File Share Encryption

  • 1.  Recovery fail during PGPWDE recovery procedure

    Posted Jan 05, 2015 01:48 PM

    I am running Windows 7 64-bit on a ThinkPad T420. Whole Disk PGP encryption was done on the HDD (Seagate Momentus) using PGP version 10.3.0.9307 (MP3). I booted the machine a few days ago, got the PGP bootguard and entered my password. That worked fine, however Windows did not boot up properly and I got the Windows recovery screen with about 5 recovery options ranging from repairing the system, restoring an image or opening a command prompt. After trying a few things to restore the OS, I opened the command window and entered "bootrec /fixmbr". When I rebooted I got a "Missing operating system" error message. I can't reach the Bootguard screen now. Is there any way I can recover the data? I gave the HDD to an external vendor but they are also unable to recover it. Needless to say, the drive has important data.

    So after going through forums, I tried to use PGP (same version) on another machine, with the bad HD as secondary, and run some PGP utilities to recover. Using the WinHex tool, I can find some entries for BGFS (screenshots available); however, I guess the HD has bad sectors, which is why recovery is not going through.

    1. Is there any option which can be passed to PGPWDE to skip bad sectors?
    2. The disk has 2 partitions. Is it possible to recover at least from one partition (inactive ones)?
    3. What is the best way to "clone" the PGP-encrypted disk to experiment further? Casper?

    Does anyone have experience of this problem, and a fix for it? It would be great if someone could provide me a way forward.

    Thanks & Best regards,
    DJS
    ============================================================================================
    c:\Program Files (x86)\PGP Corporation\PGP Desktop>PGPwde.exe --version  --disk 1
    Symantec Drive Encryption, Version 10.3.0 (Build 9307)
    Copyright (C) 2013 Symantec Corporation. All rights reserved.
    Request sent to Version was successful

    c:\Program Files (x86)\PGP Corporation\PGP Desktop>PGPwde.exe --status --disk 1
    Disk 1 is not instrumented by bootguard.
    Request sent to Disk status was successful
    =================================================================================
    c:\Program Files (x86)\PGP Corporation\PGP Desktop>PGPwde.exe --enum --disk 1
    Total number of installed fixed/removable storage
    device (excluding floppy and CDROM): 2
    Managed disks:
      Disk Group bcbaa5b2-f84c-43a1-afc9-d02d60e21873:
        Disk 0 has 1 online volumes:
          volume C:\ SYSTEM is on partition 1 with offset 2048
    Unmanaged disks:
      Disk 1 has 0 online volumes:
    Request sent to Enumerate disks was successful
    =================================================================================
    c:\Program Files (x86)\PGP Corporation\PGP Desktop>PGPwde.exe --info --disk 1
    Disk information for disk 1.
      Model Number: Jmicron Corp. USB Device
      Total number of sectors on disk: 976771072
    Request sent to Display disk information was successful
    =================================================================================
    c:\Program Files (x86)\PGP Corporation\PGP Desktop>PGPwde.exe --list-users --disk 1
    No users found!
    Request sent to List users on disk was successful
    =================================================================================
    c:\Program Files (x86)\PGP Corporation\PGP Desktop>PGPwde.exe --recover --disk 1 -p "passphrase"

    4314112 sectors searched, 972456960 sectors to go
    4315136 sectors searched, 972455936 sectors to go
    4316160 sectors searched, 972454912 sectors to go
    ERROR: read failed, number of sectors searched so far: 4316576
    Could not locate valid BGFS record

    Recovery failed!
    Operation recover disk failed:
    Error code -11990: read failed
    ================================================================================


  • 2.  RE: Recovery fail during PGPWDE recovery procedure

    Posted Jan 06, 2015 10:10 AM

    There is no option for skipping bad sectors.  Your best bet would probably be to clone the drive, but you will need to make sure it is a program that uses a bit-by-bit copy process since the drive is encrypted.  If you can make it through the cloning process, you may be able to use the --recover command successfully.

    Symantec does not recommend a specific cloning software, but I would try Clonezilla, since it is free and fairly straightforward to use.  I have heard good reports about Acronis too.  I haven't used Casper, but it probably would work fine as well.  The main issue will be finding a program that doesn't care that it sees an unknown file structure, and will just copy the bits anyway.  Some utilities only work when they see what they consider a valid file structure.



  • 3.  RE: Recovery fail during PGPWDE recovery procedure

    Posted Jan 08, 2015 11:38 AM

    Hello Mike,

    Thanks a lot for your response. After some attempts with Clonezilla, ddrescue actually did the trick.

    This is the o/p I got from --rescue.

    .....

    409468928 sectors searched, 567302144 sectors to go
    409469952 sectors searched, 567301120 sectors to go
    Found Primary BGFS record on sector 409470976

    Recovery successful!
    Request sent to Recover disk was successful

    Can you please help me with the next steps? Shall I run decrypt or fixmbr?

    PGPwde.exe --decrypt --disk 1 -p "passphrase here"
     
    or
     
    PGPwde.exe --disk 1 --fixmbr --passphrase <passphrase>
    =============================================================

    A few more outputs. Shall I try booting with the drive?

    C:\Program Files (x86)\PGP Corporation\PGP Desktop>PGPwde.exe --info --disk 1
    Disk information for disk 1.
      Model Number: Jmicron Corp. USB Device
      Total number of sectors on disk: 976771072
    Request sent to Display disk information was successful

    C:\Program Files (x86)\PGP Corporation\PGP Desktop>
    C:\Program Files (x86)\PGP Corporation\PGP Desktop>PGPwde.exe --status --disk 1
    Disk 1 is instrumented by bootguard.
      Current key is valid.
    Drive encrypted
      Total sectors: 976771072 highwatermark: 976769025 reserved start sectors: 2047

    Request sent to Disk status was successful

    C:\Program Files (x86)\PGP Corporation\PGP Desktop>PGPwde.exe --enum --disk 1
    Total number of installed fixed/removable storage
    device (excluding floppy and CDROM): 2
    Managed disks:
      Disk Group bcbaa5b2-f84c-43a1-afc9-d02d60e21873:
        Disk 0 has 1 online volumes:
          volume C:\ SYSTEM is on partition 1 with offset 2048
      Disk Group 436055d5-7b81-4702-819f-56bdb9e77de0:
        Disk 1 has 0 online volumes:
    Request sent to Enumerate disks was successful

    C:\Program Files (x86)\PGP Corporation\PGP Desktop>PGPwde.exe --list-users --disk 1
    Total of 1 user:
      User  1: Name: xxxxxxxxxxxxxxxxx Type: Symmetric A: S
    System Record Information:
          Disk UUID: 436055d5-7b81-4702-819f-56bdb9e77de0
         Group UUID: 436055d5-7b81-4702-819f-56bdb9e77de0
    Attribute Information:
      S = SSO, O = Offloaded, L = Locked out, A = Anti Theft, M = Managed Admin
      LSR = Local Self Recovery Available
    Request sent to List users on disk was successful

     
    Appreciate your response. 
     
    Thanks for your help
    DJS

     



  • 4.  RE: Recovery fail during PGPWDE recovery procedure

    Posted Jan 08, 2015 11:40 AM

    If the recover was successful, you should now be able to boot normally with the drive.  The --recover finds the backup Bootguard, and replaces it as well, so it should now function normally.

    You definitely would not need/want to fixmbr.  That will probably put you back in the same place you were before, not being able to log in.

    If you want to decrypt then make sure you can back up all of your data, that would also be a good option, but really, now that recovery completed, you should be all set on the cloned drive.
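
Added example (not part of the original thread, and not Symantec or ddrescue code): the bit-for-bit, error-tolerant copy discussed in replies 2 and 3, written out in Python. Every readable sector lands in the clone at its original offset, and unreadable sectors are zero-filled and reported, so the clone itself contains no sectors that fail to read. FlakyDisk, rescue_copy, the 512-byte sector size and the sample data are all constructed for illustration.

```python
import io

SECTOR = 512  # bytes per sector (assumed for this example)

class FlakyDisk:
    """Constructed stand-in for a failing drive: any read touching a bad sector raises OSError."""
    def __init__(self, data, bad_sectors):
        self.data, self.bad, self.pos = data, set(bad_sectors), 0
    def seek(self, off):
        self.pos = off
    def read(self, n):
        first, last = self.pos // SECTOR, (self.pos + n - 1) // SECTOR
        if any(s in self.bad for s in range(first, last + 1)):
            raise OSError(5, "read failed")
        chunk = self.data[self.pos:self.pos + n]
        self.pos += len(chunk)
        return chunk

def rescue_copy(src, dst, total_sectors, chunk_sectors=8):
    """Copy src to dst at identical offsets; return the unreadable sector numbers."""
    bad = []
    for start in range(0, total_sectors, chunk_sectors):
        count = min(chunk_sectors, total_sectors - start)
        try:
            src.seek(start * SECTOR)
            block = src.read(count * SECTOR)
        except OSError:
            # The large read failed: retry one sector at a time to isolate the damage.
            parts = []
            for s in range(start, start + count):
                try:
                    src.seek(s * SECTOR)
                    parts.append(src.read(SECTOR))
                except OSError:
                    bad.append(s)
                    parts.append(b"\x00" * SECTOR)  # filler keeps later sectors aligned
            block = b"".join(parts)
        dst.seek(start * SECTOR)
        dst.write(block)
    return bad

def demo():
    # Constructed 64-sector "disk": each sector is filled with its own sector number.
    image = b"".join(bytes([n]) * SECTOR for n in range(64))
    clone = io.BytesIO()
    bad = rescue_copy(FlakyDisk(image, {10, 11, 40}), clone, 64)
    return bad, clone.getvalue()

if __name__ == "__main__":
    bad, out = demo()
    print("unreadable sectors:", bad, "clone size:", len(out))
```

The returned list of bad sectors is worth keeping with the image, since data in those ranges is lost in the clone even when the rest of the disk is recovered.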