How To Manually Decrypt a Drive Using EEtech

How To Manually Decrypt a Drive Using EEtech

Have you ever confused because you can’t decrypt and encrypted drive?

Is using McAfee Drive Encryption (will be referred as DE later) causing you so much pain in the ass? Because you can’t read the data on encrypted drive and EEtech saying that your drive is not encrypted?

This is gonna be a long write-up. I work as a vendor handling DE products. As a vendor, you can get help from international support line that provided by your product. But unfortunately, this product support isn’t that good.

The frustation of waiting for reply is driving me insane. I live in a third world country where fast internet is still a luxurious things and the client site has this bad signal reception so i can’t call support line using skype (life hacks, you can free-call US toll free number using skype. You’re welcome.)

Okay enough blabbering.

This is the situation that will become a beginning of my journey of decrypting the drive using limited knowledge provided by product guide.

First thing first, check disk information. My apologies the picture is kinda crappy, but you will get the idea. See yourself below.

Can you see what is interesting from the capture above?
So many unknown in a single picture

Based on two picture above, i take this conclusion:

  • Drive D is encrypted
  • There is an unusual message stating about disk power fail state. It says decrypting. This is my first time seeing this kind of information
  • So many unknown in disk info. Something isn’t right……

Let’s take a peek in the first sector. Using EEtech you can load every sector of the drive. I just type the sector number, and voila!

This is not encrypted….

The first sector of the drive look completely normal. So i assume, this drive has been decrypted before. But why we can’t access the data if it’s already decrypted? This is where things start to getting weird.

All the information we have is disk information. We must maximize the knowledge we have there. So, i create this table to help me determine which sector is encrypted and which one isn’t

Start Sector783.718.400
Sector Count
1.127.841.792
Last Sector (Start sector + sector count – 1)1.911.560.191

So we know the encrypted partition sector end. Now, let’s take a peek on last sector.

huh?

I am confused when looking the last sector. The heading says NTFS. So, this last sector of D partition is actually a start sector of next partition? What is going on in this drive? Only god and the drive itself knows at this point.

I take 10 last sector before the partition last sector. And the data there isn’t distinctive enough to determine whether it has been decrypted or still in encrypted state. Based on my previous personal research, we can determine the data has been decrypted or not based on this information:

  • null
  • A-Z string in various style
  • null in between char
  • Windows messages (logfiles, error message, anything readable)

Taking that into consideration, i need to find a sector that matched the criteria. And btw, if you see a random string, the data on that sector might be encrypted. You need to press “Decrypt workspace” to decrypt the data first, and see if you find any information after decrypting it. Please take into consideration that you can decrypt the non-encrypted data too. And known messages will become a random string and become unreadable.

So basically, i just skimmed the whole partition to get information did the decrypt process successful or not. Just because first sector is decrypted doesn’t mean the rest is successfully decrypted too.

And i got some confirmation. Most of the data on the disk is still in encrypted state.

This bring me into the next challenge. I need to determine which sector has been decrypted and which sector still in encrypted state.

I really do that, manually. Just skimmed and guessing where the decrypt process stopped. Checking the first 100 sector. And i found this.

lolwut

I found 6 sector casually encrypted in the middle of decrypted sector. I just did this randomly and thank god, this will be some answer that i needed in the future.

Finally i found the sector where the decrypt process stoppped. I hope there is no more small encrypted sector that linger around decrypted sector like our previous found. Now i know i need to decrypt sector number 783.732.527 to sector number 1.911.560.190. Keep in mind this number is different based on your partition table and i substract the last sector by 1 since we know that the last sector is a beginning of another partition.

You can force decrypt using EEtech. Here is how:

  1. Click on “Force Crypt Sector” button
  2. A warning will appear. Read carefully, and press OK after you read it
  3. Enter disk number, start sector, and number of sector (sector count)
this is the majority of decrypting process
don’t forget this group of sector too

And that’s how i get the data accessible again. Hope this simple write-up can help you recovering those data!

Leave a Reply

Your email address will not be published. Required fields are marked *