3 Replies Latest reply on Jun 14, 2012 8:16 AM by SafeBoot

    Double decryption attempt

      Hello all,

      Hope you are all doing well and I would very much appreciate if someone brings more clarity to me in regards to the following situation.

      Let's take for an instance that you have McAfee EEPC installed 6.1 and for some reason you would have to go for decryption of the HDD in order to fix some Windows issue.

      You boot the machine with EETech standalone, authorize and authenticate - everything is going smooth and you go for Remove EE.

      Decryption starts normally. Full BIOS HDD self test and clone of the HDD should have been made before going for decryption, but for the sake of the question let's imagine that in our case this hasn't been done and the decryption process freezes at 57%. The issue is caused by bad sectors on the HDD most probably, but the person working on this PC decides to restart the process and goes for another decryption (boots the PC again and goes for Force crypt). My question is how exactly the encryption algorithm works in this case? By my understanding it runs on the whole HDD and for the first 57% of the HDD it decrypts the sectors (including the MBR), but for the rest it encrypts it even more - double encryption.

      Have I got this right?

      How would you proceed in order to get the data recovered? I am fully aware that we are talking about faulty HDD in this case, but still I would very much appreciate if someone brings some clarity how is the encryption algorithm behaving in this scenario.

       

      Thank you guys in advance!

      BR,

      T

        • 1. Re: Double decryption attempt

          cryption always starts at the lowest sector and moves towards the highest. In your case, if the forced decryption was left to run across the whole drive you have

           

          x-57% double decrypted

          57-end decrypted correctly

           

          It all depends on what sector range the person used for the force decryption. If they started at sector 0, then you have

           

          0-partition start - incorrectly decrypted (needs encrypting to revert to plain text)

          partition start-57% double decrypted (needs encrypting to revert to plain text)

          57%-end decrypted successfully.

           

          Your challenge then is to estimate where 57% is, and try to find the end sector location of the first pass, then you know how much to decrypt.

           

          And finally, you probably need to work on a mirror of the original drive, as if it has bad sectors, things are only going to get worse.

          • 2. Re: Double decryption attempt

            Hi Simon,

             

            Thanks a lot for your prompt answer!

            Does McAfee possess such a tool that can help us identify the end sector of the x-57% cut?

            Thanks again!

            • 3. Re: Double decryption attempt

              You need to just look at the data and make a guess - if it's encrypted, it will have no patterns whatsoever.

               

              Unfortunately, compressed data looks much the same, so it's all about visual clues.
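
The "look at the data and make a guess" step from the last reply can be roughed out with a per-sector entropy scan over a mirror image of the drive. This is an added example, not part of the thread and not a McAfee tool; the function names, the 512-byte sector size, the 7.0 threshold and the constructed sample image are all assumptions. It picks the split that best separates "mostly random" from "mostly patterned" sectors, so isolated compressed files in the plain-text region count as noise rather than moving the estimate.

```python
import math
import random
from collections import Counter

SECTOR = 512  # bytes per sector (assumption; confirm against the real drive)

def entropy(block: bytes) -> float:
    """Shannon entropy of a block in bits per byte (0.0 to 8.0)."""
    n = len(block)
    return -sum(c / n * math.log2(c / n) for c in Counter(block).values())

def find_boundary(image: bytes, threshold: float = 7.0) -> int:
    """Estimate the sector index where scrambled data gives way to plain text.

    Each sector is flagged high or low entropy. The chosen split k maximises
    (high-entropy sectors before k) + (low-entropy sectors from k onward).
    """
    high = [entropy(image[i:i + SECTOR]) >= threshold
            for i in range(0, len(image) - SECTOR + 1, SECTOR)]
    low_after = high.count(False)      # low-entropy sectors at or after split
    high_before = 0                    # high-entropy sectors before split
    best_split, best_score = 0, low_after
    for k, is_high in enumerate(high, start=1):
        if is_high:
            high_before += 1
        else:
            low_after -= 1
        if high_before + low_after > best_score:
            best_split, best_score = k, high_before + low_after
    return best_split

def build_sample(scrambled=57, total=100, islands=(70, 71, 72)) -> bytes:
    """Constructed test image: random-looking sectors, then patterned text,
    with a few random 'compressed file' sectors inside the text region."""
    rng = random.Random(2012)          # fixed seed so the sample is repeatable
    text = (b"Quarterly report draft, please review. " * 14)[:SECTOR]
    sectors = []
    for s in range(total):
        if s < scrambled or s in islands:
            sectors.append(bytes(rng.getrandbits(8) for _ in range(SECTOR)))
        else:
            sectors.append(text)
    return b"".join(sectors)

if __name__ == "__main__":
    print("estimated end of first pass: sector", find_boundary(build_sample()))
```

The result is only an estimate to be checked by eye near the reported sector, and it should be run against the mirror, never the failing drive.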