Toshiba mk1633gsg

[networks]

I got this drive in to recover it imaged 100% on DDI however the drive prompts to be formatted and viewing in hex it "appears" to be encrypted at least to me it does. The end user indicates that was not the case. Its out of an HP Pro book. Any hints or tips on how to determine if this indeed is encryption or possibly some nasty malware issue ?

Attachments

Toshiba.jpg (83.47 KiB) Viewed 4055 times

[Cris]

Most HP business laptops come pre-installed with HP ProtectTools, it is possible the user enabled drive encryption without realising it (or did it when they first got the laptop and forgot about it).

http://h20331.www2.hp.com/hpsub/cache/2 ... y/ka011106

There is a possible similar discussion here:

drive-encrypted-with-safeboot-t21546.html

I think there are some forensic tools such as Encase Forensic that can mount certain encrypted volumes if you have the credentials.

[Vulcan]

Agreed Cris, I had drafted a similar reply (although yours is better ). Just to add a couple of thoughts...

@networks:

Note the word "Protect!" at offset 0x5A. That may be telling us something. Have you checked the MBR (and following sectors) for the typical pre-boot decryption code? If you managed to image the drive OK, was the real problem with the disk, or have they overwritten the MBR, or lost their password, or ... ?

[pcrecovery]

Ran across this on an HP laptop....i too noticed the "Protect!" right away. Some people will choose to use TPM chip when they set this up....of course you'll need their machine....an email from HP descibes step-by-step how to access data. It is very similar (probably same) as McAfee's...google for eetech and disktech and you will find it.

[networks]

Do you have the "email from HP step by step" ?