If the disk was not encrypted, just do a fixmbr from a normal Windows rescue CD and that will flush out the MBR.
What does EEM say about this machine? Any encryption set?
Thanks for your fast answer...
FIXMBR wouldn't help either because, even when I DON'T authenticate and try to access the hard disk, I get the error that it's not formatted!
How do I check with EEM if an encryption is set?
Find the machine in EEM, and look at its properties.
Not knowing what the user did to get into this problem in the first place makes it hard to fix. If you can read the partition boot sector (are you sure it's sector 63?) that would indicate there's no encryption.
So, how did they get into the position that the drive reported full encryption, yet the first sector of the partition is not encrypted? The most obvious explanation is someone tried to reinstall the OS.
I think you need to get to the truth from your user before proceeding.
The user also works in IT, so I don't think that he just tried to reinstall Windows... He said that Internet Explorer was really slow, so he restarted the computer and got this error. He installed nothing; he was just working as usual (editing Excel files and other standard stuff). So you think there is no way to rescue the data?
I think it's very likely possible to rescue the data - you just have to find it, work out if it's encrypted or not, and if it is, decrypt it with the right key.
Did you look deeper into the drive - sector 64, 65 onwards etc?
Here are some pictures:
Sector 63 - Without Authentication
Sector 64 - Without Authentication
Sector 64 - With Authentication
The disk is 100% encrypted. The user didn't uninstall the software. He just rebooted and got this error message. What maybe could have happened is that after a restart the computer tried to start from the network, started the Windows installation, and overwrote the boot sector. You also said that it seems that the user tried to reinstall Windows from CD, but I'm 100% sure he didn't play with the configuration...
What would you propose as next step?
Thank you very much for your help and your patience!
Sector 63 is not encrypted, as you probably know - you have to go find what is, and what is not, by inspection. Authentication does not matter - it changes nothing. What you need to do is load in the machine's sdb file and decrypt the workspace after loading in a test sector(s) - then see if it looks like plaintext after decryption or not.
If the user has been through an OS install, either by starting it themselves, or from the network, the first thing it would have done is formatted the partition, so do a binary chop on it - look at the ends and work out if it's encrypted, then divide in half and look etc, until you find out how far the format went.
You might find out that the whole partition has already been formatted, and thus the user's data is lost.
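
The binary chop described in the last reply, sketched in Python as an added example that is not part of the original thread. It assumes the format overwrote one contiguous run of sectors from the start of the partition, and it uses a byte-entropy threshold as a stand-in for the manual decrypt-and-inspect step; the function names and the sample image are constructed for illustration.

```python
import hashlib
import math
from collections import Counter

SECTOR = 512

def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 to 8.0)."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def looks_encrypted(sector: bytes, threshold: float = 7.0) -> bool:
    # Assumption: ciphertext is near-random (512 random bytes score about 7.5),
    # while zeroed or freshly formatted sectors score far lower.
    return entropy(sector) >= threshold

def find_format_boundary(read_sector, first: int, last: int):
    """Return the first sector that still looks encrypted, or None if the
    whole range looks overwritten. Checks both ends, then halves the range."""
    if not looks_encrypted(read_sector(last)):
        return None            # even the end is plaintext: nothing left
    if looks_encrypted(read_sector(first)):
        return first           # nothing was overwritten
    lo, hi = first, last       # invariant: lo is plaintext, hi is encrypted
    while hi - lo > 1:
        mid = (lo + hi) // 2
        if looks_encrypted(read_sector(mid)):
            hi = mid
        else:
            lo = mid
    return hi

def make_constructed_image(total: int, overwritten: int) -> bytes:
    """Constructed sample: zeroed sectors followed by pseudo-random ones."""
    out = bytearray(b"\x00" * (SECTOR * overwritten))
    for s in range(overwritten, total):
        for i in range(SECTOR // 32):
            out += hashlib.sha256(f"{s}:{i}".encode()).digest()
    return bytes(out)

def reader(image: bytes):
    """Return a read_sector(n) callable over an in-memory image."""
    return lambda n: image[n * SECTOR:(n + 1) * SECTOR]

if __name__ == "__main__":
    img = make_constructed_image(total=2048, overwritten=700)
    print("first encrypted sector:", find_format_boundary(reader(img), 0, 2047))
```

Compressed files also score as high entropy, and a real format can write metadata away from the start of the partition, so the result narrows where to look by hand and does not replace that inspection.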