1 2 Previous Next 17 Replies Latest reply on Oct 6, 2016 9:08 AM by SafeBoot

    Recovering Data From A Disk (McAfee ePolicy Orchestrator 5.0.1)

    denis.m

      I have a laptop which was encrypted with MEE and it got a boot failure.

       

      The Mcaffee screen was working fine until someone was trying to repair and using a Windows 7 CD and he corrupted the EE screen

       

      When i try to boot from WinPE bootable CD  and go to files i can see the drives but they are encrypted.

       

      The Option to remove EE using the code of day all are not working, and also  when i download the Recovery file from the EPO server, it authenticates but i don't get to read the data.

       

      Kindly guide me on getting data from these the encrypted Drives

       

       

      Regards

      Denis

        • 2. Re: Recovering Data From A Disk (McAfee ePolicy Orchestrator 5.0.1)
          jhall2

          The MBR has been overwritten. This results in the loss of the crypt list. The crypt list informs the driver of what sectors are encrypted, without it it assumes there are no encrypted sectors. I would suggest restoring the MDE MBR. However, this functionality was not added until 7.1 and being you are running ePO 5.0, you are not running MDE 7.1.

           

          It still may be possible but will require editing the recovery XML. EEPC 7.0 DETech disks have the ability to restore the original MBR. The recovery XML contains both the original MBR and EEPC MBR. Open the XML in a text editor and replace the value between <data> and </data> for the original MBR with that of the EEPC MBR, boot to DETech, authorize and authenticate with the XML and then click Restore Original MBR.

           

          If this doesn't work a force decrypt will be required. This process is outlined in KB66433. If you have any questions, please give us a call to assist.

           

          Also, I would highly recommend that start the planning process to upgrade ePO to a supported version. ePO 5.0 went end of life December 2014.

          • 3. Re: Recovering Data From A Disk (McAfee ePolicy Orchestrator 5.0.1)
            denis.m

            Hi Jhall2,

            I have been trying to create the DeTech CD, but am still unsuccessful and all options are still not working.

             

            I came across something which says trying to restore the MBR on encrypted drives can lead to permanent loss of data.

             

            Any Help please

             

            Regards

            Denis

            • 4. Re: Recovering Data From A Disk (McAfee ePolicy Orchestrator 5.0.1)

              Please give more details "all options are still not working" - we can't help you without knowing what the exact problem is.

               

              Regardless though, the only options which would work would be the workspace and force decrypt. Since the MBR was changed, none of the automatic removal functions will work now.

               

              You should follow jhall2's advice.

               

              The data is perfectly recoverable as long as you have the correct key for the drive, and encryption had finished. If you are not comfortable doing this yourself, contact your platinum support person and raise a ticket for assistance.

              • 5. Re: Recovering Data From A Disk (McAfee ePolicy Orchestrator 5.0.1)
                ja2013

                Hi Denis, Well your system has had something done but not sure yet as I try to sift out where to start.

                 

                1. It sounds like you got the tools to boot but one of your comments made me unsure of that. If you want to do a drive recovery make sure you use the correct tools based on the version of de that you have. Try my ezpe32 builder to make that happen. EZPE32 & EZSA32 Builder - Recovery Tools Builder  Version 7.5 July 16, 2017

                2. Boot the cd or bootable usb.

                3. After you boot the system in question, start with the code of the day, from the EZ tool menu.

                4. Add that unique code from the day you try to do the recovery and after you add to the upper right side

                of screen click to authenticate. Should say it is authenticated.

                5. Now add the machine key (xml) file obtained from ePO.

                 

                If you got the right xml it will automatically authenticate without any fanfare and say authenticated. If you get ANY pop up while trying to check the xml in, you do not have the correct one. Don't continue in that case.

                 

                6. If that goes well, bring up the a43 browser or the explorer ++ and try to browse the drive you believe to have been encrypted. If you see the data, that is good news. Drag and drop data to a usb drive. Don't bother decrypting until you have every opportunity to copy the data off. Better safe than sorry.

                 

                7. Now if you can't see the drive at all you might have an opportunity to restore the de mar.

                 

                Trying to give you something to go on instead of nothing. Keep me posted!

                 

                Jay

                • 6. Re: Recovering Data From A Disk (McAfee ePolicy Orchestrator 5.0.1)
                  denis.m

                  Hi Jay,

                  I have this errors when i try to use  EZPE32 builder to make a DETech bootable CD such that i may authorize using code of the day to get data from the encrypted Disks

                  EE.JPG

                  When i used WinPE EEtech Cd created by my predecessor am in position to view encrypted Drives under work space . But both code of the day or XML file don't function.( They show authorized but i get nothing)

                  IMAG0929-Optimized.jpg

                  Please advise on why i have all those errors while i use the builder to build  DETech CD and should i do.

                   

                  It really has important data

                   

                  Thanks Denis

                  • 7. Re: Recovering Data From A Disk (McAfee ePolicy Orchestrator 5.0.1)
                    ja2013

                    Hi Denis,

                                   In your original post I wasn't sure if you had built the tools correctly. If the code of the day and more importantly the xml are correct you should be able to see data unless someone has messed around with the mbr or there are other factors I am unaware of. I would open a ticket with McAfee and let them guide you through this further. I feel like some checks and balances need to be done to make sure everything is right before proceeding. Never mind the EZ tools at this point if you have a known working and correct version of the tools. The EZ will help you with various version build of the tools.

                     

                    btw it looks like the Microsoft Assessment kit isn't installed from the picture you provided.

                    • 8. Re: Recovering Data From A Disk (McAfee ePolicy Orchestrator 5.0.1)
                      denis.m

                      Hi Jay,

                      When  i authorize using code of the day and authenticate using the XML file, Remove EE and all the Other Disk Operations become active. But when i try to remove EE i get an error. I can also see the drives but they are still encrypted.

                      I would try to use Restore MBR but these will result into disappearance of the encrypted disks

                       

                      Do u think creating DETech CD will enable me to authorize and authenticate to enable me copy the data. 

                      In regard to the building tool, i have  mounted and installed the KIT,  and we are doing it on windows 10

                       

                      Regards

                      Denis

                      • 9. Re: Recovering Data From A Disk (McAfee ePolicy Orchestrator 5.0.1)

                        It would really help if you could mention which specific error message you are getting.

                        1 2 Previous Next