All times are UTC - 5 hours [ DST ]




 Post subject: PGP Recovery
PostPosted: July 19th, 2017, 15:38 

Joined: June 11th, 2013, 17:01
Posts: 1710
Location: Phoenix, AZ USA
I guess I must have been lucky in the past but this is the first time I have come across PGP so would like some advice please. This is a drive from a laptop.

The first 5 sectors seem to relate to PGP, ending with a BGFS record at sector 4.
Sector 6 - MBR
Sectors 13-16 - user ID information
Sector 17 has reference to UR WDE Admin Key.
Sector 62 - reference to the drive (model s/n etc)
From then on the data looks encrypted.

If I carve out an image starting from the MBR I get 2 partitions but with no file system.
I also have the recovery key from the client.
I have tried Elcomsoft Forensic Disk Decryptor for whole disk encryption but that does not work.

Is this whole disk encryption or container?
Any other advice for me?

_________________
HDD, SSD, Flash and RAID Data Recovery
Founder of The Data Recovery Professionals Group
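
A read-only triage script for the layout described in the post above, added here as an example and not part of the original thread or of any vendor tool: it scans the leading sectors of a clone for the `BGFS` marker, a displaced MBR and the first high-entropy sector. The ASCII form of the marker, the 64-sector window, the 7.0 entropy threshold and the constructed sample image are assumptions made for illustration.

```python
import hashlib
import math
import struct

SECTOR = 512

def parse_mbr(sec):
    """Return non-empty partition entries if sec looks like an MBR, else None."""
    if sec[510:512] != b"\x55\xaa":
        return None
    parts = []
    for off in range(446, 510, 16):
        boot, ptype = sec[off], sec[off + 4]
        start, count = struct.unpack_from("<II", sec, off + 8)
        if boot not in (0x00, 0x80):
            return None  # invalid boot flag: not a partition table
        if ptype and count:
            parts.append({"type": ptype, "lba_start": start, "sectors": count})
    return parts or None

def entropy(data):
    """Shannon entropy in bits per byte; ciphertext sectors score well above 7."""
    counts = [data.count(b) for b in set(data)]
    return -sum(c / len(data) * math.log2(c / len(data)) for c in counts)

def triage(image, max_sectors=64, marker=b"BGFS"):
    """Report marker sectors, the first MBR and the first high-entropy sector."""
    rep = {"marker_sectors": [], "mbr": None, "first_high_entropy": None}
    for n in range(min(max_sectors, len(image) // SECTOR)):
        sec = image[n * SECTOR:(n + 1) * SECTOR]
        if marker in sec:
            rep["marker_sectors"].append(n)
        parts = parse_mbr(sec)
        if parts and rep["mbr"] is None:
            rep["mbr"] = {"sector": n, "partitions": parts}
        if rep["first_high_entropy"] is None and entropy(sec) > 7.0:
            rep["first_high_entropy"] = n
    return rep

def build_sample():
    """Constructed 64-sector image laid out like the drive in the post."""
    img = bytearray(64 * SECTOR)
    img[4 * SECTOR:4 * SECTOR + 4] = b"BGFS"
    mbr = 6 * SECTOR
    struct.pack_into("<B3xB3xII", img, mbr + 446, 0x80, 0x07, 2048, 204800)
    struct.pack_into("<B3xB3xII", img, mbr + 462, 0x00, 0x07, 206848, 1000000)
    img[mbr + 510:mbr + 512] = b"\x55\xaa"
    img[63 * SECTOR:] = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(16))
    return bytes(img)
```

To use it on a clone, read the first 64 sectors of the image file in binary mode and pass the bytes to `triage`. The partition start LBAs it reports are the values stored in the table, so they may need adjusting by the MBR's own sector offset when the MBR is not at sector 0.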


 
 Post subject: Re: PGP Recovery
PostPosted: July 19th, 2017, 18:03 

Joined: October 16th, 2013, 13:21
Posts: 713
Location: Brazil
What does the customer say about the encryption method / software used?

Did you get a 100% clone, or are many parts missing?


 
 Post subject: Re: PGP Recovery
PostPosted: July 19th, 2017, 18:15 

Joined: September 8th, 2009, 18:21
Posts: 15463
Location: Australia
Do these URLs help?

https://support.symantec.com/en_US/arti ... 04285.html
https://knowledge.symantec.com/support/ ... ide_en.pdf

_________________
A backup a day keeps DR away.


 
 Post subject: Re: PGP Recovery
PostPosted: July 20th, 2017, 12:22 

Joined: June 11th, 2013, 17:01
Posts: 1710
Location: Phoenix, AZ USA
Thanks for the replies. Here is what the client said.

"PGP Desktop Encryption was initially installed on the hard drive, it was then upgraded to Symantec Encryption Desktop 10.4.0 (PGP SDK 4.4.0)
It would be full drive encryption. When PGP was upgraded to Symantec Encryption Desktop as it was upgraded rather than being decrypted then installing Symantec Desktop Encryption."


We did get a 100% clone of the drive. Elcomsoft Forensic Disk Decryptor sees the drive, but has an error message saying it 'cannot load the the disk'. I guess that may be corruption.

@fzabkar: I have tried the command line prompt on W10 but for some reason it does not work. All the paperwork I have seen so far only gives details up to W7 so I may have to re-install Endpoint in a VM and give it a go.

_________________
HDD, SSD, Flash and RAID Data Recovery
Founder of The Data Recovery Professionals Group

