Self-Encrypting HardDrive -- How to image?

Self-Encrypting HardDrive -- How to image?

Post Posted: Sat Jul 21, 2012 7:01 pm

I have a Seagate Momentus FDE self-encrypting hard drive.
To my understanding the encryption processing is done on a chip inside the drive.
I'm curious how to make a forensically sound image of it and analyze it.

I have the username/password to the encryption, but if I boot it, I lose time-stamps, etc.

I talked to EnCase (what I use) and they sell a decryption module for EnCase, but it only works for things like PGP; they don't support Seagate self-encrypting drives.

Has anyone come across this before?
I think Hitachi makes a similar hardware-based encrypted drive.

This is the drive:
www.cdwg.com/shop/prod...46614.aspx

Any ideas?


Thanks,
Jon  

jond
Newbie
 
 
  

Re: Self-Encrypting HardDrive -- How to image?

Post Posted: Sat Jul 21, 2012 9:45 pm

What is the reason you cannot slave it (secondary drive, instead of boot) through a write-blocker?


(elucidation added)  

Last edited by jhup on Sun Jul 22, 2012 6:04 pm; edited 1 time in total

jhup
Senior Member
 
 
  

Re: Self-Encrypting HardDrive -- How to image?

Post Posted: Sun Jul 22, 2012 1:02 am

Have you tried password removal in PC-3000 or Atola? If that particular HDD model is supported by PC-3000 or Atola, you can remove the password and then access the hard drive and make a forensic image of the hard drive.

yunus
Senior Member
 
 
  

Re: Self-Encrypting HardDrive -- How to image?

Post Posted: Sun Jul 22, 2012 8:55 am

- jond
I have a Seagate Momentus FDE self-encrypting hard drive.
To my understanding the encryption processing is done on a chip inside the drive.
I'm curious how to make a forensically sound image of it and analyze it.

I have the username/password to the encryption, but if I boot it, I lose time-stamps, etc.

At least from what Seagate says, it seems like the data is actually ALWAYS encrypted with a specific drive "key", and the password is only a way to access the on-the-fly decryption module (or whatever):
seagatewtb.test3.cs3.f...Q/206011en

From what I understand from the above, it seems like it is possible to "disable" the password and let the encryption/decryption become "transparent", thus the disk should work as a "normal" drive even without booting.
Of course, whether this is actually what happens and whether the procedure would be acceptable in the context of the investigation you are after is entirely up to you.

The good guys at Seagate - since the drive is discontinued - removed most of the pages related to it, but something is still retrievable from the Wayback Machine:
web.archive.org/web/20...ee0a0aRCRD
Maybe by contacting one of these "software partners" you may get something for the specific use.

jaclaz
_________________
- In theory there is no difference between theory and practice, but in practice there is. - 

jaclaz
Senior Member
 
 
  

Re: Self-Encrypting HardDrive -- How to image?

Post Posted: Mon Jul 23, 2012 7:36 am

I have read the spec PDF of the drive from Seagate and I have 2 thoughts:

1) Free solution. Connect the drive to SATA and boot up the machine using WinFE and FTK Imager.

2) Commercial solution. Connect the drive to SATA and boot up the machine using EnCase Portable.

mansiu
Senior Member
 
 
  

Re: Self-Encrypting HardDrive -- How to image?

Post Posted: Mon Jul 23, 2012 10:48 am

Further reading on the document I provided a link to earlier makes it clear that it is possible to disable the use of the password on a non-boot disk, or at least this is possible using the Maxtor BlackArmor software.
knowledge.seagate.com/...Q/207211en
www.seagate.com/suppor...ba-master/
Whether this software can be used also on Seagate drives connected through a "generic" USB enclosure is yet to be tested.

jaclaz
_________________
- In theory there is no difference between theory and practice, but in practice there is. - 

jaclaz
Senior Member
 
 
  

Re: Self-Encrypting HardDrive -- How to image?

Post Posted: Mon Jul 23, 2012 1:39 pm

- jhup
What is the reason you cannot slave it (secondary drive, instead of boot) through a write-blocker?
(elucidation added)


Good question. That's the ideal scenario. The problem is the host computer won't be able to read the encrypted drive.
I would need some sort of 3rd party tool (I would assume) to decrypt the drive from the host PC.


- yunus
Have you tried password removal in PC-3000 or Atola? If that particular HDD model is supported by PC-3000 or Atola, you can remove the password and then access the hard drive and make a forensic image of the hard drive.


Thanks for the suggestion. I emailed their pre-sales support to see if they can do it.
It looks like they may only deal with BIOS passwords, but we'll see...

- jaclaz
From what I understand from the above, it seems like it is possible to "disable" the password and let the encryption/decryption become "transparent", thus the disk should work as a "normal" drive even without booting.
Of course, whether this is actually what happens and whether the procedure would be acceptable in the context of the investigation you are after is entirely up to you.


Yeah, I'm curious about that. I would like to boot it to the BIOS and see if there's a disable option there or not.
Hopefully I can find a safer option that would involve a write-blocker, but we'll see. It might have to be done if it's possible.

- jaclaz
The good guys at Seagate - since the drive is discontinued - removed most of the pages related to it, but something is still retrievable from the Wayback Machine:
web.archive.org/web/20...ee0a0aRCRD
Maybe by contacting one of these "software partners" you may get something for the specific use.

jaclaz


That's a good point too. I did find this from one of their software partners:
"OS Recovery for self-encrypting drives" by Wave
Basically it says to boot the device, enter the pre-boot encryption password, then quickly hit F8 to halt the boot. Then put in a boot CD like WIN PE or whatever. It will boot to CD and the drive will be unencrypted.
The problem still is that no write blocker is involved.
www.tvtonic.com/suppor...DM-006.asp

- mansiu
I have read the spec PDF of the drive from Seagate and I have 2 thoughts:
1) Free solution. Connect the drive to SATA and boot up the machine using WinFE and FTK Imager.
2) Commercial solution. Connect the drive to SATA and boot up the machine using EnCase Portable.


Good ideas. I was looking into WinFE and EnCase Portable and it looks like it might work in the situation above where the drive stays in the original laptop, is booted past pre-boot authentication, and then halted for something like EnCase Portable to run. That might work...

- jaclaz
Further reading on the document I provided a link to earlier makes it clear that it is possible to disable the use of the password on a non-boot disk, or at least this is possible using the Maxtor BlackArmor software.
knowledge.seagate.com/...Q/207211en
www.seagate.com/suppor...ba-master/
Whether this software can be used also on Seagate drives connected through a "generic" USB enclosure is yet to be tested.

jaclaz


Thanks. I'm looking into this more. My only fear is hooking up my evidence to another device w/o a write blocker and that thing somehow corrupting it or writing over the evidence. If I can put the write blocker in-line with it, it might work. I'll look into it more.  

jond
Newbie
 
 
