cryption always starts at the lowest sector and moves towards the highest. In your case, if the forced decryption was left to run across the whole drive you have
x-57% double decrypted
57-end decrypted correctly
It all depends on what sector range the person used for the force decryption. If they started at sector 0, then you have
0-partition start - incorrectly decrypted (needs encrypting to revert to plain text)
partition start-57% double decrypted (needs encrypting to revert to plain text)
57%-end decrypted successfully.
Your challenge then is to estimate where 57% is, and try to find the end sector location of the first pass, then you know how much to decrypt.
And finally, you probably need to work on a mirror of the original drive, as if it has bad sectors, things are only going to get worse.
Thanks a lot for your prompt answer!
Do McAfee posses such tool that can help us identify the end sector of the x-57% cut ?
Thanks again !
You need to just look at the data and make a guess - if it's encrypted, it will have no patterns whatsoever.
Unfortunately, compressed data looks much the same, so it's all about visual clues.