I do a bit of data recovery for my clients, and I'm hoping you guys can help me with this case.
Some time ago, a client gave me a drive from her laptop, asking me to recover her data, which seemingly has a corrupt Windows installation. After analyzing the drive for some time, I realized the drive was encrypted. Now by pure coincidence, I used to work for a firm that uses Endpoint Encryption, so when I saw folders like 'SbAlgs' etc., I knew what I was up against. The client isn't technical, and to this day, she and her IT manager say the drive isn't encrypted, but whatever...
Now, the drive was actually encrypted with HP ProtectTools. From searching this forum, I know I'm supposed to contact HP, but that laptop is LONG past warranty expiration.
Fortunately, I have access to Safeboot Wintech and the Code of the Day, so I'm able to boot into WinTech, authorize via the Code of the Day, and mount the Safeboot File System, which gave me access to the Safeboot folders:
Next step of course was to Authenticate so I could mount the actual data partition and simply copy the data to the external HDD I had attached. This is where the problem is: I don't know her username, and she doesn't remember it exactly.
I have her Safeboot password, and have verified that it works by actually booting from the disk. When it boots, the HP ProtectTools boot menu appears, with the username already filled in like "Jane Doe". I enter her password and it's accepted, but Windows gives an error and doesn't boot. In WinTech, I try to enter "Jane Doe" for the username, but it doesn't accept it, giving me the good old "Authentication Parameters Incorrect" error.
So I'm in the somewhat hilarious position of having an intact HDD, able to authorise, I know the password, but don't know the username. Ain't life something?
I explored the folders I listed above, and in 'DataStore', there are two folders:
- Plus a file named 'DATASTORE.DAT'
Each contains a folder called '00000001' which has the files 'ATTRIB.DAT' and 'NAME.DAT'. In the first folder, the NAME.DAT file has a single line with "nameofcompany-userlaptop\userfirstname" (It's publicly identifiable information, so I can't say what it is.). Anyway, I tried that and it didn't work. I also tried the part after the '\'. Doesn't work either. The ATTRIB.DAT file just shows me rows of digits grouped by 4, but when I change the file encoding, I see lots of gibberish, but it has the following: TokenType=01008004, UserID=00000001, Username=nameofcompany-userlaptop\userfirstname as listed in the NAME.DAT file. However, that doesn't work as the username.
So guys, how can I find the Safeboot Username? I have all the files on the SBFS, including AuditLog.dat (gives me gibberish when I try to open it in a text editor). Can AuditLog.dat and ATTRIB.DAT be decoded, so I can possibly see any other username values?