With EETECH 6 and the daily key and XML file in hand I can look at both the pre-boot and boot partitions. I also performed a sector level backup of the users laptop HDD utilizing Acronis TrueImage.
The users laptop is Windows 7 Enterprise with a single boot partition on a 500GB HDD.
I'm certain this is neither the first nor last time an authorized power-user will accidently step on their encrypted HDD partitions.
If the pre-boot is no longer functional and the MBR of the boot partition has been modified such that decryption of the HDD and recreation of the file system is not so straight forward ... is this a recoverable situation such that at least files can be recovered? Being that this a remote support situation, what technical references and additional software tools should I ask our central support organization for? I don't see me being able to get them without our corporate account information with McAfee.
Being that the end-user's need to recover the data is critical I'm beginning to think that we just send the drive off to one of the more reputable recovery services and encourage our power-users to take more care especially as this is their first experience with full drive encryption being deployed across all organizations.
For me, it highlights the need for backups and off-site storage of the end-user's data.
From what I can tell ...
1. Make a backup and operate on that ... I'm assuming a sector level backup is necessary
2. Using EETech or other available tools decrypt the partition (using the backup written to some other HDD)
3. Any number of commercial recovery tools can then be used on a decrypted partition to recover the partition (as in maybe) or at least recover critical files.
It would be great if someone else can verify my musings from all my reading ... especially someone from McAfee.
yes, decrypt the partition, then you can use any standard file recovery tool to recover the data.
Third party data recovery companies won't be able to recover the files until the drive's encrypted either.
Thank you for confirming this for me SafeBoot. I'm very much appreciative of your time! ;-)
I hope to perform the decryption and recovery this afternoon.
I'll report back as to my results later.
Again, Thank You!
Hi, any updates as to how it went ?