All times are UTC - 5 hours [ DST ]




 Post subject: Drive encrypted with SafeBoot
PostPosted: December 27th, 2011, 12:41 
Joined: January 28th, 2009, 10:54
Posts: 3547
Location: Greece
Here is a tough one:

Someone brought in a Toshiba drive. This was inside a laptop which, when it boots up and tries to go into Windows, fails (error in system partition or such).
Drive IDs fine, all tests are OK, etc. Disk contains 3 partitions which also show up in disk manager. They appear almost empty, though (only some system files).

I had a look at the hex and I saw scrambled data. Then I looked a little more and found that this looks like it's been encrypted with Safeboot. This is a McAfee application, isn't it?

I called the client and he said they never used such an application. I thought I'd try to repair the Windows problem itself instead of recovering the data, but to complicate things further, they have used fingerprint identification to log into Windows, which means that there's not much room to play with the laptop itself, or I'd have to have the client over my head just to use his fingerprint and see if the problem persists.

Can anyone elaborate on this?

Thanks.

_________________
http://www.northwind.gr
SandForce SSD Recovery
Ransomware Reverse Engineering - NoMoreRansom! partners


 Post subject: Re: Drive encrypted with SafeBoot
PostPosted: December 27th, 2011, 13:05 
Joined: May 21st, 2007, 16:10
Posts: 1592
Location: Gothenburg/ Sweden
Hi, as far as I know the fingerprint reading is only for Windows login... same as password... so the data does not get encrypted there... but usually at power-on.
So you don't need to cut the client's finger off to proceed :mrgreen:
In hex, do some of the first sectors contain the word "safeboot"? If so, does your client have an HP? If he did not set one, then someone has put a PW on just for joy; could be a tough one to fix.

Bosse

_________________
Rescue IT Datarecovery service Sweden
Rescue IT Dataräddning Göteborg AB
http://www.rescue-it.se


 Post subject: Re: Drive encrypted with SafeBoot
PostPosted: December 28th, 2011, 3:50 
Joined: January 28th, 2009, 10:54
Posts: 3547
Location: Greece
Hey Bosse

No, I didn't mean that the fingerprint was encrypting the data, I meant that I need to cut the client's finger :mrgreen: so I can test if, for example, chkdsk /f would fix the Windows problem and when I put the disk back in the laptop, all would be well. If not, then I'd have to try some other thing and then use the client's finger to test again :)

Yes, in hex it says "Safeboot info" and yes, it is from an HP. I can post a screenshot if you wish.

Client swears he never used safeboot and he doesn't even know what it is. He contacted the company that originally set up his machine, and they said they didn't install safeboot, and that it could be pre-installed by HP (yeah, but who triggered it).

So I am guessing someone triggered safeboot and then for some reason Windows got corrupted, and then... game over?

Any ideas would be GREATLY appreciated.

_________________
http://www.northwind.gr
SandForce SSD Recovery
Ransomware Reverse Engineering - NoMoreRansom! partners
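
The check discussed in the posts above (looking in the first sectors for the "safeboot" text), together with a per-sector entropy count that separates scrambled sectors from blank ones, as an added example that is not part of the original thread. The function names, the 7.0 bits/byte threshold and the sample image are assumptions constructed for illustration.

```python
import hashlib
import io
import math
from collections import Counter

SECTOR = 512
MARKER = b"safeboot"   # text the thread reports in the hex view, matched case-insensitively

def shannon_entropy(block: bytes) -> float:
    """Bits per byte: 0 for a blank sector, about 7.6 for 512 bytes of ciphertext."""
    n = len(block)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(block).values())

def triage(stream, max_sectors=4096, threshold=7.0):
    """Read-only triage of the start of a disk image opened in binary mode."""
    data = stream.read(max_sectors * SECTOR)
    lowered = data.lower()
    hits, pos = [], lowered.find(MARKER)
    while pos != -1:                       # buffer-wide search also catches a
        hits.append(divmod(pos, SECTOR))   # marker straddling a sector boundary
        pos = lowered.find(MARKER, pos + 1)
    counts = {"blank": 0, "high_entropy": 0, "other": 0}
    for off in range(0, len(data), SECTOR):
        sector = data[off:off + SECTOR]
        if not any(sector):                # all-zero sector
            counts["blank"] += 1
        elif shannon_entropy(sector) >= threshold:
            counts["high_entropy"] += 1
        else:
            counts["other"] += 1
    return {"marker_hits": hits, **counts}  # hits are (LBA, offset in sector)

def build_sample_image() -> bytes:
    """Constructed test image, not data from the drive in the thread."""
    mbr = bytes(510) + b"\x55\xaa"
    info = (bytes(16) + b"Safeboot info").ljust(SECTOR, b"\x00")
    scrambled = hashlib.shake_256(b"constructed").digest(8 * SECTOR)
    return mbr + info + scrambled + bytes(2 * SECTOR)

if __name__ == "__main__":
    print(triage(io.BytesIO(build_sample_image())))
```

A marker hit combined with mostly high-entropy sectors points to full-disk encryption rather than a wiped or reinstalled disk; work on an image of the drive, opened read-only.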


 Post subject: Re: Drive encrypted with SafeBoot
PostPosted: December 28th, 2011, 4:46 
Joined: November 6th, 2006, 6:58
Posts: 1752
Hi,

It's not game over, because the original company who was the notebook owner surely has ways to decrypt it, even if the user doesn't have the login and password. They should have an admin account for it, or else it might be possible to use the challenge-response password in order to decrypt it.


 Post subject: Re: Drive encrypted with SafeBoot
PostPosted: December 28th, 2011, 4:53 
Joined: January 28th, 2009, 10:54
Posts: 3547
Location: Greece
Hey David

The other company just set up the machine (i.e. installed Windows, software, drivers etc.) and gave it to the client.
They have absolutely NO idea as to how to decrypt.

_________________
http://www.northwind.gr
SandForce SSD Recovery
Ransomware Reverse Engineering - NoMoreRansom! partners


 Post subject: Re: Drive encrypted with SafeBoot
PostPosted: December 28th, 2011, 4:57 
Joined: December 17th, 2009, 22:57
Posts: 142
Location: Macedonia
Hi Northwind,
I think the client uses one of HP's security or protection tools that are provided with the laptop.
Check this one, HP ProtectTools:
http://www.hp.com/sbso/solutions/pc_exp ... ection.pdf
It is a good commercial: few clicks and your data is safe :mrgreen:

_________________
Sistrum Data Recovery
http://www.sistrum.mk/en


 Post subject: Re: Drive encrypted with SafeBoot
PostPosted: December 28th, 2011, 5:04 
Joined: November 6th, 2006, 6:58
Posts: 1752
I think if they move themselves a little bit, they can contact HP or McAfee in order to try to find a solution for it.


 Post subject: Re: Drive encrypted with SafeBoot
PostPosted: December 28th, 2011, 7:32 
Joined: January 28th, 2009, 10:54
Posts: 3547
Location: Greece
Kum Ruzvelt wrote:
Hi Northwind,
I think the client uses one of HP's security or protection tools that are provided with the laptop.
Check this one, HP ProtectTools:
http://www.hp.com/sbso/solutions/pc_exp ... ection.pdf
It is a good commercial: few clicks and your data is safe :mrgreen:


Hehe, yeah, few clicks and your data is safe but maybe gone too :)

dmarques wrote:
I think if they move themselves a little bit, they can contact HP or McAfee in order to try to find a solution for it.


I guess I will have to be the one who does this.

_________________
http://www.northwind.gr
SandForce SSD Recovery
Ransomware Reverse Engineering - NoMoreRansom! partners


 Post subject: Re: Drive encrypted with SafeBoot
PostPosted: December 28th, 2011, 7:33 
Joined: January 8th, 2008, 5:21
Posts: 927
Location: uk
Is it possible things are worse than you think?

Perhaps the customer had problems and tried a factory reinstall which failed?

Customers tend to be economical with the truth when things go tits up.


 Post subject: Re: Drive encrypted with SafeBoot
PostPosted: December 28th, 2011, 9:44 
Joined: January 28th, 2009, 10:54
Posts: 3547
Location: Greece
dick wrote:
Is it possible things are worse than you think?

Perhaps the customer had problems and tried a factory reinstall which failed?

Customers tend to be economical with the truth when things go tits up.


True.
But I won't be able to say until I see actual decrypted data :(

_________________
http://www.northwind.gr
SandForce SSD Recovery
Ransomware Reverse Engineering - NoMoreRansom! partners

