Forensic acquisition of a Secure Boot enabled system
Posted: Mon Apr 07, 2014 4:55 am

Hi,

I'm hoping someone might be able to point me in the right direction for taking a forensic acquisition of a Fujitsu Lifebook AH512 Laptop which has secure boot enabled.

During the examination process, I have noted the following:

The bios clearly displays that secure boot is enabled, and the option to disable this is greyed out.

I have refrained from removing the HDD and taking a forensic copy via my own forensic workstation, as a colleague of mine has advised me of a similar experience, whereby upon reinstalling the HDD, the drive was rendered useless as it had encrypted itself. I am uncertain if this is because he disabled the secure boot in the first instance, or whether this is a security feature if the drive is removed? If anyone can shed any light on this, that would be much appreciated.

I considered following ACPO guidelines, and booting directly into windows, where I could use something like FTK imager lite to take a forensic copy, however I get as far as the windows 8 login screen which is password protected. I have not been provided any password to proceed further.

If anyone can suggest any other methods, it would be of great help.

Many thanks  

ridders
Newbie

Re: Forensic acquisition of a Secure Boot enabled system

Posted: Mon Apr 07, 2014 7:29 am

Secureboot is something of a misnomer.

It should be called "trustedboot".
technet.microsoft.com/...24987.aspx
docs.fedoraproject.org...index.html
It is simply a mechanism that allows booting from "digitally signed" bootloaders/bootmanagers.

Secureboot in itself won't encrypt anything, but that particular make/model laptop (or even the actual hard disk in it) may well have other provisions that make the drive encrypted.

Does it not boot from CD/DVD and/or USB?

jaclaz
_________________
- In theory there is no difference between theory and practice, but in practice there is. - 

jaclaz
Senior Member
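Once you do get a Linux live environment to boot on the machine, the firmware's Secure Boot state can be read directly rather than taken from the BIOS menu. The following is an added example, not code from jaclaz's post or from any of the linked pages: it decodes the SecureBoot and SetupMode variables that Linux exposes through efivarfs. The mount point and the EFI_GLOBAL_VARIABLE GUID are the real ones; each efivarfs file is a 4-byte attribute header followed by the variable data, and both variables are one-byte booleans. The demo files at the bottom are constructed so the decoding can be exercised offline.

```shell
#!/bin/sh
# Added example (not from the thread): report the firmware's Secure Boot state
# from a Linux live environment by decoding the UEFI variables exposed through
# efivarfs. Each efivarfs file is 4 bytes of attribute flags followed by the
# variable data; SecureBoot and SetupMode are single-byte booleans.
# The GUID below is the real EFI_GLOBAL_VARIABLE GUID used by these variables.

EFIVARS=/sys/firmware/efi/efivars
GLOBAL_GUID=8be4df61-93ca-11d2-aa0d-00e098032b8c

# efivar_byte FILE -> prints the first data byte (after the 4-byte header) as decimal
efivar_byte() {
    od -An -t u1 -j 4 -N 1 "$1" | tr -d ' \n'
}

# secureboot_state [DIR] -> one of: enabled, disabled, setup-mode, not-uefi, unknown
# DIR defaults to the live efivarfs mount; a different directory can be passed
# so the function can be exercised on constructed variable files offline.
secureboot_state() {
    dir=${1:-$EFIVARS}
    sb="$dir/SecureBoot-$GLOBAL_GUID"
    sm="$dir/SetupMode-$GLOBAL_GUID"
    # No efivars at all: legacy BIOS/CSM boot, Secure Boot cannot be active
    [ -d "$dir" ] || { echo not-uefi; return 0; }
    [ -r "$sb" ] || { echo unknown; return 0; }
    # In setup mode no platform key is enrolled, so signatures are not enforced
    if [ -r "$sm" ] && [ "$(efivar_byte "$sm")" = 1 ]; then
        echo setup-mode; return 0
    fi
    case "$(efivar_byte "$sb")" in
        1) echo enabled ;;
        0) echo disabled ;;
        *) echo unknown ;;
    esac
}

# Offline demonstration on constructed files mimicking efivarfs content:
# attribute word 0x06 (BS|RT) little-endian, followed by the one-byte value.
demo_secureboot() {
    d=$(mktemp -d)
    printf '\006\000\000\000\001' > "$d/SecureBoot-$GLOBAL_GUID"
    printf '\006\000\000\000\000' > "$d/SetupMode-$GLOBAL_GUID"
    secureboot_state "$d"
    rm -rf "$d"
}

demo_secureboot   # prints: enabled
```

On a real system call `secureboot_state` with no argument; it needs a kernel booted in UEFI mode with efivarfs mounted (the usual case on a modern live distro), and reading the variables is a pure read of firmware state, so it does not alter anything on the evidence machine. A result of `not-uefi` on a machine whose BIOS claims Secure Boot is on means the live medium was started through the CSM, so Secure Boot was simply not in the path.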

Re: Forensic acquisition of a Secure Boot enabled system

Posted: Mon Apr 07, 2014 8:22 am

Jaclaz,

Thank you for your response. I should have mentioned in my first post what the result is from booting from USB or CD. The result is the following:

If I attempt to boot from USB, I get the error "Setup Warning: Boot failure", this then returns to the boot device selection page.

Or if I attempt to boot from CD, I get the error "Image failed to verify with *ACCESS DENIED*. Press any key to continue", this proceeds to another page which presents "Failed to start loader.efi (14) not found".  

ridders
Newbie

Re: Forensic acquisition of a Secure Boot enabled system

Posted: Mon Apr 07, 2014 9:37 am

- ridders
The bios clearly displays that secure boot is enabled, and the option to disable this is greyed out.


You need to translate that into reality. Does it mean that the HDD supports the ATA Security Mode Feature Set (most modern disks do, particularly laptop drives), and that it is enabled? (If it is, how? Does it have a Master Password, or only a User Password, for example.) Or does it refer to something else? Find the relevant User Manual, and examine it.

ATA Security Mode Features should be testable by examining the HDD configuration. hdparm in Linux does it, for example. If you haven't experimented with a disk with this feature set enabled you may want to do that first.

... as a colleague of mine has advised me of a similar experience, where by upon reinstalling the HDD, the drive was rendered useless as it had encrypted itself.


There are situations in which a Security Mode enabled disk will reset. One example is too many failed attempts to provide a password. Or, if Maximum Security Level is set, and you don't have the User Password. In that case, the Master Password can be used to unlock the drive, but it will also erase it.
Without knowing exactly what he did, it's difficult to say why it behaved the way it did.

If anyone can suggest any other methods, it would be of great help.


First find out what you're facing. Asking the manufacturer is probably the fastest.

If it's ATA Security, do you have either password? If you do, will use of that password give you access to data or not? But if you don't have any password, find a reputable data recovery company -- there are products that claim to be able to bypass various forms of HDD security for specific products.  

athulin
Senior Member
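To make athulin's hdparm suggestion concrete, here is an added example that is not athulin's code and not part of the thread. It parses the "Security:" section that `hdparm -I` prints (the line layout is hdparm's own: a leading "not" before "enabled", "locked" or "frozen" when the bit is clear, and a "Security level high/maximum" line when security is enabled) and turns it into a one-line state plus advice on what each password can and cannot do. The sample output embedded in the script is constructed to look like a drive with a user password set at maximum level; it is not output from any real device.

```shell
#!/bin/sh
# Added example (not from the thread): decode the "Security:" section of
# `hdparm -I /dev/sdX` to see whether the ATA Security Mode Feature Set is
# enabled, locked or frozen before doing anything to a seized drive.
# ata_security_state reads hdparm -I output on stdin and prints one line:
#   enabled=<yes|no> locked=<yes|no> frozen=<yes|no> level=<high|maximum|none>

ata_security_state() {
    awk '
        /^Security:/       { insec = 1; next }
        # the section ends at the next unindented heading (e.g. "Checksum:")
        insec && /^[^ \t]/ { insec = 0 }
        insec {
            neg  = ($1 == "not")          # hdparm prints "not<TAB>enabled" etc.
            word = neg ? $2 : $1
            if (word == "enabled") en = !neg
            if (word == "locked")  lk = !neg
            if (word == "frozen")  fr = !neg
            if ($1 == "Security" && $2 == "level") lvl = $3
        }
        END {
            printf "enabled=%s locked=%s frozen=%s level=%s\n",
                   en ? "yes" : "no", lk ? "yes" : "no", fr ? "yes" : "no",
                   lvl ? lvl : "none"
        }'
}

# Constructed sample, shaped like the Security block hdparm prints for a drive
# with a user password set at maximum security level (not real device output).
SAMPLE='ATA device, with non-removable media
Security: 
	Master password revision code = 65534
		supported
		enabled
		locked
	not	frozen
	not	expired: security count
		supported: enhanced erase
	Security level maximum
	2min for SECURITY ERASE UNIT. 2min for ENHANCED SECURITY ERASE UNIT.
Checksum: correct'

# Spell out the consequences of the observed state. Per the ATA security
# semantics: at maximum level the master password cannot unlock the drive, it
# can only authorise SECURITY ERASE UNIT, which destroys the data; at high
# level either password unlocks without erasing.
ata_security_advice() {
    state=$(ata_security_state)
    case "$state" in
        *"locked=yes"*"level=maximum"*)
            echo "$state :: LOCKED at maximum level: only the user password unlocks; master password = erase" ;;
        *"locked=yes"*)
            echo "$state :: LOCKED: user or master password unlocks without erasing" ;;
        *"enabled=yes"*)
            echo "$state :: security enabled but currently unlocked: image now, do not power-cycle" ;;
        *)
            echo "$state :: ATA security not enabled" ;;
    esac
}

printf '%s\n' "$SAMPLE" | ata_security_advice
# Live use (as root): hdparm -I /dev/sdX | ata_security_advice
```

Two practical caveats: `hdparm -I` issues an ATA IDENTIFY DEVICE, which is read-only, but it needs ATA pass-through, and many USB bridges and USB write blockers do not forward it, so run it with the disk on a SATA write blocker or a native SATA port. And a drive that reports `enabled=yes locked=no` is in the state you want to image: it is unlocked because the host (or the user, at boot) already supplied the password, and a power cycle will lock it again.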

Re: Forensic acquisition of a Secure Boot enabled system

Posted: Mon Apr 07, 2014 1:18 pm

- ridders
Jaclaz,

Thank you for your response, I should have mentioned in my first post, what the result is from booting from USB or CD. The result is the following:

If I attempt to boot from USB, I get the error "Setup Warning: Boot failure", this then returns to the boot device selection page.

Or if I attempt to boot from CD, I get the error "Image failed to verify with *ACCESS DENIED*. Press any key to continue", this proceeds to another page which presents "Failed to start loader.efi (14) not found".


Yep :) , but it may depend on what you attempt to boot from CD/DVD or USB.
You need to boot *something* that also uses a Secureboot compatible bootloader/bootmanager.
If the BIOS/UEFI is really "locked down" I guess that you are stuck. :(

What you need is a forensically sound Linux live CD compatible with Secureboot, or "merge" this:
www.911cd.net/forums//...opic=25269
with WinFE:
reboot.pro/topic/19036-mini-winfe/
Of course you will need to experiment on a test machine.
Fedora is one of the "approved" Linuxes; cannot say if any specifically "forensic" distro exists with these.

Additionally and really "rare", but JFYI:
www.forensicfocus.com/...ic/t=9426/
www.forensicfocus.com/...ic/t=8383/
www.forensicfocus.com/...ic/t=7907/

jaclaz
_________________
- In theory there is no difference between theory and practice, but in practice there is. - 

jaclaz
Senior Member

Re: Forensic acquisition of a Secure Boot enabled system

Posted: Mon Apr 07, 2014 9:39 pm

As pointed out disk encryption and secure boot aren't linked. You can have one without the other.

In some BIOSes a supervisor password is required to be set before you can access and turn off some of the options in the BIOS (Secure Boot and CSM).

Also, for Windows logo-certified Windows RT 8.1 and Windows RT PCs, Secure Boot is required to be configured so that it cannot be disabled (this is for ARM-based hardware). But I think the Lifebook is an x86 machine and so should not have this issue.

Passmark
Senior Member

Re: Forensic acquisition of a Secure Boot enabled system

Posted: Wed Apr 09, 2014 1:33 am

Yes, Secure Boot is a nuisance when trying to boot with a W8 alternative.

Google will get you the answer pretty quickly; the key with Fujitsu seems to be that you have to set a supervisor password before you can access any advanced settings.

www.tomshardware.co.uk...n7-problem

H
_________________
ADF Solutions - Leaders in Digital Forensic Triage
www.adfsolutions.com/
--------------------------------------------------------
Resources for Forensic Practitioners
computerforensics.parsonage.co.uk 

harryparsonage
Senior Member