Forensic acquisition of a Secure Boot enabled system

ridders
(@ridders)
Posts: 12
Active Member
Topic starter
 

Hi,

I'm hoping someone might be able to point me in the right direction for taking a forensic acquisition of a Fujitsu Lifebook AH512 Laptop which has secure boot enabled.

During the examination process, I have noted the following

The bios clearly displays that secure boot is enabled, and the option to disable this is greyed out.

I have refrained from removing the HDD and taking a forensic copy via my own forensic workstation, as a colleague of mine has advised me of a similar experience, whereby upon reinstalling the HDD, the drive was rendered useless as it had encrypted itself. I am uncertain if this is because he disabled the secure boot in the first instance, or whether this is a security feature if the drive is removed? If anyone can shed any light on this, that would be much appreciated.

I considered following ACPO guidelines, and booting directly into windows, where I could use something like FTK imager lite to take a forensic copy, however I get as far as the windows 8 login screen which is password protected. I have not been provided any password to proceed further.

If anyone can suggest any other methods, it would be of great help.

Many thanks

 
Posted : 07/04/2014 3:55 pm
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

Secureboot is somehow a misnomer.

It should be called "trustedboot".
http://technet.microsoft.com/en-us/library/hh824987.aspx
http://docs.fedoraproject.org/en-US/Fedora/18/html/UEFI_Secure_Boot_Guide/index.html
it is simply a mechanism that allows booting from "digitally signed" bootloaders/bootmanagers.

Secureboot in itself won't encrypt anything, but that particular make/model laptop (or even the actual hard disk in it) may well have other provisions that make the drive encrypted.

Does it not boot from CD/DVD and/or USB?

jaclaz

 
Posted : 07/04/2014 6:29 pm
ridders
(@ridders)
Posts: 12
Active Member
Topic starter
 

Jaclaz,

Thank you for your response, I should have mentioned in my first post, what the result is from booting from USB or CD. The result is the following

If I attempt to boot from USB, I get the error "Setup Warning Boot failure", this then returns to the boot device selection page.

Or if I attempt to boot from CD, I get the error "Image failed to verify with *ACCESS DENIED*. Press any key to continue", this proceeds to another page which presents "Failed to start loader.efi (14) not found".

 
Posted : 07/04/2014 7:22 pm
(@athulin)
Posts: 1156
Noble Member
 

The bios clearly displays that secure boot is enabled, and the option to disable this is greyed out.

You need to translate that into reality. Does it mean that the HDD supports the ATA Security Mode Feature Set (most modern disks do, particularly laptop drives), and that it is enabled. (If it is, how? Does it have a Master Password, or only a User Password, for example). Or does it refer to something else? Find the relevant User Manual, and examine it.

ATA Security Mode Features should be testable by examining the HDD configuration. hdparm in Linux does it, for example. If you haven't experimented with a disk with this feature set enabled you may want to do that first.

… as a colleague of mine has advised me of a similar experience, whereby upon reinstalling the HDD, the drive was rendered useless as it had encrypted itself.

There are situations in which a Security Mode enabled disk will reset. One example is too many failed attempts to provide a password. Or, if Maximum Security Level is set, and you don't have the User Password. In that case, the Master Password can be used to unlock the drive, but it will also erase it.
Without knowing exactly what he did, it's difficult to say why it behaved the way it did.

If anyone can suggest any other methods, it would be of great help.

First find out what you're facing. Asking the manufacturer is probably the fastest.

If it's ATA Security, do you have either password? If you do, will use of that password give you access to data or not? But if you don't have any password, find a reputable data recovery company – there are products that claim to be able to bypass various forms of HDD security for specific products.

 
Posted : 07/04/2014 8:37 pm
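One way to carry out the hdparm check athulin describes, as an added example that is not part of the thread: it parses the "Security:" section of `hdparm -I` output (layout assumed from typical hdparm versions; both sample outputs are constructed, not taken from the Lifebook) and maps the result to the unlock/erase consequences discussed above.

```shell
#!/bin/sh
# Added example, not from the thread: parse the "Security:" section of
# `hdparm -I` (read-only identify query) to get the ATA Security Mode state.
# Samples are constructed; real hdparm output is tab-indented, also accepted.
# stdin: hdparm -I. Prints not-supported | disabled | enabled-unlocked |
# enabled-locked, plus ",frozen" and ",level=high|maximum" when reported.
ata_security_summary() {
    awk '
        /^Security:/                 { insec = 1; next }
        insec && /^[^[:space:]]/     { insec = 0 }   # next top-level section
        !insec                       { next }
        $1 == "supported" && NF == 1 { sup = 1 }     # "not supported" has NF == 2
        $1 == "enabled"   && NF == 1 { en = 1 }
        $1 == "locked"    && NF == 1 { lk = 1 }
        $1 == "frozen"    && NF == 1 { fr = 1 }
        $1 == "Security" && $2 == "level" { lvl = $3 }
        END {
            if (!sup) { print "not-supported"; exit }
            s = en ? (lk ? "enabled-locked" : "enabled-unlocked") : "disabled"
            if (fr)        s = s ",frozen"
            if (lvl != "") s = s ",level=" lvl
            print s
        }'
}

# Consequence per the thread: at level high the master password unlocks the
# data; at level maximum it can only erase, so only the user password helps.
ata_security_advice() {
    case "$1" in
        not-supported)          echo "no ATA password; look for software or firmware FDE" ;;
        disabled*)              echo "ATA security off; a self-locking drive is not the cause" ;;
        enabled-unlocked*)      echo "unlocked now: image before a power cycle re-locks it" ;;
        enabled-locked*maximum) echo "locked, maximum: user password only; master erases" ;;
        enabled-locked*)        echo "locked, high: user or master password unlocks intact" ;;
    esac
}
# Constructed samples: a locked drive at maximum level, and an untouched one.
SAMPLE_LOCKED='Security:
        supported
        enabled
        locked
    Security level maximum
Checksum: correct'
SAMPLE_FROZEN='Security:
        supported
    not enabled
    not locked
        frozen'
summary=$(printf '%s\n' "$SAMPLE_LOCKED" | ata_security_summary)
echo "$summary: $(ata_security_advice "$summary")"
```

On a live system, replace the sample with `hdparm -I /dev/sdX | ata_security_summary`; the identify query does not change the drive's security state.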
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

Jaclaz,

Thank you for your response, I should have mentioned in my first post, what the result is from booting from USB or CD. The result is the following

If I attempt to boot from USB, I get the error "Setup Warning Boot failure", this then returns to the boot device selection page.

Or if I attempt to boot from CD, I get the error "Image failed to verify with *ACCESS DENIED*. Press any key to continue", this proceeds to another page which presents "Failed to start loader.efi (14) not found".

Yep, but it may depend on WHAT you attempt to boot from CD/DVD or USB.
You need to boot *something* that also uses a Secureboot compatible bootloader/bootmanager.
If the BIOS/UEFI is really "locked down" I guess that you are stuck.

What you need is a forensically sound Linux live CD compatible with Secureboot or "merge" this
http://www.911cd.net/forums//index.php?showtopic=25269
with WinFE
http://reboot.pro/topic/19036-mini-winfe/
of course you will need to experiment on a test machine.
The Fedora is one of the "approved" Linuxes, cannot say if any specifically "forensic" distro exists with these.

Additionally and really "rare", but JFYI
http://www.forensicfocus.com/Forums/viewtopic/t=9426/
http://www.forensicfocus.com/Forums/viewtopic/t=8383/
http://www.forensicfocus.com/Forums/viewtopic/t=7907/

jaclaz

 
Posted : 08/04/2014 12:18 am
Passmark
(@passmark)
Posts: 376
Reputable Member
 

As pointed out disk encryption and secure boot aren't linked. You can have one without the other.

In some BIOSes a supervisor password is required to be set before you can access and turn off some of the options in BIOS (secure boot and CSM).

Also for Windows logo-certified Windows RT 8.1 and Windows RT PCs, Secure Boot is required to be configured so that it cannot be disabled (this is for ARM based hardware). But I think the Lifebook is an x86 machine and so should not have this issue.

 
Posted : 08/04/2014 8:39 am
harryparsonage
(@harryparsonage)
Posts: 184
Estimable Member
 

Yes, Secure Boot is a nuisance when trying to boot with a W8 alternative.

Google will get you the answer pretty quickly, the key with Fujitsu seems to be that you have to set a supervisor password before you can access any advanced settings.

http://www.tomshardware.co.uk/forum/61553-63-downgrading-win7-problem

H

 
Posted : 09/04/2014 12:33 pm
(@rampage)
Posts: 354
Reputable Member
 

About linux live CDs which are meant to work with secure boot, you can try CAINE 5 blackhole by booting from flash drive.

I haven't tested it myself, as till now I didn't run into a secure boot enabled system, but it should work.

http://www.nannibassetti.com/dblog/articolo.asp?articolo=196

you need the USB flashdrive version as the CD won't boot if secure boot is enabled.

 
Posted : 09/04/2014 3:35 pm
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

you need the USB flashdrive version as the CD won't boot if secure boot is enabled.

My guess is that this depends on the specific BIOS/UEFI implementation of the machine, there are reports of people having "happily" booted from CD/DVD with Secureboot enabled (of course media that contain Secureboot compatible loaders) and people that were even "stuck in a loop" when downgrading from Windows 8 to Windows 7.

The "standard" (EFI/UEFI) consists of 2180 pages, and it represents IMHO a non-standard 😯
http://www.forensicfocus.com/Forums/viewtopic/t=11276/

jaclaz

 
Posted : 09/04/2014 7:57 pm