1 2 Previous Next 12 Replies Latest reply on Jan 24, 2013 9:21 AM by SafeBoot

    USB slaving an Endpoint Encrypted drive using Windows 7

      Hi all,

       

      For the last few years, my company used WinXP, the standard issued OS. Under XP my group have always used Safeboot Wintech (SbWintech.exe) taken from the Safeboot recovery disc to "mount" a drive using the safeboot SDB file, which allows our host machine to access safeboot encrypted drives' data, without the need of actually decrypting the drive itself.

       

       

      Fast-forwarding to today: Standard issued OS is now Windows 7. Our information security team allegedly contacted McAfee and find out that the functionality of USB slaving an encrypted drive under Windows 7 is no longer supported.

       

      My question is, is there any way to unlock EE encrypted drives without having to boot into the drive or spending the time and effort of decrypting them?

       

       

      A little background:

      Team role: eDiscovery

      Task: forensically collect/retain data from encrypted drives.

      Application used for Task: Norton Ghost/FTK Imager/RDI/other commercial HDD image tools

       

       

      Thanks

       

      -Harry

        • 1. Re: USB slaving an Endpoint Encrypted drive using Windows 7

          You got bad info I think - everything that was possible, is still possible, though Win7 admin rights might make it tricky.

           

          As long as your host machine didnt boot through EEPC, you can still mount a drive as you did before. I don't think we formally "support" that process though, as you are meant to boot off a CD on the host machine itself. That's the only process our support teams are familier with.

          • 2. Re: USB slaving an Endpoint Encrypted drive using Windows 7

            Thanks for your reply Simon, I will try that out when I get back to office next week. We disabled "admin approval mode" in local security settings of our host machines, so hopefully that will clear the Win7 admin privileges issue.

             

            What did you mean "as long as your host machine didn't boot through EEPC"? Are you saying that the host PCs must not be encrypted themselves for us to mount slaved EE drives?

             

            Thanks again.

             

            -Harry

            • 3. Re: USB slaving an Endpoint Encrypted drive using Windows 7

              The host machines cannot have eepc active, encrypted or not. That would have never worked.

              • 4. Re: USB slaving an Endpoint Encrypted drive using Windows 7

                Update/FYI:

                 

                Here is the error that we get on our EEPC enabled (but not encrypted) host machines. When doing a SafeBoot-->Authenticate from SDB file.

                 

                AccessToDriverNotPermitted.png

                • 5. Re: USB slaving an Endpoint Encrypted drive using Windows 7

                  Hi Simon,

                   

                  When you say "The host machines cannot have eepc active, encrypted or not " - Does that mean that EEPC should not be installed at all, or that the client should be there, but not Activated?  How can we keep the EEPC client from Activating itself (assuming that we're staying connected to ePO)?

                  • 6. Re: USB slaving an Endpoint Encrypted drive using Windows 7

                    Well, EPO is neither here or there with EEPC5 - you need to break the connection to EEM. I would just delete sdmcfg.ini before the first reboot.

                     

                    this is of course NOT FORMALLY SUPPORTED!

                     

                    You don't need EEPC installed really, you need the drivers for WinTech to be installed - they just happen to be the same though.

                     

                    Your WinTech issue is caused by not running under admin rights though.

                    • 7. Re: USB slaving an Endpoint Encrypted drive using Windows 7

                      Simon,

                       

                      Sorry for the delayed response. I have tried to run SbWintech by logging in as the admin, as well as logging in as a user granted with admin rights. Under admin account I got the error "Invalid Database Type" when I mounted the SDB. Under fully privileged user the errors were "Safeboot disk driver not present" or "Access to safeboot driver not permitted", like before. I'm inclined to give up but there are 2 more things I could think off that may impact this behavior.

                       

                      1. The version of Safeboot Wintech we are using is v5.1.0.1. Is there a newer version somewhere out there?

                      2. To make Sbwintech.exe work on slaved drives under XP host machines we installed this file "NoEncryptionUS_Silent_Reboot_EEPC.EXE". We refer to it as the safeboot client, or safeboot driver--not sure exactly what it is for. But it's a silent installer that autoreboots after about half a minute after execution. Is there an updated version of this too? maybe this installer is incompatible with Win7?

                       

                      Thank you Simon for helping despite the fact that this feature is not officially supported.

                       

                      -Harry

                      • 8. Re: USB slaving an Endpoint Encrypted drive using Windows 7

                        1. yes - every version of EEPC ships with a matched version of WinTech, so you can get it off the latest download.

                         

                        2. That must be something special you made yourself, or got professional services to make? It's not a standard part of the product.

                         

                        you need to run it "as administrator", being logged in as an admin is not enough - you need to right click it and use the menu option there.

                        • 9. Re: USB slaving an Endpoint Encrypted drive using Windows 7

                          Hi Simon,

                           

                          I have a SafeBoot encrypted drive from my old laptop that I am trying to get data off of. (Windows XP has become corrupt and will not boot.) I'd rather not decrypt the whole drive and this thread seems to suggest that there is a way to slave the encrypted drive and authenticate through WinTech running from a system that is not running Endpoint Encryption.

                           

                          I understand that this is not supported, but I am hoping that you can help.

                           

                          I am using my new laptop, whichis running Win7, to try to read the drive. It recognises the other drive through USB, but suggests formating to be able to access. I am running WinTech off of the recovery CD. It asks me for an Authorisation Code which I do not have. I cancel and try to authenticate through SBFS, but get this:

                          Untitled.jpg

                          It looks like WinTech is only seeing the local drive.

                           

                          If I boot from the recovery disk in my old laptop, I am able to authenticate through SBFS, but then my only option is to decrypt the entire drive. How do I get the version WinTech that is running on my new laptop to authenticate to the encrypted drive which is connected via USB?

                           

                          Thanks,

                           

                          John

                          1 2 Previous Next