call your helpdesk, you will need to do a forced decryption of your partitions as the restore would have trashed the "disk information" telling EEPC where, what and how things were encrypted.
Your data is entirely recoverable as long as you don't make any other changes, and of course as long as your helpdesk have the recovery information for your machine.
Will it be a good idea to first make a clone of my laptop on an external (USB) hdd and then try that clone to decrypt forcefully. Also, as my IT department is far away ( we are in branch office ) I have to do forced decryption of my own. Please let me know what all I need apart from bootable rescue disk (containinig wintech; A43 Utility ) and SDB file ( I have both ) for forced decryption.
Also, send me the procedure/steps for forced recovery. Can you please through some light on the statement "as long as your helpdesk have the recovery information for your machine" , are you reffering the SDB file, if yes, then yes they have sent it to me.
Thanks in advance
1 of 1 people found this helpful
Any time I get into a real jam with this product, I make a clone of the drive and attempt recovery of the data on the clone. The key point is that when making the clone, it must be a RAW copy. We use LogiCube devices for speed, but there may be some other software available to do this. It must be done at the bit byte whatever level. Any resizing and/or realigning of the data will render it useless.
FYI, Acronis and similar products typically store the backup image in a compressed form and then will resize a partition if needed, when recovering. This is useless before encryption, as you've experienced. It is equally useless after encryption, as the resizing and/or even moving of data's physical block location will break things.
You really need to work with your helpdesk on this - it's not really something end users do on their own.
I am in touch with my helpdesk but seems they doesn't have expertise in safeboot; also, they are on remote location.
TechSecurityNate : Thanks for the suggestion; can you suggest if Symantec Ghost, TrueImage and Acronis can create the clone in the raw format ( RAW copy ).
" FYI, Acronis and similar products typically store the backup image in a compressed form and then will resize a partition if needed, when recovering. "
Also, just to share that the partitions I want to recover ( D, E & F ) were not imaged by acronis, the only partition which was imaged is C and this is the only partition which has been restored ( which I don't want to recover ).
Also, Please suggest the procedure for force decrypt; though I already know but still wants to be doubly sure.
Thanks in advance.
1 of 1 people found this helpful
I am not familiar with the features of those products, but suggest checking their respective sites.
If your HelpDesk is in cooperation with your efforts, then they should at least be able to log into McAfee Service Portal and gather the product documentation to assist you in the Force Decryption.
I would never allow my users to have this information or attempt recovery. We handle all such activities with trained staff and I jump in when they need help. Your implications are that your HelpDesk is unwilling to assist you. In this case, there would be clear and decisive actions I would be taking in my environment. If you feel this task is within the scope of their support model, then you should escalate the issue to someone willing to help and/or force them to help you. You can think of this and any encryption product like a bomb of sorts. It can destroy your data if not handled carefully, so please understand any hesitance to hand over the info you request.
The case is not like my support is unwilling to help me out, infact they are asking me to send my laptop to IT Support ( Remote location ), it is only my hesitation to send my laptop reasons being :
1. Nobody will pay attention to my data as careful as I can
2. They are saying they will try to recover data if will not succeded then will format the drive
I don't want to give up.
Solution : I cloned my drive and tried force decryption on one of the partition with the help of rescue cd and SDB file provided by my IT support. The partition is around 75GB and it took around 72 hrs. for the decryption to be completed.
I wanna to make one point here : if somebody is trying the force decryption and if gets stuck inbetween don't be dishearted probably it is still working in the background.
In my case, the total sectors to be decrypted were 15 crore (1.5 billion), the progress bar was showing status till 7crore ( 0.7 billion) after which progress bar got stuck but thanks to one of a discussion on this forum only where I read that one of the guy got succeded in recovering data even after the progress bar was on waiting ( wactgglass) for couple of days.
I had that clue in my mind which gave me patience and finally I got the pop up says decrytion is completed successfully and the progress bar jumped directly from 0.7 billion to 1.5 billion.
Question : Though I have got most my data back from the 75GB partition but there are few folders which are inaccessible ( ........... is not accessible. The file or directory is corrupted and unreadable. ) The point to be noted is all these kind of folders are containing images (jpg). Though I have recovered most of the images ( approx. 15GB ) but still few ( approx. 1-2GB ) are inaccessible.
As the partition is now decryted and accessible, I am thinking of running recovery tool on this partition probably I can recover the remaing data as well.
I am extremly thankful to Safeboot and TechSecurityNate for their guidance.
are you sure you decrypted the right sector range? sounds like you might have missed a few out at the beginning or the end where the MFT is?
I don't believe I have ever knowingly decrypted an incorrect sector range, except when I learned the hard way once to be patient. I have used the wrong sbd once, that was fun. I had to encrypt with the bad sdb then decrypt with the correct sdb to get any files.
I have seen on many occasions where specific files are not recoverable due to the error you mention and/or a cyclical redundancy error. In either case, I determined that the drive probably had some bad sectors and I then took what I could get and was just happy with it.
Now that it's decrypted, you should be able to rebuild the MBR and boot if you like. It would never hurt to attempt further recovery, but I would not be very hopeful. We've even sent drives out to 3rd party vendors whom specify in data recovery and rarely had any success.