hai everybody,
i have a problem, i recd laptop for the analysis which was alleged to be password protected. on switching on the system, on the screen appears only the icons of lock and monitor, nothing else. the laptop appears to be having the operating system of windows vista. i removed the hard disk, and switched on, the same symbol appears on the screen. i previewed the hard disk in encase 5 and 6, but reveals no info. i want to know is it there any encryption or power on password. if encryption what type of encryption is it? how to proceed further. pl. guide me .
krishna
Make and model of the device? Also what icons do appear? Is it a white lock on a black screen in the upper right hand corner?
This is a two part answer. If there is only a BIOS password lock, then you will not have any issues viewing the contents of the drive thru EnCase (assuming it's removed from the machine and connected via write-blocker).
If there is full drive encryption, EnCase will identify that for you. In that case, I suggest you consider using a rainbow table or other method for decryption.
This is a two part answer. If there is only a BIOS password lock, then you will not have any issues viewing the contents of the drive thru EnCase (assuming it's removed from the machine and connected via write-blocker).
If there is full drive encryption, EnCase will identify that for you. In that case, I suggest you consider using a rainbow table or other method for decryption.
in this issue i like to mention that the laptop mentioned was lenova thinkpad T400 model and i could make out the symbol the symbol lock and monitor for power on password. now the question is how to bypass/break this poweron password. i removed the hard disk and try to view the contents thru encase, the encase reveals no contents. pl help to view the contents.
krishna
removing the bios password on a thinkpad is fairly trivial
but if you do that you also lose the date/time on the device, which means that all of your times can be called into question
to get rid of all the bios settings (including password), pull the battery out, then find the CMOS battery and remove that for 5-10 minutes
after that, put it all back together and it should work
if you cant see any content on the drive then its probably hard drive locked as well…..theres not much infromation that ive found to break that kind of password (although you can always get a clean room and switch the platters with a like-for-like working model without a password)
all in all the easiest thing to do is try to find the bios password as it will usually be the same as the hard disk password. its also the most forensically sound as youll retain the bios settings and the all important date/time