Recovering Data from a McAfee Endpoint Encryption Corporate Hard Drive

My system information.

• IMB Thinkpad Lenovo T420
• Windows 7 64 bit
• Hard drive is encrypted with McAfee Endpoint Encryption v6
  320GB hard drive
• 2 partitions; 1 main partition, the other partition is labeled BDEDrive (which I think is a standard Windows 7 partition)

This past Friday, my Windows 7 machine locked up. I waited for it to respond for about 15 minutes. It didn't! So I held the power button down to give it a fresh boot. The machine blinked a blue screen of death and rebooted to a standard Windows diagnostic screen. The machine automatically ran the diagnostic with no solution. This was in an endless loop. I ran CHKDSK from a DOS prompt without any success.

I then pulled the hard drive to hook up to another system to see what I could find. It asked me to reformat, which I did NOT do. I did some Google research and it appears that the MBR or partition was potentially damaged. So I downloaded TestDisk and tried to scan the partition (Intel - without logging); quick scan and deep scan did not return anything to recover (but was able to completely scan the drive). So at this point I logged a help desk ticket with my company.

I brought the machine in Monday morning and they told me that the hard drive is encrypted with McAfee. They tried to run some software on my machine from a USB drive (I did not catch the name of it) but it locked up and they did not try it again. They pulled the hard drive from the machine to test it via a diagnostic machine and got an I/O error. At this point they told me that they could not do anything because the hard drive crashed. But I didn't believe it since I did not get any errors from connecting through my personal USB hard drive adapter. So I was able to get the hard drive in order to continue testing on my own (which may or may not be a good idea since they didn't want to give it up).

So here are my screen shots and log from TestDisk.

Quick Analysis shows the following; the first partition appears to be listed twice.


Results of Quick Scan does not show the first partition...


Looking at the files (they all appear to be from the BDEDrive partition)...


There appears to be some logs listed with the date of my initial problem.


Could the BCD or BCD.log files be used to troubleshoot this problem?

I also did a deep scan. Below are the results.



Looks like TestDisk found the first partition, but when I go and look at the files...I get this! Which I guess I would expect since the hard drive is encrypted.


Looking at the Advanced -> Boot option in TestDisk, I see the following. Is this expected with an encrypted drive?


And I ran a scan with Crystal Disk Info. Results here look good.


Should I create an image of this drive before doing anything else?

Not sure what else to do here.

Any help with this would be much appreciated!

Here's the first part of the log from TestDisk.

Code:

Tue Jul 22 13:46:10 2014
Command line: TestDisk

TestDisk 6.14, Data Recovery Utility, July 2013
Christophe GRENIER <grenier@cgsecurity.org>
http://www.cgsecurity.org
OS: Windows 7 (7601) SP1
Compiler: GCC 4.7, Cygwin 1007.17
Compilation date: 2013-07-30T14:08:52
ext2fs lib: 1.42.2, ntfs lib: 10:0:0, reiserfs lib: 0.3.1-rc8, ewf lib: 20120504
disk_get_size_win32 IOCTL_DISK_GET_LENGTH_INFO(/dev/sda)=160041885696
disk_get_size_win32 IOCTL_DISK_GET_LENGTH_INFO(/dev/sdb)=320072933376
disk_get_size_win32 IOCTL_DISK_GET_LENGTH_INFO(\\.\PhysicalDrive0)=160041885696
disk_get_size_win32 IOCTL_DISK_GET_LENGTH_INFO(\\.\PhysicalDrive1)=320072933376
disk_get_size_win32 IOCTL_DISK_GET_LENGTH_INFO(\\.\C:)=159713853440
filewin32_getfilesize(\\.\D:) GetFileSize err Incorrect function.

filewin32_setfilepointer(\\.\D:) SetFilePointer err Incorrect function.

Warning: can't get size for \\.\D:
filewin32_getfilesize(\\.\E:) GetFileSize err Incorrect function.

filewin32_setfilepointer(\\.\E:) SetFilePointer err Incorrect function.

