
Forensic Recovery and ATA-3 'Secure Mode', possible?

73 Posts
32 Users
0 Likes
5,180 Views
(@meyerc13)
Posts: 3
New Member
Topic starter
 

Hi everyone,

This is more of a theoretical question than an actual problem. I guess you could consider this an anti-forensic data recovery question. I was recently researching data protection technologies for my company's mobile devices. I learned that our laptops support ATA-3 Secure Mode, which is a hardware level password stored on the drive itself. Even if you remove the drive and install it in another PC, the password is in place. From what I understand, you can't take an image of a drive with an ATA-3 Secure Mode password set, because the drive won't allow you to read from the disk until you enter the correct password.

So this got me thinking, how could you possibly do forensic recovery on a system if the user has set an ATA-3 secure mode password? Anyone run into this before? If so, how did you deal with it? Do you know anyone else who has encountered this?

I've found that there are a handful of companies that will remove the ATA-3 Secure Mode password, if you can prove drive ownership. From what I understand, some of these companies use a cleanroom technique of some type, others have knowledge that few outside of the manufacturers themselves have. So what about the rest of us?

Thanks for a great site!

Christopher Meyer
Information Security Engineer
Appleton, WI

 
Posted : 03/09/2004 3:18 am
(@samirdatt)
Posts: 24
Eminent Member
 

Hi Chris,

ATA-3 secure mode devices are "secure" from most forensic specialists. As you so rightly said there are a few specialised companies that offer this service of password removal.

That said, there are a "few" backdoors to this problem.

From an anti-forensics point of view these drives offer a facility for completely reinitialising the drive.

Just my 2 cents.

Best
Samir

 
Posted : 03/09/2004 5:45 am
(@neoit2000)
Posts: 2
New Member
 

so possible?

 
Posted : 08/09/2004 8:38 am
(@deepdraw)
Posts: 1
New Member
 

The question of unlocking an ATA password has arisen before on other sites and the answer has always been no.

The reason for this is that the only commands the drive will accept are password related, i.e. give password master/user or erase with master password.

The password is on the drive so the controller cannot be changed for an identical one and other controllers would probably not work with the drive.

The solution appears to be to attach the device to a special piece of hardware that can read the data, probably used to make reverse engineering more difficult.

I have a password protected drive and have done as much research on the internet as I can and have not heard of anyone having any luck removing this at home.

 
Posted : 15/09/2004 9:04 pm
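
The locked state described in the post above is reported by the drive itself in word 128 of its IDENTIFY DEVICE response, so an examiner can check it before attempting to image. The following is an added example, not code from the thread or from any poster: the bit positions follow the ATA specification, the function names are hypothetical, and the sample buffers are constructed.

```python
import struct

# IDENTIFY DEVICE word 128 (security status) bit positions from the ATA spec.
FLAGS = {0: "supported", 1: "enabled", 2: "locked", 3: "frozen",
         4: "count_expired", 5: "enhanced_erase"}
LEVEL_BIT = 8  # 0 = High, 1 = Maximum

def security_state(identify: bytes) -> dict:
    """Decode security status from a 512-byte IDENTIFY DEVICE response."""
    if len(identify) != 512:
        raise ValueError("IDENTIFY DEVICE data must be 512 bytes")
    (w,) = struct.unpack_from("<H", identify, 128 * 2)  # words are little-endian
    state = {name: bool((w >> bit) & 1) for bit, name in FLAGS.items()}
    state["level"] = "maximum" if (w >> LEVEL_BIT) & 1 else "high"
    return state

def imaging_triage(identify: bytes) -> str:
    """Hypothetical helper: what an examiner should expect before imaging."""
    s = security_state(identify)
    if not (s["supported"] and s["enabled"]):
        return "no password set: image normally"
    if not s["locked"]:
        return "password set, currently unlocked: image before any power cycle"
    if s["count_expired"]:
        return "locked, attempt counter expired: unlock rejected until power cycle"
    if s["level"] == "maximum":
        return "locked (maximum): user password unlocks; master can only erase"
    return "locked (high): user or master password unlocks"

def sample_identify(word128: int) -> bytes:
    """Constructed test input: an otherwise empty IDENTIFY block."""
    buf = bytearray(512)
    struct.pack_into("<H", buf, 128 * 2, word128)
    return bytes(buf)

if __name__ == "__main__":
    for w in (0x0001, 0x0003, 0x0007, 0x0107, 0x0017):
        print(f"{w:#06x}: {imaging_triage(sample_identify(w))}")
```
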
Jamie
(@jamie)
Posts: 1288
Moderator
 

deepdraw,

Welcome to Forensic Focus and thanks for that post, very useful.

Kind regards,

Jamie

 
Posted : 15/09/2004 11:27 pm
 Andy
(@andy)
Posts: 357
Reputable Member
 

Apparently this company can do it for a fee: -

http://www.nortek.on.ca/hdd_pw.html

Would love to know what they use 🙂

Andy

 
Posted : 04/10/2004 7:28 pm
(@matrix)
Posts: 21
Eminent Member
 

Vogon in the UK has a hardware product that can bypass the ATA password.

 
Posted : 07/10/2004 7:04 pm
(@Anonymous)
Posts: 0
Guest
 

I know how to unlock all big drives.
Nikola

 
Posted : 28/11/2004 11:49 pm
 Andy
(@andy)
Posts: 357
Reputable Member
 

For a fee, or for free?

 
Posted : 29/11/2004 7:58 am
(@Anonymous)
Posts: 0
Guest
 

For a fee, or for free?

Not for fee or tea, just for job.
One is free for second You take on tea

 
Posted : 29/11/2004 10:33 am