Becrypt Disk Protect - Advice on how to recover encrypted data on faulty hard drive

Simmy

Guest
Customer brings in a computer with a suspected faulty hard drive. Turns out the data is needed by Monday and oh yes, it's encrypted (which he didn't mention on the phone). The drive is encrypted using Becrypt Disk Protect and has 1000s of reallocated sectors. The software requires a username/password (which I have) at the point of booting from the hard drive. Once entering those details, it blue screens (0x7b) when attempting to boot into any of the startup options. System Repair also doesn't see the drive, so there goes my chances of recovering the data from the command prompt.

I've currently got an Acronis image of the drive, which is converted to a working VMware image. The VM boots, shows the username/password box and bluescreens in just the same way.

My next step is to restore that image to a working hard drive and try to chkdsk it or repair it from that. My concern is the chkdsk will have to run as a slave drive plugged into the server. This means the data will be encrypted at the point of running chkdsk...which I'm fairly sure won't work.

I tried phoning Becrypt, who wouldn't breathe a word to me until I proved the client had some kind of support contract with them. Basically, with the laptop belonging to one of the largest organisations in the country, getting in touch with someone who is in charge of the encryption on the drives is virtually impossible. So I don't think I'll get a chance to speak to Becrypt support.

I understand there is a Becrypt plugin for BartPE, to help recover data in these types of situations, but I'll be damned if I can find it. I'm running out of ideas now.

Any other suggestions from you bright folk?!
 
My experience with situations like this is you really want to perform a complete disk decryption first. Since you have done a p2v of the disk you should be able to install their software on another machine and decrypt the volume.

You should be able to use the customer's account info to contact them to download and install the correct version. The EU may also have a separate key file (hopefully).

Yes, they do have Win PE plugins. If the data is small then that may be a solution. If not, as mentioned above, full decryption and then do what needs to be done.
 
Thanks for the link. I found that earlier, but the trouble is I don't have the installation media/software/plugins.

As I say, this is a huge company and as expected, they wouldn't sign me off as an approved user for their Becrypt support contract. Nor would they let me borrow the installation media. The data recovery was for their employee's personal documents, as opposed to important company data, so it's no surprise really.

They have now collected the laptop. They will just have to go through the process of contacting Becrypt and getting the data back themselves, but it certainly won't be before Monday according to the guy who collected the laptop. Their IT department suggested a 2-3 week turnaround time.

I hate jobs like this. So many factors outside of our control, stopping us from doing the job.
 
This type of recovery is broken down into two steps:

1. Get the cleanest full sector-by-sector clone of the drive possible, disabling sector remap.

2. Deal with the encryption

We have some clients who choose to only have us do step 1 and let their IT do step 2. Others will pay extra to have us do both steps, but only if they provide us with the necessary resources to decrypt the drive.

After the drive is decrypted, there is a chance that the file system will be inaccessible and further data recovery methods will be needed to reconstruct the file system and recover the files.

In your case, you should have just made a full clone of the drive to another drive and let them take it from there. As it stands now, they are back to the starting block with a failing drive that is getting worse and you didn't get paid for anything for them to pay for.
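
Added example, not part of the original thread: a minimal sketch of step 1's offset-preserving copy, in which unreadable sectors are zero-filled in place and logged so every readable sector keeps its original position on the clone. It assumes 512-byte sectors and, as is typical for full-disk encryption, that decryption depends on sector position; `clone`, `merge`, `make_failing_reader` and the `read_at` callback are hypothetical names, and the failing source is simulated.

```python
SECTOR = 512          # assumed logical sector size
CHUNK = 64 * SECTOR   # fast-path read size; falls back to single sectors on error

def clone(read_at, total_bytes, out):
    """Copy total_bytes from read_at(offset, length) into out, keeping offsets.

    read_at must raise OSError for an unreadable range. Unreadable sectors are
    zero-filled in place so every readable sector keeps its original LBA;
    the unreadable LBAs are returned as merged (first, last) ranges.
    """
    bad = []
    offset = 0
    while offset < total_bytes:
        length = min(CHUNK, total_bytes - offset)
        try:
            data = read_at(offset, length)          # fast path: whole chunk
        except OSError:
            data = bytearray()                      # slow path: sector by sector
            for off in range(offset, offset + length, SECTOR):
                n = min(SECTOR, offset + length - off)
                try:
                    data += read_at(off, n)
                except OSError:
                    data += bytes(n)                # placeholder keeps alignment
                    bad.append(off // SECTOR)
        out.seek(offset)
        out.write(data)
        offset += length
    return merge(bad)

def merge(lbas):
    """Collapse an ascending list of LBAs into inclusive (first, last) ranges."""
    ranges = []
    for lba in lbas:
        if ranges and lba == ranges[-1][1] + 1:
            ranges[-1] = (ranges[-1][0], lba)
        else:
            ranges.append((lba, lba))
    return ranges

def make_failing_reader(image, bad_lbas):
    """Constructed source for the example: image bytes with simulated bad sectors."""
    def read_at(offset, length):
        first, last = offset // SECTOR, (offset + length - 1) // SECTOR
        if any(first <= b <= last for b in bad_lbas):
            raise OSError(5, "simulated read error")
        return image[offset:offset + length]
    return read_at
```

The returned ranges are the sectors to retry later or to report alongside the clone, so whoever handles decryption knows which regions hold placeholder data.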
 
I have a full clone of the drive and told them what I needed from them in order to proceed. They couldn't provide it. I still charged them an hour as they decided to collect the machine rather than provide the necessary tools. They also decided not to buy a hard drive with the cloned image on it.
 
So, what were they expecting you to do? They encrypted the drive to prevent unauthorized access to the data. So, without them providing the necessary keys, you are locked out.

In the future I recommend that everyone break it down, as I mentioned in my last comment, before the client brings the drive in for assessment.
 
I guess they were hoping I could boot back into Windows on the damaged hard drive.

Duly noted though. With the varying amount of jobs that come in, it's about time I had a list of things to ask and tell the client with regards to data recovery work.
 