4 Replies Latest reply on Feb 3, 2013 11:03 PM by ccollie

    Data lost on passport drive when encrypting device

      HELP.

       

      Today my company enforce the use of endpoint encryption which write protected my Western Digital passport drive.

      Previously I had only received warnings that the drive was not encrypted but I was still able to work.

      I didn't want to encrypt the device as I share this between my work PC and my home computer.

      I was adviced by our ITS department that the only thing that would happen was that password control would be placed on the device and I simply needed to enter the password when accessign the drive from  my home PC.

      I proceeded with the encryption process.

      It asked me to enter a password and confirm it all good.

      It then told me there was data on the device and did I want a copy taken in a secure location. I said "No" seeing no reason why a device level password should affect data on the drive.

      The encryption process completed, but when I went to access my passport drive, all data was deleted.

       

      What I need to know is, did the software simply overwrite the boot directory or wipe my entire drive?

      Given the relatively short time it took, I'm hoping the former.

       

      I have many many years of collateral and prior experience on the drive, along with current project work and personal files.

      I cannot afford to lose this data.

       

      Could McAfee please confirm URGENTLY that this data is recoverable.

        • 1. Re: Data lost on passport drive when encrypting device
          petersimmons

          If it was encrypted then it can be unencrypted. Your IT staff can do so with their management tools. The problem I have is that I don't know if you have  Full Disk Encryption (EEPC) or File & Folder (EEFF). The only way you could lose data is if you choose to encrypt removable media and answered YES to creating a secure container on the drive. But you would have had to say YES.

           

          Since it all happens in the background you wouldn't notice anything happening.

           

          Plug it in to your computer and ask your IT department to decrypt it.

          • 2. Re: Data lost on passport drive when encrypting device

            With response to your reply.

            The endpoint encryption deployed in our firm is File and Folder (EEFF).

            I have engaged our internal IT department who will seek to recover the data if possible.

             

            Of great concern is:

            - your claim that I shouldn't lose my data - I DID

            - IT's claim that I shouldn't lose my data - I DID

            - IT's claim that encryption shouldn't be suddenly enforced when previously I had been able to read and write to that device - IT WAS and did not permit me either read or write to the device unless it was encrypted

            - the number of other posts that report data loss associated with McAfee Endpoint Encryption

            - the McAfee replies to previous posts with regard to data loss that seem to be based on "plausible deniability" and simply refer people to their IT department.

             

            Finally back to my main concern, the lack of a straight answer - what happened when this encryption took place?

            Did it simply overwrite the file allocation system and leave the data on the drive? Or did it physically delete the data on the drive?

            Given that the encryption process took less than a minute, I'm hoping the former but fear the latter.

             

            Two things I can report after the encryption process completed:

            1. The only two things visible of the device were an ODB$ folder and one other file

            2. When vieing the device properties via Windows Explorer, the entire device250GB was showing as FULL. Prior to encryption my actual data on the device consumed less than half of the drive capacity.

             

            So it's unanimous. Everyone claims I shouldn't have lost my data, but I did.

            Question now is can I get my data back and how?

            • 3. Re: Data lost on passport drive when encrypting device

              What you are seeing is expected with EERM.

               

              It does not permit you either read or write to the USB device unless it was encrypted - this is because of a policy setting that your IT team has configured with the EEFF/EERM.

              If you try to encrypt a USB drive which has data in it, the initialization wizard prompts you whether you want the existing data to be put in the Secured Area or not. If you choose ‘No’ it will warn you that you are going to lose all the data after initializing. If you are still accepting it and proceeding further all the data will be removed after initializing the device. There is no way that you can get those files back. This is the way EEFF/EERM works. if you want to retain data after encrypting/Initializing the device you have to choose YES to put the data in the Secured Area.

               

              You may confirm this by using another USB pen drive with some data in it . ( Pick a drive with only a few files to make the process faster)

              1. Plugin the device - Choose 'yes' when it prompts to initialize the device

              2. Set the Authentication Password and Recovery password in the next screen- Click on 'Initialize'

              3. Then it pops up a warning message " You currently have xMb of existing data on this device. Do you want thi data to be put in the secure area" - Choose YES

              4. Initialization progresses , it may take a few minutes as it has to move all data back to the secure Area right after the Initialization.

              5. Open the USB device drive , you can see all the files are back there.

               

              on 1/23/13 9:04:56 PM CST
              • 4. Re: Data lost on passport drive when encrypting device

                For those interested in following this thread, thought I'd just close it out with the following comments.

                 

                The initial response from McAfee provided by Peter Simmons was incorrect. In his response he states that you will only lose data "if you type 'YES' to creating a secure container on the drive. But you would have had to say YES."

                 

                The second response from McAfee provided by satheeshhpd was also incorrect on three fronts:

                1. He reports on the expected behaviour of EERM, when I had in fact confirmed thta the product in question was EEFF.

                2. He states that it does not permit you to either read or write to the USB device unless it was encrypted. Our policy settings were set to enable read but not write. However, for 3 months after installation it permitted both read and write then suddenly would not permit either.

                3. He states "There is no way that you can get those files back."

                 

                Most importantly, neither of the above posts provided a response to the question I was seeking an answer to, namely:

                     Finally back to my main concern, the lack of a straight answer - what happened when this encryption took place?

                     Did it simply overwrite the file allocation system and leave the data on the drive? Or did it physically delete the data on the drive?

                     Given that the encryption process took less than a minute, I'm hoping the former but fear the latter.

                 

                What has eventuated since then?

                 

                1.  I have had all of the data (files and folders) on the USB device recovered. I did, however need to use the services of a Forensic Data Recovery Service.

                2. Whilst I got all the data back, many files lost their original name, but did retain the original format of the application that created them. Not sure why this has occurred. I now have a major job ahead in opening all of these files to determine their content and appropriate name.

                3. Points 1 and 2 above therefore suggest that, as suspected, the encryption process did not over-write the full drive contents, it simply over-wrote the File Allocation Tables pointing to those files.

                4. The Forensic Data Recovery service used did advise that they have had several cases of data loss / recovery requests associated with McAfee endpoint encryption software. Their experience suggests that there are issues with large volume USB devices (i.e. passport drives as opposed to thumb drives). Data loss can occur even when selecting "YES' to backup the contents of a drive prior to encryption.

                 

                Based on my experience:

                1. I would not recommend McAfee endpoint encryption

                2. I would suggest to McAfee that given the potential for catastrophic data loss, they take the choice away from end-users as to whether data should be backed up or not and auto backup any files found before encrypting any drives. This would probably be the right option in 90%+ of cases anyway.

                3. For those that may have already lost data, do not despair, the data can be recovered despite the advice provided by McAfee, albeit it will require support from a specialist forensic data recovery service.