I am wondering to understand how it happened.
A customer bring me a 500GB WD with no phisical demages,no bad sectors,no demages in SA.
Analyzing the hard drive with hexeditor, it appears FULL FULL of datas.
BUT no softwares can recover anything, even in RAW!
i have tryed also to regenerate translator from plist, but no results still.
it is a system hard-drive from a computer with NTFS, the partition 2 is the one interesting.

Several of your comments fit with expected results for an encrypted partition. I suggest further investigation of that possibility. Many approaches are possible - but first, ask the customer perhaps?

Agree, looks like encryption of some sort.

_________________
PC Image Data Recovery
http://www.pcimage.co.uk

New!! HDD-PCB.COM for all your PCB and donor HDD requirements!

Agree, looks like encryption of some sort.

_________________
PC Image Data Recovery
http://www.pcimage.co.uk

New!! HDD-PCB.COM for all your PCB and donor HDD requirements!

was it in external box?

_________________
HddSurgery - Professional Data Recovery Tools

Could we see the partition table? Perhaps the partition ID bytes might give us a clue.

Partition types: List of partition identifiers for PCs:
http://www.win.tue.nl/~aeb/partitions/p ... pes-1.html

_________________
A backup a day keeps DR away.

It's obviously from A WD My Book. You will need the USB adapter from the enclosure to decrypt the drive.

_________________
http://www.datasaversllc.com

That's not what the OP appears to be saying.

_________________
A backup a day keeps DR away.

On closer inspection, you are right!

The encryption looks very similar.

My bad.

_________________
http://www.datasaversllc.com

I can't see how you can conclude that.

My Books use 128-bit (or 256-bit?) AES encryption, but I can't see any repeating pattern of 16 bytes in the OP's data. In the absence of such patterns, I don't understand how you could infer anything about the nature of the data or the type of encryption.

Moreover, since at least three of the entries in the partition table appear meaningful, then LBA 0 would appear not to be encrypted. Since My Books encrypt every single byte in every sector of the visible user area, then this would suggest that the drive did not come from a My Book, even in the absence of confirmation from the OP.

_________________
A backup a day keeps DR away.

This is definitely encrypted. Maybe Bitlocker or something similar (Safeboot crap?).

Or... client is lying?

_________________
http://www.northwind.gr
SandForce SSD Recovery
Ransomware Reverse Engineering - NoMoreRansom! partners

thanx guy for your suggestions.

I called my customer, a women she doesn't know what is encryption so i am in a difficoult position.

What she told me is this: she gave a kick at his PC (hp) and the pc didn't start again, so she called a informatic shop, they arrived, opened the pc and found that 1 module of ram was phisically demaged and removed it .
PC started, but windows (7) didn't boot.

To me looks like that this hp pc, maybe in his bios, has some encryption -??-

i am waiting the PC to check, just few days and i will know and let you know.

If I remember correctly some HP pc's and laptops come with an HP security package. Partition encryption is one of the options and can be too easily activated by a user with administrative rights. Can't remember which one it is. Maybe like Mcafee Endpoint?

Yep thats the one!

Safeboot.

_________________
http://www.northwind.gr
SandForce SSD Recovery
Ransomware Reverse Engineering - NoMoreRansom! partners

Yep, it's clearly safeboot. A lot of HP machines come with it installed.

_________________
Data Recovery Ireland

there are solutions on how to decrypt it, but only if windows is running you can prepare a bootable device.

my issue is that windows is not longer booting.

If I were you, i would image the drive and then i would try to repair windows. I think it is the easiest way. You said the machine won't start. BSOD?

_________________
http://www.northwind.gr
SandForce SSD Recovery
Ransomware Reverse Engineering - NoMoreRansom! partners

@ northwind

i will try it when i will get the hp PC from customer.