
PGP Recovery

July 19th, 2017, 15:38

I guess I must have been lucky in the past but this is the first time I have come across PGP so would like some advice please. This is a drive from a laptop.

The first 5 sectors seem to relate to PGP ending with a BGFS record at sector 4
Sector 6 - MBR
Sectors 13-16 - user ID information
Sector 17 has reference to UR WDE Admin Key.
Sector 62 - reference to the drive (model s/n etc)
From then on the data looks encrypted.

If I carve out an image starting from the MBR I get 2 partitions but with no file system.
I also have the recovery key from the client.
I have tried Elcomsoft Forensic Disk Decryptor for whole disk encryption but that does not work.

Is this whole disk encryption or container?
Any other advice for me?

Re: PGP Recovery

July 19th, 2017, 18:03

What does the customer say about the encryption method / software used?

Did you get a 100% clone, or are many parts missing?

Re: PGP Recovery

July 19th, 2017, 18:15

Do these URLs help?

https://support.symantec.com/en_US/arti ... 04285.html
https://knowledge.symantec.com/support/ ... ide_en.pdf

Re: PGP Recovery

July 20th, 2017, 12:22

Thanks for the replies. Here is what the client said.

"PGP Desktop Encryption was initially installed on the hard drive, it was then upgraded to Symantec Encryption Desktop 10.4.0 (PGP SDK 4.4.0).
It would be full drive encryption. When PGP was upgraded to Symantec Encryption Desktop as it was upgraded rather than being decrypted then installing Symantec Desktop Encryption."


We did get a 100% clone of the drive. Elcomsoft Forensic Disk Decryptor sees the drive, but has an error message saying it 'cannot load the the disk'. I guess that may be corruption.

@fzabkar: I have tried the command line prompt on W10 but for some reason it does not work. All the paperwork I have seen so far only gives details up to W7 so I may have to re-install Endpoint in a VM and give it a go.