How to deal with drives that are whole drive encrypted

[warnerr]

Had a call from a client where a virus had compromised an encrypted (software based whole drive) drive. With correct password entered the keyboard would lock out preventing them from entering safe mode to do a system restore. I relize I have no information on dealing with a recovery of this type! Fortunatly the clients data was all saved onto the server- so they reinstalled. If this had been a data recovery job I assume I would first clone the 'failing' drive but then... what would be some methods to use where we know the encryption program used and its password?

[einstein9]

what was the encryption software name? the one they used?

freeware/cracked ver. or they bought it?

[warnerr]

Commercial software- sophos safeguard. Intresting problem as the malware they say infected the computer 'disabled the keyboard'. Encryption at boot Password on entered but client could not enetr safe mode. Under this combination I can not think of what else to do as the client had not generated a key disk- so a theoretical data recovery job on the failing drive would be useless. Am I missing something?

[einstein9]

which ver. was it? 5.5?

i had a similar case with the TrueCrypt - Free Open-Source Disk Encryption Software and i managed to solve it

interesting subject for me, and working on it.

[drc]

In general, if the PBE is irreparably broken, you are out of luck unless the manufacturer has created some recovery tool(s)

Even then you can still be out of luck if the customer does not have some sort of backup of the key (like he is supposed to), it all depends on how badly the encryption system's internal data has been damaged

[warnerr]

It is likely an up to date version- so your guess is possible. In this case the encription boot started, you could enter password, but the next step- pressing f8 to simply use system restore was not avaiable. The client says the keyboard became locked out. The reason for system restore was a maleware intrusion. No key- so I figgured thats endgame. Dont know what other methods would be worth trying if there had been data to recover. This is only a software bad case.

[einstein9]

look i have a suggestion here for you which you may try

its like Apple MAC Slogan " Think Different"

try to boot normally when the OS is booting n passes the stage of the F8

remove (unplug) the power from the PC to make it look like power failure

after that when u start again the windows will go by it self to safe mode ( I hope )

what do u think?

sounds good?

[warnerr]

thats oughtright funny! Would have been worth a try in that clients case. If data recovery had been needed then a backup image just in case. Dealing with onboard hardware encription has got to be difficult on failing drives! From posts seems pc3000 is of some help on drives working with modules- my Atola is great for imaging, but havent found it very usefull in firmware areas ( what used to be there main target when it came out.) So much to learn!

[Nick_CT]

I had a case a few months back, laptop drive which had bad sectors and Windows wouldn't load, no safe mode, recovery option for Safeguard didn't work. I forget which version of Safeguard it was, but I made a BartPE disc with the Safegaurd recovery plugin and managed to access the drive (had the user password obviously). Had some hurdles with copying data off the drive but I got around it eventually.