1. yes - you can use the original machines key to decrypt this drive with WinTech
2. yes - you can reformat it on a new machine if you want to, if EEPC is set to encrypt it, it will get encrypted with the new key.
Thanks SafeBoot - for question 2, if we load, say sector 63, into the workspace and decrypt, we do not see data. The support techs thought the drive may have been re-encrypted on the second system. I didn't think that was possible?
if the user reformatted it, it will be re-encrypted (and thus the data will be lost).
1) are they looking at the right drive?
2) does 63 look encrypted even?
3) why sector 63? Are they sure that's the actual partition start sector?
4) are they using the correct database export?
1 - I believe it is the correct drive - Disk info matches the machine id file from the server
2 - Sector 63 does look encrypted
3 - I'm not sure why they are looking at sector 63, I'm wondering since on the original machine, this drive would have been the second drive if that is why we are not seeing the usual sector 63 data?
4. - the machine id in disk info matches the machine id from the server, so unles the disk info reads the sdb file only, this appears to be the correct database export. Also the encryption properties on the server show C and D from the original machine as encrypted and on the second machine (the re-imaged and re-encrypted) it shows only C as fully encrypted - D is not encrypted.
If this is the correct key, shouldn't we be able to use the A43 and see the data?
if 63 does not decrpyt properly, then it can't be the right SDB file unfortunately. You can try another sector towards the end of the partition etc?
Yes, we did that and we were able to see some data at the end of the drive. I think that is why the question, "Can you re-encrypt an encrypted drive?" came up.
if the user plugged the drive into their machine, Windows would have told them it was not encrypted and given them the opportunity to encrypt it. In that case, you should find that the beginning of the drive will be encrypted with the new key (worth a try).
if the beginning of the drive can be decrypted with the new key, then you know the user hit the "format" button. Then, data recovery is pretty hard, as you'll have to try and work out how far the format got. Do a binary chop on the drive and you might get lucky. You'll have to use a formatted drive recovery tool though to find any files.
Thanks Safeboot. I think we're going to try and make a sector by sector image of the drive and work off of the copy. I appreciate your input.