Endpoint Encryption

  • 1.  Help Needed | PGP issue

    Posted Sep 25, 2014 07:02 AM

     

    My laptop runs Windows 7 and has PGP installed.
    I contacted my company and got a new passphrase key.
    When I boot my laptop I get the PGP passphrase screen.
    When I enter the passphrase at the passphrase screen, it works.
    And then it does not go to Windows and gives a boot error.

     



  • 2.  RE: Help Needed | PGP issue

    Broadcom Employee
    Posted Sep 25, 2014 09:40 AM

    Hi Selvar,

    Let us know what is the exact error message if possible.

    Most probably you will have to:

    1. Slave the drive to another machine with PGP
    2. Access and copy all necessary data to have them safe if you don't have a backup yet
    3. Depending on an error/symptoms follow the steps in the below KB:

    Drive Encryption Diagnosis and Recovery - Symantec Drive Encryption & PGP Whole Disk Encryption
    http://www.symantec.com/docs/TECH149679

    HTH

     

     

     



  • 3.  RE: Help Needed | PGP issue

    Posted Sep 25, 2014 04:40 PM

     

    Hi Adam 

    Thank you so much 

    I get passphrase screen and enter passphrase and then I get black screen with error 

    Master file is corrupted \x000008 boot windows with CD and boot mode to fix error like that 

    I tried rebooting with the Windows CD but PGP is not allowing it to connect to the Windows boot 

    When I connect this hard disk via USB to another laptop I can't access this USB drive in Windows Explorer and am getting an error 

    So in the DOS prompt I can't get into c:programs files in order to execute the recovery steps you mentioned 

    Hence can you please help me with some other solution 



  • 4.  RE: Help Needed | PGP issue

    Posted Sep 25, 2014 06:53 PM

    Make sure the machine you are connecting it to has Symantec Encryption Desktop (or PGP Desktop) installed, otherwise it will not be able to read the file system on the disk.



  • 5.  RE: Help Needed | PGP issue

    Broadcom Employee
    Posted Sep 26, 2014 03:50 AM

    Hi Selvar,

    Error you are getting is hardware/software OS oriented not PGP. Master file table contains all information about a file, including its size, time and date stamps, permissions, and data content. More information you can find here please:

    http://msdn.microsoft.com/en-us/library/windows/desktop/aa365230(v=vs.85).aspx

    Because the disk is encrypted you need to follow the steps I wrote in my first post, making sure that you slave the drive to another machine with PGP a.k.a. SED.

    I presume you connected your drive via external USB cable to a laptop with PGP. You have stated that you are getting an error - are you able to provide what the error is, please? As Mike said, if there is no PGP installed you will not be able to read files and in fact your disk should show an error to format the drive, and via Computer Management the disk should be visible as RAW.

    Can you also post the feedback from the following commands please:

    Start > run > cmd and type as follow:

    x32
    C:\Program Files\PGP Corporation\PGP Desktop>
    x64
    C:\Program Files (x86)\PGP Corporation\PGP Desktop>

    pgpwde --version  --disk 1   (presuming the connected disk is disk 1)
    pgpwde --status --disk 1
    pgpwde --enum --disk 1
    pgpwde --info --disk 1
    pgpwde --list-users --disk 1

     



  • 6.  RE: Help Needed | PGP issue

    Posted Sep 26, 2014 02:06 PM
    Thank you so much for your prompt response in restoring my PGP HD.

    Like you mentioned, I connected my HD to a laptop which has PGP installed, executed the command below and got my username as the result, which is the corrupted PGP HD:

    pgpwde --list-users --disk 1
    Selp

    Can you advise on the next step?

    Though I connected my HD via USB to another laptop which has PGP installed, I can't access my HD in Windows Explorer.


  • 7.  RE: Help Needed | PGP issue

    Posted Sep 29, 2014 04:10 PM

    Here is an update on what we did

    1. I connected the PGP hard disk (the corrupted one) via USB to a laptop which has PGP Desktop installed

    and executed pgpwde --decrypt --disk 1 --passphrase {MYPASSWORDHERE}

    It ran for two days and the PGP Desktop icon showed description starts etc.

    2. When I go to Windows Explorer, it shows
    "can't be accessed or corrupted "

    then

    3.pgpwde --enum executed

    unmanaged disk
    disk 1 had zero online volume

    4.pgpwde --list-users --disk 1 - executed

     

    disk1 is not instrumented by bootguard

    5.pgpwde --list-user --disk 1

    no users found

     

    6. I also executed pgpwde --recover -p <passphase>

    and got below

    could not locate valid BGFS record

    please advise what can be done to recover data from my PGP corrupted hard disk

     



  • 8.  RE: Help Needed | PGP issue

    Broadcom Employee
    Posted Sep 30, 2014 04:25 AM

    Hi Selvar,

    Your commands are stating that the disk is not instrumented by the bootguard so should be decrypted.

    You in fact started decryption on your own without making a bit by bit copy of the disk. Do you have any backup in place?

    Can you show us the Computer Management part of the disk:

    1. Start  > Run > Cmd > type compmgmt.msc and navigate to Disk Management section and paste the screenshot of your disk(s) . Do you see if the File System is RAW

    2. Let me know what happens when you click on Start > Computer and click on the disk. Is it asking you to format the drive?

    3. On PGP a.k.a do you see the disk 1 with the blue padlock or not

     

     

    After all you can still verify as below:

     

     

    4. Can you verify for me the BGFS records on the disk

    4a. Download any of the HEX tools like WinHex or HxD or Disk Editor
    ( http://www.x-ways.net/winhex/ or http://mh-nexus.de/en/hxd/ )

    4b. Install WinHEX (let's use this tool for example) and run as administrator

    4c. Navigate to Tools > Open Disk and choose affected Drive Disk 1 from Physical Media

    4d. You should see Offset (000000000) sector 0

    4e. Menu Search > Find Text > type capital letters BGFS and leave Match case ticked.
    Search will take time depending on the size of the disk and we will try to find all places on the disk where BGFS records are stored. You might have to click F4 (search next)

    4f. If you see that BGFS records are found in many places on the disk I would take the snapshot of each place where it finds making sure that you take a screenshot with sectors as well.

    8. If NO BGFS records are found on the disk which was in fact confirmed by the pgpwde --recovery command - please confirm. We will try to use any Recovery Software like below

    Recovery Software like provided before:
    http://www.cgsecurity.org/wiki/TestDisk

     

     

     

     



  • 9.  RE: Help Needed | PGP issue

    Posted Sep 30, 2014 04:13 PM

    1. Start  > Run > Cmd > type compmgmt.msc and navigate to Disk Management section and paste the screenshot of your disk(s) . Do you see if the File System is RAW

    Yes


    2. Let me know what happens when you click on Start > Computer and click on the disk. Is it asking you to format the drive?

    The disk structure is corrupted and unreadable

    3. On PGP a.k.a do you see the disk 1 with the blue padlock or not
     

     
    After all you can still verify as below:
     
     
    4. Can you verify for me the BGFS records on the disk
    4a. Download any of the HEX tools like WinHex or HxD or Disk Editor
    ( http://www.x-ways.net/winhex/ or http://mh-nexus.de/en/hxd/ )
    4b. Install WinHEX (let's use this tool for example) and run as administrator
    4c. Navigate to Tools > Open Disk and choose affected Drive Disk 1 from Physical Media


    Drive F: Cannot open "$MFT". Unexpected data at offset C0000000 and offset 2000, Res=9, Res2=9
    Drive F: Cannot open "$MFT". Unexpected data at offset C0000000 and offset 2000, Res=9, Res2=9

    4d. You should see Offset (000000000) sector 0

    EB


    4e. Menu Search > Find Text > type capital letters BGFS and leave Match case ticked.
    Search will take time depending on the size of the disk and we will try to find all places on the disk where BGFS records are stored. You might have to click F4 (search next)


    Attempting to Build the Encryption Chain.

    pls find attached screen shots

     

    Attachment(s): restepsforreceovery.zip (2.22 MB)


  • 10.  RE: Help Needed | PGP issue

    Posted Sep 30, 2014 04:17 PM

    pls find attached

    Attachment(s): restepsforreceovery_1.zip (2.22 MB)


  • 11.  RE: Help Needed | PGP issue

    Broadcom Employee
    Posted Oct 01, 2014 05:02 AM

    Hi Selvar,

    I see as follow:

    a) structure of the disk is corrupted and unreadable - that is why you see MFT error

    c) disk still has got some BGFS records

    d) disk is NOT instrumented as per your pgpwde commands but you have opened a WinHex disk Edit Mode showing a Logical Volumes/Partitions. Can you do the same for the sector "0" but with the Physical Media as I requested in point 4c? I need to verify whether the PGPGUARD is in fact existing or not.

    So check the Offset (000000000) sector 0 via WinHex - Physical Media, choosing your disk, and check if there is a PGPGUARD

    My worry here is that you might have the disk still encrypted but on top of it a corrupted structure of MFT.
    This doesn't look nice and I don't know if any recovery will be possible.

    Anyway check the point d) first
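
Added example, not part of the original thread or of any Symantec tooling: the two hex-editor checks requested above (search the whole disk for the case-sensitive text BGFS, and look for PGPGUARD in sector 0), scripted so they can be run read-only against a bit by bit image of the drive instead of the drive itself. The 512-byte sector size, the function names and the sample image are assumptions made for this example; the marker positions in the sample are constructed and say nothing about where real records sit.

```python
import tempfile

SECTOR = 512  # assumed logical sector size


def find_marker(path, marker=b"BGFS", chunk=1 << 20):
    """Byte offsets of every case-sensitive match, read in fixed-size chunks."""
    hits, tail, base = [], b"", 0
    keep = len(marker) - 1  # bytes carried over so a match split across reads is seen
    with open(path, "rb") as f:
        while block := f.read(chunk):
            buf = tail + block
            i = buf.find(marker)
            while i >= 0:
                hits.append(base - len(tail) + i)
                i = buf.find(marker, i + 1)
            tail = buf[-keep:] if keep else b""
            base += len(block)
    return hits


def sector0_has_pgpguard(path):
    """True if the ASCII string PGPGUARD appears anywhere in the first sector."""
    with open(path, "rb") as f:
        return b"PGPGUARD" in f.read(SECTOR)


def report(path, chunk=1 << 20):
    """Summarise both checks; BGFS hits are given as (sector, offset in sector)."""
    hits = find_marker(path, chunk=chunk)
    return {"pgpguard_in_sector0": sector0_has_pgpguard(path),
            "bgfs": [divmod(off, SECTOR) for off in hits]}


def make_sample_image():
    """Constructed 64-sector image with markers at arbitrary positions (not real disk data)."""
    img = bytearray(64 * SECTOR)
    img[3:11] = b"PGPGUARD"                  # position chosen for the demo only
    img[10 * SECTOR:10 * SECTOR + 4] = b"BGFS"
    img[20 * SECTOR + 510:20 * SECTOR + 514] = b"BGFS"  # straddles a sector boundary
    with tempfile.NamedTemporaryFile(delete=False, suffix=".img") as f:
        f.write(img)
        return f.name


if __name__ == "__main__":
    print(report(make_sample_image(), chunk=SECTOR))
```

The sector numbers in the output are the same values a hex editor shows next to each hit, so they can be reported in place of screenshots.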