8 Replies Latest reply on Sep 7, 2011 4:41 AM by jmcleish

    Extracting data \ghosting from an encrypted disk using EETech EEPC v6.0.2

    jmcleish

      Hi,

With regard to Dan's post here about copying or ghosting off an encrypted disk:

https://community.mcafee.com/message/2421#2421

       

How do you do that in EETech, since there is no 'mount disk'?

On my test machine, I've authenticated and authorised and tried selecting the appropriate volume in diskpart, but can't seem to mount it successfully (not that familiar with it!), and it still says raw format and I can't read it in the A43 file management utility.

Basically I've now had a few machines where the encryption agent can't read the registry key and won't boot, then spent 4 hours or so waiting for the thing to force decrypt before I can access the data.

Obviously, being able to ghost (preferably) or extract data off without the need to decrypt is advantageous.

Using Dan's WinPE v3 EETech v6 disk.

Thanks for any help

      Jane

        • 1. Re: Extracting data \ghosting from an encrypted disk using EETech EEPC v6.0.2

If you present the correct XML file to EETech, it will mount the host drive for you automatically? Have you checked using the workspace that your XML export is correct?

          • 2. Re: Extracting data \ghosting from an encrypted disk using EETech EEPC v6.0.2
            jmcleish

To be honest I've never used the workspace. It says I have authenticated, and the only way I could get the disk to appear unencrypted is to start a crypt sector and cancel it. (Obviously this is my test machine, so I can do what I wish with it, but I wouldn't do that on a production machine.)

And I was told that there was hardly anything on EETech on the encryption course, and I can't face talking to gold support.....

It would be really handy to have some sort of idea of what to use what for and how to use it, so that those of us starting out using EEPC can play about with test systems to find out what we can do in EETech. A guide on how to use the components in EETech (obviously with a big disclaimer included) would be very useful. Either that or a nice mount button. :-)

I saw this post: https://community.mcafee.com/message/149954#149954 and wonder if they mean the EETech from v6.1?

Any idea?

(Yes... flailing in at the deep end here....)

            Thanks

            Jane

            • 3. Re: Extracting data \ghosting from an encrypted disk using EETech EEPC v6.0.2

One thing I've noticed is that you have to "refresh" the file management utility after you authenticate (authorization is not necessary for mounting the disk). So maybe you just need to hit F5 or click around in the file manager GUI. As Simon said, the "mount disk" button is gone in EE Tech. Now it just happens automatically after you authenticate. So if that isn't working, then you may be using the wrong key. Here's how to test your key with the workspace functions. Forgive me if the menu names are different; I'm not looking at it right now ... but my memory is pretty good.

              1. Authenticate in EE Tech, using an XML file from ePO
              2. Open workspace
              3. Choose "load sector from disk"
              4. Enter 63 in the start sector, and 1 in the sector count.
              5. The screen will then read that sector of the disk and display it. You will be looking at encrypted data. Only pay attention to the far-right column - this is the actual data on the disk.
              6. To decrypt this sector, you have to go back to the Workspace menu and hit "decrypt"
              7. Look in the far-right column and see if you now see cleartext data. If it is cleartext, then you are using the right XML file.


              I say to use sector 63 since that is typically the first sector of the first partition and has predictable text in it - usually "NTFS" is seen. If you load sector 63 and it is blank, then you'll have to go fishing for sectors. I just increase by a factor of 10 while I'm looking ... so 63, then 630, then 6300 and so on. Eventually you'll find a sector with some data that looks like clear text after you decrypt it. If you don't, then you're using the wrong XML file.

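Dan's key-sanity check above (load a sector, decrypt it in the workspace, look for recognisable cleartext such as the NTFS OEM ID, and if the sector is blank step through 63, 630, 6300 ... until something readable turns up) can be automated once you have the raw bytes of a decrypted sector. The following is an added Python example written for this thread; it is not McAfee or EETech code and does not talk to EETech. It assumes you can hand it decrypted sector bytes through a callable (for instance bytes you saved from the workspace dump), and the "disk images" in it are constructed sample data, not real disk contents. The NTFS boot-sector fields it checks (EB xx 90 jump, "NTFS    " OEM ID at offset 3, 0x55AA at offset 510) are the standard on-disk layout; the position of the error message in the constructed sample is arbitrary.

```python
import math
from typing import Callable, Dict, Iterator, Optional, Tuple

SECTOR_SIZE = 512


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: ~8.0 for ciphertext, well under 5.0 for text or mostly-empty sectors."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def printable_ratio(data: bytes) -> float:
    """Fraction of bytes that are printable ASCII (plus tab/CR/LF)."""
    if not data:
        return 0.0
    printable = sum(1 for b in data if 0x20 <= b <= 0x7E or b in (0x09, 0x0A, 0x0D))
    return printable / len(data)


def looks_like_ntfs_boot_sector(sector: bytes) -> bool:
    """Standard NTFS boot sector: short jump EB xx 90, OEM ID 'NTFS    ' at 3, 0x55AA at 510."""
    return (len(sector) >= SECTOR_SIZE
            and sector[0] == 0xEB and sector[2] == 0x90
            and sector[3:11] == b"NTFS    "
            and sector[510:512] == b"\x55\xAA")


def classify_sector(sector: bytes) -> str:
    """Return 'blank', 'ntfs-boot', 'cleartext' or 'ciphertext' for one decrypted sector."""
    if not any(sector):
        return "blank"                      # all zeros: nothing to judge, keep fishing
    if looks_like_ntfs_boot_sector(sector):
        return "ntfs-boot"                  # the 'R.NTFS' seen at sector 63 in the thread
    if printable_ratio(sector) >= 0.5 or shannon_entropy(sector) <= 5.0:
        return "cleartext"                  # readable text or structured low-entropy data
    return "ciphertext"                     # high entropy, no structure: probably wrong key


def candidate_sectors(start: int = 63, factor: int = 10, last: int = 63_000_000) -> Iterator[int]:
    """Dan's fishing sequence: 63, 630, 6300, ... up to 'last'."""
    n = start
    while n <= last:
        yield n
        n *= factor


def find_cleartext_sector(read_decrypted: Callable[[int], bytes],
                          start: int = 63, factor: int = 10,
                          last: int = 63_000_000) -> Optional[Tuple[int, str]]:
    """Walk the candidate sectors; return the first (sector, verdict) that reads as cleartext.

    read_decrypted(n) must return the 512 bytes of sector n *after* decryption
    (e.g. bytes you saved from the workspace). None means every candidate looked
    blank or encrypted, i.e. the XML file is probably the wrong one.
    """
    for n in candidate_sectors(start, factor, last):
        verdict = classify_sector(read_decrypted(n))
        if verdict in ("ntfs-boot", "cleartext"):
            return n, verdict
    return None


# ---- constructed sample data (not real disk contents) ----------------------

def make_ntfs_boot_sector() -> bytes:
    """Build a minimal NTFS-looking boot sector for demonstration only."""
    body = bytearray(SECTOR_SIZE)
    body[0:3] = b"\xEB\x52\x90"             # jump + NOP, shows up as 'R.' in a dump
    body[3:11] = b"NTFS    "                # OEM ID
    msg = b"A disk read error occurred\r\nNTLDR is missing\r\n"
    body[0x180:0x180 + len(msg)] = msg      # placement is arbitrary in this sample
    body[510:512] = b"\x55\xAA"             # boot signature
    return bytes(body)


# Stand-in for encrypted output: every byte value twice, entropy exactly 8.0 bits/byte.
CIPHERTEXT_LIKE = bytes(range(256)) * 2
# Stand-in for a sector of plain text found deeper in the disk.
TEXT_SECTOR = (b"The quick brown fox jumps over the lazy dog.\r\n" * 12)[:SECTOR_SIZE]
# Image as seen with the *right* key: sector 63 blank, readable text only at 6300.
RIGHT_KEY_IMAGE: Dict[int, bytes] = {63: bytes(SECTOR_SIZE), 6300: TEXT_SECTOR}


def image_reader(image: Dict[int, bytes], default: bytes = bytes(SECTOR_SIZE)) -> Callable[[int], bytes]:
    """Turn a {sector: bytes} map into the read_decrypted callable used above."""
    return lambda n: image.get(n, default)


if __name__ == "__main__":
    print(classify_sector(make_ntfs_boot_sector()))          # ntfs-boot
    print(find_cleartext_sector(image_reader(RIGHT_KEY_IMAGE)))  # (6300, 'cleartext')
    print(find_cleartext_sector(lambda n: CIPHERTEXT_LIKE))  # None: wrong key
```

The entropy and printable-ratio thresholds are deliberately loose: a sector decrypted with the right key can still be compressed or binary data, so a single "ciphertext" verdict is not proof of a wrong key; a whole run of candidates coming back high-entropy with no blank or readable sector is the signal Dan describes.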
              • 4. Re: Extracting data \ghosting from an encrypted disk using EETech EEPC v6.0.2
                jmcleish

Thanks for that Dan, that's very helpful.

I'm off for a week, so will try that when I get back.

                Thanks again

                Jane

                • 5. Re: Extracting data \ghosting from an encrypted disk using EETech EEPC v6.0.2
                  jmcleish

                  Hi,

OK, so I loaded and decrypted the workspace.

At the top of the right-hand column there was R.NTFS and lower down it said: "A disk read error occurred. NTLDR is missing...." so it did show cleartext, so I'm assuming it's the correct file.

So, leaving EETech open (authenticated but not authorised), I open A43 and see the C:\ drive in the list, but no matter where I click, refresh or restart A43, I still can't read the disk.

Thanks

                  Jane

                  • 6. Re: Extracting data \ghosting from an encrypted disk using EETech EEPC v6.0.2

It could be that you don't have the SATA drivers for your hard disk installed in your PE environment. That's what usually causes this symptom. You can try getting the SATA drivers from Intel, or whoever makes your hard disk(s). Another trick is to go into the BIOS and switch the disk operation to ATA or something that resembles "legacy mode".
                    • 7. Re: Extracting data \ghosting from an encrypted disk using EETech EEPC v6.0.2
                      jmcleish

Thanks Dan,

The one I was testing on is in IDE mode, but I think it's a solid state drive. I'll try and find and add the drivers to the WinPE image for it.

Thanks

                      Jane

                      • 8. Re: Extracting data \ghosting from an encrypted disk using EETech EEPC v6.0.2
                        jmcleish

                        Dan,

Just to let you know (or anyone else) that I eventually managed to get this working.

I had tried injecting AHCI drivers into the WinPE WIM but still had no joy...... until this week.

We had a requirement to try and extract data on the fly, so I created a new BartPE with EETech v6.1.1 (one with no drivers for my ATA disks, and one with AHCI drivers). When booting from this I am able to read the encrypted disk on the fly fine.

I'm unsure whether it is something to do with WinPE vs. BartPE or EETech 6.0.2 vs. 6.1.1, but anyway, thanks for all your help on this matter. This makes life MUCH easier!

                        Thanks

                        Jane