MDE

Verify Disk Information & XML File

Before decrypting a disk, per best practices is to check the state of the disk and verify that we have the correct recovery key. To achieve this, we need to get the Disk Information first. If you need help getting this information please click here.

On the following image we can see under “Disk Partitions, Partition 0, the Start Sector is 2048 and the Sector count is 83881984. This is the information we  are going to use, to get the last sector and to verify if the first and last sector is encrypted.

To calculate the disk drive end sector user must add the Start Sector + Sector Count and subtract 1 Example:
2048 + 83881984 = 83884032, then we subtract 1 = 83884031, so the end sector of this partition is 83884031. This information is documented in KB7006.

On this guide, I will be showing you how to verify the disk information, and check if the first and last sector are encrypted. To be able to do this procedure you must first authorize and authenticate with EETech/DETech, check the following guides:
Authenticate
Authorize

  1. Boot the system with EETech/DETech, make sure you are authenticated and authorize, next click on “Workspace”.
  2. On the next screen, click on “Load From Disk”.
  3. If this is the only disk on the system, under Disk number select “Disk 0”, under Start Sector type “2048”, this is our Start Sector based on the Disk Information we gather. For Number of Sectors select “1” and then click “Ok”.
    Disk Number –  This option only changes if the disk is set as a slave or secondary external disk on another system, to recover the information.
    Start Sector – Is the first sector of the partition we are trying to view. This can be any sector, but for our test, we are only interested in the information of the first sector and the last sector of each partition. On the first image above, for our example we only have one partition.
    Number of SectorsHow many sectors we want to view, in this case we are only interested in 1 sector. If we put 2, we would get the information of sector 2048 and 2049.
  4. On the next screen the information for the sector will show, if you try to read the information on the right, it is not readable. This is normal for a sector that is encrypted. Next click on “Decrypt Workspace”.
  5.  The data will change and some stuff becomes readable. This let us know that the key we are using is the correct key and that the sector is encrypted. Because this is the first sector, we are able to see readable data. The reason we select the sector where the partition starts and where it ends, is because this information will always be similar in those sectors. Since the operating system writes the information for the partition on the first and last sector.
  6. Next we are going to check the last sector of partition 0. Click on “Load from Disk”.
  7. For disk number select “Disk 0”, for Start Sector this time type “83884031” and for sector count type “1”, then click “OK”.
  8. The workspace will load and once again, on the right there is no readable data. Click on “Decrypt Workspace”.
    Note: if the data on the right was readable, it means that the sector is not encrypted.
  9. Now some information will be readable on the end sector. This is how we confirm that we have the correct key and that the disk is encrypted.
  10. The next image is an example of  sector 83884030 that is encrypted, but is not the start sector or end sector, I’ve click on “Decrypt Workspace”.
  11. We won’t be able to see readable data, or any data at all because this sector is empty.
  12. Click “Quit” to exit EETech/DETech

This concludes this guide on how to verify the disk information, and check if the first and last sector are encrypted. If you have any question or comments please let me know in the comment area.

Leave a Reply

Your email address will not be published. Required fields are marked *