Could be tough indeed. AFAIK you now have encrypted files on a plaintext drive, so the sector chain data we need to reconstruct them from the MFT is in plain text, whereas the data sectors themselves are encrypted.
Not sure how you can get out of this - I'd clone the drive, then do a forced decrypt of the partition and see what a file recovery tool finds.
Thanks Simon! Do I need to clone it to a like HDD, or do you know of any tools where I can just create and mount a file-based drive or something?
Humm no, as long as you don't try to change the partition size, then the sectors should be in the same locations. Geometry is not important but absolute sector number is.
As for a soft image, sorry, I don't have any experience - I guess Ghost might allow that, but then you have to mount it in an environment where you can use WinTech etc.
An update for anyone following. I've now had two drives with this issue. The first drive I cloned and tried to Force Crypt Sectors (Decrypt) and then data recovery and it didn't see the drive. I'm decrypting the second one now and we'll give that a run through as well. I've left the originals alone in case they have to go out to professional recovery folks.
Simon - my process has been:
1. Clone the drive using a sector-by-sector clone tool (EaseUS).
2. Boot a laptop with the drive installed off the WinTech CD.
3. Do a Get Disk Information to get the Start Sector & Sector Count.
4. Force Crypt (Decrypt) the drive with the start sector & count from Step #3.
5. Slave the drive and use recovery software (we have a few) to scan it for data.
If you have any suggestions on a better way to do this, or if I'm doing something that's obviously not going to work, I'm happy to hear any suggestions :-)
There's no need to do a force, if the disk information is valid - just do a remove or follow the region list to be safe.
I'm not sure it's going to succeed though, as the hardlinked files are going to be encrypted, and when you build the new OS and restore them, the drive is not. I'm not sure how that could ever work, and how you would even go about recovering them.
So, post-"it broke", I believe we're left with a plaintext empty drive, but encrypted data. If I decrypt it all, don't I end up with garbage plaintext (which is useless anyway) and decrypted data that (maybe) some recovery software would detect?
Or are the components that the disk needs to be able to know what that encrypted (now plaintext) data is gone, and it's all useless?
Yes, you will end up with an encrypted drive, and plain text files.
Unfortunately, there are no links between the sectors you can follow to reconstruct the file - all that's stored in the MFT, which is now in plaintext and will get encrypted when you decrypt the drive.
So, I guess it's worth a try, but I don't hold out much hope unfortunately.
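Added example, not part of the thread or any poster's tooling: since the discussion turns on which sectors of the clone are ciphertext and which are plaintext, this sketch maps a file-based image into runs of high- and low-entropy sectors, reported as start sector and count. The 512-byte sector size, the 7.0 bits/byte threshold and the image path are assumptions, and the sample image is constructed.

```python
import hashlib
import io
import math
from collections import Counter

SECTOR = 512      # assumed sector size in bytes
THRESHOLD = 7.0   # assumed cutoff, bits per byte, for "looks encrypted"

def entropy(block: bytes) -> float:
    """Shannon entropy of a block in bits per byte (0.0 to 8.0)."""
    n = len(block)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(block).values())

def classify_regions(image, sector=SECTOR, threshold=THRESHOLD):
    """Scan a file-like image; return runs as (start_sector, count, label)."""
    runs, index = [], 0
    while True:
        block = image.read(sector)
        if not block:
            break
        label = "high-entropy" if entropy(block) >= threshold else "low-entropy"
        if runs and runs[-1][2] == label:
            start, count, _ = runs[-1]
            runs[-1] = (start, count + 1, label)   # extend the current run
        else:
            runs.append((index, 1, label))          # start a new run
        index += 1
    return runs

def constructed_image() -> io.BytesIO:
    """Constructed sample: 4 plaintext-like, 3 ciphertext-like, 2 plaintext-like sectors."""
    plain = (b"FILE0" + bytes(SECTOR))[:SECTOR]    # mostly zeros, like a sparse record
    def noisy(i):  # deterministic stand-in for ciphertext: SHA-256 output stream
        return b"".join(hashlib.sha256(bytes([i, j])).digest() for j in range(SECTOR // 32))
    return io.BytesIO(plain * 4 + b"".join(noisy(i) for i in range(3)) + plain * 2)

if __name__ == "__main__":
    # For a real clone, open the image read-only: open("clone.img", "rb") (hypothetical path).
    for start, count, label in classify_regions(constructed_image()):
        print(f"start={start:>8} count={count:>8} {label}")
```

High entropy is only a heuristic for ciphertext: compressed archives and media files score the same, so treat the map as a guide to where to look, and run it against the clone rather than the original drive.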