Warning: can't get size for \\.\E:
disk_get_size_win32 IOCTL_DISK_GET_LENGTH_INFO(\\.\F:)=319744376832
disk_get_size_win32 IOCTL_DISK_GET_LENGTH_INFO(\\.\G:)=314572800
Hard disk list
Disk /dev/sda - 160 GB / 149 GiB - CHS 19457 255 63, sector size=512 - HITACHI HTS723216A7A, S/N:3E285426AG8KN1, FW:EC1Z
Disk /dev/sdb - 320 GB / 298 GiB - CHS 38913 255 63, sector size=512 - ST320LT0 07-9ZV142

Partition table type (auto): Intel
Disk /dev/sdb - 320 GB / 298 GiB - ST320LT0 07-9ZV142
Partition table type: Intel

Analyse Disk /dev/sdb - 320 GB / 298 GiB - CHS 38913 255 63
Geometry from i386 MBR: head=255 sector=63
check_part_i386 failed for partition type 07
NTFS at 38873/127/39
Current partition structure:
Invalid NTFS or EXFAT boot
 1 P HPFS - NTFS              0  32 33 38873 127 38  624500736
 1 P HPFS - NTFS              0  32 33 38873 127 38  624500736
 2 * HPFS - NTFS          38873 127 39 38911 189 62     614400 [BDEDrive]

search_part()
Disk /dev/sdb - 320 GB / 298 GiB - CHS 38913 255 63
NTFS at 38873/127/39
filesystem size           614400
sectors_per_cluster       8
mft_lcn                   25600
mftmirr_lcn               2
clusters_per_mft_record   -10
clusters_per_index_record 1
     HPFS - NTFS          38873 127 39 38911 189 62     614400 [BDEDrive]
     NTFS, blocksize=4096, 314 MB / 300 MiB
file_pread(5,1,buffer,625143807(38913/102/37)) lseek err Invalid argument
file_pread(5,1,buffer,625143808(38913/102/38)) lseek err Invalid argument
file_pread(5,14,buffer,625143809(38913/102/39)) lseek err Invalid argument
file_pread(5,3,buffer,625143823(38913/102/53)) lseek err Invalid argument
file_pread(5,3,buffer,625143870(38913/103/37)) lseek err Invalid argument
file_pread(5,8,buffer,625143886(38913/103/53)) lseek err Invalid argument
file_pread(5,11,buffer,625143933(38913/104/37)) lseek err Invalid argument
file_pread(5,2,buffer,625145855(38913/135/6)) lseek err Invalid argument
Search for partition aborted

Results
   * HPFS - NTFS          38873 127 39 38911 189 62     614400 [BDEDrive]
     NTFS, blocksize=4096, 314 MB / 300 MiB

interface_write()
 1 * HPFS - NTFS          38873 127 39 38911 189 62     614400 [BDEDrive]
simulate write!

write_mbr_i386: starting...
write_all_log_i386: starting...
No extended partition
Partition table type (auto): Intel
Disk /dev/sdb - 320 GB / 298 GiB - ST320LT0 07-9ZV142
Partition table type: Intel

Analyse Disk /dev/sdb - 320 GB / 298 GiB - CHS 38913 255 63
Geometry from i386 MBR: head=255 sector=63
check_part_i386 failed for partition type 07
NTFS at 38873/127/39
Current partition structure:
Invalid NTFS or EXFAT boot
 1 P HPFS - NTFS              0  32 33 38873 127 38  624500736
 1 P HPFS - NTFS              0  32 33 38873 127 38  624500736
 2 * HPFS - NTFS          38873 127 39 38911 189 62     614400 [BDEDrive]

search_part()
Disk /dev/sdb - 320 GB / 298 GiB - CHS 38913 255 63
NTFS at 38873/127/39
filesystem size           614400
sectors_per_cluster       8
mft_lcn                   25600
mftmirr_lcn               2
clusters_per_mft_record   -10
clusters_per_index_record 1
     HPFS - NTFS          38873 127 39 38911 189 62     614400 [BDEDrive]
     NTFS, blocksize=4096, 314 MB / 300 MiB
file_pread(5,2,buffer,625143808(38913/102/38)) lseek err Invalid argument
file_pread(5,1,buffer,625143808(38913/102/38)) lseek err Invalid argument
file_pread(5,1,buffer,625143807(38913/102/37)) lseek err Invalid argument
file_pread(5,14,buffer,625143809(38913/102/39)) lseek err Invalid argument
file_pread(5,3,buffer,625143823(38913/102/53)) lseek err Invalid argument
file_pread(5,3,buffer,625143870(38913/103/37)) lseek err Invalid argument
file_pread(5,8,buffer,625143886(38913/103/53)) lseek err Invalid argument
file_pread(5,11,buffer,625143933(38913/104/37)) lseek err Invalid argument
file_pread(5,2,buffer,625145855(38913/135/6)) lseek err Invalid argument

