9 Replies Latest reply on Aug 22, 2012 8:28 PM by SafeBoot

    Restored MBR without Removing EE

      Hi everybody!

       

      We are in the process of deploying McAfee Endpoint Encryption for PC v 6.2 into our company. We had a lab set for several weeks with great results so we moved into production. One user had a problem and the machine wouldn't boot after that. One of the IT guys took the disk and was going to remove the encryption with the EETECH CD, but by accident, he first restored the MBR... before removing the Encryption!!! Now the disk it's not even recognized as encrypted.

       

      Does any of you has a procedure I can follow to recover the data on this disk? I can try many things as I have a physical Disk Cloner and I have made a couple of copies sector by sector of the original disk.

       

      thanks a lot!

        • 1. Re: Restored MBR without Removing EE

          you could just decrpyt the partition with EETech (the WinPE version is much faster than the standalone), or you could emergency boot the machine with EETech standalone as long as the disk information can be found on the drive.

          • 2. Re: Restored MBR without Removing EE

            In the EETECH menu I can force decrypt. I tried that and then connected the disk as a slave to another PC but couldn't read it. Should I only decrypt the partition where the data is located or all partitions? After decrypt is just connecting the disk to another as a slave and read or we have to something else?

            • 3. Re: Restored MBR without Removing EE

              You need to decrypt whatever was encrypted - which will be one (or more) partitions.

               

              You can't just decrypt the entire disk - the MBR etc won't be encrypted and that contains the partition tables etc.

              • 4. Re: Restored MBR without Removing EE

                So I Decrypted the partition that was encrypted. To understand what partition was encrypted I used the workspace and took a look at it. After decrypting the right partition, I plugged in the hard drive into a new PC but I couldn't see any files.

                 

                So after that, what we did was:

                1. In the BIOS the SATA Operation was Raid  (in the new PC with the master HDD)

                2. We changed the SATA Operation to AHCI as it was with the old PC that failed in the encryption

                3. We had to format the master HDD of the new PC

                4. Connected the corrupted HDD as a slave in the new PC and it worked!!! we recovered the files normally

                 

                Is it possible that the AHCI mode in the Failed PC was the cause of the incident?

                1 of 1 people found this helpful
                • 5. Re: Restored MBR without Removing EE

                  No, it's very unlikely indeed.

                   

                  Why did you have to format the hard disk of the new machine after changing the bios to AHCI? Was it blue screening? If so, you just needed to install the right drivers for the hardware you have THEN change the mode over.

                  • 6. Re: Restored MBR without Removing EE

                    It was blue screening and this was the only way we knew. Thanks for your help!

                     

                    We are trying to find out what went wrong with this PC to prevent it from happening in others. What can we do to understand what went wrong? Is there a log we can review?

                    • 7. Re: Restored MBR without Removing EE

                      You never really told us what the original problem was, other than "One user had a problem..." 

                      • 8. Re: Restored MBR without Removing EE

                        You are right! For the moment that was the only important thing, to recover data. We made a phased deployment:

                         

                        1. Install the EEAGENT and the EEPC (Wait 2 days)

                        2. Encrypt the drive with no preboot (wait 2 days) and load domain users

                        3. Enable preboot.

                         

                        When we enabled preboot in this particular PC and restarted the machine was hung up in a black screen. Couldn't boot at all. After waiting we changed the SATA Operation to ATA instead of AHCI and the McAfee preboot loaded but the Windows Operating system didn't. It was a Dell Optiplex 790. The only different thing we have noticed between this PC and others with same characteristics is the AHCI and a USB token called SafeNet Sentinel (It's sort of a physical license key to work with a smart card printer). How can we be sure what was it?

                         

                        Thanks again!

                        • 9. Re: Restored MBR without Removing EE

                          My gut feeling would be to look at the BIOS version - there were a few problems with Dell AHCI support a while ago which resulted in BIOS fixes.