±Forensic Focus Partners

Become an advertising partner

±Your Account


Username
Password

Forgotten password/username?

Site Members:

New Today: 0 Overall: 32893
New Yesterday: 9 Visitors: 150

±Follow Forensic Focus

Forensic Focus Facebook PageForensic Focus on TwitterForensic Focus LinkedIn GroupForensic Focus YouTube Channel

RSS feeds: News Forums Articles

±Latest Articles

RSS Feed Widget

±Latest Webinars

Forensic Recovery and ATA-3 'Secure Mode', possible?

Discussion of forensic workstations, write blockers, bridges, adapters, disk duplicators, storage etc. Strictly no advertising of commercial products, please.
Reply to topicReply to topic Printer Friendly Page
Forum FAQSearchView unanswered posts
Go to page 1, 2, 3 ... 9, 10, 11  Next 
  

Forensic Recovery and ATA-3 'Secure Mode', possible?

Post Posted: Thu Sep 02, 2004 9:18 pm

Hi everyone,

This is more of a theoretical question than an actual problem. I guess you could consider this an anti-forensic data recovery question. I was recently researching data protection technologies for my company's mobile devices. I learned that our laptops support ATA-3 Secure Mode, which is a hardware level password stored on the drive itself. Even if you remove the drive and install it in another PC, the password is in place. From what I understand, you can't take an image of a drive with an ATA-3 Secure Mode password set, because the drive won't allow you to read from the disk until you enter the correct password.

So this got me thinking, how could you possibly do forensic recovery on a system if the user has set an ATA-3 secure mode password? Anyone run into this before? If so, how did you deal with it? Do you know anyone else who has encountered this?

I've found that there are a handful of companies that will remove the ATA-3 Secure Mode password, if you can prove drive ownership. From what I understand, some of these companies use a cleanroom technique of some type, others have knowledge that few outside of the manufacturers themselves have. So what about the rest of us?

Thanks for a great site!

Christopher Meyer
Information Security Engineer
Appleton, WI  

meyerc13
Newbie
 
 
  

Re: Forensic Recovery and ATA-3 'Secure Mode', possible?

Post Posted: Thu Sep 02, 2004 11:45 pm

Hi Chris,

ATA-3 secure mode devices are "secure" from most forensic specialists. As you so rightly said there are a few specialised companies that offer this service of password removal.

That said there a "few" backdoors to this problem.

From an anti-forensics point of view these drives offer a facility for completely reinitialising the drive.

Just my 2 cents.

Best
Samir
_________________
Samir Datt
Director
Computer Crime Investigations & Forensics
Foundation Futuristic Technologies (P) Ltd.
New Delhi
www.ForensicsGuru.com
skd @ forensicsguru.com 

SamirDatt
Member
 
 
  

Re: Forensic Recovery and ATA-3 'Secure Mode', possible?

Post Posted: Wed Sep 08, 2004 2:38 am

so possible?
_________________
Neo-IT Managed Service
http://www.neo-it.com.au
A managed system provides a FIXED COST for the business technology 

neoit2000
Newbie
 
 
  

Re: Forensic Recovery and ATA-3 'Secure Mode', possible?

Post Posted: Wed Sep 15, 2004 3:04 pm

The question of unlocking an ATA password has arisen before on other sites and the answer has always been no.

The reason for this being the only commands the drive will accept are password related i.e. give password master/user or erase with master password.

The password is on the drive so the controller can not be changed for an identical one and other controllers would probably not work with the drive.

The solution appears to be to attach the device to a special peice of hardware that can read the data,probably used to make reverse engineering more difficult.

I have a password protected drive and have done as much research on the internet as i can and have not heard of anyone having any luck removing this at home.  

deepdraw
Newbie
 
 
  

Re: Forensic Recovery and ATA-3 'Secure Mode', possible?

Post Posted: Wed Sep 15, 2004 5:27 pm

deepdraw,

Welcome to Forensic Focus and thanks for that post, very useful.

Kind regards,

Jamie
_________________
Jamie Morris
Forensic Focus
Web: www.forensicfocus.com
Twitter: twitter.com/ForensicFocus
Facebook: www.facebook.com/forensicfocus
Google+: www.google.com/+ForensicFocus 

jamie
Site Admin
 
 
  

Re: Forensic Recovery and ATA-3 'Secure Mode', possible?

Post Posted: Mon Oct 04, 2004 1:28 pm

Apparently this company can do it for a fee: -

www.nortek.on.ca/hdd_pw.html

Would love to know what they use Smile

Andy  

Andy
Senior Member
 
 
  

Re: Forensic Recovery and ATA-3 'Secure Mode', possible?

Post Posted: Thu Oct 07, 2004 1:04 pm

Vogon in the UK has a hardware product that can bypass the ATA password.  

Matrix
Member
 
 

Page 1 of 11
Go to page 1, 2, 3 ... 9, 10, 11  Next