Self-Encrypting HardDrive -- How to image?
Posted: Sat Jul 21, 2012 2:01 pm
I have a Seagate Momentus FDE self-encrypting hard drive.
To my understanding the encryption processing is done on a chip inside the drive.
I'm curious how to make a forensically sound image of it and analyze it.
I have the username/password to the encryption, but if I boot it, I lose time-stamps, etc.
I talked to EnCase (what I use) and they sell a decryption module for EnCase, but it only works for things like PGP; they don't support Seagate self-encrypting drives.
Has anyone come across this before?
I think Hitachi makes a similar hardware-based encrypted drive.
This is the drive:
www.cdwg.com/shop/prod...46614.aspx
Any ideas?
Thanks,
Jon
-
jond - Newbie
Re: Self-Encrypting HardDrive -- How to image?
Posted: Sat Jul 21, 2012 4:45 pm
What is the reason you cannot slave it (secondary drive, instead of boot) through a write-blocker?
(elucidation added)
Last edited by jhup on Sun Jul 22, 2012 1:04 pm; edited 1 time in total
-

jhup - Senior Member
Re: Self-Encrypting HardDrive -- How to image?
Posted: Sat Jul 21, 2012 8:02 pm
Have you tried password removal in PC-3000 or Atola? If that particular HDD model is supported by PC-3000 or Atola, you can remove the password and then access the hard drive and make a forensic image of the hard drive.
-

yunus - Senior Member
Re: Self-Encrypting HardDrive -- How to image?
Posted: Sun Jul 22, 2012 3:55 am
- jond: I have a Seagate Momentus FDE self-encrypting hard drive.
To my understanding the encryption processing is done on a chip inside the drive.
I'm curious how to make a forensically sound image of it and analyze it.
I have the username/password to the encryption, but if I boot it, I lose time-stamps, etc.
At least from what Seagate says, it seems like the data is actually ALWAYS encrypted with a specific drive "key", and the password is only a way to access the on-the-fly decryption module (or whatever):
seagatewtb.test3.cs3.f...Q/206011en
From what I understand from the above, it seems like it is possible to "disable" the password and let the encryption/decryption become "transparent", thus the disk should work as "normal" drive even without booting.
Of course whether this is actually what happens and whether the procedure would be acceptable in the context of the investigation you are after it's entirely up to you.
The good guys at Seagate - since the drive is discontinued - removed most of the pages related to it, but something is still retrievable from the Wayback Machine:
web.archive.org/web/20...ee0a0aRCRD
maybe contacting one of these "software partners" you may get something for the specific use.
jaclaz
_________________
- In theory there is no difference between theory and practice, but in practice there is. -
-

jaclaz - Senior Member
Re: Self-Encrypting HardDrive -- How to image?
Posted: Mon Jul 23, 2012 2:36 am
I have read the spec PDF of the drive from Seagate and I have 2 thoughts:
1) Free solution. Connect the drive to SATA and boot up the machine using WinFE and FTK Imager.
2) Commercial solution. Connect the drive to SATA and boot up the machine using EnCase portable.
-

mansiu - Member
Re: Self-Encrypting HardDrive -- How to image?
Posted: Mon Jul 23, 2012 5:48 am
Further reading of the document I provided a link to earlier makes it clear that it is possible to disable the use of password on a non-boot disk, or at least this is possible using the Maxtor BlackArmor software.
knowledge.seagate.com/...Q/207211en
www.seagate.com/suppor...ba-master/
Whether this software can be used also on Seagate drives connected through a "generic" USB enclosure is yet to be tested.
jaclaz
_________________
- In theory there is no difference between theory and practice, but in practice there is. -
-

jaclaz - Senior Member
Re: Self-Encrypting HardDrive -- How to image?
Posted: Mon Jul 23, 2012 8:39 am
- jhup: What is the reason you cannot slave it (secondary drive, instead of boot) through a write-blocker?
(elucidation added)
Good question. That's the ideal scenario. Problem is the host computer won't be able to read the encrypted drive.
I would need some sort of 3rd party tool (I would assume) to decrypt the drive from the host PC.
- yunus: Have you tried password removal in PC-3000 or Atola? If that particular HDD model is supported by PC-3000 or Atola, you can remove the password and then access the hard drive and make a forensic image of the hard drive.
Thanks for the suggestion. I emailed their pre-sales support to see if they can do it.
It looks like they may only deal with BIOS passwords, but we'll see...
- jaclaz: From what I understand from the above, it seems like it is possible to "disable" the password and let the encryption/decryption become "transparent", thus the disk should work as "normal" drive even without booting.
Of course whether this is actually what happens and whether the procedure would be acceptable in the context of the investigation you are after it's entirely up to you.
Yeah I'm curious about that. I would like to boot it to the BIOS and see if there's a disable option there or not.
Hopefully I can find a safer option that would involve a write-blocker, but we'll see. It might have to be done if it's possible.
- jaclaz: The good guys at Seagate - since the drive is discontinued - removed most of the pages related to it, but something is still retrievable from the Wayback Machine:
web.archive.org/web/20...ee0a0aRCRD
maybe contacting one of these "software partners" you may get something for the specific use.
jaclaz
That's a good point too. I did find this from one of their software partners:
"OS Recovery for self-encrypting drives" by Wave
Basically it says to boot the device, enter the pre-boot encryption password, then quickly hit F8 to halt the boot. Then put in a boot CD like WIN PE or whatever. It will boot to CD and the drive will be unencrypted.
Problem still is no write blocker is involved.
www.tvtonic.com/suppor...DM-006.asp
- mansiu: I have read the spec PDF of the drive from Seagate and I have 2 thoughts:
1) Free solution. Connect the drive to SATA and boot up the machine using WinFE and FTK Imager.
2) Commercial solution. Connect the drive to SATA and boot up the machine using EnCase portable.
Good ideas. I was looking into WinFE and EnCase portable and it looks like it might work in the situation above where the drive stays in the original laptop, it booted past pre-boot authentication, and then halted for something like EnCase portable to run. That might work...
- jaclaz: Further reading of the document I provided a link to earlier makes it clear that it is possible to disable the use of password on a non-boot disk, or at least this is possible using the Maxtor BlackArmor software.
knowledge.seagate.com/...Q/207211en
www.seagate.com/suppor...ba-master/
Whether this software can be used also on Seagate drives connected through a "generic" USB enclosure is yet to be tested.
jaclaz
Thanks. I'm looking into this more. My only fear is hooking up my evidence to another device w/o a write blocker and that thing somehow corrupting it or writing over the evidence. If I can put the write blocker in-line with it, it might work. I'll look into it more.
-
jond - Newbie
















