10 Replies. Latest reply on Sep 12, 2011 8:05 AM by SafeBoot

    How to decrypt drive D on reimaged Windows

      Hello,

       

      I had a Windows XP PC with two drives, C and D, both encrypted with EEPC 6. Then someone accidentally reinstalled Windows on drive C and realized he couldn't access files on drive D because it's still encrypted.

       

      Question: how to decrypt drive D if:

      A. I haven't deleted that system in ePO (so I still have xml for authentication)

      B. The system is somehow deleted in ePO (no xml)

      C. I have deleted that system in ePO and reinstalled McAfee agent and EEPC on the new Windows (different xml?)

       

      I tried using the EETech DVD and did a force decrypt of D (taking note of sector start and length), but it didn't work - drive D is still unreadable. The "Remove EE" action is not available because no EE is detected (reinstalled Windows).

       

      Has anyone experienced the same problem? Or be kind enough to duplicate the problem?

       

      Thanks,

       

      Wisnu

        • 1. Re: How to decrypt drive D on reimaged Windows
          whgibbo

          Hi,

          Could you please let us know the following:

          1. What version of EEPC are you using?
          2. Has the machine been reactivated?

           

          Thanks

          • 2. Re: How to decrypt drive D on reimaged Windows
            Hemant Koli

            Hello Wisnupp.

             

            Please refer to the McAfee EETech User Guide before performing decryption; this might help you.

            https://kc.mcafee.com/resources/sites/MCAFEE/content/live/PRODUCT_DOCUMENTATION/22000/PD22404/en_US/McAfee%20EETech.pdf

            • 3. Re: How to decrypt drive D on reimaged Windows

              Hi whgibbo,

              1. It was either 6.1.0 or 6.1.1 (the lab is no longer available)

              2. Reactivated meaning reinstall EEPC? So here is what happened as I remember:

                   A. Installed EEPC to Win XP PC and encrypted all drives (C and D). Ran well.

                   B. Someone didn't realize it had EEPC, reimaged/reinstalled Windows XP on C --> D not accessible.

                   C. I created EETech DVD and tried to remove EE but not successful.


                   D. Reinstalled EEPC, but saw that drive D status is decrypted (the new EEPC installation can't detect that drive D is already encrypted), so immediately stopped the encryption process (still in progress of encrypting drive C) before the process continued to drive D, to prevent double encryption.

                   E. After a while, stopped the effort to restore D, but saved an image of the full hard drive.

               

                   In another test (Windows 7):

                   A. Installed EEPC and encrypted all drives (C and D). Ran well.

                   B. Immediately ran the EETech DVD (the PC still has EEPC) and did a force decrypt of drive D (taking note of sector start and length). This is just testing if force decrypt works.

                   C. Boot back to Windows and check drive D, it's not readable. Why?

                   D. Gave up and stopped the test

              Luckily this all happened in lab environment.

               

              " Hello Wisnupp.

               

              Please refer to the McAfee EETech User Guide before performing decryption; this might help you.

              https://kc.mcafee.com/resources/sites/MCAFEE/content/live/PRODUCT_DOCUMENTATION/22000/PD22404/en_US/McAfee%20EETech.pdf"

               

              Yes, I realized I haven't studied EEPC thoroughly. But can anyone give quick advice to make sure I can restore data drive(s) when the system drive is reimaged/reinstalled? Does it have something to do with the Re-use machine key option? I just found out about this option when I took a peek at whgibbo's previous post. I checked the EEPC product guide, but the explanation is very brief.

               

              Thanks

              • 4. Re: How to decrypt drive D on reimaged Windows
                Hemant Koli

                Hello Wisnupp.

                 

                You can refer to the link below; this might help you with the Re-Use Machine Key option.

                https://community.mcafee.com/thread/34867?tstart=0

                1 of 1 people found this helpful
                • 5. Re: How to decrypt drive D on reimaged Windows

                  I think you are asking too many questions in one discussion - why not create a separate discussion for each scenario you want help with, so we can keep our thoughts in order - you started with three different hypothetical questions after all, which now seem to relate to two actual scenarios.

                   

                  If you really need to recover the data, please call McAfee support, but if these are write-off test machines, perhaps it's better to just format them and save the support bandwidth for some person who's losing data they really value.

                   

                   

                  • 6. Re: How to decrypt drive D on reimaged Windows

                    Hi Mr Simon Hunt,

                     

                    Thanks for your reply.

                     

                    Actually it has some valuable files for our team which need some effort to get it back again when lost. The team have forgiven me for being unable to restore the files, but since then they keep reminding me about it and now I have a homework of mastering EEPC disaster recovery.

                     

                    Okay, let me change the question.

                     

                    How do I decrypt drive D of a PC whose system drive has been reimaged, if I accidentally delete the corresponding system/object in ePO after reimaging?

                     

                    Thanks!

                    • 7. Re: How to decrypt drive D on reimaged Windows

                      You need to be more precise - what version of EEPC was it encrypted with, for example? Did you re-install EEPC after re-imaging? Did the machine have the same network name, or a different name? Do you have a backup of your EPO server from the time of the first instance?

                       

                      Some versions of EEPC will over-write existing keys in the case that the product is re-activated with the same network names, thus preventing recovery unless you have a db backup etc. Some (later) versions create and preserve fresh keys each time.

                       

                      The "supported" answer though, is if you deleted the object out of EPO, then we assume you don't care about it any more, and thus it would be irrecoverable. There are sometimes ways around this though as long as other activities have not occurred.

                       

                      I suggest you start a new discussion with the exact scenario you need help with.

                      • 8. Re: How to decrypt drive D on reimaged Windows
                        whgibbo

                        Hi,

                        If it was encrypted and then reencrypted using an EEADMIN version prior to 1.1.1.x, then it is not possible to retrieve the machine key for this machine, as it would have been overwritten if the machine was not removed from ePO.

                        In which case you will not be able to decrypt the drive.

                         

                        With EEADMIN version 1.1.1.x the recovery information is archived, but will not be accessible until EEADMIN version 1.1.2.x.

                         

                        It sounds like you reinstalled and activated the machine without key re-use enabled for the machine.

                         

                        As SafeBoot commented:

                        There are sometimes ways around this though as long as other activities have not occurred.

                         

                        In which case you would have to raise a support ticket for this.

                        1 of 1 people found this helpful
                        • 9. Re: How to decrypt drive D on reimaged Windows

                          Hi whgibbo,

                           

                          Thanks for your reply.

                           

                          After testing I have learned that right after doing fresh Windows reinstall (not reinstall EEPC yet), I cannot immediately restore drive D even when I've saved the xml file (from EETech). This is NOT what I expected from the product's recovery methods.

                           

                          I'm using EEAdmin 1.0.2.1, EE PC Software 1.0.2.6.

                           

                          Will try other way and update the result.

                           

                          Wisnu

                           

                          Message was edited by: wisnupp on 9/12/11 7:25:11 AM CDT