Results
   * HPFS - NTFS          38873 127 39 38911 189 62     614400 [BDEDrive]
     NTFS, blocksize=4096, 314 MB / 300 MiB


dir_partition inode=5
   * HPFS - NTFS          38873 127 39 38911 189 62     614400 [BDEDrive]
     NTFS, blocksize=4096, 314 MB / 300 MiB
Directory /
       5 dr-xr-xr-x     0      0         0  3-Mar-2012 07:24 .
       5 dr-xr-xr-x     0      0         0  3-Mar-2012 07:24 ..
      35 dr-xr-xr-x     0      0         0  3-Mar-2012 07:23 Boot
      97 dr-xr-xr-x     0      0         0  3-Mar-2012 07:24 System Volume Information
      96 -r--r--r--     0      0      8192  3-Mar-2012 07:23 BOOTSECT.BAK
      85 -r--r--r--     0      0    383786 20-Nov-2010 22:23 bootmgr

dir_partition inode=35
   * HPFS - NTFS          38873 127 39 38911 189 62     614400 [BDEDrive]
     NTFS, blocksize=4096, 314 MB / 300 MiB
Directory /Boot
      35 dr-xr-xr-x     0      0         0  3-Mar-2012 07:23 .
       5 dr-xr-xr-x     0      0         0  3-Mar-2012 07:24 ..
      86 dr-xr-xr-x     0      0         0  3-Mar-2012 07:23 Fonts
      37 dr-xr-xr-x     0      0         0  3-Mar-2012 07:23 cs-CZ
      39 dr-xr-xr-x     0      0         0  3-Mar-2012 07:23 da-DK
      41 dr-xr-xr-x     0      0         0  3-Mar-2012 07:23 de-DE
      43 dr-xr-xr-x     0      0         0  3-Mar-2012 07:23 el-GR
      45 dr-xr-xr-x     0      0         0  3-Mar-2012 07:23 en-US
      48 dr-xr-xr-x     0      0         0  3-Mar-2012 07:23 es-ES
      50 dr-xr-xr-x     0      0         0  3-Mar-2012 07:23 fi-FI
      52 dr-xr-xr-x     0      0         0  3-Mar-2012 07:23 fr-FR
      54 dr-xr-xr-x     0      0         0  3-Mar-2012 07:23 hu-HU
      56 dr-xr-xr-x     0      0         0  3-Mar-2012 07:23 it-IT
      58 dr-xr-xr-x     0      0         0  3-Mar-2012 07:23 ja-JP
      60 dr-xr-xr-x     0      0         0  3-Mar-2012 07:23 ko-KR
      63 dr-xr-xr-x     0      0         0  3-Mar-2012 07:23 nb-NO
      65 dr-xr-xr-x     0      0         0  3-Mar-2012 07:23 nl-NL
      67 dr-xr-xr-x     0      0         0  3-Mar-2012 07:23 pl-PL
      69 dr-xr-xr-x     0      0         0  3-Mar-2012 07:23 pt-BR
      71 dr-xr-xr-x     0      0         0  3-Mar-2012 07:23 pt-PT
      73 dr-xr-xr-x     0      0         0  3-Mar-2012 07:23 ru-RU
      75 dr-xr-xr-x     0      0         0  3-Mar-2012 07:23 sv-SE
      77 dr-xr-xr-x     0      0         0  3-Mar-2012 07:23 tr-TR
      79 dr-xr-xr-x     0      0         0  3-Mar-2012 07:23 zh-CN
      81 dr-xr-xr-x     0      0         0  3-Mar-2012 07:23 zh-HK
      83 dr-xr-xr-x     0      0         0  3-Mar-2012 07:23 zh-TW
      92 -r--r--r--     0      0     28672 18-Jul-2014 18:11 BCD
      93 -r--r--r--     0      0     25600 18-Jul-2014 18:11 BCD.LOG
      94 -r--r--r--     0      0         0  3-Mar-2012 07:23 BCD.LOG1
      95 -r--r--r--     0      0         0  3-Mar-2012 07:23 BCD.LOG2
      36 -r--r--r--     0      0     65536  3-Mar-2012 07:23 BOOTSTAT.DAT
      62 -r--r--r--     0      0    485760 20-Nov-2010 22:24 memtest.exe
Directory /
       5 dr-xr-xr-x     0      0         0  3-Mar-2012 07:24 .
       5 dr-xr-xr-x     0      0         0  3-Mar-2012 07:24 ..
      35 dr-xr-xr-x     0      0         0  3-Mar-2012 07:23 Boot
      97 dr-xr-xr-x     0      0         0  3-Mar-2012 07:24 System Volume Information
      96 -r--r--r--     0      0      8192  3-Mar-2012 07:23 BOOTSECT.BAK
      85 -r--r--r--     0      0    383786 20-Nov-2010 22:23 bootmgr

