There is no DETech for OSX, because EEPC software encryption is only supported under Windows.
I'm not sure there is a solution for this - since EEPC is not supported on Mac hardware either. You could perhaps image the partition and then copy it onto a regular PC ?- Then you'll be able to use a DETech/EETech bootable version etc.
Many thanks for your response.
It has taken me a while, but I have imaged the partition to a regular PC, and
then decrypted with EETech bootable version.
With HexEditor, I can see lots of data (strings, email text etc) on the
I then re-imaged this decrypted partition back to the Mac SSD.
When I reboot, I get "Missing Operating System".
I noticed that the first sector on the original encrypted partition was not
actually encrypted(!). This sector contains the "NTFS" oem id in the
first few bytes. So, I copied just this original first sector to my decrypted partition.
Note: I can't tell for sure from which sector the encryption started.
Then when I reboot, I get " disk read error occurred. Press Ctrl+Alt +Del to restart."
Next I will try imaging the decrypted partition to a regular USB disk, and I will try
to repair it on a Windows PC (chkdsk, etc.).
If you can offer any insight, or any suggestions, that would be greatly appreciated.
Because I can see the user data on the decrypted partition, it seems tantalisingly close.
Moved to Mac and Linux Products
If you think you decrypted the partition (unless you wrote down EXACTLY what you did, it's not really possible to offer any suggestions), then the only thing I can think of is to use a file recovery tool.
The last sector of a partition is a duplicate of the NTFS boot sector so you can always copy it back from there.
Yes - I'm sure I decrypted the entire partition (including the first sector which wasn't encrypted).
So, then I unencrypted the first sector which has the NTFS boot sector.
Next I transferred it to a partition (of the same size) on an internal SSD. However I noticed the starting
sector of the target partition was different to the starting sector of the original partition.
So, I think the pointers (e.g. the address on the disk in the NTFS boot sector of the MFT, etc)
will be wrong unless the partition is restored to the exact same place (starting sector) on the SSD.
Next I will try to restore the partition onto the exact same starting sector on the SSD.
BTW, I found at least 4 NTFS boot sectors on the decrypted partition.
I'm assuming the first one is the correct one.
ok ... still not working
One thing I've noticed is that my internal SSD (which contains a sector image of the
original SSD which got encrypted and crashed) has two partitions:
Partition 0 / type 0xEE (Unknown) / Start Sector 1 / Sector count 411647
Partition 1 / type 0x07 (NTFS) / Start Sector 411648 / Sector count 976361472
The first partition was never encrypted (i.e. I can see regular text in the workspace).
It looks like only the second (NTFS) partition was encrypted.
Also the first sector on the second partition (sector 411648) contains the
NTFS boot sector, and this one sector also was not encrypted.
I have decrypted the second partition (except for sector 411648 which
has the NTFS boot sector). As far as I can see the NTFS partition looks
good, and contains MFT and files, etc. In the workspace, I can even
see text from files, and emails, etc.
Maybe the problem is now because of the first (unknown) partition.
Is that the reason I can't mount the disk..?
I wonder should I try delete the first partition (with DISKPART),
and then run CHKDSK to fix the NTFS partition..?
Any thoughts ..?
I would think your MBR is the problem. Chkdsk is not going to resurrect a partition for you. You need a disk recovery tool.
I've run CHKDSK, based on the NTFS boot sector which was at sector 0.
It has repaired and restored the BootCamp NTFS filesystem - but there are no files.
On this BootCamp partition, I had previously counted several NTFS boot sectors
in addition to the NTFS boot sector at sector 0. I know that BootCamp was installed
several times on this partition.
I think that each time BootCamp is installed, then it creates a new NTFS boot
sector in a new place - i.e. the original one at sector 0 is not re-used.
In that case, I will try to copy one of the other NTFS boot sectors (maybe
the last one I can find before the data) to sector 0, and then I'll try running CHKDSK,
which should rebuild/repair the NTFS filesystem based on the valid NTFS boot sector.
I can see now why McAfee device encryption doesn't work on MacBook (BootCamp).
If the NTFS boot sector isn't at sector 0, then when the PBFS starts, it won't
find any files (e.g. MS-Windows, etc).
so, I've counted 10 NTFS boot sectors.
I tried copying one to sector 0, to overwrite/replace the original NTFS boot sector.
But CHKDSK, reported it as invalid, and used the copy (mirror) instead.
Inspecting each NTFS boot sector, the entry for the MFT location is empty (all zeros).
So, these are invalid NTFS boot sectors.
I think that what I need to do is find the starting sector of the real MFT, and
enter this into the NTFS boot sector (at position 0x30). That way the boot sector
would be pointing to the correct MFT, and not pointing to the incorrect (empty) MFT.
The current NTFS boot sector points to MFT at cluster 0x 00 0c 00.
In decimal, this is cluster 12, (sector 96, because there are 8 sectors per sector).
Looking at sector 96, there is no MFT.
However, I can see that the MFT is actually at sector 24.
So, something wrong with my calculations maybe ..?
I guess I need to do the following...
1. Find the correct start sector of my correct MFT.
2. Convert this sector to the correct cluster number
3. Update the NTFS boot sector (at position 0x30) with the
cluster number of my correct MFT.
4. Run CHKDSK
Any comments welcome