December 27th, 2011, 12:41
Here is a tough one:
Someone brought in a Toshiba drive. This was inside a laptop which, when it boots up and tries to go into Windows, fails (error in system partition or such).
Drive IDs fine, all tests are OK, etc. Disk contains 3 partitions which also show up in Disk Manager. They appear almost empty, though (only some system files).
I had a look at the hex and I saw scrambled data. Then I looked a little more and found that this looks like it's been encrypted with Safeboot. This is a McAfee application, isn't it?
I called the client and he said they never used such an application. I thought I'd try to repair the Windows problem itself instead of recovering the data, but to complicate things further, they have used fingerprint identification to log into Windows, which means that there's not much room to play with the laptop itself, or I'd have to have the client over my head just to use his fingerprint and see if the problem persists.
Can anyone elaborate on this?
Thanks.
December 27th, 2011, 13:05
Hi, as far as I know the fingerprint reading is only for Windows login, same as a password, so the data is not encrypted there, but usually at power-on.
So you don't need to cut the client's finger off to proceed.
In hex, do some of the first sectors contain the word "safeboot"? If so, does your client have an HP? If he did not set one, then someone has put a PW on just for joy; could be a tough one to fix.
Bosse
December 28th, 2011, 3:50
Hey Bosse
No, I didn't mean that the fingerprint was encrypting the data, I meant that I need to cut the client's finger so I can test if, for example, chkdsk /f would fix the Windows problem and when I put the disk back into the laptop, all would be well. If not, then I'd have to try some other thing and then use the client's finger to test again.

Yes, in hex it says "Safeboot info" and yes, it is from an HP. I can post a screenshot if you wish.
Client swears he never used Safeboot and he doesn't even know what it is. He contacted the company that originally set up his machine, and they said they didn't install Safeboot, and that it could be pre-installed by HP (yeah, but who triggered it).
So I am guessing someone triggered Safeboot and then for some reason Windows got corrupted, and then... game over?
Any ideas would be GREATLY appreciated.
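A read-only way to run the check discussed in the posts above (the "safeboot" string in the first sectors, plus scrambled-looking data), shown as an added example that is not part of any post in this thread. The sample image is constructed, the marker placement in it is an assumption rather than the real SafeBoot on-disk layout, and the names `scan_image` and `build_sample_image` are hypothetical.

```python
import hashlib
import io
import math
from collections import Counter

SECTOR = 512
MARKER = b"safeboot"  # string the thread reports seeing in hex ("Safeboot info")

def shannon_entropy(data: bytes) -> float:
    """Bits per byte; values near 8 mean random-looking (encrypted or compressed)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def scan_image(stream, max_sectors=2048, threshold=7.0):
    """Read-only pass over the first sectors of a raw image.

    Returns (marker_sectors, high_entropy_sectors, sectors_read).
    """
    marker_hits, high_entropy, read = [], [], 0
    tail = b""  # end of previous sector, so a marker straddling a boundary is found
    for lba in range(max_sectors):
        sector = stream.read(SECTOR)
        if len(sector) < SECTOR:
            break
        read += 1
        if MARKER in (tail + sector).lower():
            marker_hits.append(lba)
        if shannon_entropy(sector) >= threshold:
            high_entropy.append(lba)
        tail = sector[-(len(MARKER) - 1):]
    return marker_hits, high_entropy, read

def build_sample_image() -> bytes:
    """Constructed test image: MBR-like sector, marker sector, plaintext, 4 random-looking sectors."""
    mbr = bytes(510) + b"\x55\xaa"
    info = b"Safeboot info".ljust(SECTOR, b"\x00")  # assumed placement, for the demo only
    plain = (b"plain text system file " * 23)[:SECTOR]
    cipher = b"".join(hashlib.sha256(i.to_bytes(4, "big")).digest() for i in range(64))
    return mbr + info + plain + cipher

if __name__ == "__main__":
    hits, enc, n = scan_image(io.BytesIO(build_sample_image()))
    print(f"read {n} sectors; marker in {hits}; high-entropy sectors {enc}")
```

For a real case, pass a file object opened with `open(path, "rb")` on an image of the drive rather than the original disk.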
December 28th, 2011, 4:46
Hi,
It's not game over, because the original company who was the notebook owner has ways for sure to decrypt it, even if the user doesn't have the login and password. They should have an admin account for it, or else it might be possible to use the challenge-response password in order to decrypt it.
December 28th, 2011, 4:53
Hey David
The other company just set up the machine (i.e. installed Windows, software, drivers etc.) and gave it to the client.
They have absolutely NO idea as to how to decrypt.
December 28th, 2011, 4:57
Hi Northwind,
I think the client uses one of HP's security or protection tools that are provided with the laptop.
Check this one, HP ProtectTools:
http://www.hp.com/sbso/solutions/pc_exp ... ection.pdf
It is a good commercial: a few clicks and your data is safe
December 28th, 2011, 5:04
I think if they move themselves a little bit, they can contact HP or McAfee in order to try to find a solution for it.
December 28th, 2011, 7:32
Hehe, yeah, few clicks and your data is safe but maybe gone too

dmarques wrote: I think if they move themselves a little bit, they can contact HP or McAfee in order to try to find a solution for it.
I guess I will have to be the one who does this.
December 28th, 2011, 7:33
Is it possible things are worse than you think?
Perhaps the customer had problems and tried a factory reinstall which failed?
Customers tend to be economical with the truth when things go tits up.
December 28th, 2011, 9:44
dick wrote: Is it possible things are worse than you think?
Perhaps the customer had problems and tried a factory reinstall which failed?
Customers tend to be economical with the truth when things go tits up.
True.
But I won't be able to say until I see actual decrypted data.