dir_partition inode=97
   * HPFS - NTFS          38873 127 39 38911 189 62     614400 [BDEDrive]
     NTFS, blocksize=4096, 314 MB / 300 MiB
Directory /System Volume Information
      97 dr-xr-xr-x     0      0         0  3-Mar-2012 07:24 .
       5 dr-xr-xr-x     0      0         0  3-Mar-2012 07:24 ..
      17 dr-xr-xr-x     0      0         0 18-Jul-2014 17:01 Chkdsk
      98 -r--r--r--     0      0     20480  3-Mar-2012 07:24 tracking.log

dir_partition inode=17
   * HPFS - NTFS          38873 127 39 38911 189 62     614400 [BDEDrive]
     NTFS, blocksize=4096, 314 MB / 300 MiB
Directory /System Volume Information/Chkdsk
      17 dr-xr-xr-x     0      0         0 18-Jul-2014 17:01 .
      97 dr-xr-xr-x     0      0         0  3-Mar-2012 07:24 ..
      18 -r--r--r--     0      0      4096 18-Jul-2014 17:01 Chkdsk20140718210112.log
      19 -r--r--r--     0      0      4096 18-Jul-2014 17:02 Chkdsk20140718210218.log
      20 -r--r--r--     0      0      5120 18-Jul-2014 17:03 Chkdsk20140718210315.log
      21 -r--r--r--     0      0      4096 18-Jul-2014 17:10 Chkdsk20140718211021.log
      22 -r--r--r--     0      0      3072 18-Jul-2014 17:25 Chkdsk20140718212522.log
Directory /System Volume Information
      97 dr-xr-xr-x     0      0         0  3-Mar-2012 07:24 .
       5 dr-xr-xr-x     0      0         0  3-Mar-2012 07:24 ..
      17 dr-xr-xr-x     0      0         0 18-Jul-2014 17:01 Chkdsk
      98 -r--r--r--     0      0     20480  3-Mar-2012 07:24 tracking.log
Directory /
       5 dr-xr-xr-x     0      0         0  3-Mar-2012 07:24 .
       5 dr-xr-xr-x     0      0         0  3-Mar-2012 07:24 ..
      35 dr-xr-xr-x     0      0         0  3-Mar-2012 07:23 Boot
      97 dr-xr-xr-x     0      0         0  3-Mar-2012 07:24 System Volume Information
      96 -r--r--r--     0      0      8192  3-Mar-2012 07:23 BOOTSECT.BAK
      85 -r--r--r--     0      0    383786 20-Nov-2010 22:23 bootmgr

dir_partition inode=35
   * HPFS - NTFS          38873 127 39 38911 189 62     614400 [BDEDrive]
     NTFS, blocksize=4096, 314 MB / 300 MiB
Directory /Boot
      35 dr-xr-xr-x     0      0         0  3-Mar-2012 07:23 .
       5 dr-xr-xr-x     0      0         0  3-Mar-2012 07:24 ..
      86 dr-xr-xr-x     0      0         0  3-Mar-2012 07:23 Fonts
      37 dr-xr-xr-x     0      0         0  3-Mar-2012 07:23 cs-CZ
      39 dr-xr-xr-x     0      0         0  3-Mar-2012 07:23 da-DK
      41 dr-xr-xr-x     0      0         0  3-Mar-2012 07:23 de-DE
      43 dr-xr-xr-x     0      0         0  3-Mar-2012 07:23 el-GR
      45 dr-xr-xr-x     0      0         0  3-Mar-2012 07:23 en-US
      48 dr-xr-xr-x     0      0         0  3-Mar-2012 07:23 es-ES
      50 dr-xr-xr-x     0      0         0  3-Mar-2012 07:23 fi-FI
      52 dr-xr-xr-x     0      0         0  3-Mar-2012 07:23 fr-FR
      54 dr-xr-xr-x     0      0         0  3-Mar-2012 07:23 hu-HU
      56 dr-xr-xr-x     0      0         0  3-Mar-2012 07:23 it-IT
      58 dr-xr-xr-x     0      0         0  3-Mar-2012 07:23 ja-JP
      60 dr-xr-xr-x     0      0         0  3-Mar-2012 07:23 ko-KR
      63 dr-xr-xr-x     0      0         0  3-Mar-2012 07:23 nb-NO
      65 dr-xr-xr-x     0      0         0  3-Mar-2012 07:23 nl-NL
      67 dr-xr-xr-x     0      0         0  3-Mar-2012 07:23 pl-PL
      69 dr-xr-xr-x     0      0         0  3-Mar-2012 07:23 pt-BR
      71 dr-xr-xr-x     0      0         0  3-Mar-2012 07:23 pt-PT
      73 dr-xr-xr-x     0      0         0  3-Mar-2012 07:23 ru-RU
      75 dr-xr-xr-x     0      0         0  3-Mar-2012 07:23 sv-SE
      77 dr-xr-xr-x     0      0         0  3-Mar-2012 07:23 tr-TR
      79 dr-xr-xr-x     0      0         0  3-Mar-2012 07:23 zh-CN
      81 dr-xr-xr-x     0      0         0  3-Mar-2012 07:23 zh-HK
      83 dr-xr-xr-x     0      0         0  3-Mar-2012 07:23 zh-TW
      92 -r--r--r--     0      0     28672 18-Jul-2014 18:11 BCD
      93 -r--r--r--     0      0     25600 18-Jul-2014 18:11 BCD.LOG
      94 -r--r--r--     0      0         0  3-Mar-2012 07:23 BCD.LOG1
      95 -r--r--r--     0      0         0  3-Mar-2012 07:23 BCD.LOG2
      36 -r--r--r--     0      0     65536  3-Mar-2012 07:23 BOOTSTAT.DAT
      62 -r--r--r--     0      0    485760 20-Nov-2010 22:24 memtest.exe
Directory /
       5 dr-xr-xr-x     0      0         0  3-Mar-2012 07:24 .
       5 dr-xr-xr-x     0      0         0  3-Mar-2012 07:24 ..
      35 dr-xr-xr-x     0      0         0  3-Mar-2012 07:23 Boot
      97 dr-xr-xr-x     0      0         0  3-Mar-2012 07:24 System Volume Information
      96 -r--r--r--     0      0      8192  3-Mar-2012 07:23 BOOTSECT.BAK
      85 -r--r--r--     0      0    383786 20-Nov-2010 22:23 bootmgr

