1 of 1 people found this helpful
yes, restoring the MBR was a very bad idea.
You're basically using the wrong key - that's why nothing is working. Force decryption with the wrong key was almost as bad as clearing the MBR.
Before you cleared the MBR you could have used the disk information to get the keycheck value, then you could have found that in EPO. Now, you're going to have to find all the keys associated with this machine and try them one by one.
Before that though, you need to force *encryption* with the wrong key to get things back how they started, then find the right key.
Why are you testing Sector 63? Is that where the PBR is according to the disk information?
Thanks for the reply.
When I restored MBR, idea was maybe drive is not encrypted yet.
I regret it right after reboot.
So I made a copy image after that. I understand I need right key. I have 2 old version of key on this machine.
If this two failed. Will there be no other way to recover data?
Talking about sector 63. I assume if I used right key than I can see some plane text. Because the sector is use as the windows start sector.
Without the right key there is no way to recover the data.
I question your use of 63, as most OS's use 2048 now. As long as you're sure you're trying to decrypt a PBR then it is indeed the right sector.
Luckily, I was able to recover data with one of old xml file.
Which is odd that I always thought the latest recovery file should be the right key all the time.
I guess there was communication issue with client between sever.
You are correct, the XML always has the latest keys for the machine. The only way the XML would have the wrong key, is if another machine had activated with the same agent GUID.
You're not cloning machines by any chance are you?
I'm glad you got the data back though.
I had the same exact issue where the MBR is overwritten.
Can u let me know if i have the relevant XML, how do you recover the data?
The eetech 6.1 does not have any option to browse the HDD.
As I know there are two kinds of eetech.
1. Stand alone - When you boot with this image, it directly launch eetech program.
2. EEtech on Windows PE - This image will road Windows PE. you can see command window after all. you can launch eetech program by DOS command.
With second one, you actually can browse your computer with windows explorer. And it returns popup window when you trying to access encrypted drive.
Hope it helps.
I only found the standalone copy from mcafee, can u send me the link for the 2nd eetech u mention?
i had the same exact issue like u and the standalone copy is not able to recover using the emergency boot since the MBR is gone.
i trying to find a way to copy the data off the encrypted HDD with no avail until i saw your similar post.
appreicate your guidance here.