8 Replies Latest reply on Sep 1, 2011 11:51 AM by Grace

    Encrypted External hard drive data recovery

      We have an external hard drive which was connected to an encrypted system to backup data. Because it was not USB connected, EEPC encrypted the drive. The external device was disconnected, the primary hard drive was re-imaged and re-encrypted. When we attempted to restore the data, it was discovered that the external device was encrypted with the original key.

       

      Questions:

      If I have the original key, can we decrypt the external drive using WinTech?

      Is it possible for EEPC to re-encrypt (on the second machine) a drive which is already encrypted?

       

      I'd appreciate any insight.

        • 1. Re: Encrypted External hard drive data recovery

          1. yes - you can use the original machine's key to decrypt this drive with WinTech

          2. yes - you can reformat it on a new machine if you want to, if EEPC is set to encrypt it, it will get encrypted with the new key.

          • 2. Re: Encrypted External hard drive data recovery

            Thanks SafeBoot - for question 2, if we load, say sector 63, into the workspace and decrypt, we do not see data. The support techs thought the drive may have been re-encrypted on the second system. I didn't think that was possible?

            • 3. Re: Encrypted External hard drive data recovery

              if the user reformatted it, it will be re-encrypted (and thus the data will be lost).

               

              1) are they looking at the right drive?

              2) does 63 look encrypted even?

              3) why sector 63? Are they sure that's the actual partition start sector?

              4) are they using the correct database export?

              • 4. Re: Encrypted External hard drive data recovery

                1 - I believe it is the correct drive - Disk info matches the machine id file from the server

                2 - Sector 63 does look encrypted

                3 - I'm not sure why they are looking at sector 63, I'm wondering since on the original machine, this drive would have been the second drive if that is why we are not seeing the usual sector 63 data?

                4. - the machine id in disk info matches the machine id from the server, so unless the disk info reads the sdb file only, this appears to be the correct database export. Also the encryption properties on the server show C and D from the original machine as encrypted and on the second machine (the re-imaged and re-encrypted) it shows only C as fully encrypted - D is not encrypted.

                 

                If this is the correct key, shouldn't we be able to use the A43 and see the data?

                • 5. Re: Encrypted External hard drive data recovery

                  if 63 does not decrypt properly, then it can't be the right SDB file unfortunately. You can try another sector towards the end of the partition etc?

                  • 6. Re: Encrypted External hard drive data recovery

                    Yes, we did that and we were able to see some data at the end of the drive. I think that is why the question, "Can you re-encrypt an encrypted drive?" came up.

                    • 7. Re: Encrypted External hard drive data recovery

                      if the user plugged the drive into their machine, Windows would have told them it was not encrypted and given them the opportunity to encrypt it. In that case, you should find that the beginning of the drive will be encrypted with the new key (worth a try).

                       

                      if the beginning of the drive can be decrypted with the new key, then you know the user hit the "format" button. Then, data recovery is pretty hard, as you'll have to try and work out how far the format got. Do a binary chop on the drive and you might get lucky. You'll have to use a formatted drive recovery tool though to find any files.

                      • 8. Re: Encrypted External hard drive data recovery

                        Thanks Safeboot. I think we're going to try and make a sector by sector image of the drive and work off of the copy. I appreciate your input.
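
Added example, not part of any post in this thread and not McAfee or WinTech code: a sketch of the "binary chop" from reply 7, run against a sector-by-sector image copy as in reply 8, to find the first sector that still decrypts under the original key. Assumptions: `toy_crypt` is a stand-in XOR cipher (not EEPC's algorithm), the keys and image are constructed, the format overwrote one contiguous run from sector 0, and "decrypts properly" is judged by a byte-entropy heuristic that only works for uncompressed data.

```python
import hashlib, io, math
from collections import Counter

SECTOR = 512

def toy_crypt(key, lba, data):
    # Stand-in XOR sector cipher for this demo only; NOT EEPC's algorithm.
    stream, ctr = b"", 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + lba.to_bytes(8, "little") + bytes([ctr])).digest()
        ctr += 1
    return bytes(a ^ b for a, b in zip(data, stream))

def entropy(data):
    # Shannon entropy in bits per byte; a 512-byte ciphertext sector sits near 7.6.
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def decrypts_with(key, image, lba, threshold=6.5):
    # Heuristic: the correct key yields low-entropy plaintext (assumed uncompressed).
    image.seek(lba * SECTOR)
    return entropy(toy_crypt(key, lba, image.read(SECTOR))) < threshold

def find_format_boundary(image, old_key, total_sectors):
    # Assumes sectors [0, b) were overwritten under the new key and
    # sectors [b, total_sectors) still hold old-key data; returns b.
    lo, hi = 0, total_sectors
    while lo < hi:
        mid = (lo + hi) // 2
        if decrypts_with(old_key, image, mid):
            hi = mid        # old data starts at or before mid
        else:
            lo = mid + 1    # mid was overwritten; look later
    return lo

def build_constructed_image(old_key, new_key, boundary, total_sectors):
    # Constructed sample: zeroed (formatted) sectors under new_key,
    # followed by text-like sectors under old_key.
    out = io.BytesIO()
    for lba in range(total_sectors):
        if lba < boundary:
            out.write(toy_crypt(new_key, lba, bytes(SECTOR)))
        else:
            plain = (b"constructed file data %06d\n" % lba) * 20
            out.write(toy_crypt(old_key, lba, plain[:SECTOR]))
    return out

if __name__ == "__main__":
    img = build_constructed_image(b"old-key", b"new-key", 23, 64)
    print(find_format_boundary(img, b"old-key", 64))  # 23
```

The search reads only about log2(total_sectors) sectors, which keeps manual checking on a large drive practical; sectors at and after the returned boundary are the ones to hand to a formatted-drive recovery tool after decryption with the original key.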