and the next part...

Code:

dir_partition inode=35
   * HPFS - NTFS          38873 127 39 38911 189 62     614400 [BDEDrive]
     NTFS, blocksize=4096, 314 MB / 300 MiB
Directory /Boot
      35 dr-xr-xr-x     0      0         0  3-Mar-2012 07:23 .
       5 dr-xr-xr-x     0      0         0  3-Mar-2012 07:24 ..
      86 dr-xr-xr-x     0      0         0  3-Mar-2012 07:23 Fonts
      37 dr-xr-xr-x     0      0         0  3-Mar-2012 07:23 cs-CZ
      39 dr-xr-xr-x     0      0         0  3-Mar-2012 07:23 da-DK
      41 dr-xr-xr-x     0      0         0  3-Mar-2012 07:23 de-DE
      43 dr-xr-xr-x     0      0         0  3-Mar-2012 07:23 el-GR
      45 dr-xr-xr-x     0      0         0  3-Mar-2012 07:23 en-US
      48 dr-xr-xr-x     0      0         0  3-Mar-2012 07:23 es-ES
      50 dr-xr-xr-x     0      0         0  3-Mar-2012 07:23 fi-FI
      52 dr-xr-xr-x     0      0         0  3-Mar-2012 07:23 fr-FR
      54 dr-xr-xr-x     0      0         0  3-Mar-2012 07:23 hu-HU
      56 dr-xr-xr-x     0      0         0  3-Mar-2012 07:23 it-IT
      58 dr-xr-xr-x     0      0         0  3-Mar-2012 07:23 ja-JP
      60 dr-xr-xr-x     0      0         0  3-Mar-2012 07:23 ko-KR
      63 dr-xr-xr-x     0      0         0  3-Mar-2012 07:23 nb-NO
      65 dr-xr-xr-x     0      0         0  3-Mar-2012 07:23 nl-NL
      67 dr-xr-xr-x     0      0         0  3-Mar-2012 07:23 pl-PL
      69 dr-xr-xr-x     0      0         0  3-Mar-2012 07:23 pt-BR
      71 dr-xr-xr-x     0      0         0  3-Mar-2012 07:23 pt-PT
      73 dr-xr-xr-x     0      0         0  3-Mar-2012 07:23 ru-RU
      75 dr-xr-xr-x     0      0         0  3-Mar-2012 07:23 sv-SE
      77 dr-xr-xr-x     0      0         0  3-Mar-2012 07:23 tr-TR
      79 dr-xr-xr-x     0      0         0  3-Mar-2012 07:23 zh-CN
      81 dr-xr-xr-x     0      0         0  3-Mar-2012 07:23 zh-HK
      83 dr-xr-xr-x     0      0         0  3-Mar-2012 07:23 zh-TW
      92 -r--r--r--     0      0     28672 18-Jul-2014 18:11 BCD
      93 -r--r--r--     0      0     25600 18-Jul-2014 18:11 BCD.LOG
      94 -r--r--r--     0      0         0  3-Mar-2012 07:23 BCD.LOG1
      95 -r--r--r--     0      0         0  3-Mar-2012 07:23 BCD.LOG2
      36 -r--r--r--     0      0     65536  3-Mar-2012 07:23 BOOTSTAT.DAT
      62 -r--r--r--     0      0    485760 20-Nov-2010 22:24 memtest.exe
Directory /
       5 dr-xr-xr-x     0      0         0  3-Mar-2012 07:24 .
       5 dr-xr-xr-x     0      0         0  3-Mar-2012 07:24 ..
      35 dr-xr-xr-x     0      0         0  3-Mar-2012 07:23 Boot
      97 dr-xr-xr-x     0      0         0  3-Mar-2012 07:24 System Volume Information
      96 -r--r--r--     0      0      8192  3-Mar-2012 07:23 BOOTSECT.BAK
      85 -r--r--r--     0      0    383786 20-Nov-2010 22:23 bootmgr


