Hdd full of data, but no data recoverable

[positivebit]

I am wondering to understand how it happened.
A customer bring me a 500GB WD with no phisical demages,no bad sectors,no demages in SA.
Analyzing the hard drive with hexeditor, it appears FULL FULL of datas.
BUT no softwares can recover anything, even in RAW!
i have tryed also to regenerate translator from plist, but no results still.
it is a system hard-drive from a computer with NTFS, the partition 2 is the one interesting.

Attachments

[Vulcan]

Several of your comments fit with expected results for an encrypted partition. I suggest further investigation of that possibility. Many approaches are possible - but first, ask the customer perhaps?

[pcimage]

Agree, looks like encryption of some sort.

[pcimage]

Agree, looks like encryption of some sort.

[helpdisc]

was it in external box?

[fzabkar]

Could we see the partition table? Perhaps the partition ID bytes might give us a clue.

Partition types: List of partition identifiers for PCs:
http://www.win.tue.nl/~aeb/partitions/p ... pes-1.html

[jono-ats]

It's obviously from A WD My Book. You will need the USB adapter from the enclosure to decrypt the drive.

[fzabkar]

It's obviously from A WD My Book.

That's not what the OP appears to be saying.

it is a system hard-drive from a computer with NTFS ...

[jono-ats]

It's obviously from A WD My Book.

That's not what the OP appears to be saying.

it is a system hard-drive from a computer with NTFS ...

On closer inspection, you are right!

The encryption looks very similar.

My bad.

[fzabkar]

The encryption looks very similar.

I can't see how you can conclude that.

My Books use 128-bit (or 256-bit?) AES encryption, but I can't see any repeating pattern of 16 bytes in the OP's data. In the absence of such patterns, I don't understand how you could infer anything about the nature of the data or the type of encryption.

Moreover, since at least three of the entries in the partition table appear meaningful, then LBA 0 would appear not to be encrypted. Since My Books encrypt every single byte in every sector of the visible user area, then this would suggest that the drive did not come from a My Book, even in the absence of confirmation from the OP.

[northwind]

This is definitely encrypted. Maybe Bitlocker or something similar (Safeboot crap?).

Or... client is lying?

[positivebit]

thanx guy for your suggestions.

I called my customer, a women she doesn't know what is encryption so i am in a difficoult position.

What she told me is this: she gave a kick at his PC (hp) and the pc didn't start again, so she called a informatic shop, they arrived, opened the pc and found that 1 module of ram was phisically demaged and removed it .
PC started, but windows (7) didn't boot.

To me looks like that this hp pc, maybe in his bios, has some encryption -??-

i am waiting the PC to check, just few days and i will know and let you know.

[positivebit]

Could we see the partition table? Perhaps the partition ID bytes might give us a clue.

Attachments

[dick]

If I remember correctly some HP pc's and laptops come with an HP security package. Partition encryption is one of the options and can be too easily activated by a user with administrative rights. Can't remember which one it is. Maybe like Mcafee Endpoint?

[dick]

Yep thats the one!

[northwind]

Safeboot.

[CK]

Yep, it's clearly safeboot. A lot of HP machines come with it installed.

[positivebit]

there are solutions on how to decrypt it, but only if windows is running you can prepare a bootable device.

my issue is that windows is not longer booting.

[northwind]

If I were you, i would image the drive and then i would try to repair windows. I think it is the easiest way. You said the machine won't start. BSOD?

[positivebit]

@ northwind

i will try it when i will get the hp PC from customer.