Encryption bypassed

It only took me four working days but I’ve finally managed to retrieve the data from an encrypted drive. I was so stressed out from this ordeal that I couldn’t sleep at night. The impact of the whole thing didn’t set in right away but once I realized that the data on the hard drive is being used for a $25 million project, I started to feel bad. For a while, my guilty conscience got the best of me. I didn’t know when it was going to end.

This morning, I started to pack the hard drive and get it ready to be shipped out to a data recovery company. We’ve been sending hard drives to them for a while and they were pretty successful. Even with that track record, it wasn’t known for sure if they would be able to get the data out of an encrypted drive. If they did, there would be a pretty hefty price tag for their work. For a $25 million project, it’ll be worth it.

Before shipping out the drive, we had one last thing to try. I managed to decrypt the drive last night but the information on the drive was unreadable. Windows wasn’t able to mount the drive and wanted to format it. I couldn’t mount the drive with Ubuntu because it couldn’t find the NTFS signature and I couldn’t mount a RAW drive. The hard drive didn’t have any physical defects to it so it’s working fine. The only problem was that none of the data on it could be read easily. I assumed that once the drive has been encrypted, Windows would load back up and everything would be fine. Unfortunately, that wasn’t the case here. After the decryption, the operating system wouldn’t load. After that point, things started to look a bit gloomy.

What I tried to do was get the Master Boot Record (MBR) repaired using an MBR from another machine. Theoretically speaking, if you move the MBR from another machine that has been encrypted in the same manner and overwrite the bad MBR, the hard drive should be working again. I was expecting that once I’ve booted up, I’ll be presented with a login screen and I can log in and access the files. So I used Linux to do a sector-by-sector copy of the MBR. First I tried the first 512 bytes and then I took a bigger chunk. I did the same to the corrupted MBR and then I overwrote it with the good version. At the time, all I was hoping to do was to get a login prompt so I can get into the hard drive and copy the important data. Unfortunately, the kernel from one system didn’t match the kernel from the other system and things came to a halt so back to the drawing board. Even though I used the same configuration and password for both machines, something was slightly different.
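The symptoms described above (Windows offering to format, Ubuntu finding no NTFS signature) can be checked read-only before any sector is overwritten. The following is an added example, not part of the original post; the function names and the sample image are constructed, and it assumes 512-byte sectors and a classic MBR partition table.

```python
import struct

SECTOR = 512                     # assumption: 512-byte sectors, classic MBR layout
BOOT_SIG = b"\x55\xaa"           # last two bytes of an MBR or NTFS boot sector
NTFS_OEM_ID = b"NTFS    "        # bytes 3..10 of an NTFS boot sector

def read_sector(image: bytes, lba: int) -> bytes:
    return image[lba * SECTOR:(lba + 1) * SECTOR]

def is_ntfs_boot_sector(sector: bytes) -> bool:
    return (len(sector) == SECTOR and sector[3:11] == NTFS_OEM_ID
            and sector[510:512] == BOOT_SIG)

def inspect_image(image: bytes) -> dict:
    """Report MBR validity and, per partition, primary/backup NTFS boot sectors."""
    mbr = read_sector(image, 0)
    report = {"mbr_signature_ok": mbr[510:512] == BOOT_SIG, "partitions": []}
    if len(mbr) < SECTOR:
        return report
    for i in range(4):           # four 16-byte entries starting at offset 446
        entry = mbr[446 + 16 * i:462 + 16 * i]
        _status, ptype, start, count = struct.unpack("<B3xB3xII", entry)
        if ptype == 0 or count == 0:
            continue             # unused slot
        report["partitions"].append({
            "index": i, "type": ptype, "start_lba": start, "sectors": count,
            "primary_ok": is_ntfs_boot_sector(read_sector(image, start)),
            # NTFS keeps a copy of its boot sector in the partition's last sector
            "backup_ok": is_ntfs_boot_sector(read_sector(image, start + count - 1)),
        })
    return report

def build_sample_image() -> bytes:
    """Constructed test image: valid MBR, wiped primary boot sector, intact backup."""
    start, count = 63, 100
    image = bytearray((start + count) * SECTOR)
    struct.pack_into("<B3xB3xII", image, 446, 0x80, 0x07, start, count)
    image[510:512] = BOOT_SIG
    backup = bytearray(SECTOR)
    backup[3:11] = NTFS_OEM_ID
    backup[510:512] = BOOT_SIG
    image[(start + count - 1) * SECTOR:(start + count) * SECTOR] = backup
    return bytes(image)

if __name__ == "__main__":
    for part in inspect_image(build_sample_image())["partitions"]:
        print(part)
```

Run it against a raw image copy of the drive rather than the device itself, so the original is never written to. A partition that reports `primary_ok` false but `backup_ok` true still has a boot sector copy that recovery tools can work from.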

The slightly different kernel was a good thing though. When I booted up with the emergency, it detected some inconsistency and attempted to repair the kernel. That was a good thing because if the kernel is working, I can back that up and use it to decrypt the drive. Once I’ve decrypted the drive, it’s just a matter of getting the operating system to load so I can back up the drive. Unfortunately, something happened during the encryption process and messed up the boot sector where Windows resides and this caused another error. So with no OS, I assumed that I could connect the hard drive as a secondary and boot up using my computer. Once I’ve loaded the OS, Windows could connect to the drive and open up the files. This didn’t work because Windows couldn’t detect a file system on the drive and it wanted to format it before going any further. That’s not exactly what I had in mind.

Nothing appears to be working the way that I thought it would work. I didn’t have many options left. I was surprised that I had options at all. I am not familiar with the software so I don’t know exactly what goes on in the background. I emailed my counterparts in Orlando and they have still yet to reply. I got a response from one guy but he told me to email some other guy. I don’t know why he didn’t just forward that guy the email to give him a heads up.

I didn’t have much choice but to send this drive out to a data recovery company in hopes that they will be able to do something. I packed up the drive and left it on my coworker’s desk so he can send it to the company. But before we sent it off, I came up with one last idea. I wanted to see if the encryption software could somehow repair the corrupted kernel. Once it has been repaired, I can reboot the machine and use an emergency disk to log in and back up that repaired kernel. After the backup, I would reimage the machine and repair the kernel with the backup kernel. Now that the kernel has been repaired using a good backup kernel, I could attempt to decrypt it and get some data.

At first, I came to the same conclusion as my previous attempts but I did one thing different. I gave the hard drive to my coworker and asked him to use software to scan the drive for recognized files. As soon as he started the scan, the software was able to find a few files. After a few minutes, more and more files were being recognized. Once the scan was completed, we were able to retrieve the user’s whole profile and recovered three gigabytes worth of information. I took everything that was found and stuck it on the server for the user to access. I hope that everything was recovered successfully. He should be happy with the data that we managed to get back. We don’t have to worry about sending it out and it saved $1500 in fees.

What I’ve learned from all of this is the importance of backing up. I’ve encrypted so many laptops before and they were all successful but that doesn’t mean that something can’t go wrong. If something can go wrong, it will. Murphy’s Law comes through every time. It has changed the way I do things around here and I back up just about everything before I do anything with the hard drive. If it was the user’s fault, I wouldn’t feel so bad but when part of the fault is on yourself, I’m sure you’ll have trouble sleeping at night too. I’m just glad that I was able to retrieve everything and that my hard work didn’t go in vain.

4 thoughts on “Encryption bypassed”

  1. ey man, nice work.
    Is 1500$ the usual price for data recovery on a hard drive? or does it depend on how bad it is ganked?

  2. The company that we deal with charges about that much… I’m not sure what’s included in the quotes but it could go as high as $2000… so yes, I guess it depends on how bad the drive is damaged.

  3. In this case, the OS wasn’t the problem. The encryption malfunctioned and the data was almost lost. Even if XP wasn’t working, the data can still be retrieved by connecting the hard drive and using it as an external drive.