dir_partition inode=5
   P HPFS - NTFS          38873 127 39 38911 189 62     614400 [BDEDrive]
     NTFS, blocksize=4096, 314 MB / 300 MiB
Directory /
       5 dr-xr-xr-x     0      0         0  3-Mar-2012 07:24 .
       5 dr-xr-xr-x     0      0         0  3-Mar-2012 07:24 ..
      35 dr-xr-xr-x     0      0         0  3-Mar-2012 07:23 Boot
      97 dr-xr-xr-x     0      0         0  3-Mar-2012 07:24 System Volume Information
      96 -r--r--r--     0      0      8192  3-Mar-2012 07:23 BOOTSECT.BAK
      85 -r--r--r--     0      0    383786 20-Nov-2010 22:23 bootmgr

dir_partition inode=35
   P HPFS - NTFS          38873 127 39 38911 189 62     614400 [BDEDrive]
     NTFS, blocksize=4096, 314 MB / 300 MiB
Directory /Boot
      35 dr-xr-xr-x     0      0         0  3-Mar-2012 07:23 .
       5 dr-xr-xr-x     0      0         0  3-Mar-2012 07:24 ..
      86 dr-xr-xr-x     0      0         0  3-Mar-2012 07:23 Fonts
      37 dr-xr-xr-x     0      0         0  3-Mar-2012 07:23 cs-CZ
      39 dr-xr-xr-x     0      0         0  3-Mar-2012 07:23 da-DK
      41 dr-xr-xr-x     0      0         0  3-Mar-2012 07:23 de-DE
      43 dr-xr-xr-x     0      0         0  3-Mar-2012 07:23 el-GR
      45 dr-xr-xr-x     0      0         0  3-Mar-2012 07:23 en-US
      48 dr-xr-xr-x     0      0         0  3-Mar-2012 07:23 es-ES
      50 dr-xr-xr-x     0      0         0  3-Mar-2012 07:23 fi-FI
      52 dr-xr-xr-x     0      0         0  3-Mar-2012 07:23 fr-FR
      54 dr-xr-xr-x     0      0         0  3-Mar-2012 07:23 hu-HU
      56 dr-xr-xr-x     0      0         0  3-Mar-2012 07:23 it-IT
      58 dr-xr-xr-x     0      0         0  3-Mar-2012 07:23 ja-JP
      60 dr-xr-xr-x     0      0         0  3-Mar-2012 07:23 ko-KR
      63 dr-xr-xr-x     0      0         0  3-Mar-2012 07:23 nb-NO
      65 dr-xr-xr-x     0      0         0  3-Mar-2012 07:23 nl-NL
      67 dr-xr-xr-x     0      0         0  3-Mar-2012 07:23 pl-PL
      69 dr-xr-xr-x     0      0         0  3-Mar-2012 07:23 pt-BR
      71 dr-xr-xr-x     0      0         0  3-Mar-2012 07:23 pt-PT
      73 dr-xr-xr-x     0      0         0  3-Mar-2012 07:23 ru-RU
      75 dr-xr-xr-x     0      0         0  3-Mar-2012 07:23 sv-SE
      77 dr-xr-xr-x     0      0         0  3-Mar-2012 07:23 tr-TR
      79 dr-xr-xr-x     0      0         0  3-Mar-2012 07:23 zh-CN
      81 dr-xr-xr-x     0      0         0  3-Mar-2012 07:23 zh-HK
      83 dr-xr-xr-x     0      0         0  3-Mar-2012 07:23 zh-TW
      92 -r--r--r--     0      0     28672 18-Jul-2014 18:11 BCD
      93 -r--r--r--     0      0     25600 18-Jul-2014 18:11 BCD.LOG
      94 -r--r--r--     0      0         0  3-Mar-2012 07:23 BCD.LOG1
      95 -r--r--r--     0      0         0  3-Mar-2012 07:23 BCD.LOG2
      36 -r--r--r--     0      0     65536  3-Mar-2012 07:23 BOOTSTAT.DAT
      62 -r--r--r--     0      0    485760 20-Nov-2010 22:24 memtest.exe
Directory /
       5 dr-xr-xr-x     0      0         0  3-Mar-2012 07:24 .
       5 dr-xr-xr-x     0      0         0  3-Mar-2012 07:24 ..
      35 dr-xr-xr-x     0      0         0  3-Mar-2012 07:23 Boot
      97 dr-xr-xr-x     0      0         0  3-Mar-2012 07:24 System Volume Information
      96 -r--r--r--     0      0      8192  3-Mar-2012 07:23 BOOTSECT.BAK
      85 -r--r--r--     0      0    383786 20-Nov-2010 22:23 bootmgr

