File Share Encryption

  • 1.  PGP will not take pass phrase on recovered hard drive

    Posted Jan 09, 2014 01:53 PM

    Hi,

      Here's my problem.  The hard drive on my laptop died and I sent it off to be recovered.  They were able to get a new drive similar to the original and put an image of the original on it.  So basically, they cloned the hard drive.  When the laptop boots up it goes to the PGP login screen, but does not take my password.  The people here who installed PGP (version 10.0.1 for Windows) tried some backdoor passwords that also do not work.  They tried a recovery disk, but despite the disk being in there and being selected to boot from, it goes to the PGP login screen asking for the password.  Does anyone know what may be going on?  Is there any way to decrypt the drive?  I really need to get the data off there.  Thanks for any help you can give.  Hope I posted this correctly, if not, please place it where it needs to go.  Thanks again.

     



  • 2.  RE: PGP will not take pass phrase on recovered hard drive

    Broadcom Employee
    Posted Jan 13, 2014 02:52 AM

    Hi wsegars,

    Please attach that disk as a slave in another machine with the same version of PGP Desktop installed.
    Open a command prompt and go to: C:\Program Files (x86)\PGP Corporation\PGP Desktop>

    Check the output of these commands:
    pgpwde --enum
    (from here I'm assuming that the slaved disk is presented as disk 1, in the above output)
    pgpwde --disk 1 --disk-status
    pgpwde --list-users -d 1
    pgpwde --auth --disk 1 -p password_here

    HTH,
    dcats



  • 3.  RE: PGP will not take pass phrase on recovered hard drive

    Posted Jan 22, 2014 09:46 AM

    Hi Wsegars,

    Unfortunately, a restored encrypted image may or may not work. However, you can try the solutions mentioned in the article:

    http://www.symantec.com/business/support/index?page=content&id=TECH198084

    Why imaged encrypted hard drives may not work as expected after deployment : 

    "Unfortunately, one of the greatest strengths of PGP WDE, its transparency, ends up being a bit of a problem for backup images. Why? Any time data is read from an encrypted disk (such as by an imaging program) it gets decrypted into memory automatically. When the imaging application writes the data out to a new location, it writes the unencrypted data, not the encrypted data. This leaves you with an unencrypted backup of an encrypted disk.

    Sadly, since this unencrypted backup may be an external drive that slips easily into a pocket, it may actually be more vulnerable to theft than the laptop itself. Additionally, if you need to do a "bare metal" restore onto a blank disk or new machine, the resulting system would need to be re-encrypted."

    Source : https://www-secure.symantec.com/connect/blogs/encryption-and-disk-imaging-part-i

    However, recently there was a beta release of the software "Casper Secure" by Future Systems Solutions, Inc. This software is intended to allow the backup of encrypted drives. For more information on using this product with SED, you may refer to the link below:

    https://www-secure.symantec.com/connect/blogs/encryption-and-disk-imaging-part-ii

     



  • 4.  RE: PGP will not take pass phrase on recovered hard drive

    Posted Jan 23, 2014 04:05 PM

    Hi, 

      Thanks for the help.  We managed to decrypt the original (repaired) drive and the clone drive using a PC. The only thing is when we attach the decrypted clone drive to a PC using a USB enclosure to see what's on it, the PC asks if we want to format the drive.  When we look into the drive after saying no to that question, it shows no data.  It says 0 bytes used of 0 bytes. When the original drive is attached via the enclosure, it shows 60 Mb used of 170 GB.  So we are not seeing the data that should be there.  Do y'all have any ideas on why that would be?  I appreciate all the help.  Sorry for the massive delay in responding, I had to get a USB enclosure then we had to work on the decrypting.



  • 5.  RE: PGP will not take pass phrase on recovered hard drive

    Broadcom Employee
    Posted Jan 30, 2014 07:02 AM

    Hi wsegars,

    It may happen that the cloning process was not successful; some utilities like dd will shrink the output if there are block errors in the source, thus not producing a reliable clone as output, unless the proper switches are used.

    From (external link): http://www.forensicfocus.com/linux-dd-basics
    "By default dd will happily copy out data until it locates a sector or block on the source device that it can't read. Then it will just stop what it is doing and you won't have a full image. Using conv=noerror,sync will adjust this behaviour so that dd will pad the bad sectors with zero characters and then carry on copying the rest of the data that it can read. The second part of the switch, sync provides the zero padding and also ensures that the sectors on the target device are aligned with those from the source device, thus ensuring an accurate replication of the original media. notrunc simply tells dd to keep copying to the end of the target device rather than truncating the image early."
     

    It may be that essential encryption information could not be recovered from the original disk, or that it was corrupted and then copied, so that you have an exact copy of the first hard drive.



    WARNING:  Using a fixmbr will wipe an MBR clean. If you are unsure of other applications that are using the MBR you should create a ticket and explore if there are any other options before proceeding with this fix. Backups should always be on hand before performing this operation as this could lead to a loss of data. If backups have not been created you will need to make an image of your disk, and transfer that to a new drive. Use the drive with the image for all testing and troubleshooting so that the original remains intact.


    If you are sure that the disk is decrypted, you can attempt to wipe the MBR and then rebuild it, by booting the machine from Windows Recovery and using it to repair the master boot record.

    Troubleshooting: Drive Encryption Recovery - TECH149345


    Or attempt to recover access to the disk in case it is still encrypted:

    BootGuard loading stage 2... PGPWDE disk data are corrupted. - TECH149631

    Raw disk with PGP encrypted disk - TECH182887
     

    Rgs,
    dcats
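
Added example, not part of the original thread or of any PGP/Symantec tooling: a shell check for the failure mode described in post 5, where a dd clone comes out shorter than its source or has unreadable sectors zero-padded. The function names, the 512-byte sector size and the use of image files are assumptions for illustration; for a Linux block device, take the size with `blockdev --getsize64` instead of `wc -c`.

```shell
#!/bin/sh
# Added example: check a dd clone against its source. All names are illustrative.
SECTOR=512

# Byte size of a regular file or image (for a Linux block device use:
# blockdev --getsize64 /dev/sdX).
size_of() { wc -c < "$1" | tr -d ' '; }

# Image SRC to IMG with the switches from the quoted dd text: continue past
# read errors (noerror) and zero-pad short reads so offsets stay aligned (sync).
image_disk() { dd if="$1" of="$2" bs="$SECTOR" conv=noerror,sync 2>/dev/null; }

# Print one verdict line for clone IMG of SRC:
#   truncated <missing_bytes>  image is shorter than the source
#   identical                  byte-for-byte equal over the source length
#   padded <n_sectors>         differs only where the image holds zero bytes
#   corrupt <n_sectors>        differs and the image bytes are not zero
clone_status() {
    src=$1 img=$2
    s=$(size_of "$src"); i=$(size_of "$img")
    if [ "$i" -lt "$s" ]; then echo "truncated $((s - i))"; return 0; fi
    # cmp -l lists each difference: 1-based byte offset, source byte, image byte
    # (bytes in octal). Group the offsets into sectors and look at the image byte.
    cmp -l "$src" "$img" 2>/dev/null | awk -v sz="$SECTOR" '
        { sec[int(($1 - 1) / sz)] = 1; if ($3 + 0 != 0) nonzero = 1 }
        END {
            n = 0; for (k in sec) n++
            if (n == 0)       print "identical"
            else if (nonzero) print "corrupt " n
            else              print "padded " n
        }'
}
```

A `padded` verdict means the differing sectors are zero-filled in the clone, which is what `conv=noerror,sync` writes for sectors it could not read; `truncated` matches the default dd behaviour of stopping at the first unreadable block.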