16 Replies. Latest reply on Feb 15, 2014 7:03 AM by SafeBoot

    Force decrypt - best practices?

    karol99

      Hi, after trying all possible solutions I had to use force decrypt to get the data back from my laptop using SafeTech 5.1.7.
      I had a problem with the MBR (black screen only after laptop boot). Trying to restore it with "Restore EEPC MBR" showed a SafeTech corrupted error 92h. In A43 I saw my 2 drives (C, D) with a RAW file system. By chkdsk, C was shown as NTFS but the check was aborted. Checking D in read-only mode showed it also as NTFS with maybe 30 errors, but it did not continue (did not fix them) because of read-only mode. I was not sure, so I did not proceed with chkdsk in write mode. So I saw my drives but without files. For D I also saw that 90% of the space is occupied, which is correct. For C I saw 0 bytes.

      From my point of view there was no way to copy the data to another disk. Unfortunately I had to use force decrypt and nobody made a disk clone before it. Don't ask me why; I have really st***d IT support in my company.

      It's a 500GB disk (HP laptop) so I don't know how long it can take. A few minutes after force decrypt started it was on sector 95000, after the next hour on 111500 and after the next 2 hours on 114500. I saw in discussions here that it's slow because of bad sectors. I am almost sure that a cloned disk without bad sectors would be quicker, but the question is:

      1. Can I stop force decrypt? I know that loss of power to my laptop during force decrypt (or a reboot) could set me far back from being successful, but is it really that bad? What can really happen? I can imagine waiting a few weeks for force decrypt to be done, but if there is a good chance with a cloned disk I would go for it.

      Any best practices with force decrypt? How long should it normally take?

        • 1. Re: Force decrypt - best practices?
          karol99

          I have a small update. It still stays on sector 145000 for almost 17 hours.
          The HDD light on the laptop is ON but is not blinking. I can move the mouse.

          My last idea is to power it off and make a clone of the HDD to an empty one. Do you have a better one?

          Many thanks

          • 2. Re: Force decrypt - best practices?

            If you stop a force decrypt, it can not be resumed, so you might as well leave it running.

            • 3. Re: Force decrypt - best practices?
              karol99

              And what would happen if I switch it off? Would it help me if I run force decrypt from sector 145001?

              I already heard from my IT that he switched it off before when it was on sector 45000.

              Does McAfee support any solution for restoring the data? Then I would send the disk somewhere with the needed file.

              • 4. Re: Force decrypt - best practices?

                Same problem - you chose "force" so there are no safeguards. If you stop it, there's no record of how far it got.

                You'd have to work out the progress by manually inspecting the sectors to see what's encrypted etc. If it was in the middle of an empty section of the hard drive that's pretty easy; if it was in the middle of something compressed, not so. Just because it displayed 45000 does not mean that's the EXACT sector; it would have been working on a 2MB block from there onwards.

                I expect McAfee Professional Services could help you out - it's not something we typically have to do though.

                • 5. Re: Force decrypt - best practices?
                  karol99

                  I have a small update. After 6 days of force decrypt it was at the same place (145000), but this time with "not responding" text in the window header. I was on a business trip and our IT support shut it down, telling me that there is no chance and we should format it and check bad sectors to see if we need to replace the HDD. I will try to force decrypt the D drive and also make a raw copy of the whole HDD to a bigger external HDD.

                  Please help me with what to do now. Who should I contact at McAfee? I tried the normal way but they told me I need to present myself with a contract number. What should the procedure be?

                  Thanks

                  • 6. Re: Force decrypt - best practices?

                    You need to work with your IT department - your company has a support contract with McAfee just for their administrators, not for users, unfortunately. Plus, only they have the keys and tools necessary to recover their machines.

                    • 7. Re: Force decrypt - best practices?
                      karol99

                      OK. I am at the end of this deal, but I am the only one who is really trying to do something. In general, support wants to receive the error codes.

                      I created a raw backup image of my disk (without bad sector errors) and then restored it to a VMware virtual machine. I am not able to run WinTech because with no SATA drivers or no setting for AHCI in the BIOS my virtual disk is not shown. Only SafeTech can see my virtual disk. I am using the correct algorithm. I am using the correct file. I can't authenticate with my username because it writes "user failed". I don't have disk information (e002000a), so emergency boot or other solutions will not help me. Restore EEPC MBR is always successful but does not help. At startup, error 92h is present. So the only solution I found is maybe really force decrypt. Or do you see another way McAfee support can help me?

                      In Disk Information I see that the C partition begins at sector 2048. When I go to the workspace and decrypt it, I don't see any change, but after a second decrypt of the workspace I see some words! When I go to sector 2064 I need to decrypt it a third time to see some words. Sometimes it is really hard to say if a sector is really encrypted. Is there some hint for it? Or am I just lucky when I see words? Of course, if a sector is filled with some binary data I will not see any words. So I am just trying to find the range where it ends, but it's a really hard job, and it would really help if there is a way I can be sure whether some sector is really still encrypted or not.

                      For the D partition it looks like it is encrypted twice as a whole, or at least the first 50 sectors look so.

                      The disk is really big and encryption will take a lot of time (it was already cancelled twice before). Normally there is a way to mount the disk, but I need to have the disk information for this operation. Can I somehow decrypt this information only? I know that on an NTFS drive it can consume 20GB, but maybe you have an idea. Please try to comment on my question marks. Thank you.

                      • 8. Re: Force decrypt - best practices?

                        "When I go to workspace and decrypt it, I don't see any change"

                        Do you literally mean this, or do you mean that the sector does indeed change, but you can't make sense of it?

                        Basically, when you are testing for decryption, if you see English words then it's decrypted for sure - the chance of that happening at random is astronomically small. But if you see ANY patterns, it's likely to be decrypted - even the same byte repeated a few times in a row is very unlikely with encrypted data.

                        How did the drive get encrypted twice, do you think? Nothing you mention in your original post indicates you encrypted a second time - you mention you decrypted once before though.

                        You really need to get WinTech working - the VMware drivers are included on the VMware Tools CD; just include them when you create your WinPE image.

                        There are no shortcuts here - you need to work out the crypted ranges and reverse the operation. Force Decrypt does not track its progress, so the only way to resolve this is to work out by inspection what is and is not crypted and reverse it.

                        Just take it step by step and write down what you do so you can reverse it if needed, but if you have an image, you can always go back to that.

                        Try and work out ranges of activity or it will take you a lifetime to resolve. Start at the ends of the drive and divide by two each time, then work out what state that point is in. Once you've identified how to resolve each block you can use the force option to get it back to plain text.

                        You're not looking for words, remember; you're looking for patterns. Encrypted data NEVER has any patterns.

                        You can't mount the disk unless it's in a single encryption state. Yours is too messed up, it would seem.
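The two pieces of advice in the reply above (judge a sector by whether it shows any pattern a cipher would destroy, then bisect the drive to find where the state flips) can be scripted against a raw image instead of eyeballing sectors in a workspace. The following is an added example written for this page, not a McAfee/SafeBoot tool and not code from anyone in the thread. It assumes 512-byte sectors, uses entropy/repeat/printable thresholds that are assumptions tuned for that size, builds a constructed in-memory image standing in for a raw dd copy (pseudo-random bytes play the role of cipher output), and takes the "2MB block from there onwards" figure from the earlier reply. The caveat from that reply still applies: compressed or otherwise already-random plaintext will be reported as crypted, so use survey() to look at the neighbourhood of any boundary before acting on it.

```python
"""Sector-state triage for a partially force-decrypted raw disk image.

Added example, not McAfee/SafeBoot tooling. Classifies 512-byte sectors as
'plain' or 'crypted' from byte statistics, then bisects a range to find the
sector where the state flips. Thresholds and the demo image are assumptions.
"""
import math
import random
from typing import Callable, List, Tuple

SECTOR_BYTES = 512
FORCE_BLOCK_BYTES = 2 * 1024 * 1024  # the "2MB block" a force decrypt works on, per the thread


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant sector, roughly 7.6 for 512 cipher/random bytes."""
    n = len(data)
    if n == 0:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def longest_run(data: bytes) -> int:
    """Longest run of one repeated byte value (the 'UUUU UUUU' signal in the thread)."""
    best = run = 0
    prev = None
    for b in data:
        run = run + 1 if b == prev else 1
        best = max(best, run)
        prev = b
    return best


def printable_fraction(data: bytes) -> float:
    """Share of bytes that are printable ASCII or tab/CR/LF."""
    if not data:
        return 0.0
    return sum(1 for b in data if 0x20 <= b <= 0x7E or b in (0x09, 0x0A, 0x0D)) / len(data)


def looks_plain(sector: bytes) -> bool:
    """A sector is plaintext if it shows any structure a block cipher would erase.
    Assumed thresholds for 512-byte sectors. Compressed or already-random plaintext
    is misjudged as crypted, so a 'crypted' verdict is weaker evidence than 'plain'."""
    if longest_run(sector) >= 4:            # repeated bytes, zero fill, padding
        return True
    if printable_fraction(sector) >= 0.85:  # readable text or ASCII metadata
        return True
    return shannon_entropy(sector) < 7.2    # anything well below cipher-level entropy


def find_boundary(read: Callable[[int], bytes], lo: int, hi: int,
                  state: Callable[[bytes], bool] = looks_plain) -> int:
    """Bisect [lo, hi]: requires state(lo) != state(hi) and assumes a single flip in
    between; returns the first sector whose state equals state(hi)."""
    lo_state = state(read(lo))
    if state(read(hi)) == lo_state:
        raise ValueError("sectors %d and %d are in the same state" % (lo, hi))
    while hi - lo > 1:
        mid = (lo + hi) // 2
        if state(read(mid)) == lo_state:
            lo = mid
        else:
            hi = mid
    return hi


def survey(read: Callable[[int], bytes], centre: int, radius: int = 8) -> List[Tuple[int, str]]:
    """Per-sector verdicts around a candidate boundary, for checking the transition by eye."""
    out = []
    for s in range(max(0, centre - radius), centre + radius + 1):
        try:
            data = read(s)
        except IndexError:
            break
        out.append((s, "plain" if looks_plain(data) else "crypted"))
    return out


def force_block_range(sector: int) -> Tuple[int, int]:
    """Sector range a force decrypt that displayed `sector` would have been working on
    (a 2MB block from there onwards), since the shown number is not the exact position."""
    per_block = FORCE_BLOCK_BYTES // SECTOR_BYTES
    return sector, sector + per_block - 1


def build_demo_image(total_sectors: int, boundary: int, plain_first: bool = True, seed: int = 7) -> bytes:
    """Constructed image: one side plaintext (text lines and zero fill), the other
    pseudo-random bytes standing in for cipher output. Not real SafeBoot data."""
    rng = random.Random(seed)
    sectors = []
    for s in range(total_sectors):
        if (s < boundary) == plain_first:
            if s % 5 == 0:
                sectors.append(bytes(SECTOR_BYTES))
            else:
                line = ("sector %d: NTFS file data, plain text\n" % s).encode()
                sectors.append((line * (SECTOR_BYTES // len(line) + 1))[:SECTOR_BYTES])
        else:
            sectors.append(bytes(rng.getrandbits(8) for _ in range(SECTOR_BYTES)))
    return b"".join(sectors)


def sector_reader(image: bytes) -> Callable[[int], bytes]:
    """Reader over an in-memory image; for a real dd copy, seek/read a file the same way."""
    n = len(image) // SECTOR_BYTES
    def read(s: int) -> bytes:
        if not 0 <= s < n:
            raise IndexError(s)
        return image[s * SECTOR_BYTES:(s + 1) * SECTOR_BYTES]
    return read


if __name__ == "__main__":
    read = sector_reader(build_demo_image(total_sectors=4096, boundary=2500))
    flip = find_boundary(read, 0, 4095)
    print("state flips at sector", flip)
    for s, verdict in survey(read, flip, radius=3):
        print(s, verdict)
    print("a force decrypt showing", flip, "was working on sectors", force_block_range(flip))
```

Against a real image, point sector_reader at the dd copy, start with lo and hi at the two ends of a partition, and repeat find_boundary on each sub-range whose ends disagree until every flip is located; a drive that has been through two cancelled force decrypts can have several such flips, and the single-flip assumption inside find_boundary is exactly why survey() should be run around each result.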

                        • 9. Re: Force decrypt - best practices?
                          karol99

                          For your first question: by decrypting the workspace there is always some change to see, but after the first decrypt there are no readable patterns.

                          You wrote "if I see ANY patterns". What kind of patterns should I see? Please write some example so I can be more sure about it. Repeatable text really helps.

                          I was also using your idea to find the border between two and three times decryption. Now on the C drive I am fighting with 144 sectors where it is hard to say if it's encrypted 1 or 2 times. Sector 1 in this area shows a lot of UUUU UUUU after the first decrypt and sector 144 in this area shows such a pattern after the second decrypt. You wrote that I can mount the disk only if one decryption is made. Can I mount it when there is no encryption in some sectors and in some sectors there is? Let's say I will decrypt the whole area so somewhere between 1-144 will be the border between no encryption and first encryption. Then I don't have to care where the border is exactly.

                          How did this happen? As I wrote, force decrypt was run 2 times and cancelled. Also because of this I am not sure if my colleague from IT did not click on the encrypt button instead of the decrypt button. My other colleague told me that he saw focus on this button (rectangle border on the button when it's pressed). So I am not sure of anything.

                          They don't have time to go through all sectors. They would only reinstall my laptop and that is the solution. Is it stupid? Maybe. Or maybe they are only too busy. I don't care. I need to have it done and it looks like I am alone in that now. Or do you think that McAfee support can help me more?

                          I spent a few hours today finding a solution for the VMware machine to see the SATA in WinTech to speed it up. I did not find a solution. VM tools can't be installed because of some missing DLLs. SCSI drivers are not enough.

                          What about using some Win 7 virtual machine, connecting my SATA vmdk file there as a second HDD to see it in the system, and running WinTech in the Win 7 environment? Normally in my Win XP I see the message "Endpoint Encryption disk driver not present" by Get Disk Info. Maybe I only need some software which my IT desk has.

                          How much quicker is WinTech vs SafeTech by force decrypt? I gave it now all sectors from the C drive (80GB) and the speed is like 8% in 5 hours (force decrypt in SafeTech). The good thing is that now I see it moving. It doesn't stay at the same place like it did before on the original laptop.

                          Lots of thanks for your support.
