3

I recently messed up my McAfee-encrypted laptop (2 drives) and got the MBR overwritten by Linux (Ubuntu). I used the DETech CD on C: but after 2% it failed due to a bad sector. As a safety precaution I have cloned the drives using Clonezilla, and the D: drive I have restored onto a Virtual Hard Disk (VHD).

I have also kept the VHD file for decryption using VirtualBox and the DETech ISO, but it takes lots and lots of time.

  1. I'm looking for a Windows/Linux tool which can take a VHD file as input and decrypt it with the 256 AES algorithm.

  2. What are the best data recovery tools?

1 Answer

0

For the first question you can use openssl for decryption:

$ openssl enc <MODE> <ENC/DECRYPT> -in <INPUT_FILE> -out <OUTPUT_FILE>

As an example:

 $ openssl enc -aes-256-cbc -d -in encrypted.VHD -out decrypted.VHD

See this list of system recovery tools for Linux distributions: SystemRescueCD, gddrescue and testdisk.

The latter can be found in the main repository in Ubuntu/Debian:

$ sudo apt-get install gddrescue testdisk
Sebi
  • openssl will decrypt a hard drive encrypted with McAfee Endpoint Encryption? I'm sure on the algorithm, but the command mentioned nowhere mentions the key used... – Mitesh Manani Jul 26 '15 at 16:11
  • Yes, as long as it's using a standard implementation of AES. The key is requested upon running openssl (in the form of a password). – Sebi Jul 26 '15 at 16:15
  • Wow! This is news to me. I'll definitely try this. Many thanks! – Mitesh Manani Jul 26 '15 at 16:22
  • Sorry, but this will most likely not work. You are attempting to use a CBC algorithm without knowing how to align your blocks. You are working with raw data, if you are off by a single byte, it won't work. – Nate Jul 26 '15 at 19:24
  • @Francois Renaud-Philippon The ciphertext is assumed to be obtained using standard AES, meaning that all blocks are already aligned. – Sebi Jul 26 '15 at 19:28
  • When you say ciphertext, I guess you are referring to the encrypted portion of the image of the hard drive. I was referring to the whole image. I believe a computer cannot boot without an unencrypted boot-loader (as we are referring to a software encryption solution). Thus shouldn't the encrypted portion of the drive be offset by the bootloader size? – Nate Jul 26 '15 at 21:42
  • That is correct, the boot loader is 512 bytes on Linux (GRUB). The actual ciphertext can be obtained using tail -c (partition_size - 512) partition.VHD – Sebi Jul 26 '15 at 22:00
  • One more possibility I thought of is that the VHD file will have some headers of its own and it's not a raw AES-encrypted data file. – Mitesh Manani Jul 27 '15 at 07:17
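
An added example (not part of the original answer or comments) that checks the container framing raised in the comments above: whether a file starts with the `Salted__` header that password-based `openssl enc` output carries by default, whether it ends in a VHD footer, and whether the remaining payload is a multiple of the AES block size. The function names and the constructed sample file are assumptions for illustration; the code decrypts nothing and makes no claim about McAfee's on-disk format.

```python
import os
import struct
import tempfile

SECTOR = 512          # sector size and VHD footer size
AES_BLOCK = 16        # AES block size in bytes
VHD_TYPES = {2: "fixed", 3: "dynamic", 4: "differencing"}


def inspect_image(path):
    """Report container framing to check before any raw AES-CBC attempt."""
    size = os.path.getsize(path)
    with open(path, "rb") as f:
        head = f.read(SECTOR)
        f.seek(max(size - SECTOR, 0))
        tail = f.read(SECTOR)
    report = {
        # `openssl enc` with a password writes b"Salted__" + 8-byte salt first
        "openssl_salted": head[:8] == b"Salted__",
        # 0x55 0xAA at offset 510 marks a readable (unencrypted) boot sector
        "boot_signature": head[510:512] == b"\x55\xaa",
        "vhd_type": None,
        "payload_len": size,
    }
    # A VHD ends in a 512-byte footer whose cookie is b"conectix"
    if len(tail) == SECTOR and tail[:8] == b"conectix":
        disk_type = struct.unpack(">I", tail[60:64])[0]
        report["vhd_type"] = VHD_TYPES.get(disk_type, "unknown")
        # Only a fixed VHD is raw disk + footer; sparse types need conversion
        report["payload_len"] = size - SECTOR if disk_type == 2 else None
    n = report["payload_len"]
    report["block_aligned"] = None if n is None else n % AES_BLOCK == 0
    return report


def make_constructed_fixed_vhd(path, sectors=4):
    """Constructed sample: boot sector, random filler, minimal VHD footer."""
    footer = bytearray(SECTOR)
    footer[0:8] = b"conectix"
    footer[60:64] = struct.pack(">I", 2)  # disk type 2 = fixed
    with open(path, "wb") as f:
        f.write(bytes(510) + b"\x55\xaa" + os.urandom(SECTOR * (sectors - 1)))
        f.write(footer)


if __name__ == "__main__":
    sample = os.path.join(tempfile.mkdtemp(), "constructed.vhd")
    make_constructed_fixed_vhd(sample)
    print(inspect_image(sample))
```

For a fixed VHD, `payload_len` is the file size minus the 512-byte footer; dynamic and differencing images report `None` because their data is not stored as one contiguous raw disk.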