How To Remove Encryption With The Option Force Crypt Sector

Posted Leave a commentPosted in MDE

This option is mostly used when the Crypt List Count is set to 0 or other methods for recovery have failed. Force Crypt Sector should be the last option to be used to remove McAfee Drive Encryption.  This option if it fails or is interrupted, the disk will be partially encrypted and almost impossible to recover. Before attempting to ran this option, it is recommended to make sector-by-sector backup of the disk. Some tools to do this type of backup are Acronis or Ghost. The reason to have a sector by sector backup,  you’ll have the opportunity to try “Froce Crypt […]

How To Remove Encryption With The Option Remove DE

Posted Leave a commentPosted in MDE

On this guide, we are going to remove encryption from a disk that was encrypted with McAfee Drive Encryption. This option will only work if the Crypt List Region Count is 1, to check the Crypt List Region Count please see the guide on “How To Get Disk Information“. The Crypt List, contains the information of where the encryption starts and ends for each partition. If the Crypt List Region Count is 0, this procedure to remove encryption will fail. After we confirm that the Crypt List Region Count is set to 1, boot the systems using the EETech/DETech tool. […]

Verify Disk Information & XML File

Posted Leave a commentPosted in MDE

Before decrypting a disk, per best practices is to check the state of the disk and verify that we have the correct recovery key. To achieve this, we need to get the Disk Information first. If you need help getting this information please click here. On the following image we can see under “Disk Partitions, Partition 0, the Start Sector is 2048 and the Sector count is 83881984. This is the information we  are going to use, to get the last sector and to verify if the first and last sector is encrypted.

How To Restore MBR With The EETech/DETech Tool

Posted Leave a commentPosted in MDE

When a drive is encrypted with Drive Encryption (MDE), MDE replaces the Windows MBR with PreBoot File System (PBFS). If PBFS is change by third party software or is corrupted, EETech/DETech has the option to restore the drive encryption MBR or the original Windows MBR. On this guide, I will be showing you how to restore the  Drive Encryption MBR, the same steps are done for restoring the Windows MBR. To be able to do this procedure you must first authorize and authenticate with EETech/DETech, check the following guides: Authenticate Authorize Note: To restore the Windows MBR the disk needs […]

Create A DLP Policy To Block A Word From Been Copied

Posted Leave a commentPosted in DLP

Today I will be showing you how to create a DLP policy to block a word from been copied to a txt document, warn the user with a pop-up message and report the incident to ePO. This rule can be useful to block from copping critical text onto another document. For this policy to work we are going to do the following: Create a classification for the word we want to block. Create a rule-set and assign the classification to DLP Policy Manager Test the rule/policy on a system Create a Classification First we are going to create a classification […]

How To Do An Emergency Boot With EETech/DETech

Posted 1 CommentPosted in MDE

The first recovery option to try, is to do an emergency boot on an encrypted systems that is having problems booting up. To be able to do an emergency boot, the Crypt List information should bee present. This option will bypass preboot (PBFS) and go straight into to the OS. Once the OS loads, Drive Encryption will go into recovery mode and fix any issue related to preboot. To check if the crypt list information is available, to authorize and authenticate check the following guides: Disk Information Authenticate Authorize Start your computer with the bootable EETech/DETech USB or CD, after authenticated […]

How To Get Disk Information Using EETech/DETech

Posted 9 CommentsPosted in MDE

To be able to decrypt a disk, is important to check the status of the disk drive. To be able to check if the disk is encrypted or not, or if you have the correct key, is important to get the disk information first. To get disk information you must boot the system to CD or USB using the EETech/DETech tool. The EETech/DETech tool can be download from McAfee Website , and by following the “Drive Encryption 7.1 DETech User Guide” on page 54. I also have couple of the ISO’s on my google drive, that can be downloaded here. […]