Sanity Check Recovering Data w/McAfee Encrypted Hard Drive

TheJoeFletch
Posts: 9
Joined: 22 Jul 2014, 14:38

Sanity Check Recovering Data w/McAfee Encrypted Hard Drive

#1 Post by TheJoeFletch »

This past Friday, my Windows 7 machine locked up. I waited for it to respond for about 15 minutes. It didn't! So I held the power button down to give it a fresh boot. The machine blinked a blue screen of death and rebooted to a standard Windows diagnostic screen. The machine automatically ran the diagnostic with no solution. This was in an endless loop. I ran CHKDSK from a DOS prompt without any success.

I then pulled the hard drive to hook up to another system to see what I could find. It asked me to reformat, which I did NOT do. I did some Google research and it appears that the MBR or partition was damaged. So I downloaded TestDisk and tried to scan the partition (Intel - without logging); quick scan and deep scan did not return anything to recover (but was able to completely scan the drive). So at this point I logged a help desk ticket with my company.

I brought the machine in Monday morning and they told me that the hard drive is encrypted with McAfee. They tried to run some software on my machine from a USB drive (I did not catch the name of it) but it locked up and they did not try it again. They pulled the hard drive to test it via an IT diagnostic machine and got an I/O error. At this point they told me that they could not do anything because the hard drive crashed. But I didn't believe it since I did not get any errors from connecting through my personal USB hard drive adapter. So I was able to get the hard drive in order to continue testing on my own (which may or may not be a good idea since they didn't want to give it up).

I ran SpinRite on it and there was one sector that was not recoverable (I'm not sure if that is causing the issue or not).

I continued doing more research, but it appears that the drive can only be recovered via my company's IT group with McAfee software and codes.

System Information
  • IBM ThinkPad Lenovo T420
  • Windows 7
  • Hard drive is encrypted with McAfee (I'm not sure what version of MEE it is)
  • 320GB hard drive
  • 2 partitions; 1 main partition, the other partition is labeled BDEDrive (which I think is a standard Windows 7 partition)
This is the current message I get when doing a quick scan on the drive.

Code:

Invalid NTFS or EXFAT boot
 0 D HPFS - NTFS          239091  60 54 393213 187  7 2475977885
     HPFS - NTFS          239091  60 54 393213 187  7 2475977885

So what am I asking? Have I come to the right conclusion here? I cannot do anything else without my company's IT group. If not, any suggestions on what my next steps would be?

Fiona
Posts: 2835
Joined: 18 Feb 2012, 17:19
Location: Ludwigsburg/Stuttgart - Germany

Re: Sanity Check Recovering Data w/McAfee Encrypted Hard Dri

#2 Post by Fiona »

I'd need Info from TestDisk / Analyse to check your current partition table and Disk Info.
I've no idea about McAfee encryption.
Most encrypted disks are completely encrypted, so the MBR and the boot sector also.
It's a problem because disks and partitions are not Intel or GPT standard anymore.
In your case, you can have a look here, if it helps:
https://kc.mcafee.com/resources/sites/M ... _en-us.pdf
I've no idea about your MEE version either?
In case, ask for?
It's only intended as a try to remove encryption first?
Please be careful.
To recover your MBR it's not a problem.

Fiona

TheJoeFletch

Re: Sanity Check Recovering Data w/McAfee Encrypted Hard Dri

#3 Post by TheJoeFletch »

Fiona wrote:I'd need Info from TestDisk / Analyse to check your current partition table and Disk Info.
When I select the disk, TestDisk suggests that I pick Intel. When I analyze the disk, I get the following.
010analyze.PNG
Which looks weird to me because the first partition is listed twice exactly the same.
Fiona wrote: I've no idea about McAfee encryption.
Most encrypted disks are completely encrypted, so the MBR and the boot sector also.
It's a problem because disks and partitions are not Intel or GPT standard anymore.
I have no idea either. It's driving me crazy that my IT group just gave up on this!
Fiona wrote: In your case, you can have a look here, if it helps:
https://kc.mcafee.com/resources/sites/M ... _en-us.pdf
I will read that, thanks for sharing!
Fiona wrote: I've no idea about your MEE version either?
In case, ask for?
My MEE seems to be v6. See below.
020McAffee.PNG
Fiona wrote:It's only intended as a try to remove encryption first?
Yes, that is the problem, I'm not sure how to do this without IT support.
Fiona wrote:Please be careful.
I know. I have not written to the drive at all (as far as I know). I need a 320GB drive in order to make an image. The new drive that my company gave me is half the size of my old one!
Fiona wrote:To recover your MBR it's not a problem.
OK, I have to look into exactly how to do this and whether the MBR backup exists.

Thanks for replying!

I will post back with details from the log after I complete the quick scan and deep scan (again).

TheJoeFletch

Re: Sanity Check Recovering Data w/McAfee Encrypted Hard Dri

#4 Post by TheJoeFletch »

So after the quick scan, I get the following, which is missing the partition with the actual data on it.
030quick.PNG
If I look at the files on BDEDrive...
040quickP.PNG
I see that there are some files listed from when I started running into problems. I think that may be the last time that I tried to boot the machine since it initially happened at about 1PM EST on 18-Jul-2014.
050Boot.PNG
Is there anything here that could potentially help?

TheJoeFletch

Re: Sanity Check Recovering Data w/McAfee Encrypted Hard Dri

#5 Post by TheJoeFletch »

And here is my TestDisk log. Any feedback is appreciated!

Code:

Tue Jul 22 13:46:10 2014
Command line: TestDisk

TestDisk 6.14, Data Recovery Utility, July 2013
Christophe GRENIER <grenier@cgsecurity.org>
http://www.cgsecurity.org
OS: Windows 7 (7601) SP1
Compiler: GCC 4.7, Cygwin 1007.17
Compilation date: 2013-07-30T14:08:52
ext2fs lib: 1.42.2, ntfs lib: 10:0:0, reiserfs lib: 0.3.1-rc8, ewf lib: 20120504
disk_get_size_win32 IOCTL_DISK_GET_LENGTH_INFO(/dev/sda)=160041885696
disk_get_size_win32 IOCTL_DISK_GET_LENGTH_INFO(/dev/sdb)=320072933376
disk_get_size_win32 IOCTL_DISK_GET_LENGTH_INFO(\\.\PhysicalDrive0)=160041885696
disk_get_size_win32 IOCTL_DISK_GET_LENGTH_INFO(\\.\PhysicalDrive1)=320072933376
disk_get_size_win32 IOCTL_DISK_GET_LENGTH_INFO(\\.\C:)=159713853440
filewin32_getfilesize(\\.\D:) GetFileSize err Incorrect function.

filewin32_setfilepointer(\\.\D:) SetFilePointer err Incorrect function.

Warning: can't get size for \\.\D:
filewin32_getfilesize(\\.\E:) GetFileSize err Incorrect function.

filewin32_setfilepointer(\\.\E:) SetFilePointer err Incorrect function.

Warning: can't get size for \\.\E:
disk_get_size_win32 IOCTL_DISK_GET_LENGTH_INFO(\\.\F:)=319744376832
disk_get_size_win32 IOCTL_DISK_GET_LENGTH_INFO(\\.\G:)=314572800
Hard disk list
Disk /dev/sda - 160 GB / 149 GiB - CHS 19457 255 63, sector size=512 - HITACHI HTS723216A7A, S/N:--------------, FW:EC1Z
Disk /dev/sdb - 320 GB / 298 GiB - CHS 38913 255 63, sector size=512 - ST320LT0 07-9ZV142

Partition table type (auto): Intel
Disk /dev/sdb - 320 GB / 298 GiB - ST320LT0 07-9ZV142
Partition table type: Intel

Analyse Disk /dev/sdb - 320 GB / 298 GiB - CHS 38913 255 63
Geometry from i386 MBR: head=255 sector=63
check_part_i386 failed for partition type 07
NTFS at 38873/127/39
Current partition structure:
Invalid NTFS or EXFAT boot
 1 P HPFS - NTFS              0  32 33 38873 127 38  624500736
 1 P HPFS - NTFS              0  32 33 38873 127 38  624500736
 2 * HPFS - NTFS          38873 127 39 38911 189 62     614400 [BDEDrive]

search_part()
Disk /dev/sdb - 320 GB / 298 GiB - CHS 38913 255 63
NTFS at 38873/127/39
filesystem size           614400
sectors_per_cluster       8
mft_lcn                   25600
mftmirr_lcn               2
clusters_per_mft_record   -10
clusters_per_index_record 1
     HPFS - NTFS          38873 127 39 38911 189 62     614400 [BDEDrive]
     NTFS, blocksize=4096, 314 MB / 300 MiB
file_pread(5,1,buffer,625143807(38913/102/37)) lseek err Invalid argument
file_pread(5,1,buffer,625143808(38913/102/38)) lseek err Invalid argument
file_pread(5,14,buffer,625143809(38913/102/39)) lseek err Invalid argument
file_pread(5,3,buffer,625143823(38913/102/53)) lseek err Invalid argument
file_pread(5,3,buffer,625143870(38913/103/37)) lseek err Invalid argument
file_pread(5,8,buffer,625143886(38913/103/53)) lseek err Invalid argument
file_pread(5,11,buffer,625143933(38913/104/37)) lseek err Invalid argument
file_pread(5,2,buffer,625145855(38913/135/6)) lseek err Invalid argument
Search for partition aborted

Results
   * HPFS - NTFS          38873 127 39 38911 189 62     614400 [BDEDrive]
     NTFS, blocksize=4096, 314 MB / 300 MiB

interface_write()
 1 * HPFS - NTFS          38873 127 39 38911 189 62     614400 [BDEDrive]
simulate write!

write_mbr_i386: starting...
write_all_log_i386: starting...
No extended partition
Partition table type (auto): Intel
Disk /dev/sdb - 320 GB / 298 GiB - ST320LT0 07-9ZV142
Partition table type: Intel

Analyse Disk /dev/sdb - 320 GB / 298 GiB - CHS 38913 255 63
Geometry from i386 MBR: head=255 sector=63
check_part_i386 failed for partition type 07
NTFS at 38873/127/39
Current partition structure:
Invalid NTFS or EXFAT boot
 1 P HPFS - NTFS              0  32 33 38873 127 38  624500736
 1 P HPFS - NTFS              0  32 33 38873 127 38  624500736
 2 * HPFS - NTFS          38873 127 39 38911 189 62     614400 [BDEDrive]

search_part()
Disk /dev/sdb - 320 GB / 298 GiB - CHS 38913 255 63
NTFS at 38873/127/39
filesystem size           614400
sectors_per_cluster       8
mft_lcn                   25600
mftmirr_lcn               2
clusters_per_mft_record   -10
clusters_per_index_record 1
     HPFS - NTFS          38873 127 39 38911 189 62     614400 [BDEDrive]
     NTFS, blocksize=4096, 314 MB / 300 MiB
file_pread(5,2,buffer,625143808(38913/102/38)) lseek err Invalid argument
file_pread(5,1,buffer,625143808(38913/102/38)) lseek err Invalid argument
file_pread(5,1,buffer,625143807(38913/102/37)) lseek err Invalid argument
file_pread(5,14,buffer,625143809(38913/102/39)) lseek err Invalid argument
file_pread(5,3,buffer,625143823(38913/102/53)) lseek err Invalid argument
file_pread(5,3,buffer,625143870(38913/103/37)) lseek err Invalid argument
file_pread(5,8,buffer,625143886(38913/103/53)) lseek err Invalid argument
file_pread(5,11,buffer,625143933(38913/104/37)) lseek err Invalid argument
file_pread(5,2,buffer,625145855(38913/135/6)) lseek err Invalid argument

Results
   * HPFS - NTFS          38873 127 39 38911 189 62     614400 [BDEDrive]
     NTFS, blocksize=4096, 314 MB / 300 MiB


dir_partition inode=5
   * HPFS - NTFS          38873 127 39 38911 189 62     614400 [BDEDrive]
     NTFS, blocksize=4096, 314 MB / 300 MiB
Directory /
       5 dr-xr-xr-x     0      0         0  3-Mar-2012 07:24 .
       5 dr-xr-xr-x     0      0         0  3-Mar-2012 07:24 ..
      35 dr-xr-xr-x     0      0         0  3-Mar-2012 07:23 Boot
      97 dr-xr-xr-x     0      0         0  3-Mar-2012 07:24 System Volume Information
      96 -r--r--r--     0      0      8192  3-Mar-2012 07:23 BOOTSECT.BAK
      85 -r--r--r--     0      0    383786 20-Nov-2010 22:23 bootmgr

dir_partition inode=35
   * HPFS - NTFS          38873 127 39 38911 189 62     614400 [BDEDrive]
     NTFS, blocksize=4096, 314 MB / 300 MiB
Directory /Boot
      35 dr-xr-xr-x     0      0         0  3-Mar-2012 07:23 .
       5 dr-xr-xr-x     0      0         0  3-Mar-2012 07:24 ..
      86 dr-xr-xr-x     0      0         0  3-Mar-2012 07:23 Fonts
      37 dr-xr-xr-x     0      0         0  3-Mar-2012 07:23 cs-CZ
      39 dr-xr-xr-x     0      0         0  3-Mar-2012 07:23 da-DK
      41 dr-xr-xr-x     0      0         0  3-Mar-2012 07:23 de-DE
      43 dr-xr-xr-x     0      0         0  3-Mar-2012 07:23 el-GR
      45 dr-xr-xr-x     0      0         0  3-Mar-2012 07:23 en-US
      48 dr-xr-xr-x     0      0         0  3-Mar-2012 07:23 es-ES
      50 dr-xr-xr-x     0      0         0  3-Mar-2012 07:23 fi-FI
      52 dr-xr-xr-x     0      0         0  3-Mar-2012 07:23 fr-FR
      54 dr-xr-xr-x     0      0         0  3-Mar-2012 07:23 hu-HU
      56 dr-xr-xr-x     0      0         0  3-Mar-2012 07:23 it-IT
      58 dr-xr-xr-x     0      0         0  3-Mar-2012 07:23 ja-JP
      60 dr-xr-xr-x     0      0         0  3-Mar-2012 07:23 ko-KR
      63 dr-xr-xr-x     0      0         0  3-Mar-2012 07:23 nb-NO
      65 dr-xr-xr-x     0      0         0  3-Mar-2012 07:23 nl-NL
      67 dr-xr-xr-x     0      0         0  3-Mar-2012 07:23 pl-PL
      69 dr-xr-xr-x     0      0         0  3-Mar-2012 07:23 pt-BR
      71 dr-xr-xr-x     0      0         0  3-Mar-2012 07:23 pt-PT
      73 dr-xr-xr-x     0      0         0  3-Mar-2012 07:23 ru-RU
      75 dr-xr-xr-x     0      0         0  3-Mar-2012 07:23 sv-SE
      77 dr-xr-xr-x     0      0         0  3-Mar-2012 07:23 tr-TR
      79 dr-xr-xr-x     0      0         0  3-Mar-2012 07:23 zh-CN
      81 dr-xr-xr-x     0      0         0  3-Mar-2012 07:23 zh-HK
      83 dr-xr-xr-x     0      0         0  3-Mar-2012 07:23 zh-TW
      92 -r--r--r--     0      0     28672 18-Jul-2014 18:11 BCD
      93 -r--r--r--     0      0     25600 18-Jul-2014 18:11 BCD.LOG
      94 -r--r--r--     0      0         0  3-Mar-2012 07:23 BCD.LOG1
      95 -r--r--r--     0      0         0  3-Mar-2012 07:23 BCD.LOG2
      36 -r--r--r--     0      0     65536  3-Mar-2012 07:23 BOOTSTAT.DAT
      62 -r--r--r--     0      0    485760 20-Nov-2010 22:24 memtest.exe
Directory /
       5 dr-xr-xr-x     0      0         0  3-Mar-2012 07:24 .
       5 dr-xr-xr-x     0      0         0  3-Mar-2012 07:24 ..
      35 dr-xr-xr-x     0      0         0  3-Mar-2012 07:23 Boot
      97 dr-xr-xr-x     0      0         0  3-Mar-2012 07:24 System Volume Information
      96 -r--r--r--     0      0      8192  3-Mar-2012 07:23 BOOTSECT.BAK
      85 -r--r--r--     0      0    383786 20-Nov-2010 22:23 bootmgr

dir_partition inode=97
   * HPFS - NTFS          38873 127 39 38911 189 62     614400 [BDEDrive]
     NTFS, blocksize=4096, 314 MB / 300 MiB
Directory /System Volume Information
      97 dr-xr-xr-x     0      0         0  3-Mar-2012 07:24 .
       5 dr-xr-xr-x     0      0         0  3-Mar-2012 07:24 ..
      17 dr-xr-xr-x     0      0         0 18-Jul-2014 17:01 Chkdsk
      98 -r--r--r--     0      0     20480  3-Mar-2012 07:24 tracking.log

dir_partition inode=17
   * HPFS - NTFS          38873 127 39 38911 189 62     614400 [BDEDrive]
     NTFS, blocksize=4096, 314 MB / 300 MiB
Directory /System Volume Information/Chkdsk
      17 dr-xr-xr-x     0      0         0 18-Jul-2014 17:01 .
      97 dr-xr-xr-x     0      0         0  3-Mar-2012 07:24 ..
      18 -r--r--r--     0      0      4096 18-Jul-2014 17:01 Chkdsk20140718210112.log
      19 -r--r--r--     0      0      4096 18-Jul-2014 17:02 Chkdsk20140718210218.log
      20 -r--r--r--     0      0      5120 18-Jul-2014 17:03 Chkdsk20140718210315.log
      21 -r--r--r--     0      0      4096 18-Jul-2014 17:10 Chkdsk20140718211021.log
      22 -r--r--r--     0      0      3072 18-Jul-2014 17:25 Chkdsk20140718212522.log
Directory /System Volume Information
      97 dr-xr-xr-x     0      0         0  3-Mar-2012 07:24 .
       5 dr-xr-xr-x     0      0         0  3-Mar-2012 07:24 ..
      17 dr-xr-xr-x     0      0         0 18-Jul-2014 17:01 Chkdsk
      98 -r--r--r--     0      0     20480  3-Mar-2012 07:24 tracking.log
Directory /
       5 dr-xr-xr-x     0      0         0  3-Mar-2012 07:24 .
       5 dr-xr-xr-x     0      0         0  3-Mar-2012 07:24 ..
      35 dr-xr-xr-x     0      0         0  3-Mar-2012 07:23 Boot
      97 dr-xr-xr-x     0      0         0  3-Mar-2012 07:24 System Volume Information
      96 -r--r--r--     0      0      8192  3-Mar-2012 07:23 BOOTSECT.BAK
      85 -r--r--r--     0      0    383786 20-Nov-2010 22:23 bootmgr

dir_partition inode=35
   * HPFS - NTFS          38873 127 39 38911 189 62     614400 [BDEDrive]
     NTFS, blocksize=4096, 314 MB / 300 MiB
Directory /Boot
      35 dr-xr-xr-x     0      0         0  3-Mar-2012 07:23 .
       5 dr-xr-xr-x     0      0         0  3-Mar-2012 07:24 ..
      86 dr-xr-xr-x     0      0         0  3-Mar-2012 07:23 Fonts
      37 dr-xr-xr-x     0      0         0  3-Mar-2012 07:23 cs-CZ
      39 dr-xr-xr-x     0      0         0  3-Mar-2012 07:23 da-DK
      41 dr-xr-xr-x     0      0         0  3-Mar-2012 07:23 de-DE
      43 dr-xr-xr-x     0      0         0  3-Mar-2012 07:23 el-GR
      45 dr-xr-xr-x     0      0         0  3-Mar-2012 07:23 en-US
      48 dr-xr-xr-x     0      0         0  3-Mar-2012 07:23 es-ES
      50 dr-xr-xr-x     0      0         0  3-Mar-2012 07:23 fi-FI
      52 dr-xr-xr-x     0      0         0  3-Mar-2012 07:23 fr-FR
      54 dr-xr-xr-x     0      0         0  3-Mar-2012 07:23 hu-HU
      56 dr-xr-xr-x     0      0         0  3-Mar-2012 07:23 it-IT
      58 dr-xr-xr-x     0      0         0  3-Mar-2012 07:23 ja-JP
      60 dr-xr-xr-x     0      0         0  3-Mar-2012 07:23 ko-KR
      63 dr-xr-xr-x     0      0         0  3-Mar-2012 07:23 nb-NO
      65 dr-xr-xr-x     0      0         0  3-Mar-2012 07:23 nl-NL
      67 dr-xr-xr-x     0      0         0  3-Mar-2012 07:23 pl-PL
      69 dr-xr-xr-x     0      0         0  3-Mar-2012 07:23 pt-BR
      71 dr-xr-xr-x     0      0         0  3-Mar-2012 07:23 pt-PT
      73 dr-xr-xr-x     0      0         0  3-Mar-2012 07:23 ru-RU
      75 dr-xr-xr-x     0      0         0  3-Mar-2012 07:23 sv-SE
      77 dr-xr-xr-x     0      0         0  3-Mar-2012 07:23 tr-TR
      79 dr-xr-xr-x     0      0         0  3-Mar-2012 07:23 zh-CN
      81 dr-xr-xr-x     0      0         0  3-Mar-2012 07:23 zh-HK
      83 dr-xr-xr-x     0      0         0  3-Mar-2012 07:23 zh-TW
      92 -r--r--r--     0      0     28672 18-Jul-2014 18:11 BCD
      93 -r--r--r--     0      0     25600 18-Jul-2014 18:11 BCD.LOG
      94 -r--r--r--     0      0         0  3-Mar-2012 07:23 BCD.LOG1
      95 -r--r--r--     0      0         0  3-Mar-2012 07:23 BCD.LOG2
      36 -r--r--r--     0      0     65536  3-Mar-2012 07:23 BOOTSTAT.DAT
      62 -r--r--r--     0      0    485760 20-Nov-2010 22:24 memtest.exe
Directory /
       5 dr-xr-xr-x     0      0         0  3-Mar-2012 07:24 .
       5 dr-xr-xr-x     0      0         0  3-Mar-2012 07:24 ..
      35 dr-xr-xr-x     0      0         0  3-Mar-2012 07:23 Boot
      97 dr-xr-xr-x     0      0         0  3-Mar-2012 07:24 System Volume Information
      96 -r--r--r--     0      0      8192  3-Mar-2012 07:23 BOOTSECT.BAK
      85 -r--r--r--     0      0    383786 20-Nov-2010 22:23 bootmgr

dir_partition inode=35
   * HPFS - NTFS          38873 127 39 38911 189 62     614400 [BDEDrive]
     NTFS, blocksize=4096, 314 MB / 300 MiB
Directory /Boot
      35 dr-xr-xr-x     0      0         0  3-Mar-2012 07:23 .
       5 dr-xr-xr-x     0      0         0  3-Mar-2012 07:24 ..
      86 dr-xr-xr-x     0      0         0  3-Mar-2012 07:23 Fonts
      37 dr-xr-xr-x     0      0         0  3-Mar-2012 07:23 cs-CZ
      39 dr-xr-xr-x     0      0         0  3-Mar-2012 07:23 da-DK
      41 dr-xr-xr-x     0      0         0  3-Mar-2012 07:23 de-DE
      43 dr-xr-xr-x     0      0         0  3-Mar-2012 07:23 el-GR
      45 dr-xr-xr-x     0      0         0  3-Mar-2012 07:23 en-US
      48 dr-xr-xr-x     0      0         0  3-Mar-2012 07:23 es-ES
      50 dr-xr-xr-x     0      0         0  3-Mar-2012 07:23 fi-FI
      52 dr-xr-xr-x     0      0         0  3-Mar-2012 07:23 fr-FR
      54 dr-xr-xr-x     0      0         0  3-Mar-2012 07:23 hu-HU
      56 dr-xr-xr-x     0      0         0  3-Mar-2012 07:23 it-IT
      58 dr-xr-xr-x     0      0         0  3-Mar-2012 07:23 ja-JP
      60 dr-xr-xr-x     0      0         0  3-Mar-2012 07:23 ko-KR
      63 dr-xr-xr-x     0      0         0  3-Mar-2012 07:23 nb-NO
      65 dr-xr-xr-x     0      0         0  3-Mar-2012 07:23 nl-NL
      67 dr-xr-xr-x     0      0         0  3-Mar-2012 07:23 pl-PL
      69 dr-xr-xr-x     0      0         0  3-Mar-2012 07:23 pt-BR
      71 dr-xr-xr-x     0      0         0  3-Mar-2012 07:23 pt-PT
      73 dr-xr-xr-x     0      0         0  3-Mar-2012 07:23 ru-RU
      75 dr-xr-xr-x     0      0         0  3-Mar-2012 07:23 sv-SE
      77 dr-xr-xr-x     0      0         0  3-Mar-2012 07:23 tr-TR
      79 dr-xr-xr-x     0      0         0  3-Mar-2012 07:23 zh-CN
      81 dr-xr-xr-x     0      0         0  3-Mar-2012 07:23 zh-HK
      83 dr-xr-xr-x     0      0         0  3-Mar-2012 07:23 zh-TW
      92 -r--r--r--     0      0     28672 18-Jul-2014 18:11 BCD
      93 -r--r--r--     0      0     25600 18-Jul-2014 18:11 BCD.LOG
      94 -r--r--r--     0      0         0  3-Mar-2012 07:23 BCD.LOG1
      95 -r--r--r--     0      0         0  3-Mar-2012 07:23 BCD.LOG2
      36 -r--r--r--     0      0     65536  3-Mar-2012 07:23 BOOTSTAT.DAT
      62 -r--r--r--     0      0    485760 20-Nov-2010 22:24 memtest.exe
Directory /
       5 dr-xr-xr-x     0      0         0  3-Mar-2012 07:24 .
       5 dr-xr-xr-x     0      0         0  3-Mar-2012 07:24 ..
      35 dr-xr-xr-x     0      0         0  3-Mar-2012 07:23 Boot
      97 dr-xr-xr-x     0      0         0  3-Mar-2012 07:24 System Volume Information
      96 -r--r--r--     0      0      8192  3-Mar-2012 07:23 BOOTSECT.BAK
      85 -r--r--r--     0      0    383786 20-Nov-2010 22:23 bootmgr


dir_partition inode=5
   P HPFS - NTFS          38873 127 39 38911 189 62     614400 [BDEDrive]
     NTFS, blocksize=4096, 314 MB / 300 MiB
Directory /
       5 dr-xr-xr-x     0      0         0  3-Mar-2012 07:24 .
       5 dr-xr-xr-x     0      0         0  3-Mar-2012 07:24 ..
      35 dr-xr-xr-x     0      0         0  3-Mar-2012 07:23 Boot
      97 dr-xr-xr-x     0      0         0  3-Mar-2012 07:24 System Volume Information
      96 -r--r--r--     0      0      8192  3-Mar-2012 07:23 BOOTSECT.BAK
      85 -r--r--r--     0      0    383786 20-Nov-2010 22:23 bootmgr

dir_partition inode=35
   P HPFS - NTFS          38873 127 39 38911 189 62     614400 [BDEDrive]
     NTFS, blocksize=4096, 314 MB / 300 MiB
Directory /Boot
      35 dr-xr-xr-x     0      0         0  3-Mar-2012 07:23 .
       5 dr-xr-xr-x     0      0         0  3-Mar-2012 07:24 ..
      86 dr-xr-xr-x     0      0         0  3-Mar-2012 07:23 Fonts
      37 dr-xr-xr-x     0      0         0  3-Mar-2012 07:23 cs-CZ
      39 dr-xr-xr-x     0      0         0  3-Mar-2012 07:23 da-DK
      41 dr-xr-xr-x     0      0         0  3-Mar-2012 07:23 de-DE
      43 dr-xr-xr-x     0      0         0  3-Mar-2012 07:23 el-GR
      45 dr-xr-xr-x     0      0         0  3-Mar-2012 07:23 en-US
      48 dr-xr-xr-x     0      0         0  3-Mar-2012 07:23 es-ES
      50 dr-xr-xr-x     0      0         0  3-Mar-2012 07:23 fi-FI
      52 dr-xr-xr-x     0      0         0  3-Mar-2012 07:23 fr-FR
      54 dr-xr-xr-x     0      0         0  3-Mar-2012 07:23 hu-HU
      56 dr-xr-xr-x     0      0         0  3-Mar-2012 07:23 it-IT
      58 dr-xr-xr-x     0      0         0  3-Mar-2012 07:23 ja-JP
      60 dr-xr-xr-x     0      0         0  3-Mar-2012 07:23 ko-KR
      63 dr-xr-xr-x     0      0         0  3-Mar-2012 07:23 nb-NO
      65 dr-xr-xr-x     0      0         0  3-Mar-2012 07:23 nl-NL
      67 dr-xr-xr-x     0      0         0  3-Mar-2012 07:23 pl-PL
      69 dr-xr-xr-x     0      0         0  3-Mar-2012 07:23 pt-BR
      71 dr-xr-xr-x     0      0         0  3-Mar-2012 07:23 pt-PT
      73 dr-xr-xr-x     0      0         0  3-Mar-2012 07:23 ru-RU
      75 dr-xr-xr-x     0      0         0  3-Mar-2012 07:23 sv-SE
      77 dr-xr-xr-x     0      0         0  3-Mar-2012 07:23 tr-TR
      79 dr-xr-xr-x     0      0         0  3-Mar-2012 07:23 zh-CN
      81 dr-xr-xr-x     0      0         0  3-Mar-2012 07:23 zh-HK
      83 dr-xr-xr-x     0      0         0  3-Mar-2012 07:23 zh-TW
      92 -r--r--r--     0      0     28672 18-Jul-2014 18:11 BCD
      93 -r--r--r--     0      0     25600 18-Jul-2014 18:11 BCD.LOG
      94 -r--r--r--     0      0         0  3-Mar-2012 07:23 BCD.LOG1
      95 -r--r--r--     0      0         0  3-Mar-2012 07:23 BCD.LOG2
      36 -r--r--r--     0      0     65536  3-Mar-2012 07:23 BOOTSTAT.DAT
      62 -r--r--r--     0      0    485760 20-Nov-2010 22:24 memtest.exe
Directory /
       5 dr-xr-xr-x     0      0         0  3-Mar-2012 07:24 .
       5 dr-xr-xr-x     0      0         0  3-Mar-2012 07:24 ..
      35 dr-xr-xr-x     0      0         0  3-Mar-2012 07:23 Boot
      97 dr-xr-xr-x     0      0         0  3-Mar-2012 07:24 System Volume Information
      96 -r--r--r--     0      0      8192  3-Mar-2012 07:23 BOOTSECT.BAK
      85 -r--r--r--     0      0    383786 20-Nov-2010 22:23 bootmgr

interface_write()
 1 P HPFS - NTFS          38873 127 39 38911 189 62     614400 [BDEDrive]

Fiona

Re: Sanity Check Recovering Data w/McAfee Encrypted Hard Dri

#6 Post by Fiona »

It looks like your partition table is ok?
Invalid NTFS or EXFAT boot means that your boot sector is not ok.
If TestDisk displays this message it displays the affected partition too.
That's why your partition appears twice.
But this could be normal behavior because your boot sector is encrypted and not standard anymore.
Otherwise your disk looks ok.
Can you check your disk using CrystalDiskInfo?
http://crystalmark.info/software/Crysta ... dex-e.html
Please download the portable version, because the Windows installer (exe) contains the OpenCandy adware.
It's only intended to check your disk and exclude anything wrong?
I've no idea why you've got a BSOD?
Would it be possible that McAfee causes problems?
So far, it's difficult for me to judge.
Did you run chkdsk driveletter: /r
Did you consider setting your system back to a previous restore point within your startup repair tool?

Fiona

TheJoeFletch

Re: Sanity Check Recovering Data w/McAfee Encrypted Hard Dri

#7 Post by TheJoeFletch »

Fiona wrote:It looks like your partition table is ok?
I have no idea!
Fiona wrote:Invalid NTFS or EXFAT boot means that your boot sector is not ok.
If TestDisk displays this message it displays the affected partition too.
That's why your partition appears twice.
But this could be normal behavior because your boot sector is encrypted and not standard anymore.
Otherwise your disk looks ok.
Hmmm...ok. I will dig a bit deeper into it.
Fiona wrote: Can you check your disk using CrystalDiskInfo?
http://crystalmark.info/software/Crysta ... dex-e.html
Please download the portable version, because the Windows installer (exe) contains the OpenCandy adware.
I sure can! See below!
070Crystal.PNG
Fiona wrote: Did you run chkdsk driveletter: /r
I did. See screenshot below.
080chkdsk.PNG

TheJoeFletch

Re: Sanity Check Recovering Data w/McAfee Encrypted Hard Dri

#8 Post by TheJoeFletch »

I also finished the deep scan. See below for the results.
060deep.PNG
060deepP.PNG

Code:

$MFT has invalid magic.
ntfs_mft_load(): Failed.
Failed to load $MFT: Input/output error.
Failed to startup volume: Input/output error.
$MFT has invalid magic.
ntfs_mft_load(): Failed.
Failed to load $MFT: Input/output error.
$MFT has invalid magic.
ntfs_mft_load(): Failed.
Failed to load $MFT: Input/output error.
Failed to startup volume: Input/output error.
$MFT has invalid magic.
ntfs_mft_load(): Failed.
Failed to load $MFT: Input/output error.

search_part()
Disk /dev/sdb - 320 GB / 298 GiB - CHS 38913 255 63
NTFS at 38873/127/39
filesystem size           614400
sectors_per_cluster       8
mft_lcn                   25600
mftmirr_lcn               2
clusters_per_mft_record   -10
clusters_per_index_record 1
     HPFS - NTFS          38873 127 39 38911 189 62     614400 [BDEDrive]
     NTFS, blocksize=4096, 314 MB / 300 MiB
NTFS at 38911/189/62
filesystem size           614400
sectors_per_cluster       8
mft_lcn                   25600
mftmirr_lcn               2
clusters_per_mft_record   -10
clusters_per_index_record 1
     HPFS - NTFS          38873 127 39 38911 189 62     614400 [BDEDrive]
     NTFS found using backup sector, blocksize=4096, 314 MB / 300 MiB
NTFS at 38913/37/36
filesystem size           32768000
sectors_per_cluster       8
mft_lcn                   786432
mftmirr_lcn               2
clusters_per_mft_record   -10
clusters_per_index_record 1
     HPFS - NTFS          36873 110 38 38913  37 36   32768000
     NTFS found using backup sector, blocksize=4096, 16 GB / 15 GiB
file_pread(5,2,buffer,625143808(38913/102/38)) lseek err Invalid argument
file_pread(5,1,buffer,625143808(38913/102/38)) lseek err Invalid argument
file_pread(5,8,buffer,625142528(38913/82/18)) lseek err Invalid argument
file_pread(5,1,buffer,625142528(38913/82/18)) lseek err Invalid argument
file_pread(5,8,buffer,625142656(38913/84/20)) lseek err Invalid argument
file_pread(5,8,buffer,625142784(38913/86/22)) lseek err Invalid argument
file_pread(5,8,buffer,625142912(38913/88/24)) lseek err Invalid argument
file_pread(5,8,buffer,625143040(38913/90/26)) lseek err Invalid argument
file_pread(5,8,buffer,625143168(38913/92/28)) lseek err Invalid argument
file_pread(5,8,buffer,625143296(38913/94/30)) lseek err Invalid argument
file_pread(5,8,buffer,625143424(38913/96/32)) lseek err Invalid argument
file_pread(5,8,buffer,625143552(38913/98/34)) lseek err Invalid argument
file_pread(5,8,buffer,625143680(38913/100/36)) lseek err Invalid argument
file_pread(5,1,buffer,625143807(38913/102/37)) lseek err Invalid argument
file_pread(5,1,buffer,625143808(38913/102/38)) lseek err Invalid argument
file_pread(5,14,buffer,625143809(38913/102/39)) lseek err Invalid argument
file_pread(5,3,buffer,625143823(38913/102/53)) lseek err Invalid argument
file_pread(5,3,buffer,625143870(38913/103/37)) lseek err Invalid argument
file_pread(5,8,buffer,625143886(38913/103/53)) lseek err Invalid argument
file_pread(5,11,buffer,625143933(38913/104/37)) lseek err Invalid argument
file_pread(5,2,buffer,625145855(38913/135/6)) lseek err Invalid argument

Results
     HPFS - NTFS          36873 110 38 38913  37 36   32768000
     NTFS found using backup sector, blocksize=4096, 16 GB / 15 GiB
     HPFS - NTFS          38873 127 39 38911 189 62     614400 [BDEDrive]
     NTFS, blocksize=4096, 314 MB / 300 MiB
Not an exFAT boot sector.

     HPFS - NTFS          36873 110 38 38913  37 36   32768000
     NTFS found using backup sector, blocksize=4096, 16 GB / 15 GiB
Can't open filesystem. Filesystem seems damaged.


dir_partition inode=5
     HPFS - NTFS          38873 127 39 38911 189 62     614400 [BDEDrive]
     NTFS, blocksize=4096, 314 MB / 300 MiB
Directory /
       5 dr-xr-xr-x     0      0         0  3-Mar-2012 07:24 .
       5 dr-xr-xr-x     0      0         0  3-Mar-2012 07:24 ..
      35 dr-xr-xr-x     0      0         0  3-Mar-2012 07:23 Boot
      97 dr-xr-xr-x     0      0         0  3-Mar-2012 07:24 System Volume Information
      96 -r--r--r--     0      0      8192  3-Mar-2012 07:23 BOOTSECT.BAK
      85 -r--r--r--     0      0    383786 20-Nov-2010 22:23 bootmgr

interface_write()
 
No partition found or selected for recovery

TheJoeFletch

Re: Sanity Check Recovering Data w/McAfee Encrypted Hard Dri

#9 Post by TheJoeFletch »

I also looked at the Boot Sector and found this.
090bootsector.PNG
I'm not sure if this is because the partition is encrypted or not. Would it be best to Rebuild BS or Dump it?

Fiona

Re: Sanity Check Recovering Data w/McAfee Encrypted Hard Dri

#10 Post by Fiona »

Your disk looks absolutely ok.
TestDisk Advanced and the message that your boot sector and its backup are bad are probably a result of McAfee encryption.
If your boot sector and file system are encrypted, neither data recovery software nor TestDisk would probably find any reasonable result, like a valid boot sector or file system (MFT).
There shouldn't be anything changed using TestDisk.
Did you already have a look at the link above and the description of how to create a WinPE builder CD, and try to decrypt your disk?
It should be done first.

Fiona
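
The point made in posts #6 and #10, that an encrypted boot sector no longer parses as NTFS, as an added example that is not part of the original thread and is not TestDisk's code: it parses the boot-sector fields TestDisk logs and, when parsing fails, uses byte entropy to separate "looks like ciphertext" from "looks damaged". The function names, the 7.0 bits/byte threshold and the sample sectors are assumptions constructed for illustration; the field values come from the BDEDrive entries in the log above.

```python
import hashlib
import math
import struct
from collections import Counter

SECTOR_SIZE = 512
ENTROPY_THRESHOLD = 7.0  # assumed cut-off in bits/byte; a heuristic, not a standard


def shannon_entropy(data: bytes) -> float:
    """Empirical entropy of the byte histogram, 0.0 (constant) to 8.0 (uniform)."""
    if not data:
        return 0.0
    total = len(data)
    return -sum(n / total * math.log2(n / total) for n in Counter(data).values())


def parse_ntfs_boot_sector(sector: bytes):
    """Return the boot-sector fields TestDisk logs, or None if this is not NTFS."""
    if len(sector) < SECTOR_SIZE:
        return None
    # OEM ID at offset 3 and the 55 AA end marker must both be present.
    if sector[3:11] != b"NTFS    " or sector[510:512] != b"\x55\xaa":
        return None
    bytes_per_sector, sectors_per_cluster = struct.unpack_from("<HB", sector, 0x0B)
    total_sectors, mft_lcn, mftmirr_lcn = struct.unpack_from("<QQQ", sector, 0x28)
    (clusters_per_mft_record,) = struct.unpack_from("<b", sector, 0x40)
    (clusters_per_index_record,) = struct.unpack_from("<b", sector, 0x44)
    if bytes_per_sector == 0 or sectors_per_cluster == 0:
        return None
    cluster_bytes = bytes_per_sector * sectors_per_cluster
    # A negative value means the record size is 2**(-value) bytes, not a cluster count.
    if clusters_per_mft_record < 0:
        mft_record_bytes = 1 << -clusters_per_mft_record
    else:
        mft_record_bytes = clusters_per_mft_record * cluster_bytes
    return {
        "total_sectors": total_sectors,
        "sectors_per_cluster": sectors_per_cluster,
        "cluster_bytes": cluster_bytes,
        "mft_lcn": mft_lcn,
        "mftmirr_lcn": mftmirr_lcn,
        "clusters_per_mft_record": clusters_per_mft_record,
        "clusters_per_index_record": clusters_per_index_record,
        "mft_record_bytes": mft_record_bytes,
    }


def classify_boot_sector(sector: bytes):
    """Return (verdict, fields). Verdicts: ntfs, blank, high-entropy, damaged."""
    fields = parse_ntfs_boot_sector(sector)
    if fields is not None:
        return "ntfs", fields
    if sector.count(0) == len(sector):
        return "blank", None
    # Near-uniform bytes are consistent with ciphertext (or compressed data);
    # this is a hint that decryption must come first, not proof of encryption.
    if shannon_entropy(sector) >= ENTROPY_THRESHOLD:
        return "high-entropy", None
    return "damaged", None


def build_sample_ntfs_sector() -> bytes:
    """Constructed plaintext boot sector using the BDEDrive values from the log."""
    s = bytearray(SECTOR_SIZE)
    s[0:3] = b"\xeb\x52\x90"                      # jump instruction
    s[3:11] = b"NTFS    "                         # OEM ID
    struct.pack_into("<HB", s, 0x0B, 512, 8)      # sector size, sectors_per_cluster
    # Constructed total: one less than the 614400-sector partition, whose last
    # sector holds the backup boot sector.
    struct.pack_into("<QQQ", s, 0x28, 614399, 25600, 2)
    struct.pack_into("<b", s, 0x40, -10)          # clusters_per_mft_record
    struct.pack_into("<b", s, 0x44, 1)            # clusters_per_index_record
    s[510:512] = b"\x55\xaa"
    return bytes(s)


def build_sample_ciphertext_sector() -> bytes:
    """Constructed stand-in for an encrypted sector: 16 SHA-256 blocks (512 bytes)."""
    return b"".join(hashlib.sha256(i.to_bytes(4, "big")).digest() for i in range(16))


def build_sample_damaged_sector() -> bytes:
    """Constructed plaintext sector whose OEM ID has been overwritten with zeros."""
    s = bytearray(build_sample_ntfs_sector())
    s[3:11] = bytes(8)
    return bytes(s)


if __name__ == "__main__":
    samples = {
        "plaintext NTFS": build_sample_ntfs_sector(),
        "encrypted (simulated)": build_sample_ciphertext_sector(),
        "overwritten OEM ID": build_sample_damaged_sector(),
    }
    for name, sector in samples.items():
        verdict, fields = classify_boot_sector(sector)
        print(f"{name}: {verdict}, entropy={shannon_entropy(sector):.2f}")
        if fields:
            print(f"  mft_lcn={fields['mft_lcn']} record={fields['mft_record_bytes']} bytes")
```

On real media, feed it the 512 bytes at the partition's first sector, read from an image copy of the disk rather than from the disk itself.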
