
Can't load Windows; need DOS-based cloning utility in Windows PE

Created: 10 Feb 2014 | 20 comments
I'm running Windows XP SP3
PGP WDE 10.2.1 MP3
SSD HD 250 GB
 
It's a company laptop, and I couldn't even tell you if it has PGP Desktop WDE installed. They rolled down PGP off the network and I really never gave it a second thought. I just enter my passphrase during the boot process and that's it. I wanted to back up my data and I was doing the barbarian method of dragging-and-dropping the many, many files and folders I value. Unfortunately, it was taking too long and a select number of files couldn't copy because of IO read/write errors. I decided to try cloning the drive, but I didn't get very far because of IO read write errors. I tried running chkdsk/r a few times, and I can't tell you if any of that is what led to my troubles, but I can tell you that, right now, it doesn't boot up completely.
 
The computer boots and starts the process of loading Windows. It shows the familiar Starting Windows Logo and at about the same point, I get a BSOD STOP error 0x000000ED Unmountable_Boot_Volume. It never gets to the Windows GUI.
 
I honestly forgot that maybe the drive being encrypted could be an issue with cloning, although the IO read errors with a select number of files could be something else.
 
I was thinking about trying to fix the boot sector or MBR, but I read that Symantec replaced the MBR with this bootguard and overwriting it may not be the smart thing to do right now. I couldn't even try, I think. I don't even have a Windows XP CD, since it's a company laptop.
 
The problem is I need this data and I have a feeling my company will not even try to recover it and all my data will be gone.
 
I resorted to installing a full version of PGP WDE 10.3.2 on another laptop and slaved the hard drive to it. Unfortunately, it's unable to read it. I enter my passphrase and it says disk operation is in progress but that's it. Nothing. The program basically locks up on me. HOWEVER, I am able to use the command line, authenticate, and even attempt to decrypt the hard drive. There are two problems, though. 1) Even after I authenticate in the command line, Windows still doesn't recognize the hard drive. 2) My company must have locked down the hard drive for decrypting, for my account does not have admin privileges to decrypt the drive. I would need them to decrypt it.
 
I did try and run a 10.2.1 MP3 Recovery disc on the original laptop with its hard drive and the decryption process seemed to be going through. I even saw that it had 1% encrypted. However, I didn't realize that this process could take that long (because it's running a 16-bit process?). I wonder if converting the CD to a USB would decrease the decryption time. I don't have days, so I stopped it. But I found it interesting that I had no problems decrypting with the recovery disc, yet I did not have sufficient privileges to decrypt it in Windows.
 
I tried using things like Recuva and testdisk to see if I can get the data but no dice.
 
At this point, I researched and found I could create a Windows PE disc and use Hirens boot disc or I can use ubuntu live cd to clone the drive. I would authenticate with the PE disc, by slipstreaming the PGP files, and then open up Ghost with the Hirens disc. There's just one problem: I can't get any of the Hiren programs to open at the PE command line. The advantage of PE is you can dynamically load other programs and discs. The problem is I can't get anything to work.
 
The good news is that the pgp commands work in PE. I can authenticate the disk (I still don't know if I can read it). I didn't try decrypting because I would think it's the same story as using the PGP recovery disc--it would take days.
 
I was thinking there must be a command line cloning tool I can use in Windows PE to clone the drive to another drive. There is a version of dd for Windows, but I don't know how to use it; I don't know if it supports hard drive to hard drive cloning or how I would even write the command. But if I could slipstream dd for Windows, that could possibly work. Are there any other hard disk to hard disk cloning tools that would work in Windows PE?
 
I'm running out of options. I can't decrypt in Windows because of insufficient privileges. PGP Recovery disc takes too long. Should I try cloning the hard disk in Windows to another hard disk again, even though the drive is encrypted? Or, is it essential for the hard disk to be authenticated or decrypted before I can do any data transfer?
 
One last thing I tried: In Windows PE, I ran chkdsk/f but it says I have a corrupt master boot record. Should I try and fix the MBR or boot sector? I can see if it can't find the starting sector to boot Windows. But my situation is it finds the sector and attempts to load Windows before it halts with the aforementioned STOP error code.
 
Any suggestions? Thank you.

dcats wrote:

Hi JackAllTrades,

"However, I didn't realize that this process could take that long (because it's running a 16-bit processs?)."
- Yes.

"I don't have days, so I stopped it."
- This *may* have left the encrypted disk without any reference to where it should retake the process, thus there are high chances it is no longer possible to decrypt.

"I resorted to installing a full version of PGP WDE 10.3.2 on another laptop and slaved the hard drive to it."
"But I found it interesting that I had no problems decrypting with the recovery disc, yet I did not sufficient priviledges to decrypt it in Windows."
- Is this new installation also managed by your company?

For creating the WinPE with WDE tools you need to follow the instructions exactly as described in the documentation (including the WinPE version, which for the version you have should be at most 2.0)!

Cloning the hard drive ("as is") is a good thing to do before troubleshooting an encrypted disk. It must be a "good clone", one that keeps the target image with the same size as the origin (ignoring possible errors).

Yes, prefer to clone the hard disk to restart troubleshooting so that you have a "snapshot". However, at this stage you may have already an irrecoverable disk if you did some decryption attempts with the recovery CD in the original hard disk.

Some things that you can attempt with a WinPE with WDE tools (or by slaving the disk to another machine):
- Authenticate to the disk
- Copy the content out of the disk
- Decrypt (will take long time), if you have permissions

Some useful commands are (assuming that the disk is presented as disk 1 after the enum command output):
pgpwde --enum
pgpwde --status --disk 1
pgpwde --list-users --disk 1
pgpwde --info --disk 1

WARNING: Using a fixmbr will wipe a MBR clean.  If you are unsure of other applications that are using the MBR you should create a ticket and explore if there are any other options before proceeding with this fix.  Backups should always be on hand before performing this operation as this could lead to a loss of data.   If backups have not been created you will need to make an image of your disk, and transfer that to a new drive.   Use the drive with the image for all testing and troubleshooting so that the original remains intact.

Please keep in mind that it is possible that no user records are found in the healthy-sectors of the disk. This means no way to recover the encryption-related data once the MBR is overwritten.

You may attempt to repair the MBR and recover the PGP user records with these commands:
pgpwde --disk X --fixmbr --passphrase <passphrase>
pgpwde --recover --disk X --passphrase <passphrase>

See also:
BootGuard loading stage 2... PGPWDE disk data are corrupted. - TECH149631

and

https://www-secure.symantec.com/connect/forums/dis...

HTH,
dcats

JackAllTrades wrote:
Thank you for your quick response.
 
Please allow me to clarify something. I installed a trial version of PGP WDE first on the 2nd laptop. I slaved the disk to this 2nd laptop, authenticated, but I was unable to browse the contents of the disc. Disk Management and My Computer windows would lock up trying to query the disk. In Disk Management, I could see it querying all devices, but nothing displayed on the screen. It's as if it locked up because it couldn't read the encrypted disk. It was at this point I moved onto the PGP recovery disc on the 1st laptop and stopped decryption prematurely, at 1% decrypted, because I didn't realize it would take days (and my company would want the laptop and hard drive back much sooner than that). Finally, I decided to purchase the full version of PGP WDE for the 2nd laptop and attempt to decrypt. Unfortunately, it said I have insufficient privileges to decrypt, but it sounds like it would've decrypted if I had admin rights. All the user records were there.
 
The installation on the 2nd laptop was purchased by me, not my company, and is managed by me. The 2nd laptop is a personal laptop. The 1st laptop is ostensibly company property.
 
The WinPE and WDE tool disc works well. That's not an issue at all. The WDE commands you posted above all end with request to ...was successful. I was able to authenticate in WinPe, see the users (me and the admin), and the status said the disk was in the process of decryption. But I didn't see any errors or warnings returned from issuing those commands. The problem is when I CD to the encrypted drive, a message says that the disk structure is corrupt and unreadable. Actually, the status says that the encryption removal process is running in the background.
 
I was never able to read the contents of the drive, regardless, even before using the recovery disk. But it is still possible to decrypt, I feel. I just need time. I can't copy the contents of the disk, but I guess I can copy the encrypted drive to another disk, format the original, and give it back to the company.
 
I just spoke with Symantec and the technician informed me that because the hard drive was encrypted with 10.2.1 MP3, it may not be possible to clone the hard drive. But I will try.
 
I will read the links, ingest them, and comment in this space on my progress.
 
One last thing: What cloning tools do you recommend to clone an encrypted hard drive?
 
Thank you.
JackAllTrades wrote:

I tried running clonezilla to do a disk to disk copy but I got an error, before it even started, of NOT NTFS partition, ntfs error 5. Is anyone here an expert on clonezilla or cloning hard drives, especially ones that are encrypted?

Thank you for any help.

JackAllTrades wrote:

I ended up using the advanced/custom mode with clonezilla and selected the q1 option. It couldn't clone because it reported the disk was damaged or had bad sectors and said to use the rescue option. I selected the q1 and rescue option and the clone took a while. Lots of errors. I think it was copying over with the errors. I don't doubt that there are bad sectors on the disk, and I don't know if that's due to physical damage (it's an SSD hard disk). But I had no issue opening up files, except for a select number (more than 10 but certainly no more than 50) -- a total of less than 1% of all files (and the drive was mostly full).

I spoke with Symantec and they informed me that I should continue to run the recovery disc, preferably on the same computer I ran it on. I believe the drive is cloned. So, now I just have to plead with my IT staff to let me keep the laptop and hard disk to decrypt it, then they have it back when I get my data.

dcats wrote:

Hi JackAllTrades,

I did a quick search and from what I found "-q1" is the correct option for this usage of Clonezilla (it will force a sector-by-sector clone).

External link: http://sourceforge.net/p/clonezilla/feature-reques...
"There is an option "-q1" in the Clonezilla live 1.2.6-54 in the testing release, you can find that in the expert mode. It provides an option for you to do raw (sector-by-sector) cloning."

External link: http://news.softpedia.com/news/Clonezilla-Live-1-2...
"Added the option "-q1" (to force the use of dd) in the expert mode of Clonezilla, in order to achieve device to device cloning. This is very useful if someone wants to clone an encrypted hard drive partition;"

The important thing is whether the disk still contains a reference to the encryption status (including the highwatermark). If so, this means you can resume decryption and gain access to a decrypted disk.
After, you can use regular troubleshooting methods to recover data from damaged disks - fixmbr and if needed forensics tools.

Rgs,
dcats

JackAllTrades wrote:
Thank you for your help and knowledge transfer. 
 
Well, my company IT staff did not bark at me decrypting the data. So, I can decrypt it. The question is should I decrypt the clone or the original? I ran clonezilla but, like I said, the q1 option was not sufficient. It determined the disk was damaged. Based on my research, that could mean the disk is physically damaged, the bad sectors are just false positives, or a combination of the two. Either way, I was required to check the rescue option, which doesn't copy over the bad sectors, to continue cloning.
 
I want to attempt to recover those bad sectors, as well. Is there a clone/imaging tool out there which will enforce copying of the bad sectors?
 
I think forensic tools, both software and hardware based, are capable, based on my research, but they are ostensibly too expensive.
 
Like you said, the Clonezilla can work with encrypted hard drives. I verified the clone by slaving it to my personal laptop with PGP WDE 10.3.2 installed. When I hooked the HDD up, it asked me to enter the passphrase. I still couldn't read anything, and a message came up that the drive is RAW and needs to be formatted. This is an improvement because I was able to open the My Computer and Disk Management windows without them freezing. So, it's likely there is physical damage to the original disk. In addition to the PGP BootGuard, I was able to observe that myself and the admin were listed as users on the disk and the status of it was it's in the process of encryption removal, exactly the same as the original disk. The only problem is Clonezilla likely did not copy over the bad sectors.
 
I wanted to also reiterate the original disk is an SSD. I have read that some programs which do deep-level scanning (i.e. SpinRite) are designed for mechanical drives (i.e. magnetic) because they try to determine the value of the bad sector by scanning said sector continuously and SSDs don't respond well to this stress and can degrade performance. I don't know if that's the case but it doesn't sound off-base.
 
The other note is I have doubts the disk is physically damaged. There have been a number of abrupt shut-downs on this laptop and, to me, it sounds more likely the filesystem was corrupted by way of chkdsk marking lost sectors as bad. In other words, I'm thinking these are "soft" surface errors, not "hard" surface errors.
 
Like I said, thanks for your help.
JackAllTrades wrote:
I want to add another interesting observation.
 
Before I even started doing any backup or cloning of this drive, before all this nonsense started, I had no issues with the laptop, other than it would occasionally shut off abruptly (which is probably at least one reason all this mess started). But what I'm saying is it's not like I was opening up files for work or anything else and it wouldn't allow me. I never had an issue opening up any file. Yet, and this is what's puzzling me, when I tried copying certain files to another hard drive -- either through drag-and-drop or when I first tried to clone the hard drive by using a Windows program (I don't recall if it was file-by-file or sector-by-sector but I suspect it was the former) -- it would hang and eventually report an IO read/write error. Again, I had no problem moving the file around the same hard drive or viewing it. It could even be a picture, video, or audio file. No problem opening it. Yet, when copying it to a different medium, the copy would fail due to a IO read/write error.
 
Does that mean at least some of these bad sector errors are not physical and are related to Windows marking them as bad? I mean, wouldn't it make sense that a file which can't be copied to a different medium shouldn't be able to be opened? That would make sense to me. Yet, that's not the case here.
 
What I'm trying to ascertain is it the file system or is it the hard drive that's bad? It just sounds strange that a file can open with no problems yet it cannot be copied.
 
Opening any file could be read, write, or read/write. So, why would copying the file present an IO error? Has anyone ever experienced this or have a possible answer?
 
Another important thought comes to mind. Again, the encrypted disk is an SSD. I'm not sure if it is equipped with TRIM or if it's even enabled. It ran on Windows XP SP3, which is not compatible with TRIM. And I think encryption screws with TRIM. So, it's a moot point.
 
What isn't a moot point is the failure of SSDs. They don't have mechanical parts. You won't hear metal or banging noises, the bearings won't go bad. The logic controller could just die one day. And from what I read, deep probing scanning like in SpinRite can actually be bad for SSDs because such tools were designed for mechanical (magnetic) drives that can take repeated read attempts, whereas SSDs are more sensitive to read operations, which can degrade performance.
 
There's a very good article here that expands on SSD recovery.
 
http://forensic.belkasoft.com/en/why-ssd-destroy-court-evidence
 
My question is for those experts out there, what recovery tools other than expensive data recovery tools, like hardware data extractors, work well with SSDs? Since this encrypted disk is being reported as damaged, and I absolutely can't determine if those are soft (filesystem) or hard (physical) errors, I'm concerned about using data recovery tools that scrub the drive and may not be designed with SSDs in mind.
 
What do you some of you use to recover damaged, and possibly encrypted, SSD hard drives?
 
...
 
Finally, an update on my progress. Per the recommendation of Symantec, I'm continuing decryption of the damaged hard drive by using the PGP recovery disc and the company laptop. Hopefully, it doesn't run too long.
 
Thank you.
dcats wrote:

Hi JackAllTrades,

Thank you for keeping us posted.

There might not be a physical damage of the disk sectors as we understand it for disk plates in the traditional hard disk drives, but probably the "state" (Solid Disk State) was lost due to the power outages. In addition, it may have overloaded the circuits with the "transient effects" and could even cause damage to the semiconductors that compose the disk "sectors".

Rgs,
dcats

JackAllTrades wrote:

Thank you very much.

According to that link I posted in my last post, encryption software is more taxing on SSDs than mechanical drives because of the repeated reads that your WDE software does within Windows, as is the nature of encryption software, as I understand it. And with overheating, that could explain why my SSD drive MIGHT be physically damaged. But I still have my doubts.

With WDE, is there a recovery key? Like, if I didn't know my passphrase, could I authenticate or decrypt with a recovery key? The reason I ask is I don't have admin rights to decrypt in Windows (yet I can decrypt off the recovery disc).

Since my company wouldn't give me the admin password for this hard disk, is it possible I can enter a recovery key on a CLI (command-line interface) and decrypt?

The other thought is I still don't understand exactly why my hard drive failed. The possibilities I can think of: 1) The cloning program in Windows wrote to the source disk, even though it failed. 2) Modifying the boot.ini file, somehow, screwed with the MBR. 3) Computer shutting down abruptly and overheating damaged the disk. 4) A combination of two or all three.

Maybe the Windows cloning program and boot.ini modification were the straw that broke the camel's back, because of an already unstable filesystem structure and/or physical damage. Or, it's just a coincidence that these events happened right before I had issues logging into Windows.

But here's something you might be able to answer. Consider this: Your PGP BootGuard is the first sector in the MBR table. When the user enters the proper credentials, it redirects to the boot sector corresponding to the Windows OS. Assuming my understanding of how your program works at boot time is correct, is it possible that modifying the Windows boot.ini file corrupted the MBR because of how your PGP WDE integrates with the MBR?

Thank you.

JackAllTrades wrote:

Another thought I wanted to detail is I found something at this link that gave me pause.

 http://forums.techarena.in/vista-help/911208.htm

The person is using Windows Vista and has the same error code. I think what MAY have happened, why I got the STOP ED error and couldn't finish loading Windows, is either modifying the boot.ini file, via msconfig and/or chkdsk tried to repair the Windows boot sector and this, somehow, caused a conflict PGP WDE. I could be wrong. I'm just putting it out there. Then again, I was able to get to the Windows logo screen, which means it did find the Windows boot loader. IIRC, once the boot loader finds the OS, it hands it off to the OS, which loads, and the MBR is out of the picture at that point. I'm still not quite sure what happened.

I wanted to add that before I went ahead and resumed decryption with the recovery disc (still running), I tried booting the hard disk. Instead of loading Windows, right after I authenticate with the PGP BootGuard, it goes to a blank screen with a cursor blinking. And it just sits there. I'm guessing that means it can't find the Windows boot sector; the MBR table is out-of-sorts.

JackAllTrades wrote:

I think my last post didn't save or got deleted. Let me try this again.

I found a link that gave me pause about this STOP ED error and PGP WDE

http://forums.techarena.in/vista-help/911208.htm

Now, I have Windows XP SP3, not Vista. But what struck me is that either modifying the boot.ini file, via msconfig, and/or chkdsk tried to repair or marked bad sectors which are associated with the MBR or Windows boot sector. Maybe it tried to rebuild it. I'm not sure. That might explain why I got the ED error. That or the drive just was nudging slowly off a cliff and the file system just eventually gave up. I could be wrong. It's just some food for thought. Then again, Windows was loading and then the ED error appeared. IIRC, the Windows boot loader contains code to load the OS. From there, it hands off and the OS is on its own and the MBR and Windows boot loader have nothing to do with the process anymore. Their jobs are done. So, maybe it's just the file system is corrupt because Windows couldn't find or open the files it needed to finish loading.

I also wanted to mention that just before I resumed decryption with the PGP recovery disc on this bad hard disk, I tried booting from it. I got the PGP BootGuard screen, authenticated, and expected to get the STOP ED error at some point while Windows was loading. Instead, it went to a blank screen with a blinking cursor. It just hung from there. I hope that doesn't mean the disk is getting worse. But since I was able to get to the PGP BootGuard, which is supposedly the first sector of the MBR table, that means the MBR still exists in some form, no? Otherwise, how would Bootguard load without an MBR table?

dcats wrote:

Hi JackAllTrades,

"With WDE, is there a recovery key? Like, if I didn't know my passphrase, could I authenticate or decrypt with a recovery key? The reason I ask is I don't have admin rights to decrypt in Windows (yet I can decrypt off the recovery disc)."
- Yes, if previously configured by the encryption administrator. If it exists, Symantec does not have access to this key or admin passphrase.

"Since my company wouldn't give me the admin password for this hard disk, is it possible I can enter a recovery key on a CLI (command-line interface) and decrypt?"
- It depends on how the environment is configured. If the policy was stored on the disk or not and if the user has permissions to decrypt slaved drives.

During the first step of encryption the disk is instrumented; this is basically the replacement of the MBR by PGP Bootguard. Bootguard takes control of the OS loader and when it cannot find the MBR in its new location it simply hangs as you noticed.

I will need to test messing up with the boot.ini. This has the potential to render the OS unusable, but shouldn't have any impact in the Bootguard itself.
In a quick search I found that if the boot.ini is missing the NTLDR will try to load the OS from the first partition of the first hard disk of the machine - the point is that it will not be in that location in an instrumented disk.

You could use pgpwde commands to attempt fixing the MBR, but there is always a chance to lose data with this type of operation.

BootGuard loading stage 2... PGPWDE disk data are corrupted. - TECH149631

Rgs,
dcats

JackAllTrades wrote:

Thank you very much for your response and assistance.

FYI, my company gave me a loaner laptop with PGP Desktop installed and the disk was in the process of encryption at that time. I let it finish.

I also did some digging. I searched in Google for "pgp command user guide" and I also accessed Help -> Help Contents and Index in the PGP WDE Desktop software. What I found was the disk can be authenticated, encrypted, or decrypted with a passphrase or auth token key. If my company's PGP admin permitted the creation of a recovery token when the disk was instrumented, the recovery token would be sent to them, to their PGP server. However, according to your program's documentation, I cannot decrypt the disk with the recovery token, only authenticate and authenticate one time.

Note that the recovery token is used only to gain access to an encrypted disk or partition (on Windows systems). You cannot use the recovery token to encrypt or decrypt data.

Source: PGP Desktop for Windows Online Help

As an aside, I noticed from the PGP Command User Guide PDF, as well as the GUI program, that I can encrypt a disk with Power Failure Safety checkmarked (-safe-mode with the CLI), but there is no Power Failure Safety flag for decrypting. Is this something you plan to remedy in future versions? Is there a particular reason why Power Failure Safety is not supported with decryption -- is it by design or is it a logical obstacle? One would think this would be helpful if you're decrypting a disk and you lose power.

Thank you for researching that boot.ini nugget. I don't want to risk losing my data so, perhaps, I will avoid fixing the MBR until the end. If the disk is encrypted and I try to fix the MBR, I could also risk losing the PGPMBR (i.e. PGP WDE recover command fails) and be left with an encrypted disk and no way to decrypt it, correct?

Lastly, just to clarify my understanding of the PGPMBR, when the disk is instrumented, the MBR is backed up or replaced with the PGPMBR. It loads the PGP BootGuard boot loader. Upon successful authentication, it then points to the original MBR, which calls a boot loader like NTLDR and the OS loads. Is my understanding correct?

Thank you.

dcats wrote:

Hi JackAllTrades,

I'm seeing if I can find more details about the decryption with power failure safety option.

Regarding messing up the boot.ini, that's correct, the machine won't find the OS. PGP Bootguard will load properly, but then the loader is not able to load the OS because the boot.ini is not correctly configured and it cannot use the "backup plan" to find the OS in the default location. Thanks for this hint, we're always learning something new.

I would also prefer to let the machine complete the decryption process.
Your understanding of the PGPMBR is correct.

Rgs,
dcats

JackAllTrades wrote:

Thank you for your response and help.

Today is Friday. Decryption via the recovery disc started Tuesday evening, around 8-9PM. Yesterday, I noticed that the screen changed slightly. Instead of saying I have to wait till decryption is finished... It said the disk is 97% encrypted and I have to wait until the decryption process is completed. If you recall, before I (re)started the decryption process on Tuesday, the disk was supposedly 3% decrypted. If what I am reading is gospel, then nothing has changed. Either the decryption process can't find the mark or it's taking a really long time because of the disk's bad sectors.

I did make a clone of it, using Clonezilla's rescue option, before the decryption began on Tuesday. I may be screwed. I suppose I can try authenticating the clone and then try recovering data. I could also make an image of the clone and try to rebuild the MBR of the clone and hope the file system recovers and I can get my data back.

If nothing works, assuming the worst, I could get the clone or image sent out to a professional data recovery services. Would the passphrase be sufficient to access the disk or is that something I should investigate with a data recovery company?

Thank you.

dcats wrote:

Hi JackAllTrades,

The encryption/decryption process cannot be reverted in the middle. You need to complete encryption to be able to decrypt and vice-versa. Is it possible that when you resume it was actually resuming from the encryption process (instead of the decryption)?

"I could also make an image of the clone and try to rebuild the MBR of the clone and hope the file system recovers and I can get my data back."
- This is a good idea.
You can check the disk status of that "image of the clone". Among other details you should get:
  Disk 0 is instrumented by bootguard.
  Current key is valid.
  Drive encrypted
  Total sectors: <number> highwatermark: <number>

"If nothing works, assuming the worst, I could get the clone or image sent out to a professional data recovery services. Would the passphrase be sufficient to access the disk or is that something I should investigate with a data recovery company?"
- Yes, if they have the passphrase and can recover the user records in the disk, they should be able to decrypt data assuming they can recover it from the disk.

Rgs,
dcats

JackAllTrades wrote:
Hello,
 
Thanks again.
 
Unfortunately, no. The disk had been fully encrypted for some time (I've had this company laptop for a while). 
 
When it failed, as you recall, I began decryption with the recovery disc and I felt I had to stop it because I thought I could get in trouble if I left my laptop at home and IT needs it in order to give me a loaner. As it turned out, they left me alone and gave me a loaner. I wish I knew that or would've been brave and let it decrypt and not touch it, but I couldn't get in touch with IT over the weekend and I was afraid they would forcibly take away my laptop, not letting me fix it, and they would try and likely not go through the trouble of recovering my data. In short, I took a calculated risk and I guessed wrong.
 
With both the bad drive and the clone, I had checked their status and it said the encryption removal process is running in the background and gave a low and high watermark. I can't paste in the exact response right now, but I will when I get the chance to query the clone drive. I can say the clone and the bad drive seemed to be exactly the same, minus data from the bad sectors and judging by the PGP WDE commands. Both had the same status, same user information, same total sectors. Both said current key is valid. Both queried for my passphrase when slaved. The only difference is the clone didn't lock up when Windows was querying the drive.
 
What's interesting is the first time I ran the recovery disc on the drive and stopped it, the drive was reportedly 1% decrypted. Then, through the various processes of slaving it to another laptop, putting it back in the original, running it inside Windows, trying (and failing) to decrypt it in Windows and Windows PE, it somehow rose to 3% decrypted, the next time I checked it. Again, this was after I ran the recovery disc for the first time and stopped it and I restarted the recovery disc decryption when the drive was reportedly 3% decrypted. Does that mean that it's possible the drive kept decrypting either in Windows or Windows PE? The status read that it was decrypting in the background. I thought it made sense that your program was reporting that because I stopped it during the process when you're not supposed to stop it. I never actually thought it was actively decrypting at that point. But maybe it was. Is that possible? If it was, the only thing I can't confirm is if it was continuing decryption in Windows, Windows PE, or both.
 
Thank you.
dcats:

Hi JackAllTrades,

I will check that; it is likely that the decryption process was resumed once the drivers were loaded and the authentication was successful. This is likely to happen in Windows, but I'm not sure about WinPE with the WDE tools.

Using the PGP Desktop / Symantec Encryption Desktop (SED) client, when you are encrypting a machine you can shut the machine down in an orderly way and the process will be resumed once the machine is started. The same is valid for decryption.

I will attempt to verify this behavior and will update this thread.

Rgs,
dcats

JackAllTrades:
Hello dcats,
 
I appreciate your response.
 
My company gave me a loaner laptop with the exact same PGP version as my original laptop (v10.2.1 MP3; I don't remember the build number, but it's the same). I opened PGP Desktop and noticed that there is a power safety failure option for encryption but not for decryption. And with the recovery disc, there is no option to even pause the decryption, let alone a power safety failure option. At least with the Windows client, you can pause decryption and resume later, I believe. Is this by design or a limitation of the cryptographic algorithm?
 
I think what you're saying regarding the drivers loading and authentication success being integral to the drive resuming decryption -- explaining how it got from 1% decrypted, when I ran and abruptly stopped the recovery disc for the first time, to the 3% decrypted I noticed later on -- is spot-on. As you recall, I had the disk slaved a few times to another laptop with the latest version of PGP Desktop installed (10.3.2).
 
Since the last time I updated my progress, much has occurred. I tried to decrypt the disk once more. I booted up WinPE with the WDE tools, authenticated, and then I thought -- and I can't recall if I tried it in the past in WinPE -- that I could use the WDE resume command. It fired successfully. I checked the status of the disk and noticed the low watermark was increasing each time I fired the status command. This means decryption was resuming, something that didn't happen when I ran the recovery disc for 4+ days. I ran it overnight. I woke up and checked whether it had finished or how far it got. It turns out it stopped not long after I went to sleep. I ran it again and it stopped shortly thereafter again. However, when I tried to resume, it said the operation failed, unknown error.
 
I rebooted the computer and went back into WinPE. I authenticated and checked the status. Then, when I initiated the resume command, it returned "operation failed, unknown error". I tried other PGP commands like info and status, and they all returned "operation failed, unknown error". I rebooted the computer and, again, went back into WinPE. This time, from the start, none of the PGP commands were working -- authentication, status, info, none of them. They all returned "operation failed, unknown error". I gave up on WinPE.
 
From here, I slaved the SSD to the loaner laptop with v10.2.1 MP3. I authenticated, and PGP Desktop resumed decryption automatically. It may have resumed decryption because the SSD was encrypted with the same version, v10.2.1 MP3, since I don't recall seeing the SSD resume decryption on the laptop with PGP WDE v10.3.2. But I suppose it's possible the laptop with PGP WDE v10.3.2 had resumed decryption in the background, even though the PGP Desktop application didn't show it (that would explain the 1% to 3% decryption jump). I don't recall exactly, but I think the SSD was at least 90% decrypted at this point. So WinPE definitely resumed decryption, even though, as I documented earlier, decryption stopped for unknown reasons.
 
Anyway, the SSD was decrypting at a rate of 0.01% per 3-5 seconds. I let it run and I think it finished in something like 10-12 hours, somewhere around that range.
 
Then I reconnected the SSD to the 10.2.1 MP3 loaner laptop and to the 10.3.2 laptop, and PGP did not ask me to enter a passphrase. I believe the SSD, at this point, is uninstrumented, even though stopping decryption the very first time using the recovery disc should have made decrypting impossible.
 
Real quick: I ran a SMART tool on the SSD and it indicated its health status was good and drive life was at 95%. In short, it indicated the SSD was in good shape. From my research, just because SMART doesn't see any problems doesn't mean the drive won't fail. It's just a guide, not the be-all and end-all. It may still be physically damaged, but the evidence so far points in the opposite direction. If I assume the drive is not physically damaged, just logically, that would rule out things like overheating.
 
The laptop shutting down abruptly, STOP errors, all of that would definitely cause logical errors. I'm thinking Windows essentially crashed due to logical errors, damage to the registry, and chkdsk trying to repair the file system.
 
But what I want to rule out is this: did my Windows cloning program (I don't recall the name of it) write back to the source when it tried to start and failed because of some IO read/write error, and did adding the safe boot option to the boot.ini file, via msconfig, somehow trigger a rebuild or cause a conflict with the PGPMBR or PGP Boot Guard?
 
Would you be able to tell me whether it's safe to edit the boot.ini file using msconfig without causing a conflict with PGP WDE? I think you pointed out that PGP Boot Guard occupies the first sector of the active partition, which is normally occupied by the Windows boot loader.
 
Thank you.
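
The post above describes watching the low watermark advance between successive status queries as the sign that decryption had actually resumed, and an observed rate of about 0.01% per 3-5 seconds. The following is an added example, not code from the thread or from Symantec: it parses two status snapshots of the kind the poster describes (total sectors, low/high watermark, "Current key is valid"), reports which watermark moved, and turns the delta into a percent-complete and a rough time-to-completion. The field names and layout in the sample output are an assumption modelled on the fields mentioned in this thread, not the verified format of `pgpwde --status`; the mapping "advancing watermark / total sectors = percent done" is likewise an assumption that matches the percentages reported above. The "operation failed, unknown error" string is the failure text the poster quotes.

```python
"""Progress check for a resumed PGP WDE decryption from two status snapshots.

Added example for this thread; not Symantec's code. The status text format
(field names, ordering) is ASSUMED from the fields the thread mentions and
must be checked against real `pgpwde --status` output before use.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Error text quoted in the thread; treated here as a hard failure of the tool.
FAILURE_MARKER = "operation failed"


@dataclass
class WdeStatus:
    total_sectors: int
    low_watermark: int
    high_watermark: int
    key_valid: bool


@dataclass
class Progress:
    moving: Optional[str]        # "low", "high", or None if nothing advanced
    sectors_advanced: int
    percent_done: float          # ASSUMPTION: advancing watermark / total sectors
    sectors_per_sec: float
    eta_hours: Optional[float]   # None when no progress was observed


def parse_status(text: str) -> WdeStatus:
    """Extract the numeric fields from one status report (assumed layout)."""
    if FAILURE_MARKER in text.lower():
        raise RuntimeError("tool reported failure: " + text.strip().splitlines()[-1])

    def field(pattern: str) -> int:
        m = re.search(pattern + r"\s*:\s*(\d+)", text, re.IGNORECASE)
        if not m:
            raise ValueError(f"field {pattern!r} not found in status output")
        return int(m.group(1))

    return WdeStatus(
        total_sectors=field(r"total\s*sectors"),
        low_watermark=field(r"low\s*watermark"),
        high_watermark=field(r"high\s*watermark"),
        key_valid=bool(re.search(r"current key is valid", text, re.IGNORECASE)),
    )


def progress(before: WdeStatus, after: WdeStatus, elapsed_sec: float) -> Progress:
    """Compare two snapshots taken elapsed_sec apart and estimate completion."""
    if before.total_sectors != after.total_sectors:
        raise ValueError("total sector count changed between polls; same disk?")
    d_low = after.low_watermark - before.low_watermark
    d_high = after.high_watermark - before.high_watermark
    if d_low > 0:
        moving, advanced, position = "low", d_low, after.low_watermark
    elif d_high > 0:
        moving, advanced, position = "high", d_high, after.high_watermark
    else:
        moving, advanced, position = None, 0, after.low_watermark
    percent = 100.0 * position / after.total_sectors
    rate = advanced / elapsed_sec if elapsed_sec > 0 else 0.0
    eta = (after.total_sectors - position) / rate / 3600.0 if rate > 0 else None
    return Progress(moving, advanced, percent, rate, eta)


# Constructed sample reports (ASSUMED format), two polls 120 s apart, for a
# 250 GB disk of 488397168 sectors. Only the low watermark moves here, at about
# 0.01% per 4 s, the rate the thread reports.
SAMPLE_POLL_1 = """\
Disk 1 is instrumented by bootguard.
Current key is valid.
Total sectors: 488397168  highwatermark: 488397168  lowwatermark: 14651915
Encryption removal process is running in the background.
"""
SAMPLE_POLL_2 = SAMPLE_POLL_1.replace("lowwatermark: 14651915", "lowwatermark: 16117106")
SAMPLE_FAILURE = "Operation failed, unknown error\n"


if __name__ == "__main__":
    s1, s2 = parse_status(SAMPLE_POLL_1), parse_status(SAMPLE_POLL_2)
    p = progress(s1, s2, elapsed_sec=120)
    print(f"{p.moving} watermark advanced {p.sectors_advanced} sectors; "
          f"{p.percent_done:.2f}% done, ETA {p.eta_hours:.1f} h")
    try:
        parse_status(SAMPLE_FAILURE)
    except RuntimeError as exc:
        print("stop polling:", exc)
```

Two polls are enough to distinguish "status says decrypting in the background" from "sectors are actually being written": if neither watermark moves across a few minutes, the job is stalled regardless of what the status line claims, and a failure string in the output should end the polling loop rather than be retried blindly.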

dcats:

Hi JackAllTrades,

"At least with the Windows client, you can pause decryption and resume later, I believe. Is this by design or a limitation of the cryptographic algorithm?"
 - Yes, it is possible with the Windows client. I am not aware of the grounds behind this, but for the recovery disk this looks like a design decision. Using WinPE with the WDE tools you should be able to run the --resume and --stop commands.

 - Correct, the PGPMBR occupies the space which is normally used by the MBR.
I haven't done extensive testing with editing the boot.ini, but from what I saw it depends on what you are modifying there. I believe the switch to modify the memory allocation should present an issue for the disk encryption.

You mention a Windows cloning program; if by this you mean a system recovery, then there is room for conflict. For instance, during a recovery it may overwrite the PGPMBR.
Please have a look at this article: Restoring Symantec System Recovery images of machines that have been protected by Symantec Drive Encryption (previously PGP Whole Disk Encryption) - TECH198084.

Rgs,
dcats