In this PGP encrypted hard drive recovery case study, the client had used full-drive encryption to secure the data on their laptop. With Symantec PGP whole disk encryption, the entirety of their hard drive was password-protected. PGP encryption, also known as “Pretty Good Privacy” encryption, was invented by Phil Zimmerman in 1991. Technology companies such as Symantec offer software that uses this strong encryption method to protect users’ data.

PGP encryption helps protect the data on your hard drive from unwanted access. But it doesn’t protect your hard drive from any physical or logical damage. When this client’s laptop failed to boot up one day, the client removed the hard drive. They found that the drive grew very hot when they tried to power it on, and could not get it to detect on another machine. The client quickly contacted our recovery client advisers here at Gillware Data Recovery and send the hard drive to our data recovery lab.

PGP Encrypted Hard Drive Recovery Case Study: Laptop Not Booting
Drive Model: Hitachi HTS725050A7E630
Drive Capacity: 500 GB
Operating System: Windows
Situation: Laptop became very hot and wouldn’t boot
Type of Data Recovered: User Word and Excel documents
Binary Read: 67.2%
Gillware Data Recovery Case Rating: 9

Firmware and Parts Compatibility Issues

When our data recovery engineers inspected the client’s hard drive in our cleanroom, they found that the drive’s read/write heads had crashed. There was some moderate damage to the drive’s platters as well. The drive needed its read/write heads replaced.

Even when two hard drives share the same model number, they are both still special snowflakes. Each hard drive has to be calibrated in the factory for its unique tolerances and minor defects separately. The calibration makes sure the drive’s internal components work properly, according to its unique differences. The calibration data is stored in a ROM chip on the drive’s control board.

A hard drive will never truly behave optimally if it has another drive’s read/write heads inside it. This is simply because the drive’s calibrations just do not line up with the unimaginably tiny variations between the two sets of read/write heads. This can make finding suitable donor parts frustrating.

This hard drive was particularly uncooperative with our engineers. Normally, when a hard drive powers on, its read/write heads find the firmware, read it, and store the data in the drive’s RAM before continuing its normal operations. The drive’s new read/write heads wouldn’t do this properly. They could read the firmware, but our engineers had to manually load it into the drive’s RAM.

Due to adaptive drift, it took multiple sets of donor heads to read this hard drive. As a repaired hard drive continues to operate, its operating conditions change. When the conditions shift too far, the hard drive’s replacement parts become incompatible, and must be themselves replaced. Eventually, after multiple donors have been used on this drive and the drive’s condition had continued to degrade, we had gotten all we could get: 67% of the drive’s binary.

Symantec PGP Decryption

PGP encrypted hard drive recovery
You can see a small unencrypted PGPGUARD header on the first sector of a PGP encrypted drive.

Symantec PGP whole drive encryption encrypts the entire hard drive (hence the name). Well, almost all of it. The only part of the drive that remains unencrypted is a small portion at the beginning of Sector 0 that tells anything talking to the drive how it’s encrypted.

There’s no way to decrypt the drive on the fly, unfortunately, which puts our engineers in a bind when the drive is damaged. There isn’t any way to target used areas of the disk, because there is no way to discern encrypted data from encrypted zeroes.

When a drive is damaged to the point where a full (or near-full) disk image isn’t possible, the situation is very worrying for our engineers. There’s no way of knowing how much stuff we’ve gotten. If the tiny parts of the disk that contain the encryption metadata couldn’t be recovered, then we can’t decrypt the recovered data, even with the correct password.

And so our logical engineer Cody took the encrypted disk image out of our cleanroom, used the client’s password to decrypt the disk, crossed his fingers, held his breath, and waited.

And waited.

As a byproduct of its design, Symantec PGP whole disk encryption actually takes a very long time to undo. Our engineers are, unfortunately, at its mercy. Cody began the decryption process on a Friday morning. By the end of that day, about five percent of the disk had been decrypted. It wasn’t until the next Tuesday that the process finished.

PGP Encrypted Hard Drive Recovery – Conclusion

Cody reviewed the results of this data recovery as soon as the operation finished. The results were very good. Imaging the drive had been a shot in the dark due to the encryption. But our engineers had gotten 99.8% of the drive’s file definitions. Of the 99.8% of the files we knew about on the disk, the vast majority had been completely recovered. All of the client’s critical data was there. We rated this PGP encrypted hard drive recovery case a 9 on our ten-point data recovery case rating scale.