
SafeGuard and the case of the accidental re-image

Good afternoon Sophos SafeGuard community,

I am passing this story along to ask IF there is any other way to approach the likely loss of the MBR (Master Boot Record) of a Sophos SafeGuard Enterprise (version 5.40.0) protected & encrypted desktop.  I am posting this on behalf of a small team with limited time and resources.  We typically "get things right" and do not make "educated guesses", but in the scenario I am about to describe, lesser procedures were employed by not-as-experienced Contractor help.

The scenario goes like this:

A Windows 7 migration Technician accidentally begins the imaging process of a Lenovo T420 laptop without backing up the End User's data.  The laptop was previously encrypted with the version mentioned above (Desktop Sophos agent shows version 5.50.8.13), and the "5.40.0" version number appears with the Sophos "Enterprise" listing in the "Add/Remove Programs" > Control Panel.

Once the mistake was realized, the imaging process was stopped and we were able to Boot the laptop up to the blue background screen Sophos normally shows just before displaying the POA login window.  However, no login window appeared!

It was at this point other Technicians presumed the MBR had become corrupted or removed entirely, but it was also hoped the User's data remained intact on the hard drive!  Next the MBR was repaired through the BIOS and with the use of another third-party tool called "Spotmau".  The partition was scanned and "repaired" using Spotmau.

The next observation made was of a bootable laptop (positive!) which led to an error indicating "NTLDR" is missing.  This is a more commonly encountered error message which personnel supporting Windows XP will recognize.

SCENARIO QUESTIONS:

1).  What general steps can be performed for data recovery with this machine?

2).  Does Sophos have an ability to "heal thyself" using "BE_Restore.exe" or the version specific Emergency CDs?

3).  Do any of these options require the use of the Sophos Server Console?

  • Perhaps there is an Emergency Procedures handbook that may be downloaded (or paid for?) to avoid calls to Sophos support IF the steps within it are followed properly?

Respectfully submitted,

~ Dennis C.



This thread was automatically locked due to age.
  • In my experience the only way you would be able to recover data off an encrypted HDD is using the Sophos console. You would need it either to assign the key to another device to slave the hard drive or would need it to perform a challenge response to unlock the drive using the SGN PE Disk.

    BE_Restore.exe will fix the POA but won't help if Windows has become corrupted.

    Try the following steps using WINPE SGN which is available here: http://www.sophos.com/en-us/support/knowledgebase/108805.aspx :

    1. In the Sophos console click on Keys and Certificates > Virtual Clients > Add Virtual Client.
    2. Name the client after the hostname of the laptop.
    3. Next click on Virtual Clients, select the correct hostname from the list and then select Export Virtual client.
    4. This will export a file called recoverytoken.tok. Save it to your USB drive.
    5. Boot into WINPE SGN on the laptop.
    6. Copy the recoverytoken.tok from your USB drive to X:\Tools\SGN-Tools
    7. Open the KeyRecovery in the Quick Launch.
    8. The recover keys window will appear. Select “Import By C/R” at the bottom of the Recover Keys window.
    9. Write down the challenge code.
    10. On the encryption console click Tools > Recovery.
    11. Select “Virtual Client” and enter the name of the virtual client. (In this example VC1)
    12. Select “Key requested” and click “Next”.
    13. Select “Recovery key for Safeguard Enterprise Client managed”.
    14. Click “Find Now” to list all of the encryption keys available. You will be able to find the key for the laptop you are on by finding a key matching the hostname under the “Key Name” column. Failing that, the “Key ID” will also match the key displayed in step 8.
    15. Select the key and click OK. Then “Next”.
    16. Type in the challenge code you wrote down earlier.
    17. A Response code will be generated.
    18. On the laptop enter the response into the response field.

    You can now browse the encrypted drive and copy the data across to a USB drive.
