17 Replies. Latest reply on Mar 6, 2014 8:16 AM by SafeBoot

    Need help/advice data recovery from Endpoint encrypted laptop

    capri

      Company issued laptop encrypted with McAfee Endpoint Encryption V5.2 and story like others, I'd like to get my data back.

      I am working with my IT Dept. but I think this is first for them (for me too).

      One day when trying to power up my laptop I get "the following file is missing windows/system32/windows/config".

      To make a long story short, stupid me, I ran "fixboot" on the machine.

      Now the machine shows my 160GB drive as a 10MB HD, FAT12.

      The folders are there but their names appear like weird hieroglyphic characters, dates like October 20 2089 ???

       

      Trying subsequently to boot the machine I get the McAfee Endpoint Encryption screen and I can log in OK with my ID and password

      but the message this time is that the OS is missing.

      I made a clone of the drive and gave the laptop to our IT Dept.

      The IT guy says he removed the encryption from the HD but sees nothing on it ?

       

       

      What is the proper procedure/steps to be taken here ?

       

      I am a bit confused because McAfee in the KnowledgeBase of the product states that fixboot disables preboot authentication and an

      emergency procedure must be used, but as stated above I do get McAfee log in screen ????

       

      Thanks in advance for any help.

        • 1. Re: Need help/advice data recovery from Endpoint encrypted laptop
          rbdudani

          Hi

           

          1. What is the current status when you boot the system? (SafeBoot screen or blank screen?)

           

          PS: if the SafeBoot screen is not there you will need the .SDB file for this machine from the server to decrypt it.

          • 2. Re: Need help/advice data recovery from Endpoint encrypted laptop

            fixboot just resets the MBR - so far more changes than that must have occurred.

             

            If usually you have to authenticate with the pre-boot, then one day you got that Windows error without authenticating, then somehow an OS was installed on your machine - perhaps a recovery console?

             

            Regardless though, the correct response from your IT team was an emergency boot, or a decryption - that will fix the problem you describe.

             

            However, if something other than fixboot has affected the machine, we would need to know what that was to suggest the solution to it.

             

            You can't usually get the pre-boot screen after doing a fixboot - that's impossible as fixboot changes the MBR - how did you run fixboot though? Off a recovery CD?

             

            Are you sure you're not suffering from a root kit virus?

            • 3. Re: Need help/advice data recovery from Endpoint encrypted laptop
              capri

              First of all thank you for your replies, keep them coming!

               

              I booted off the Windows XP CD and ran fixboot from the recovery console.

              My laptop is/was set up in such a way that I always have to authenticate with pre-boot (have to enter my ID and password into a McAfee window before

              laptop boots).

              This McAfee window (I need to be very graphic here) always shows up.

              Even after I ran fixboot and tried to boot the machine again this window came up, I entered my credentials, then I got the "missing operating system" message.

               

              Nothing else was done on the laptop so I have no clue what could have affected it?

               

              The laptop is protected by McAfee anti-virus, never had any issues.

              How does a root kit virus manifest itself?

               

              Thanks again.

              • 4. Re: Need help/advice data recovery from Endpoint encrypted laptop
                capri

                When I boot the machine, first I have to authenticate: I get the McAfee window/screen, I enter my ID and password, it accepts it.

                Next it goes to a black screen and at the top of it it says "missing operating system".

                • 5. Re: Need help/advice data recovery from Endpoint encrypted laptop

                  Sounds logical. Your IT team will either need to decrypt the machine and then re-fix the boot sequence, or copy the data off and reimage. The fact the pre-boot still works is a good thing since they won't need to use any possibly outdated information from their systems.

                  • 6. Re: Need help/advice data recovery from Endpoint encrypted laptop
                    capri

                    Yes it works, and let's hope it is a good thing, but the question is WHY does it work?

                    I read in McAfee FAQs (BTW can you copy and paste on to this site, if so how?)

                    about the Endpoint Encryption product that the fixboot command destroys pre-boot and an emergency

                    procedure needs to be used (there is no McAfee window/screen), therefore why does my pre-boot work?

                     

                    The IT guy tells me that he removed the encryption but sees 160GB HD with no data on it.

                     

                    BTW to make it clear we are working with 2 clones here, the original drive has NOT been touched.

                    One drive IT has, one drive I have at home.

                     

                    Last night I ran EaseUS Partition recovery on the encrypted clone and it found a FAT16 partition

                    so I have restored it.

                    The drive looks like this now:

                    [Images: IMG_1484.JPG, IMG_1485.JPG, IMG_1486.JPG]

                    This drive is connected via USB dock to my home laptop.

                     

                    So right now what I have at home and what you see in the pictures is a drive with a restored boot sector but still encrypted.

                    Should I give it to the IT guy to decrypt this one?

                    • 7. Re: Need help/advice data recovery from Endpoint encrypted laptop

                      Nope - your partition recovery tool found the FAT32 records for the pre-boot file system. Unfortunately, it's not stored as a real partition, so all it will be able to do is recover the root folder structure - none of the files will work or be recoverable. It's messed things up even more so discard this - it's worthless and no help whatsoever.

                       

                      You need to give your IT team a full binary image of your whole drive, not a partition image (or the real drive) and they need to do either an eboot or a decryption. Tinkering will get you nowhere.

                      • 8. Re: Need help/advice data recovery from Endpoint encrypted laptop
                        capri

                        What tool/program would you recommend for taking a "full binary image"?

                         

                        As far as tinkering, I am learning and it is a good thing...

                        • 9. Re: Need help/advice data recovery from Endpoint encrypted laptop

                          I used to use Ghost many years ago - but sorry, it's not something I've done in years.
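
Added example, not part of any post in this thread and not McAfee's procedure: one way to take the "full binary image" of the whole drive that reply 7 asks for, and to prove the copy is byte-identical before anyone attempts an emergency boot or decryption on it. It assumes a Linux host with GNU coreutils and util-linux; the function names and any device or file paths are hypothetical.

```shell
#!/bin/sh
# Sector-level image of a WHOLE drive plus an integrity check.
# Assumptions: Linux, GNU coreutils (dd, sha256sum), util-linux (lsblk, blockdev).

# Size in bytes of a block device, or of a regular file (used for test input).
src_size() {
    if [ -b "$1" ]; then blockdev --getsize64 "$1"; else wc -c < "$1" | tr -d ' '; fi
}

# image_whole_drive SRC DST
# Returns 0 only when DST is a byte-for-byte copy of SRC.
image_whole_drive() {
    src=$1; dst=$2
    # Refuse partitions (e.g. /dev/sdb1). Reply 7 notes the pre-boot file
    # system is not stored as a real partition, so a partition image misses it.
    if [ -b "$src" ] && [ "$(lsblk -dno TYPE "$src")" != "disk" ]; then
        echo "refusing: $src is not a whole disk" >&2; return 2
    fi
    # Never overwrite an existing image.
    if [ -e "$dst" ]; then
        echo "refusing: $dst already exists" >&2; return 3
    fi
    # Copy every sector, including sector 0 and any unpartitioned gaps.
    dd if="$src" of="$dst" bs=1M 2>/dev/null || return 4
    # A short image means sectors were lost; treat it as a failure.
    [ "$(src_size "$src")" = "$(src_size "$dst")" ] || return 5
    src_hash=$(sha256sum < "$src" | cut -d' ' -f1)
    dst_hash=$(sha256sum < "$dst" | cut -d' ' -f1)
    [ "$src_hash" = "$dst_hash" ] || return 6
    # Keep the hash beside the image so later working copies can be checked,
    # and make the master image read-only; work only on copies of it.
    echo "$src_hash  $(basename "$dst")" > "$dst.sha256"
    chmod a-w "$dst"
}

# Usage (hypothetical paths): sh image.sh /dev/sdb /mnt/evidence/laptop.img
if [ "$#" -eq 2 ]; then
    image_whole_drive "$1" "$2"
fi
```

Recovery attempts such as partition-repair tools should then run against a copy of the verified image, never against the original drive or the master image.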
