File Share Encryption

My company mandates the use of Symantec PGP Whole Disk Encryption, so my Windows 7 laptop is duly encrypted. A couple of days ago Windows stopped booting correctly, and immediately after entering my PGP password the machine booted into the Windows recovery environment. Running the diagnostic tools in there indicated that the Master Boot Record of the laptop was to blame. Not thinking, I ran fixmbr which obviously blew away the WDE boot loader. Booting the system then gave the message "missing operating system".

I've spent a couple of days scouring the forums and found this post which mirrors my problem exactly. I tried the PGP recovery boot disk first, but this did not detect the drive. So I plugged the disk in to a machine running the same version (10.3.0) of PGP using a SATA-USB cable, and tried the command line. This is what I see (Disk 1 is the old HDD attached via USB):

Great, I thought, now I'll try the --recover command line option. This started scanning each sector of the drive, but bombs out consistently at a particular sector with the below error.

I'm at a loss as to what to do next... but there is some important data on the drive so I haven't given up yet! Help!

Hi crawlem,

First step of troubleshooting an encrypted disk should always be to make a sector-by-sector (bit per bit) copy of the disk. This is to have a backup of the current state, in case there is the need to restart troubleshooting from the beggining. See https://www-secure.symantec.com/connect/forums/disk-decrypted-not-readable-through-windows

WARNING: Using a fixmbr will wipe a MBR clean. If you are unsure of other applications that are using the MBR you should create a ticket and explore if there are any other options before proceeding with this fix.  Backups should always be on hand before performing this operation as this could lead to a loss of data.   If backups have not been created you will need to make an image of your disk, and transfer that to a new drive.   Use the drive with the image for all testing and troubleshooting so that the original remains intact.

After, run the pgpwde --fixmbr and the pgpwde --recover, as instructed in this article: BootGuard loading stage 2... PGPWDE disk data are corrupted. - TECH149631.

Rgs,
dcats

Thanks for the quick reply. I ran --fixmbr and ran --recover again, but I get the same error at the same sector. Any advice on what to do now? Am I looking at a bad sector which needs recovery using a third party tool?

Hi crawlem,

It looks like a bad sector. Probably that is the reason why Windows stopped working properly.
The main concern here is that it is an encrypted sector. The third party tool must be encryption aware.

Some data recovery companies may be able to retrieve the disk content and then you can try to find Bootguard File System (BGFS) records with the recover command.


Rgs,
dcats

This strikes me as a flaw with whole disk encryption. Without encryption I would be able to run one of a multitude of tools (including a simple defrag in Windows) to work around this issue and keep my data.

As it is my drive is bricked because of a bad sector. Any suggestions for third party tools which are encryption aware?

Hi crawlem, Actually, it is a sequence of unfortunate events. With PGPMBR in place you could still access your data even if the OS wouldn't start. Then, the bad sector was reached before any BGFS backup record was found. Still it is true that data recovery from an encrypted disk is harder (sometimes impossible) and that is how is supposed to be. If you make a disk clone (sector by sector copy) to a good disk unit you may be able to resume the troubleshooting. The important part is that the clone must be of the same size as the source disk (ignoring errors), thus keeping the data structure intact. Please see if these help: https://www-secure.symantec.com/connect/forums/cant-load-windows-need-dos-based-cloning-utility-windows-pe http://www.tomshardware.co.uk/forum/296359-32-recovering-data-failed-encrypted HTH, dcats