
How to extract data from an encrypted drive KNOWING the PW?

June 2nd, 2009, 3:45

Hello, I've been given an HP 3-in-1 docking station to recover data from, and it's full of data, but no disk scan recovered even a single file, so I took a look at the drive and it seems to be encrypted... (all I can see is the NTFS boot record). Then the customer told me that he had to enter a password, so... the problem is that I don't know how to use that password (e.g. with WinHex) to recover the data, without asking for the docking station and the laptop to plug it...

Re: How to extract data from an encrypted drive KNOWING the PW?

June 2nd, 2009, 5:47

Use the same application that encrypted the data. Simple.

Re: How to extract data from an encrypted drive KNOWING the PW?

June 2nd, 2009, 6:16

I have no idea how the docking station performs the encryption; there's nothing about the encryption type in the documentation, only "encrypting capability" (I'll keep searching, though). Moreover, the docking station seems to be burnt.
I've carved some MB with WinHex and now I can try to decrypt them using the password, but I don't know if it's AES encryption or whatever... nor where the encrypted area begins (it might be after the boot record, but I really have no idea).

Re: How to extract data from an encrypted drive KNOWING the PW?

June 2nd, 2009, 16:49

Is there just a single partition on the drive, or more than one?
Can you post an image or bin of the MBR/PT and boot sector of the partition?

If it was in the docking station, then presumably it is a data drive and not the boot drive.

Do you have the laptop that goes with it, to see what it does when it boots,
e.g. if it runs some encryption driver or program?

Re: How to extract data from an encrypted drive KNOWING the PW?

June 3rd, 2009, 6:19

Unfortunately, I don't have the laptop, and as I said I think the docking station is burnt. It's single-partitioned, and I can say that sector #0 contains NTFS partition information, sector #1 the NTLDR, and it's mostly the same as another non-encrypted NTFS drive until sector #382, which seems to be the beginning of the encrypted area (analysing the data between #382 and ~#800 I get almost equal symbol probabilities).
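
The symbol-frequency check described in the post above can be automated with a per-sector entropy scan. This is an added example, not part of the original thread; the 7.0 bits/byte threshold, the run length of 8 sectors and the sample image are assumptions constructed for the illustration.

```python
import hashlib
import math
from collections import Counter

SECTOR = 512  # bytes per sector

def sector_entropy(data: bytes) -> float:
    """Shannon entropy of the byte histogram, in bits per byte (0 to 8)."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def first_encrypted_sector(image: bytes, threshold: float = 7.0, run: int = 8):
    """Index of the first sector that starts `run` consecutive sectors whose
    entropy is >= threshold, or None. Requiring a run avoids flagging a
    single compressed or random-looking sector inside plaintext."""
    streak = 0
    for i in range(len(image) // SECTOR):
        if sector_entropy(image[i * SECTOR:(i + 1) * SECTOR]) >= threshold:
            streak += 1
            if streak == run:
                return i - run + 1
        else:
            streak = 0
    return None

def build_sample_image(plain: int = 382, noisy: int = 64) -> bytes:
    """Constructed sample: `plain` sectors of structured text followed by
    `noisy` sectors of hash output standing in for ciphertext."""
    text = b"A disk read error occurred\r\nNTLDR is missing\r\n"
    plain_part = b"".join(
        (text * 12)[:SECTOR - 4] + i.to_bytes(4, "little") for i in range(plain)
    )
    noisy_part = b"".join(
        hashlib.sha256(i.to_bytes(8, "little")).digest()
        for i in range(noisy * SECTOR // 32)
    )
    return plain_part + noisy_part

if __name__ == "__main__":
    img = build_sample_image()
    print("encrypted area appears to start at sector", first_encrypted_sector(img))
```

A 512-byte sector of uniformly random data measures roughly 7.5 bits/byte rather than 8, which is why the threshold sits below that. On a real case the scan would be run against a read-only image of the drive, not the drive itself.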

Re: How to extract data from an encrypted drive KNOWING the PW?

June 3rd, 2009, 6:50

I suspect it could be Pointsec.
Try to insert the drive into any working computer as the boot disk. If this is Pointsec, you will see a screen prompting for the passwords. Booting it up from different hw could be difficult, though.