EEPC Manual Decryption

This document provides steps to perform manual decryption of an encrypted hard drive using an EETECH standalone disk. It involves cloning the affected hard drive, exporting the recovery key from the ePO server, booting from the EETECH disk, authorizing with the code of the day, verifying that the recovery key matches the disk partitions, and forcing decryption of disk sectors using the start sector and sector count for each partition. The decryption process can take hours to complete depending on the drive size.

Uploaded by

configure7880
Performing Manual Decryption with EETECH Standalone Disk

Prerequisites:
1. Same or higher version of EETECH Standalone Bootable CD (WinPE / BartPE with EETECH plugin may also be used).

2. USB device to copy the recovery file (XML).

3. Authorization code (Code of the Day). This can be obtained from the EETECH Code Generator.

4. The machine should be connected to the main power source, and the decryption operation must not be interrupted once started.

5. Most importantly, clone the affected hard drive using sector-to-sector cloning software.

Steps involved:
1. Clone the hard drive using sector-to-sector cloning software and remove the original drive from the machine (the decryption operation must be performed on the cloned copy of the drive).

2. Export the Recovery Key from the ePO Server.

3. Boot the machine with the EETECH bootable CD.

4. Authorize and authenticate in the EETECH window.

5. Verify the Recovery Key in the Workspace.

6. Start the manual decryption operation.

Step 1: Export Recovery Key from the ePO Server:

a) Login to the ePO Console

b) Click on Menu -> Systems -> System Tree

c) Check Mark the system to be recovered

d) Click on Actions -> Endpoint Encryption -> Export Recovery Information (refer to the screenshot below)

e) Check mark “Export Old keys if available” and click OK (this will show you any old keys related to this machine still available in the ePO)

f) Save the XML files to a USB device. We need to connect this device to the affected machine where recovery is to be done.

Step 2: Boot the machine from the EETECH Standalone disk

Step 3: Authenticate and Authorize

a) Click on Enable USB


b) Under Authentication, click on File button and select the XML file from the USB Device.

c) Click on Authorize and enter the code of the day (taken from the EETECH Code Generator)

d) On successful authorization, you will see the below screen with status for Authentication and Authorization.

Step 4: Verify the Recovery Key in workspace

Note: It is important to verify the recovery file before proceeding with manual decryption, as using an incorrect recovery file may result in further encrypting the drive, and the data may not be recoverable.

a) Go to Disk Information and note down the Sector information.

b) In the Disk Information window, verify the below entries:

• The Crypt List Region count shows the number of partitions encrypted.

• The Crypt list Region Start and Crypt list Region Count indicate the start and number of sectors that are currently in encrypted state. We need to perform the decryption based on this sector information.

• In some cases, the Crypt Region count information may not be available and you may see an error message. This indicates that the PBFS is corrupt. In this case, we need to decrypt each partition using its start sector and total sector count.

• Under Disk Partitions, note down the Partition Start sector and Partition Sector Count.

• Note down the details for each partition listed there.

• If the Crypt list Region Start sector does not match the start sector of the first partition, it indicates that the partitions are in a partially encrypted state (maybe a decryption operation was attempted before). Use the Crypt list Region start and Crypt list Region sector count information to perform decryption.

c) Verify the Recovery file (XML) in the Workspace. Click on the Workspace button in the EETECH Window.

d) Click on Load From Disk button.

e) Enter the Disk number and Start sector, and set the Number of sectors to 1.

• Start sector will be the Crypt list Region Start or Partition Start sector

f) Click OK

g) The Workspace will now look like the screenshot below (notice the right column in the Workspace). An encrypted sector will typically look like this.

h) Click on Decrypt Workspace. You should now see readable text in the right column (most likely a Windows error message).

i) Click on Load from Disk and repeat the above step for the last sector of the partition. You will see a similar Windows message on the last sector as well. Use the below formula to identify the last sector:

• Last sector = (start sector) + (sector count) - 1

• In our screenshots, the last sector will be:

Last Sector = 56 + 41926024 - 1 = 41926079

j) If the sector is not readable (only garbage text is seen) after decrypting the workspace, then either:

• The XML file is incorrect. (Try authenticating with any other XML file that was exported from the ePO.) If no other XML file is available, decryption will not be possible at this point.

• An attempt to decrypt the drive was made earlier but failed somewhere in between (too many bad sectors on the drive can also cause the decryption to fail).

• In either of these cases, you need to contact Data Recovery Services for further assistance in data recovery, as we will not be able to determine the current status of the drive. (You will still be required to have the correct XML file, without which data recovery will not be possible.)

Step 5: Force Decrypt Sectors:

a) In the EETECH Window, click on the Force Crypt Sectors button

b) Read the warning message and click on OK to proceed

c) Enter the Disk Number, start sector and Number of sectors (sector count) obtained from the Disk Information window (the start sector and sector count will be from the Crypt list Region, or the Partition start sector and sector count).

d) Click on the Decrypt button to start the process

e) The decryption process may take considerable time (often a few hours) depending on the size of the hard drive and system performance. Wait until the decryption completes.

f) Once the decryption operation completes, you can boot from the hard drive and access the data, or connect it as a secondary drive to another machine and back up the data.
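
Added example, not part of the original document or of the EETECH tool: a Python helper that takes the values noted in Step 4 and works out which sectors to test in the Workspace and which start sector and sector count to enter in Step 5. The names Region, plan_decryption and looks_readable are hypothetical; the overlap check and the printable-text heuristic are assumptions added here, and the last sector is computed from whichever range is chosen.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

@dataclass(frozen=True)
class Region:
    start: int  # start sector, as noted from Disk Information
    count: int  # sector count, as noted from Disk Information

    @property
    def last(self) -> int:
        # Last sector = (start sector) + (sector count) - 1
        return self.start + self.count - 1

def plan_decryption(partitions: List[Region], crypt_list: Optional[List[Region]]):
    """Choose the ranges for Force Crypt Sectors and the sectors to test first.

    crypt_list is None when Disk Information shows an error instead of the
    crypt list regions (the case the page attributes to a corrupt PBFS).
    """
    notes = []
    source = partitions if crypt_list is None else crypt_list
    ranges = sorted(source, key=lambda r: r.start)
    if not ranges or not partitions:
        raise ValueError("no sector information noted")
    if crypt_list is None:
        notes.append("crypt list unavailable: using partition start/count")
    elif ranges[0].start != min(p.start for p in partitions):
        notes.append("crypt list start differs from first partition: partial state")
    for r in ranges:
        if r.start < 0 or r.count < 1:
            raise ValueError(f"implausible range {r}")
    # Added sanity check (assumption, not from the page): ranges must not
    # overlap, so no sector is submitted to a forced operation twice.
    for a, b in zip(ranges, ranges[1:]):
        if b.start <= a.last:
            raise ValueError(f"ranges overlap: {a} and {b}")
    return {"force_crypt": [(r.start, r.count) for r in ranges],
            "verify_sectors": [(r.start, r.last) for r in ranges],
            "notes": notes}

def looks_readable(sector: bytes, min_run: int = 16) -> bool:
    """Heuristic for steps h) and j): a long run of printable ASCII."""
    return re.search(rb"[\x20-\x7e]{%d,}" % min_run, sector) is not None

# Constructed sample: the start sector and sector count from the page's formula.
PLAN = plan_decryption([Region(56, 41926024)], [Region(56, 41926024)])
```

Each pair in verify_sectors is the first and last sector to load and decrypt in the Workspace before anything is forced; a sector that fails looks_readable corresponds to the "garbage text" case in step j).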