interface_write()
 1 P HPFS - NTFS          38873 127 39 38911 189 62     614400 [BDEDrive]
$MFT has invalid magic.
ntfs_mft_load(): Failed.
Failed to load $MFT: Input/output error.
Failed to startup volume: Input/output error.
$MFT has invalid magic.
ntfs_mft_load(): Failed.
Failed to load $MFT: Input/output error.
$MFT has invalid magic.
ntfs_mft_load(): Failed.
Failed to load $MFT: Input/output error.
Failed to startup volume: Input/output error.
$MFT has invalid magic.
ntfs_mft_load(): Failed.
Failed to load $MFT: Input/output error.

search_part()
Disk /dev/sdb - 320 GB / 298 GiB - CHS 38913 255 63
NTFS at 38873/127/39
filesystem size           614400
sectors_per_cluster       8
mft_lcn                   25600
mftmirr_lcn               2
clusters_per_mft_record   -10
clusters_per_index_record 1
     HPFS - NTFS          38873 127 39 38911 189 62     614400 [BDEDrive]
     NTFS, blocksize=4096, 314 MB / 300 MiB
NTFS at 38911/189/62
filesystem size           614400
sectors_per_cluster       8
mft_lcn                   25600
mftmirr_lcn               2
clusters_per_mft_record   -10
clusters_per_index_record 1
     HPFS - NTFS          38873 127 39 38911 189 62     614400 [BDEDrive]
     NTFS found using backup sector, blocksize=4096, 314 MB / 300 MiB
NTFS at 38913/37/36
filesystem size           32768000
sectors_per_cluster       8
mft_lcn                   786432
mftmirr_lcn               2
clusters_per_mft_record   -10
clusters_per_index_record 1
     HPFS - NTFS          36873 110 38 38913  37 36   32768000
     NTFS found using backup sector, blocksize=4096, 16 GB / 15 GiB
file_pread(5,2,buffer,625143808(38913/102/38)) lseek err Invalid argument
file_pread(5,1,buffer,625143808(38913/102/38)) lseek err Invalid argument
file_pread(5,8,buffer,625142528(38913/82/18)) lseek err Invalid argument
file_pread(5,1,buffer,625142528(38913/82/18)) lseek err Invalid argument
file_pread(5,8,buffer,625142656(38913/84/20)) lseek err Invalid argument
file_pread(5,8,buffer,625142784(38913/86/22)) lseek err Invalid argument
file_pread(5,8,buffer,625142912(38913/88/24)) lseek err Invalid argument
file_pread(5,8,buffer,625143040(38913/90/26)) lseek err Invalid argument
file_pread(5,8,buffer,625143168(38913/92/28)) lseek err Invalid argument
file_pread(5,8,buffer,625143296(38913/94/30)) lseek err Invalid argument
file_pread(5,8,buffer,625143424(38913/96/32)) lseek err Invalid argument
file_pread(5,8,buffer,625143552(38913/98/34)) lseek err Invalid argument
file_pread(5,8,buffer,625143680(38913/100/36)) lseek err Invalid argument
file_pread(5,1,buffer,625143807(38913/102/37)) lseek err Invalid argument
file_pread(5,1,buffer,625143808(38913/102/38)) lseek err Invalid argument
file_pread(5,14,buffer,625143809(38913/102/39)) lseek err Invalid argument
file_pread(5,3,buffer,625143823(38913/102/53)) lseek err Invalid argument
file_pread(5,3,buffer,625143870(38913/103/37)) lseek err Invalid argument
file_pread(5,8,buffer,625143886(38913/103/53)) lseek err Invalid argument
file_pread(5,11,buffer,625143933(38913/104/37)) lseek err Invalid argument
file_pread(5,2,buffer,625145855(38913/135/6)) lseek err Invalid argument

Results
     HPFS - NTFS          36873 110 38 38913  37 36   32768000
     NTFS found using backup sector, blocksize=4096, 16 GB / 15 GiB
     HPFS - NTFS          38873 127 39 38911 189 62     614400 [BDEDrive]
     NTFS, blocksize=4096, 314 MB / 300 MiB
Not an exFAT boot sector.

