Mount PGP Encrypted disk image (SymantecDesktopEncryption)?

 
  

doublezero
Newbie
 

Mount PGP Encrypted disk image (SymantecDesktopEncryption)?

Post Posted: Mar 23, 20 18:53

Hey Guys,

I'm working on a case where I made a disk image of a computer encrypted with Symantec Desktop Encryption. Now, I can boot the disk image in a VM, and using the user password I'm able to unlock the disk and get a Windows session (without admin privileges).
The problem is, I'm unable to perform an image of the logical unencrypted partition because I have no means to get admin privileges (we don't have the admin password), and I also can't find a tool to unlock the partition for file browsing or anything else. I don't want to exploit the OS for privilege escalation, and the decryption process using Symantec Desktop Encryption is slow AF (90+ hours for 1TB).

Any advice on a way to unlock the disk for logical image of unencrypted partition?
BitLocker is way easier to work with ahaha.

(sorry for the bad English)
 
  

jaclaz
Senior Member
 

Re: Mount PGP Encrypted disk image (SymantecDesktopEncryptio

Post Posted: Mar 24, 20 12:33

Excuse me, I don't understand.
You can boot (in the VM) to the actual Windows (which EXACT version) which is in the disk image?
How (EXACTLY) are you logging in? Do you have a user (non-admin) login/password?
IF this is the case, this non-admin user must have *some* access to the volume, does it not?

jaclaz
_________________
- In theory there is no difference between theory and practice, but in practice there is. - 
 
  

doublezero
Newbie
 

Re: Mount PGP Encrypted disk image (SymantecDesktopEncryptio

Post Posted: Mar 24, 20 15:50

- jaclaz
Excuse me, I don't understand.
You can boot (in the VM) to the actual Windows (which EXACT version) which is in the disk image?
How (EXACTLY) are you logging in? Do you have a user (non-admin) login/password?
IF this is the case, this non-admin user must have *some* access to the volume, does it not?

jaclaz


I can boot using a user password. Symantec Desktop Encryption requires a user password to boot the machine, then it auto-logs on as that user in Windows 10 (latest).
On the OS, I have access to the volume, but I can't use tools to live capture the unencrypted volume (this requires admin level) or install VirtualBox Guest Additions tools to transfer files via network or USB. I managed to obtain hashes and crack one admin password, but that admin user is blocked on the OS.
I never worked on that scenario before.  
 
  

jaclaz
Senior Member
 

Re: Mount PGP Encrypted disk image (SymantecDesktopEncryptio

Post Posted: Mar 25, 20 09:39

- doublezero

I can boot using a user password. Symantec Desktop Encryption requires a user password to boot the machine, then it auto-logs on as that user in Windows 10 (latest).
On the OS, I have access to the volume, but I can't use tools to live capture the unencrypted volume (this requires admin level) or install VirtualBox Guest Additions tools to transfer files via network or USB. I managed to obtain hashes and crack one admin password, but that admin user is blocked on the OS.
I never worked on that scenario before.


So (if I get it right now) the machine/install has:
1) a user (without admin privileges) for which you know the password
2) an admin user (for which you know the password) BUT that is disabled
3) ANOTHER admin user, active but for which you DO NOT know the password.

What I would suggest you try is to by-pass the password.

If it wasn't (I believe it is) the latest-latest Windows 10 (and 64-bit), good ol' Passpass would have done, but I don't think that the patch codes for latish versions have been published.

But Kon-Boot (Commercial, but affordable) should be able to do that (but it has to be seen if it works on this PGP encrypted image):

www.piotrbania.com/all/kon-boot/

Please understand how the idea is to by-pass (NOT reset, NOT change) the password (actually its check), so - if it works - the system is not modified.

jaclaz
_________________
- In theory there is no difference between theory and practice, but in practice there is. - 
 
  

doublezero
Newbie
 

Re: Mount PGP Encrypted disk image (SymantecDesktopEncryptio

Post Posted: Mar 25, 20 16:14

- jaclaz
- doublezero

I can boot using a user password. Symantec Desktop Encryption requires a user password to boot the machine, then it auto-logs on as that user in Windows 10 (latest).
On the OS, I have access to the volume, but I can't use tools to live capture the unencrypted volume (this requires admin level) or install VirtualBox Guest Additions tools to transfer files via network or USB. I managed to obtain hashes and crack one admin password, but that admin user is blocked on the OS.
I never worked on that scenario before.


So (if I get it right now) the machine/install has:
1) a user (without admin privileges) for which you know the password
2) an admin user (for which you know the password) BUT that is disabled
3) ANOTHER admin user, active but for which you DO NOT know the password.

What I would suggest you try is to by-pass the password.

If it wasn't (I believe it is) the latest-latest Windows 10 (and 64-bit), good ol' Passpass would have done, but I don't think that the patch codes for latish versions have been published.

But Kon-Boot (Commercial, but affordable) should be able to do that (but it has to be seen if it works on this PGP encrypted image):

www.piotrbania.com/all/kon-boot/

Please understand how the idea is to by-pass (NOT reset, NOT change) the password (actually its check), so - if it works - the system is not modified.

jaclaz


Thank you jaclaz! Unfortunately, Kon-Boot won't work with disk encryption.
I have one copy of the disk being decrypted. 2 days, 25% done, and with decryption speed decreasing. I'm fucked ahaha
 
