5 Replies Latest reply on Mar 2, 2011 6:26 AM by TechSecurityNate

    Decrypt Partition

      Hi All

      Got a machine that had SB encryption on C: and D:

      To address an OS problem, the local Desktop reimaged the OS on the C: drive after moving the customer data to the D: Drive, and then reinstalled SafeBoot.

      I'm hoping to decrypt the D: drive using the old SDB file on the database for the original installation. Got the Partinfo for the machine and I'm concerned about the output:

      Error: Partition didn't end on cylinder boundary?

      ============================================================================

      Disk 0:  19457 Cylinders, 255 Heads, 63 Sectors/Track.

      BiosExtensions: 0x2100 Subsets (0x00000005): Access EDD
      The BIOS supports INT 13h extensions for this drive.

      ============================ Partition Tables ==============================

      Partition          -----Begin----      ------End-----     Start     Num

      Sector     # Boot   Cyl Head Sect  FS   Cyl Head Sect     Sect      Sects

      ---------- - ----  ---- ---- ----  --  ---- ---- ----  ---------- ----------

               0 0 80       0    1    1  07 [1023  254   63]         63  155653722 [Large Drive Placeholders]

                            0    1    1      9688  254   63                         Actual Values

               0 1 00   [1023    0    1] 0F [1023  254   63]  155653785  156906855 [Large Drive Placeholders]

                         9689    0    1     19455  254   63                         Actual Values

      155653785 0 00   [1023    1    1] 07 [1023  254   63]  155653848  156906792 [Large Drive Placeholders]

                         9689    1    1     19455  254   63                         Actual Values

      BiosExtensions: 0x2100 Subsets (0x00000005): Access EDD
      EGeo 0x0001 30592 16 32 15663104 0 512


      ============================================================================

      Disk 1:  974 Cylinders, 255 Heads, 63 Sectors/Track.

      BiosExtensions: 0x2100 Subsets (0x00000005): Access EDD
      The BIOS supports INT 13h extensions for this drive.

      ============================ Partition Tables ==============================

      Partition          -----Begin----      ------End-----     Start     Num

      Sector     # Boot   Cyl Head Sect  FS   Cyl Head Sect     Sect      Sects

      ---------- - ----  ---- ---- ----  --  ---- ---- ----  ---------- ----------

      Warning: The OS reported too few cylinders.  974 cylinders are present.

               0 0 80   [   0    1    1] 0C [ 973  254   63]         63   15663041 [Large Drive Placeholders]

                            0    1    1       974  250   44                         Actual Values

      Error #108: Partition didn't end on cylinder boundary.

        ucEndHead expected to be 254, not 250.

      Error #108: Partition didn't end on cylinder boundary.

        ucEndSector expected to be 63, not 44.


      ================================================================================ ==

      Disk 0:  152625.3 Megabytes

      ============================= Partition Information ==============================

      Volume        Partition                         Partition        Start     Total

      Letter:Label  Type            Status   Size MB  Sector     #     Sector    Sectors

      ------------- --------------- -------- -------- ---------- - ---------- ----------

                    NTFS            Pri,Boot  76002.8          0 0         63  155653722

                    ExtendedX       Pri       76614.7          0 1  155653785  156906855

                    EPBR            Log       76614.7       None -  155653785  156906855

                    QNX, UN*X       Log       76614.6  155653785 0  155653848  156906792

                    Unallocated     Pri           7.8       None -  312560640      16065

      ================================================================================ ==

      Disk 1:  7648.1 Megabytes

      ============================= Partition Information ==============================

      Volume        Partition                         Partition        Start     Total

      Letter:Label  Type            Status   Size MB  Sector     #     Sector    Sectors

      ------------- --------------- -------- -------- ---------- - ---------- ----------

      C:NO NAME     FAT32X          Pri,Boot   7648.0          0 0         63   15663041

      ========================================================================

      Boot Sector for drive *: Drive 1, Starting Sector: 63, Type: NTFS

      ========================================================================

      1. Jump:                    EB 52 90

      2. OEM Name:                NTFS   

      3. Bytes Per Sector:        512

      4. Sectors Per Cluster:     8

      5. Reserved Sectors:        0

      6. Number of FAT's:         0

      7. Root Dir Entries:        0

      8. Total Sectors:           0  (0x0)

      9. Media Descriptor:        0xF8

      10. Sectors Per FAT:        0

      11. Sectors Per Track:      63  (0x3F)

      12. Number of Heads:        255  (0xFF)

      13. Hidden Sectors:         63  (0x3F)

      14. Big Total Sectors:      0  (0x0)

      15. Unused:                 0x80 00 80 00

      16. Total NTFS Sectors:     155653721  (0x9471659)

      17. MFT Start Cluster:      786432  (0xC0000)

      18. MFT Mirror Start Clust: 9728357  (0x947165)

      19. Clusters per FRS:       246

      20. Size per Index Buffer: 1

      21. Serial Number:          0xFE14C56014C51C91

      22. Checksum:               0x00000000

      23. Boot Signature:         0xAA55

      ========================================================================

      Boot Sector for drive C: Drive 2, Starting Sector: 63, Type: FAT32

      ========================================================================

      1. Jump:                    EB 58 90

      2. OEM Name:                MSDOS5.0

      3. Bytes Per Sector:        512

      4. Sectors Per Cluster:     8

      5. Reserved Sectors:        34

      6. Number of FAT's:         2

      7. Reserved:                0x0000

      8. Reserved:                0x0000

      9. Media Descriptor:        0xF8

      10. Sectors Per FAT:        0

      11. Sectors Per Track:      63  (0x3F)

      12. Number of Heads:        255  (0xFF)

      13. Hidden Sectors:         63  (0x3F)

      14. Big Total Sectors:      15663041  (0xEEFFC1)

      15. Big Sectors Per FAT:    15267

      16. Extended Flags:         0x0000

      17. FS Version:             0

      18. First Cluster of Root:  2 (0x2)

      19. FS Info Sector:         1

      20. Backup Boot Sector:     6

      21. Reserved:               0x00 00 00 00 00 00 00 00 00 00 00 00

      22. Drive ID:               0x80

      23. Reserved for NT:        0x00

      24. Extended Boot Sig:      0x29

      25. Serial Number:          0x32710D1E

      26. Volume Name:            NO NAME   

      27. File System Type:       FAT32  

      28. Boot Signature:         0xAA55

        • 1. Decrypt Partition
          TechSecurityNate

          The reports you have do not look familiar to me.  What version of EEPC are you using?  First lesson I would suggest is to never reimage before decryption.

          That said, in theory I believe you would want to boot to a Wintech disc and authenticate using the machine key for the original installation.  At that point, you may be able to view and copy the data off to an external device and reformat the partition.  If you cannot access the data, you will most likely have to do a Force Decrypt, assuming you are at least able to get the start and count info for the partition.

          I've had to do this many times, but never in your scenario of total replacement of the SBFS used to encrypt the drive.  We have seen issues with it being corrupted and not reading the SBFS which prevented recovery.  I fear you may be in the same situation.

          • 2. Decrypt Partition

            Actually it's v4, so my only recovery option is SafeTech via Floppy. Sorry, should've mentioned that.

            The info you see is generated from PartInfo.exe which I've successfully used in the past in situations like this to determine the sector start and end for the partition I wish to decrypt using another SDB file. Trouble is, the output of Partinfo for this particular machine leaves me bewildered.

            None of the partitions even look encrypted to me as the serial number and volume name are readable in plain text.


            Just to recap:

            1) Machine had C: and D: encrypted.

            2) Local desktop moved all customer data to D: and then reimaged the OS on C: (yes, I know...)

            3) Local Desktop then reinstalled SB on C: (with NO encryption configuration applied luckily)

            4) Therefore information on D: should still be encrypted with old key from old install and therefore recoverable if I can determine the sector range.

            • 3. Decrypt Partition

              Just been advised by Local Desktop that that output is not from PartInfo.exe! I wondered why the layout seemed so unfamiliar.  Apparently it's Western Digital DLG software. I've asked them to try PartInfo again and then hopefully one of you kind souls will be able to decipher the Sector range I need to decrypt.

              • 4. Re: Decrypt Partition

                Ok. Here's the Partinfo. Clearly we have a single disc with a C: and D: Partition. The C: Partition contains a newly installed OS and the original SB install has been removed from that partition (and reinstalled, although no encryption applied).


                The D: Partition is still encrypted by the installation of SafeBoot which was removed from the C: Partition. So....I will attempt a manual Sector decrypt of the D: Partition using the old SDB file. I have just one question. What is the sector range to decrypt? One assumes it's 155653848 -  312560640

                PARTINFO 1.10
                Copyright (c) 1996-2006 TeraByte, Inc.  All rights reserved.

                Run date: 03/02/2011 13:35

                ====================================================================
                           MBR Partition Information (HD0 - 0x0324776B)
                                         (CHS: 973/254/63)
                +====+====+=============+====+=============+===========+===========+
                | 0: | 80 |    0   1  1 |  c |  973 254 63 |        63 |  15663041 |
                | 1: |  0 |    0   0  0 |  0 |    0   0  0 |         0 |         0 |
                | 2: |  0 |    0   0  0 |  0 |    0   0  0 |         0 |         0 |
                | 3: |  0 |    0   0  0 |  0 |    0   0  0 |         0 |         0 |
                +====+====+=============+====+=============+===========+===========+
                                           BOOT SECTOR INFORMATION
                -------------------------------------------------------------------------------
                File System ID: 0xC   LBA: 63  Total Sectors: 15663041   ID: 0x1
                                          Jump: EB 58 90 (EB 58 90)
                                      OEM Name: MSDOS5.0 (MSDOS5.0)
                                 Bytes Per Sec: 512 (512)
                                 Sec Per Clust: 8 (8)
                                   Res Sectors: 34 (34)
                                      Num FATs: 2 (2)
                                 Root Dir Ents: 0 (0)
                                       Sectors: 0 (0)
                                         Media: 0xF8 (0xF8)
                                  Secs Per FAT: 0 (0)
                                 Sec Per Track: 63 (63)
                                         Heads: 255 (255)
                                   Hidden Secs: 63 (63)
                                  Huge Sectors: 15663041 (15663041)
                             Huge Secs Per FAT: 15267 (15267)
                                         Flags: 0x0 (0x0)
                                       Version: 0 (0)
                                Root Dir Clust: 2 (2)
                                   FS Info Sec: 1 (1)
                                   FS Bkup Sec: 6 (6)
                                      Reserved:  0  0  0  0  0  0
                                     Drive Num: 0x80 (0x0)
                                           Res: 0x1 (0x0)
                                      Boot Sig: 0x29 (0x29)
                                        Vol ID: 0x7867E70C (0x7867E70C)
                                  Volume Label: NO NAME     (NO NAME    )
                                       FS Type: FAT32    (FAT32   )
                                     Boot Flag: 0xAA55 (0xAA55)
                -------------------------------------------------------------------------------
                ====================================================================
                           MBR Partition Information (HD1 - 0xA42D04A3)
                                         (CHS: 1023/254/63)
                +====+====+=============+====+=============+===========+===========+
                | 0: | 80 |    0   1  1 |  7 | 1023 254 63 |        63 | 155653722 |
                | 1: |  0 | 1023   0  1 |  f | 1023 254 63 | 155653785 | 156906855 |
                +====+====+=============+====+=============+===========+===========+
                                         Volume Information
                +----+----+-------------+----+-------------+-----------+-----------+
                | 0: |  0 | 1023   1  1 |  7 | 1023 254 63 |        63 | 156906792 |
                | 1: |  0 |    0   0  0 |  0 |    0   0  0 |         0 |         0 |
                | 2: |  0 |    0   0  0 |  0 |    0   0  0 |         0 |         0 |
                | 3: |  0 |    0   0  0 |  0 |    0   0  0 |         0 |         0 |
                            MBR Partition Information (HD1) Continued:
                +====+====+=============+====+=============+===========+===========+
                | 2: |  0 |    0   0  0 |  0 |    0   0  0 |         0 |         0 |
                | 3: |  0 |    0   0  0 |  0 |    0   0  0 |         0 |         0 |
                +====+====+=============+====+=============+===========+===========+
                                           BOOT SECTOR INFORMATION
                -------------------------------------------------------------------------------
                File System ID: 0x7   LBA: 63  Total Sectors: 155653722   ID: 0x1
                                          Jump: EB 52 90
                                      OEM Name: NTFS   
                                 Bytes Per Sec: 512
                                 Sec Per Clust: 8
                                   Res Sectors: 0
                                        Zero 1: 0x0
                                        Zero 2: 0x0
                                          NA 1: 0x0
                                         Media: 0xF8
                                        Zero 3: 0x0
                                 Sec Per Track: 63
                                         Heads: 255
                                   Hidden Secs: 63
                                          NA 2: 0x0
                                          NA 3: 0x800080
                                 Total Sectors: 0x09471659
                                       MFT LCN: 0x0C0000
                                  MFT Mirr LCN: 0x0947165
                                 Clust Per FRS: 0xF6
                              Clust Per IBlock: 0x1
                                     Volume SN: 0xFE14C56014C51C91
                                      Checksum: 0x0
                                     Boot Flag: 0xAA55
                -------------------------------------------------------------------------------
                File System ID: 0x7   LBA: 155653848  Total Sectors: 156906792
                                          Jump: 8C 31 2D
                                      OEM Name: †áˆvé …Ð
                                 Bytes Per Sec: 29244
                                 Sec Per Clust: 218
                                   Res Sectors: 4892
                                      Num FATs: 226
                                 Root Dir Ents: 41793
                                       Sectors: 25364
                                         Media: 0xF
                                  Secs Per FAT: 62635
                                 Sec Per Track: 50555
                                         Heads: 55425
                                   Hidden Secs: 1412520014
                                  Huge Sectors: 2339004613
                                     Drive Num: 0x4A
                                           Res: 0x96
                                           Sig: 0x4D
                                        Vol ID: 0xAAA681C3
                                  Volume Label: M+l<£|T¬æ t
                                       FS Type:  kh` ó ]
                                     Boot Flag: 0x5750
                -------------------------------------------------------------------------------

                Message was edited by: Odgeuk on 02/03/11 03:00:24 CST
                • 5. Re: Decrypt Partition
                  TechSecurityNate

                  Again, I'm not familiar with v4, as we've only used v5 and the Wintech CD.  Inside Wintech, I would expect to get information similar to this line from your report.

                  | 1: |  0 | 1023   0  1 |  f | 1023 254 63 | 155653785 | 156906855 |

                  Then when decrypting, I would provide the Start, which is 155653785, and the count which is 156906855.  However, if you expect to know the First and Last then the Last would be 312560639.

                  I would say that the OEM Name of the D:\ drive being scrambled is a good indicator that it's encrypted.  The LBA seems to be exactly 63 sectors higher than my suggested Start, while the total is exactly 63 sectors less, resulting in the same ending sector.  It's as if the report is reserving the first 63 sectors as if it's a bootable partition, which it is not.

                  I would suggest that if you can decrypt the drive and recover your files, you should then fully reimage the drive to get things back to normal.
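The sector arithmetic in replies 4 and 5 (Start + Count - 1 = Last, and the 63-sector gap between the extended container at 155653785 and the logical NTFS volume at 155653848) can be checked mechanically from the partition tables themselves. The script below is an added example and is not code from the thread, from McAfee/SafeBoot or from TeraByte's PartInfo. It builds a constructed MBR and extended boot record (EBR) from the HD1 numbers quoted above (CHS fields zeroed), walks the extended-partition chain using the standard MBR convention (EBR entry 0 is relative to the EBR sector, EBR entry 1 is relative to the outer extended partition), and runs a plausibility check on a boot sector of the kind that would flag the scrambled OEM name and nonsensical bytes-per-sector seen at LBA 155653848. The "scrambled" boot sector is a constructed stand-in, not the bytes from the page, and the plausibility test is a heuristic assumption: a volume that fails it may be encrypted, damaged, or simply not FAT/NTFS.

```python
import struct

SECTOR = 512
ENTRY_FMT = "<B3sB3sII"   # boot flag, CHS start, type, CHS end, LBA start, sector count


def _entry(boot, ptype, lba_start, count):
    """Build one 16-byte partition entry (constructed data; CHS fields left zero)."""
    return struct.pack(ENTRY_FMT, boot, b"\0\0\0", ptype, b"\0\0\0", lba_start, count)


def _table(entries):
    """Wrap up to four entries in a 512-byte sector with the table at 446 and 0xAA55 at 510."""
    body = b"".join(entries) + b"\0" * 16 * (4 - len(entries))
    return b"\0" * 446 + body + b"\x55\xaa"


def parse_table(sector):
    """Return the four (boot, type, lba_start, count) tuples of an MBR or EBR sector."""
    if sector[510:512] != b"\x55\xaa":
        raise ValueError("missing 0xAA55 boot signature")
    out = []
    for i in range(4):
        off = 446 + 16 * i
        boot, _, ptype, _, start, count = struct.unpack(ENTRY_FMT, sector[off:off + 16])
        out.append((boot, ptype, start, count))
    return out


def partition_ranges(read_sector):
    """Walk the MBR plus any EBR chain; return (type, start, count, last) with absolute LBAs."""
    ranges = []
    for _boot, ptype, start, count in parse_table(read_sector(0)):
        if ptype == 0:
            continue
        ranges.append((ptype, start, count, start + count - 1))
        if ptype in (0x05, 0x0F):          # extended container: follow the EBR links
            ext_base, ebr_lba, seen = start, start, set()
            while ebr_lba and ebr_lba not in seen:
                seen.add(ebr_lba)
                entries = parse_table(read_sector(ebr_lba))
                _, ltype, lstart, lcount = entries[0]   # logical volume, relative to this EBR
                if ltype:
                    abs_start = ebr_lba + lstart
                    ranges.append((ltype, abs_start, lcount, abs_start + lcount - 1))
                _, ntype, nstart, _ = entries[1]        # next EBR, relative to the container
                ebr_lba = ext_base + nstart if ntype else 0
    return ranges


def boot_sector_plausible(bs):
    """Heuristic: printable OEM name, sane sector/cluster sizes, and a boot signature."""
    oem = bs[3:11]
    bytes_per_sec = struct.unpack_from("<H", bs, 11)[0]
    sec_per_clust = bs[13]
    return (all(32 <= c < 127 for c in oem)
            and bytes_per_sec in (512, 1024, 2048, 4096)
            and sec_per_clust != 0 and sec_per_clust & (sec_per_clust - 1) == 0
            and bs[510:512] == b"\x55\xaa")


def make_ntfs_boot():
    """Constructed minimal NTFS boot sector matching the readable C: values in the report."""
    bs = bytearray(SECTOR)
    bs[0:3] = b"\xEB\x52\x90"
    bs[3:11] = b"NTFS    "
    struct.pack_into("<HB", bs, 11, 512, 8)
    bs[510:512] = b"\x55\xaa"
    return bytes(bs)


# Constructed sector map for HD1 using the LBA/count figures quoted in the thread.
DISK = {
    0: _table([_entry(0x80, 0x07, 63, 155653722),
               _entry(0x00, 0x0F, 155653785, 156906855)]),
    155653785: _table([_entry(0x00, 0x07, 63, 156906792)]),   # EBR: logical volume at +63
}
# Stand-in for an unreadable (e.g. encrypted) boot sector; deterministic, not real ciphertext.
SCRAMBLED_BOOT = bytes((i * 73 + 17) % 256 for i in range(SECTOR))


def read_sector(lba):
    return DISK.get(lba, b"\0" * SECTOR)


if __name__ == "__main__":
    for ptype, start, count, last in partition_ranges(read_sector):
        print(f"type 0x{ptype:02X}: start {start:>10} count {count:>10} last {last:>10}")
    print("readable NTFS boot sector plausible:", boot_sector_plausible(make_ntfs_boot()))
    print("scrambled boot sector plausible:   ", boot_sector_plausible(SCRAMBLED_BOOT))
```

Running it lists the primary NTFS volume ending at 155653784, the 0x0F extended container ending at 312560639, and the logical volume starting 63 sectors later at 155653848 and also ending at 312560639, which is exactly the relationship described in reply 5. Whether a force decrypt should be fed the container range or the logical volume range is a question for the SafeBoot tooling and the original encryption configuration; the walk only tells you which ranges exist.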