        You can test this in workspace.... when you decrypt this sector you can read a message like "NTLDR is missing"

                         

                         

                        Message was edited by: Ram Dudani on 12/21/10 4:14:08 AM CST
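
Added example, not part of the thread and not SafeTech or PARTINFO code: Python that derives the start sector, sector count and last sector from the PARTINFO rows quoted above (the volume row inside the type 0xf extended partition is relative to its container), and checks the first and last sector of a range in a sector-by-sector clone for plaintext NTFS boot markers. The function names and the small in-memory image are constructed for illustration.

```python
import io

SECTOR = 512  # "Bytes Per Sec" reported by PARTINFO for the plaintext volumes

def sector_range(start_lba, count, container_lba=0):
    """Return (first, count, last) absolute LBAs for one partition-table row.

    A row inside an extended partition stores its start relative to the
    table that holds it, so the container's start LBA is added.
    """
    first = container_lba + start_lba
    return first, count, first + count - 1

def looks_like_ntfs_boot(sector):
    """True when a sector shows the plaintext NTFS OEM name and boot flag."""
    return (len(sector) == SECTOR
            and sector[3:11] == b"NTFS    "
            and sector[510:512] == b"\x55\xaa")  # 0xAA55 stored little-endian

def check_range(image, first, last):
    """Inspect the first and last sector of a range in a clone image."""
    result = {}
    for name, lba in (("first", first), ("last", last)):
        image.seek(lba * SECTOR)
        result[name] = looks_like_ntfs_boot(image.read(SECTOR))
    return result

def build_demo_image():
    """Constructed 16-sector image: NTFS boot sector at LBA 4, backup at LBA 11."""
    boot = bytearray(SECTOR)
    boot[0:3], boot[3:11], boot[510:512] = b"\xeb\x52\x90", b"NTFS    ", b"\x55\xaa"
    noise = bytes((i * 37 + 11) % 256 for i in range(SECTOR))  # stands in for ciphertext
    sectors = [noise] * 16
    sectors[4] = sectors[11] = bytes(boot)
    return io.BytesIO(b"".join(sectors))

if __name__ == "__main__":
    # Rows copied from the two PARTINFO listings in the thread.
    print(sector_range(16065, 156023280, container_lba=156537360))  # logical volume in type 0xf partition
    print(sector_range(135777600, 20487600))                        # second partition on the test machine
    img = build_demo_image()
    print(check_range(img, 4, 11))   # plaintext range
    print(check_range(img, 0, 3))    # range that still looks encrypted
```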