McAfee Safeboot Drive


Tim - Desert Data Recovery

May 21, 2019, 8:29:06 PM
to DataRecoveryCertification
Interesting case. I have a Windows Laptop with Safeboot encryption installed. It used to belong to a company who went into liquidation and users of the laptops were allowed to purchase them at a discounted rate. Windows automatically asks for a new password every 4 months. Client was distracted and entered a password she did not make a note of.

So we get the initial Safeboot screen and enter the McAfee password. That gets us the the Windows log in screen, so at that time the data is decrypted. We have tried the Windows password recovery / setting up a new admin user etc, but this laptop has a security lock which prevents any of this from working (it had been to Best Buy before who came to the same conclusion). I guess I could alter the connection from the drive to the laptop so it boots from external power, enter the McAfee password, pull the SATA connection and connect to another SATA port (I presume that would work).

But wondered if anyone had any other ideas. Remember the drive has to boot to get past the Safeboot password screen.

wayne horner

May 21, 2019, 8:54:53 PM
to datarecoveryce.
let me see if I understand the situation

you have the McAfee preboot authorization password
this enables the decryption driver and it continues to boot to Windows
you can't log in to Windows
she is probably not an admin - so probably can't run R-Studio from there
probably can't do anything in safe mode without the admin password
and you don't have her password

probably you will have to install the same version of Safeboot onto another system
attach the encrypted drive as a slave
unlock it with the McAfee password
then maybe you will have R-Studio access

unless McAfee's decrypt won't let you - without knowing the user or admin password also

I have a customer that sends me drives like this
but I get a decrypt disk or the user password.

Alandata Data Recovery -  (949)287-3282  
"Cleanroom Data Recovery of RAID, VMware, Network Attached Storage, Linux, Tape, Disk, Forensics"


--
You received this message because you are subscribed to the Google Groups "DataRecoveryCertification" group.
To unsubscribe from this group and stop receiving emails from it, send an email to datarecoverycertif...@googlegroups.com.
To post to this group, send email to datarecovery...@googlegroups.com.
Visit this group at https://groups.google.com/group/datarecoverycertification.
To view this discussion on the web visit https://groups.google.com/d/msgid/datarecoverycertification/d3e85dd8-6107-4599-b0d2-f2974d7f7d6a%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Desert Data Recovery

May 22, 2019, 12:16:05 AM
to datarecovery...@googlegroups.com
You have it exactly right. I think altering the laptop's SATA and power connections may be a good option.

Alandata Recovery

May 22, 2019, 11:16:08 AM
to datarecoveryce.
Altering the SATA connection won't work.
You are talking about unlocking the drive and then hot-swapping it to another computer.

That could work if the drive was locked by drive encryption.

This is using a software driver provided by McAfee that live-decrypts while it's running.
The decryption is running in the laptop CPU... You can't disconnect the drive and use a normal disk driver.


Carlos Marmolejos

May 22, 2019, 11:31:00 AM
to datarecovery...@googlegroups.com
Hi, I work with Safeboot encryption from McAfee every week, and if you don't have the support for decryption here, I think the recovery is not possible: you need the XML file and the password of the day + the USB boot for decryption, based on the encryption version.
--
    
Carlos Marmolejos
Data Recovery Engineer

wayne horner

May 22, 2019, 12:19:31 PM
to datarecoveryce.
You have the driver active and decrypting the drive. So the key is in memory. If you could intercept the driver you could clone the drive using the decryption driver.
One attack might be this:
Boot the encrypted drive through a VM
Enter pass code
The keys should now be in memory
Grab the VM's memory
And find the key
Of course now you need the algorithm...


Chris Berge

May 22, 2019, 12:20:49 PM
to datarecovery...@googlegroups.com
Tim, you can get past the preboot encryption system and the OS starts booting, correct?

If so, when Windows boots after entering the password you can intentionally kill the power and restart. This will set a trouble flag and on reboot will give you the recovery menu with the drive unencrypted from the preboot. (This is a theory based on experience but may not work with this software.) You should be able to get the password reset from that point and access system files from the command prompt. And then do a trick like this: https://4sysops.com/archives/forgot-the-administrator-password-the-sticky-keys-trick




Chris Berge

May 22, 2019, 12:23:16 PM
to datarecovery...@googlegroups.com
The default algorithm is AES-CBC-256 according to what I saw. Could possibly be a bit stronger if configured as such. 
--
Chris Berge - Owner
Neuralearth Technology Services
5311 SE Powell Blvd STE 102
Portland, OR 97206

t...@desertdatarecovery.com

May 22, 2019, 2:55:32 PM
to datarecovery...@googlegroups.com

We did get into the system with that trick... However it looks like the company who had this laptop had it tied down pretty tight. The usual methods to change the password such as utilman and sethc are not on the list of available files. Whenever I try to launch R-Studio (or any other program) from a USB I get "The subsystem needed to support the image type is not present". This happens with both 64-bit and 32-bit versions of all programs.

Chris Berge

May 22, 2019, 3:07:30 PM
to datarecovery...@googlegroups.com
Tim,

Try the sticky keys hack. Essentially you rename a system file to cmd.exe. Then boot normally and press shift at the login prompt.

You can then use net user and net localgroup to add a new local admin account.

t...@desertdatarecovery.com

May 22, 2019, 3:24:12 PM
to datarecovery...@googlegroups.com

I thought the sticky key hack used sethc.exe which is not available, or is there another one?

Chris Berge

May 22, 2019, 3:26:01 PM
to datarecovery...@googlegroups.com
Yes, any of the accessibility apps will work. What version of Windows?

t...@desertdatarecovery.com

May 22, 2019, 3:26:32 PM
to datarecovery...@googlegroups.com

If you are referring to linking through from the error report, this error report is greyed out and has no available links.

Chris Berge

May 22, 2019, 3:34:18 PM
to datarecovery...@googlegroups.com
here is a newer guide that will also disable Windows Defender
Chris Berge

May 22, 2019, 3:42:34 PM
to datarecovery...@googlegroups.com
At login screen if you press shift 5 times fast do you see the sticky keys prompt?

Sethc.exe should reside in system32 on Win7. 

Alandata Recovery

May 22, 2019, 3:50:30 PM
to datarecoveryce.
if you slave the drive to another system with Safeboot installed
then you should be able to enter the preboot password and access the drive normally
You don't have to encrypt the new system, just have Safeboot installed
it should recognize that the drive is Safeboot encrypted and allow you access with the pw

Philip Shaw

May 22, 2019, 3:53:52 PM
to DataRecoveryCertification
Wayne, I tried that yesterday with a customer with a Safeboot issue and it just asked if I wanted to format the drive. 

t...@desertdatarecovery.com

May 22, 2019, 4:14:39 PM
to datarecovery...@googlegroups.com

I know Safeboot is very sensitive to the version used. From what I can gather this is Safeboot 7.0, which is pretty old and no longer supported. If anyone knows where I can find a copy I would appreciate it.

Alandata Recovery

May 22, 2019, 4:15:47 PM
to datarecoveryce.
below are some notes I have on this
What version do you have?
Is it SEE, Symantec Endpoint?
I think this was originally PGP until Symantec bought and renamed it

There should be admin command-line tools to check the drive
called eeadmin
or wdadmin .... something like that
You should be able to get to safe mode after entering the preboot by hitting F8, then check for the command-line tools

what does the boot sector of the NTFS volume look like?
Does it look like below, with the word Protect in line 0x50?



article with possible solution

https://www.symantec.com/connect/forums/does-not-boot-bootguard-top-left-corner-flashing-cursor

diag and repair

https://support.symantec.com/en_US/article.TECH149679.html

symantec how to

https://www.symantec.com/connect/articles/symantec-endpoint-encryption-v1101-recovery-procedure-unexpected-corruption-os

===

The floppy PGP encryption disk has a starting NTFS boot sector with the word PROTECT!

at 0x64: is a sector pointer to the encryption startup code keys etc....


Sector 0 (Parent: WDC WD10JPVX-00JC3T0 01.01A01 Record: 206848)

 0: E9 ED 00 4E 54 46 53 20 - 20 20 20 00 02 7F 00 00   éí.NTFS    .....
10: 00 20 00 00 00 F8 00 00 - 3F 00 FF 00 00 28 03 00   . ...ø..?.ÿ..(..
20: 00 00 00 00 00 00 00 00 - FF 2F 35 3A 00 00 00 00   ........ÿ/5:....
30: 00 00 0C 00 00 00 00 00 - 02 00 00 00 00 00 00 00   ................
40: F6 00 00 00 01 00 00 00 - D5 12 46 52 52 46 52 3A   ö.......Õ.FRRFR:
50: 00 00 00 00 FA 33 C0 8E - D0 BC 50 72 6F 74 65 63   ....ú3ÀŽÐ¼Protec
60: 74 21 20 00 40 F3 17 00 - 3F 03 18 00 00 28 03 00   t! .@ó..?....(..
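A small parser for the boot-sector signature Wayne's notes describe, as an added example (not code from the thread or from McAfee/Symantec): it loads the dump above into a constructed 512-byte sector, checks the NTFS OEM ID, looks for the Protect! marker in the bootstrap area (in the dump it starts at 0x5A, inside the 0x50 line) and decodes the little-endian sector pointer at 0x64. It also reports "not an NTFS boot sector" when there is no NTFS header at all, which is what Tim later reports for his Safeboot 7 drive; the 0x55AA padding and the plain-NTFS and opaque comparison sectors are constructed assumptions.

```python
import struct

MARKER = b"Protect!"
NTFS_OEM_ID = b"NTFS    "

# Constructed sample: the first 0x70 bytes are transcribed from the hex dump
# in the post above; the rest is zero padding plus the usual 0x55AA signature
# (an assumption, since the dump stops at offset 0x6F).
PROTECTED_HEAD = bytes.fromhex(
    "E9 ED 00 4E 54 46 53 20 20 20 20 00 02 7F 00 00 "
    "00 20 00 00 00 F8 00 00 3F 00 FF 00 00 28 03 00 "
    "00 00 00 00 00 00 00 00 FF 2F 35 3A 00 00 00 00 "
    "00 00 0C 00 00 00 00 00 02 00 00 00 00 00 00 00 "
    "F6 00 00 00 01 00 00 00 D5 12 46 52 52 46 52 3A "
    "00 00 00 00 FA 33 C0 8E D0 BC 50 72 6F 74 65 63 "
    "74 21 20 00 40 F3 17 00 3F 03 18 00 00 28 03 00 "
)
PROTECTED_SECTOR = PROTECTED_HEAD.ljust(510, b"\x00") + b"\x55\xAA"

# Constructed plain NTFS sector: same BPB, ordinary bootstrap bytes, no marker.
PLAIN_SECTOR = (PROTECTED_HEAD[:0x54] + bytes.fromhex("FA 33 C0 8E D0 BC 00 7C FB")
                ).ljust(510, b"\x00") + b"\x55\xAA"

# Constructed stand-in for a sector that was encrypted whole (no readable header).
OPAQUE_SECTOR = bytes((i * 167 + 29) & 0xFF for i in range(512))


def inspect_boot_sector(sector: bytes) -> dict:
    """Return the fields a recovery engineer checks first, plus the marker state."""
    if len(sector) < 512:
        raise ValueError("need a full 512-byte boot sector")
    info = {
        "is_ntfs": sector[3:11] == NTFS_OEM_ID,
        "bytes_per_sector": struct.unpack_from("<H", sector, 0x0B)[0],
        "total_sectors": struct.unpack_from("<Q", sector, 0x28)[0],
        "boot_signature_ok": sector[510:512] == b"\x55\xAA",
        "marker_offset": sector.find(MARKER, 0x50, 0x70),  # -1 when absent
        "startup_sector": None,
    }
    if info["marker_offset"] != -1:
        # Per the notes above, the dword at 0x64 points at the encryption
        # startup code; it is little-endian like every other BPB field.
        info["startup_sector"] = struct.unpack_from("<I", sector, 0x64)[0]
    return info


def classify(sector: bytes) -> str:
    """Collapse the inspection into the three cases the thread discusses."""
    info = inspect_boot_sector(sector)
    if not info["is_ntfs"]:
        return "not an NTFS boot sector (possibly encrypted whole)"
    if info["marker_offset"] != -1:
        return "NTFS header with Protect! marker (pre-boot encryption present)"
    return "plain NTFS boot sector"


if __name__ == "__main__":
    for name, sec in (("protected", PROTECTED_SECTOR), ("plain", PLAIN_SECTOR),
                      ("opaque", OPAQUE_SECTOR)):
        print(f"{name}: {classify(sec)} -> {inspect_boot_sector(sec)}")
```

Run it against the first sector of the NTFS partition (not sector 0 of the disk) to see which of the three cases a drive falls into before deciding on a recovery route.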

t...@desertdatarecovery.com

May 22, 2019, 4:33:53 PM
to datarecovery...@googlegroups.com

This is Safeboot 7.0 (I think).

The start of the main NTFS partition is fully encrypted.

t...@desertdatarecovery.com

May 22, 2019, 4:39:02 PM
to datarecovery...@googlegroups.com

Sethc.exe or utilman.exe are not shown in the system32 folder list. I think this is part of whatever security was attached to this laptop.

https://4.bp.blogspot.com/-OCChqZrZVP0/UbJVRsJJ3vI/AAAAAAAAABs/Z6yQibKfi04/s1600/f_48.png