Join Us!

Mount PGP Encrypted...
 
Notifications
Clear all

Mount PGP Encrypted disk image (SymantecDesktopEncryption)?  

  RSS
doublezero
(@doublezero)
New Member

Hey Guys,

I'm working on a case where I made a disk image of a computer encrypted with Symantec Desktop Encryption. Now, I can boot the disk image in a VM, and using the user password I'm able to unlock the disk and get a windows session (without admin privileges).
The problem is, I'm unable to perform a image of the logical unencrypted partition because I have no means to get admin privileges (we dont have the admin password), and I also cant find a tool to unlock the partition for file browsing or anything else. I dont want to exploit the OS for privilege escalation, and the decryption process using Symantec Desktop Encryption is slow AF (90+ hours for 1TB).

Any advice on a way to unlock the disk for logical image of unencrypted partition?
Bitlocker is way easier to work ahaha.

(sorry for the bad english)

Quote
Posted : 23/03/2020 5:53 pm
jaclaz
(@jaclaz)
Community Legend

Excuse me, I don't understand.
You can boot (in the VM) to the actual Windows (which EXACT version) which is in the disk image?
How (EXACTLY) are you logging in? Do you have a user (non-admin) login/password?
IF this is the case, this non-admin user must have *some* access to the volume, does it not?

jaclaz

ReplyQuote
Posted : 24/03/2020 11:33 am
doublezero
(@doublezero)
New Member

Excuse me, I don't understand.
You can boot (in the VM) to the actual Windows (which EXACT version) which is in the disk image?
How (EXACTLY) are you logging in? Do you have a user (non-admin) login/password?
IF this is the case, this non-admin user must have *some* access to the volume, does it not?

jaclaz

I can boot using a user password. Symantec Desktop Encryption require an user password to boot the machine, then it autologon from that user in Windows10 (latest).
On the OS, I have access to the volume, but I cant use tools to live capture the unencrypted volume (this require admin level) or install Virtualbox GuestAddons tools to transfer files via network or USB. I managed to obtain hashes and crack one admin password, but that admin user is blocked on the OS.
I never worked on that scenario before.

ReplyQuote
Posted : 24/03/2020 2:50 pm
jaclaz
(@jaclaz)
Community Legend

I can boot using a user password. Symantec Desktop Encryption require an user password to boot the machine, then it autologon from that user in Windows10 (latest).
On the OS, I have access to the volume, but I cant use tools to live capture the unencrypted volume (this require admin level) or install Virtualbox GuestAddons tools to transfer files via network or USB. I managed to obtain hashes and crack one admin password, but that admin user is blocked on the OS.
I never worked on that scenario before.

So (if I get it right now) the machine/install has
1) an user (without admin privileges) for which you know the password
2) an admin user (for which you know the password) BUT that isdisabled
3) ANOTHER admin user, active but for which you DO NOT know the password.

What I would suggest you to try is to by-pass the password.

If it wasn't (I believe it is) the latest-latest Windows 10 (and 64-bit), good ol' Passpass would have done, but I don't think that the patch codes for latish version have been published.

But Kon-Boot (Commercial, but affordable) should be able to do that (but it has to be seen if it works on this PGP encrypted image)

https://www.piotrbania.com/all/kon-boot/

Please understand how the idea is to by-pass (NOT reset, NOT change) the password (actually its check), so - if it works - the system is not modified.

jaclaz

ReplyQuote
Posted : 25/03/2020 8:39 am
doublezero
(@doublezero)
New Member

I can boot using a user password. Symantec Desktop Encryption require an user password to boot the machine, then it autologon from that user in Windows10 (latest).
On the OS, I have access to the volume, but I cant use tools to live capture the unencrypted volume (this require admin level) or install Virtualbox GuestAddons tools to transfer files via network or USB. I managed to obtain hashes and crack one admin password, but that admin user is blocked on the OS.
I never worked on that scenario before.

So (if I get it right now) the machine/install has
1) an user (without admin privileges) for which you know the password
2) an admin user (for which you know the password) BUT that isdisabled
3) ANOTHER admin user, active but for which you DO NOT know the password.

What I would suggest you to try is to by-pass the password.

If it wasn't (I believe it is) the latest-latest Windows 10 (and 64-bit), good ol' Passpass would have done, but I don't think that the patch codes for latish version have been published.

But Kon-Boot (Commercial, but affordable) should be able to do that (but it has to be seen if it works on this PGP encrypted image)

https://www.piotrbania.com/all/kon-boot/

Please understand how the idea is to by-pass (NOT reset, NOT change) the password (actually its check), so - if it works - the system is not modified.

jaclaz

Thank you jaclaz! Unfortunately, konboot wont work with disk encryption.
I have one copy of the disk being decrypted. 2 Days, 25% done, and with decryption speed decreasing. I'm fucked ahaha

ReplyQuote
Posted : 25/03/2020 3:14 pm
doublezero
(@doublezero)
New Member

Just to update
I used Symantec Desktop Encryption to decrypt the disk using the user password. It took almost 5 days to complete.
After that, the disk was flagged as "Bitlocker encrypted" on linux, but I managed to unlock the disk using dislocker with a "blank" password. Before on windows, the disk was flagged as "raw", not flagged as bitlocker encrypted.

Weird, but it worked.

ReplyQuote
Posted : 07/04/2020 1:53 am
Share: