±Forensic Focus Partners

Become an advertising partner

±Your Account


Username
Password

Forgotten password/username?

Site Members:

New Today: 2 Overall: 33501
New Yesterday: 7 Visitors: 204

±Follow Forensic Focus

Forensic Focus Facebook PageForensic Focus on TwitterForensic Focus LinkedIn GroupForensic Focus YouTube Channel

RSS feeds: News Forums Articles

±Latest Articles

RSS Feed Widget

±Latest Webinars

Firmware on Toshiba HDD

Computer forensics discussion. Please ensure that your post is not better suited to one of the forums below (if it is, please post it there instead!)
Reply to topicReply to topic Printer Friendly Page
Forum FAQSearchView unanswered posts
Go to page 1, 2, 3  Next 
  

Firmware on Toshiba HDD

Post Posted: Wed Feb 14, 2018 3:02 pm

Good afternoon everyone,

I have a puzzling case I am working and need your help. I have a Toshiba HDD from a laptop that was sent to me for analysis. The employee that seized the laptop allowed bad guy to have access to the laptop to "unlock it" for said employee :0 Needless to say, the employee saw the Windows splash screen and then what he described as a black screen with white letter (possibly command line). The employee said bad guy typed something in and the screen went black. I know, I know.......

Anyways, now to the lab portion of this. I connected the HDD to a Forensic Falcon, which sees the drive and all its data (size, serial number, LBA, etc.), but has ALL read errors, from start to end when I try to image it. I've tried to iSCSI to the drive to see what's on it and it freezes my FTK Imager. I have booted to Paladin and attempted to image and again ALL read errors. I have read the S.M.A.R.T. data on the drive and it does not show any raw-read-error-rate is 0.

According to the employee that seized the laptop, the bad guy is very computer savvy and had LOTS of hacking software and "how to go undetected by the government" documents (unfortunately not seized for my viewing). My question is this...does anyone know of a command line or executable that will easily corrupt the firmware or tell the firmware that it is bad? The firmware is the only explanation that I can come up with for the drive having ALL read errors, when the employee just saw the bad guy on the laptop. If he wiped the drive, I should still be able to image it.

Any help would be greatly appreciated. Also, I don't have a power cable to boot to BIOS so I have none of that data.

Investigator Wheeler  

swheeler
Newbie
 
 
  

Re: Firmware on Toshiba HDD

Post Posted: Wed Feb 14, 2018 3:27 pm

There are all sorts of nasty boot bombs out there. They could have started a format process, zero out process, or overwriting the MBR or File Table.

Options:
1. Hardware Imager
2. DEFT/CAINE Discs
3. Encase Imager
4. If all else fails, clone the Suspect Drive > Analyze the Clone  

bntrotter
Senior Member
 
 
  

Re: Firmware on Toshiba HDD

Post Posted: Wed Feb 14, 2018 10:00 pm

bntrotter,

I don't think your comments make sense. OP has already tried hardware and software imaging, which seems to have failed.

swheeler,

Do you have any details about the type of the error? e.g. CRC.
Might be that the drive was encrypted and the password was rolled over.
What model hard drive it is? Does it support SED

See also
www.pcworld.com/articl...omise.html
"Toshiba has introduced a series of self-encrypting hard drives that come with what the company says is a unique self-diagnostic feature that blocks access to data if the drive doesn't recognize the host, in case it is lost or stolen ...... a feature that deletes the keys required to decrypt data when a drive is removed or is connected to an unrecognized host."

Might have been a bad move to remove that drive from the host.  

Passmark
Senior Member
 
 
  

Re: Firmware on Toshiba HDD

Post Posted: Thu Feb 15, 2018 2:15 am

@swheeler

as a DR (Stands for Data Recovery) opinion i can tell you this is a common G-list issue with Toshiba drives (specially the new models)

better you seek a DR firm asking for a Clone of the drive if possible.  

einstein9
Member
 
 
  

Re: Firmware on Toshiba HDD

Post Posted: Thu Feb 15, 2018 8:41 am

- Passmark
bntrotter,

I don't think your comments make sense. OP has already tried hardware and software imaging, which seems to have failed.

swheeler,

Do you have any details about the type of the error? e.g. CRC.
Might be that the drive was encrypted and the password was rolled over.
What model hard drive it is? Does it support SED

See also
www.pcworld.com/articl...omise.html
"Toshiba has introduced a series of self-encrypting hard drives that come with what the company says is a unique self-diagnostic feature that blocks access to data if the drive doesn't recognize the host, in case it is lost or stolen ...... a feature that deletes the keys required to decrypt data when a drive is removed or is connected to an unrecognized host."

Might have been a bad move to remove that drive from the host.


The drive is a Toshiba, model MQ01ABF050, not the MX model that supports SED. I don't believe this model is a SED, but I may be wrong. As for the error type, Forensic Falcon is not giving me an error type. In fact, it doesn't actually appear to be reading the sectors. I think the drive is locked an it is just going through the motions.

I attempted additional troubleshooting and connected the drive to a Logicube Dossier. The Dossier could not image the drive as it said the drive was "locked." If the drive is merely encrypted, I should still be able to get an image still, the data will just be random. Now if the BIOS/Firmware is password protected, then I won't, correct?  

swheeler
Newbie
 
 
  

Re: Firmware on Toshiba HDD

Post Posted: Thu Feb 15, 2018 9:32 am

- swheeler

I attempted additional troubleshooting and connected the drive to a Logicube Dossier. The Dossier could not image the drive as it said the drive was "locked." If the drive is merely encrypted, I should still be able to get an image still, the data will just be random. Now if the BIOS/Firmware is password protected, then I won't, correct?


Could it be a (more generic, i.e. not Toshiba specific) ATA PWD "lock"? Question

I don' think that there are ways (software, without a specific hardware connection to diagnostic/TTL ports or similar) to actually clear G-Lists or however modify the ROM/firmware, while setting an ATA password lock is possible.

jaclaz
_________________
- In theory there is no difference between theory and practice, but in practice there is. - 

jaclaz
Senior Member
 
 
  

Re: Firmware on Toshiba HDD

Post Posted: Thu Feb 15, 2018 9:40 am

- jaclaz
- swheeler

I attempted additional troubleshooting and connected the drive to a Logicube Dossier. The Dossier could not image the drive as it said the drive was "locked." If the drive is merely encrypted, I should still be able to get an image still, the data will just be random. Now if the BIOS/Firmware is password protected, then I won't, correct?


Could it be a (more generic, i.e. not Toshiba specific) ATA PWD "lock"? Question

I don' think that there are ways (software, without a specific hardware connection to diagnostic/TTL ports or similar) to actually clear G-Lists or however modify the ROM/firmware, while setting an ATA password lock is possible.

jaclaz


jaclaz,

That is what I am beginning to think. Are you aware of a forensic tool that can detect if there is an ATA password on the drive?  

swheeler
Newbie
 
 

Page 1 of 3
Go to page 1, 2, 3  Next