Data recovery from encrypted drives can be performed with the help of software and hardware tools in combination, depending on the nature and extent of disk encryption. When an encrypted disk crashes, accessibility to the root sectors gets blocked due to the locking password. This is at the logical level of the drive. Before that the technician needs to get physical access to the root sectors which may be blocked due to mechanical and electrical failures in the disk and PCB. So the first step would be to restore the disk back into accessible conditions. If that procedure fails, the next option is to mirror the image of failed drive into a functional donor drive and fix the logical errors. These two procedures require active usage of enterprise hardware tools and OEM software utilities.
Our technical experts and data recovery systems have the facilities for data salvaging and decryption processes related to SCSI, IDE, Serial ATA, Parallel ATA and other disk formats with FAT, NTFS, HFS and other types of file systems. You get your data and volume information intact in their original conditions with easy access to files and folders.
Restoration of physical disk access
First step in restoring physical disk access is to fix the mechanical and electrical bugs in the disk and PCB levels. A detailed diagnosis is conducted with the help of hardware tools. Mechanical scanning needs to be done separately for read-write head, carriage, step motor, track zero sensor, spindle motor, index sensor and the disk platters. For this purpose the technician opens the HDD casing and dismantles each component carefully, subjecting each one to hardware tool scan.
Read-write head: – Dust and moisture deposit on the heads can cause them to go below the air bearing space with the platter and rub its surface. When it happens during read write process, the damages to head and platters could be critical as the platters will be rotating at a speed of 7,200RPM at that time. The technician may recommend replacement of heads in case repair is not possible. HEAD COMB is one of the safest hardware tools used for replacing the heads, without making any contact with the disk platters. He takes the help of a donor drive from which he takes out the read-write head and replaces the damaged heads. Once the process is complete, diagnosis for the platter damage is done.
Disk platter: – Disk platters may get affected by the high level of head impact on them during read-write operation. Magnetic storage layers may be damaged which need to be replaced. But replacing of platter can be done only after the data in them has been transferred onto a set of donor platter assembly with the same configuration of failed drive. This process is performed with the help of a platter exchange tool in which failed platters and donor platters are mounted simultaneously into two separate chambers. An OEM software tool is used to transfer the image from failed platters onto the donor platters. Once this process is complete, the donor platters are assembled into the failed drive and the other parts are reassembled.
Electronic issues: – PCB firmware corruption is said to be one of the main faults during electrical short circuits. The other issues could be burnt fuses, charred cables and blown electronic components at the board and chip levels. In most cases they are simply replaced except the PCB ROM whose firmware is rewritten with the help of Firmware data from another compatible donor PCB.
Logical Error corrections
In the next stage the technician starts working on the procedures of data recovery from encrypted drive. This process could be complex as the encryption process assigns two sets of keys to the files which are the private key and admin key. Data recovery can be successful only when these two are unlocked.
The technician connects the disk as a slave to the primary disk in the computer and logs in as ADMIN after the OS has been loaded in the primary disk. Now he needs to export all the files in order to break open the private keys allocated to the encrypted files. Windows 8 with advanced service pack and decryption tools can help in this process.
- Microsoft Management Console (MMC) is one such utility which can help in breaking the private keys associated with encrypted files. The system offers many snap-in utilities like the CETIFICATES which needs to be added to the MMC console.
- The technician selects ADMIN account and chooses the certificate file located within the encrypted drive. Once the export option is selected from the menu, he needs to specify the format of the file to which the certificate needs to be exported. In most of the cases it will be in .PFX format. The menu gives options for deleting the private key when the export is successful.
- The ADMIN password is input in the next stage to enable successful export. Then he uses this password to gain access to all the encrypted partitions and files.
In case the Operating system in the primary disk happens to be a legacy version of windows like XP or others like Linux or Mac, the technician will utilize the OEM decryption tools for breaking the private and ADMIN keys allocated to the partitions, folders and files in the encrypted drive.
Encrypted File System (EFS)
Main task of the system is to search for the encrypted files in each sector of the disk and their associated private key file. Once they are found the system removes the keys from the files. Efficient OEM software will be able to open all the encrypted files even when the corresponding keys are not available.
Unlocking of logical volumes is the main task of the decryption tool before it can gain access to the folders and files within these volumes. This task is performed with the help of bitwise search algorithm which can identify the encryption key to the volume from the sectors. The decryption engine simply breaks the key and frees the volume. Since the operation is performed at the bit level, there will be no need for the technician to be aware of the previously allocated key/password to the volumes and files.