     HPFS - NTFS          36873 110 38 38913  37 36   32768000
     NTFS found using backup sector, blocksize=4096, 16 GB / 15 GiB
Can't open filesystem. Filesystem seems damaged.


dir_partition inode=5
     HPFS - NTFS          38873 127 39 38911 189 62     614400 [BDEDrive]
     NTFS, blocksize=4096, 314 MB / 300 MiB
Directory /
       5 dr-xr-xr-x     0      0         0  3-Mar-2012 07:24 .
       5 dr-xr-xr-x     0      0         0  3-Mar-2012 07:24 ..
      35 dr-xr-xr-x     0      0         0  3-Mar-2012 07:23 Boot
      97 dr-xr-xr-x     0      0         0  3-Mar-2012 07:24 System Volume Information
      96 -r--r--r--     0      0      8192  3-Mar-2012 07:23 BOOTSECT.BAK
      85 -r--r--r--     0      0    383786 20-Nov-2010 22:23 bootmgr

interface_write()
 
No partition found or selected for recovery
Failed to startup volume: Invalid argument.
Failed to startup volume: Invalid argument.
simulate write!

write_mbr_i386: starting...
write_all_log_i386: starting...
No extended partition

Interface Advanced
Geometry from i386 MBR: head=255 sector=63
check_part_i386 failed for partition type 07
NTFS at 38873/127/39
 1 P HPFS - NTFS              0  32 33 38873 127 38  624500736
 2 * HPFS - NTFS          38873 127 39 38911 189 62     614400 [BDEDrive]
     NTFS, blocksize=4096, 314 MB / 300 MiB

 1 P HPFS - NTFS              0  32 33 38873 127 38  624500736
Can't open filesystem. Filesystem seems damaged.
Not an exFAT boot sector.

 1 P HPFS - NTFS              0  32 33 38873 127 38  624500736
Can't open filesystem. Filesystem seems damaged.

ntfs_boot_sector
 1 P HPFS - NTFS              0  32 33 38873 127 38  624500736
filesystem size           390804543586094168 5917483371533155136
sectors_per_cluster       20 161
mft_lcn                   3224934975 1356870961
mftmirr_lcn               3178257084 3769315386
clusters_per_mft_record   62 -56
clusters_per_index_record 101 69
Boot sector
Status: Bad

Backup boot sector
Status: Bad

Sectors are not identical.

A valid NTFS Boot sector must be present in order to access
any data; even if the partition is not bootable.

Interface Advanced
Geometry from i386 MBR: head=255 sector=63
check_part_i386 failed for partition type 07
NTFS at 38873/127/39
 1 P HPFS - NTFS              0  32 33 38873 127 38  624500736
 2 * HPFS - NTFS          38873 127 39 38911 189 62     614400 [BDEDrive]
     NTFS, blocksize=4096, 314 MB / 300 MiB

ntfs_boot_sector
 1 P HPFS - NTFS              0  32 33 38873 127 38  624500736
filesystem size           390804543586094168 5917483371533155136
sectors_per_cluster       20 161
mft_lcn                   3224934975 1356870961
mftmirr_lcn               3178257084 3769315386
clusters_per_mft_record   62 -56
clusters_per_index_record 101 69
Boot sector
Status: Bad

Backup boot sector
Status: Bad

Sectors are not identical.

A valid NTFS Boot sector must be present in order to access
any data; even if the partition is not bootable.

Did you find any solution to get access to the drive/files?

chakko99 said:

Did you find any solution to get access to the drive/files?

I did, but it required my company's helpdesk since the hard drive was encrypted.

After I did this...

TheJoeFletch said:

I brought the machine in Monday morning and they told me that the hard drive is encrypted with McAfee. They tried to run some software on my machine from a USB drive (I did not catch the name of it) but it locked up and they did not try it again. They pulled the hard drive from the machine to test it via a diagnostic machine and got an I/O error. At this point they told me that they could not do anything because the hard drive crashed. But I didn't believe it since I did not get any errors from connecting through my personal USB hard drive adapter. So I was able to get the hard drive in order to continue testing on my own (which may or may not be a good idea since they didn't want to give it up).

I thought I was screwed. But I took it back to another help desk location within my company and they had it fixed in a few hours. They had to decrypt the whole hard drive, fix it (sorry I do not recall what it was - I think that it had to do with a bad / failed windows update) and then turn it back over to me. The first help desk location was terrible and didn't want to do the work. It took nearly a full day to get it sorted out. I hope this helps. Sorry for the late reply.