Restore a dd/raw encrypted image to a HDD

(@klobbe99)
Active Member
Joined: 12 years ago
Posts: 5
Topic starter  

Hi all,

First of all, I'm new and inexperienced in this field, so please bear with me.
Second, I was not sure if this belonged in the software part of the forum; I apologize if that is the case!

I have a request to extract one file from an image of a HDD created by another person. Unfortunately the image was taken from a laptop's HDD with the disk encryption still in place.

The full disk image was acquired with a Tableau T35es in conjunction with FTK Imager and it is in the dd/raw format as a single file. The disk encryption is SafeGuard Enterprise (version unknown).

I did search the forum and found a thread about booting it via LiveView (I used 0.7 and 0.8), but that doesn't work for me: I get the blue SafeGuard Enterprise splash screen, but there is no login prompt, and after a couple of seconds the virtual machine reboots by itself.
After the first reboot the virtual machine gets stuck and you have to manually reboot it, and then it does the same thing again.

I have an exact model of the HDD that was used when the image was taken, so either I will have to restore the image to the disk, boot it up and log in the usual way, or I have to find some way to boot up the image virtually.

So can anyone please help me with how to do this, preferably with freeware software.

Thanks in advance!

(@percontor)
New Member
Joined: 12 years ago
Posts: 4
 

Hi Klobbe,

Getting the disk to the point where it's bootable seems to be the main issue rather than the encryption. Perhaps the following tools may be of use.

Virtual Boot Methods -

VMWare & Virtualbox.

Virtual Disk Conversion tools

VirtualBox has a utility for converting raw disks to VMDK (http://stackoverflow.com/questions/454899/how-to-convert-flat-raw-disk-image-to-vmdk-for-virtualbox-or-vmplayer).

Otherwise "Raw2Vmdk" also works nicely … most the time.

Alternatively, if you want to copy the image to another disk… you could probably just use a *nix OS/boot disk to write the image out to a device with the dd tool. I haven't had to go through this process yet though, so I'm not certain… perhaps somebody more experienced can verify?

(@mansiu)
Trusted Member
Joined: 16 years ago
Posts: 83
 

Cheapest way is to use "dd".

If you have the tools around, EnCase and FTK will also work.

(@Anonymous 6593)
Guest
Joined: 17 years ago
Posts: 1158
 

I did search the forum and found a thread about booting it via LiveView (I used 0.7 and 0.8), but that doesn't work for me: I get the blue SafeGuard Enterprise splash screen, but there is no login prompt, and after a couple of seconds the virtual machine reboots by itself.

LiveView won't help – what it does is 'massage' an OS installation into running on virtual hardware instead of the actual hardware, modifying registry and other configuration data. If there is a full-disk encryption layer on top, LiveView can't do a thing.

Corrected: that was unfortunately nonsense – LiveView creates a virtual machine and tries to configure it to reflect the configuration of the actual OS, requiring access to registry files etc. It doesn't modify the source image.

You probably need a SafeGuard expert to get it working. I can only guess that the SafeGuard boot assumes some kind of hardware profile, and fails when it doesn't find it; perhaps it looks for the disk at a particular IDE slot, or something such. If SafeGuard can be convinced to produce logs, those might help. But you need some kind of SafeGuard competence for that.

A forensic platform with support for SafeGuard encryption might do it – but then we're talking EnCase and similarly expensive tools.

In their absence, the only easy thing I can think of is to restore the (encrypted) image to another hard disk, mount it in the existing hardware in the place of the original drive, and boot it as before. After that it's a question of tracing the boot code, and figuring out what happens.

Added: but if it is an Enterprise installation, doesn't the enterprise SafeGuard admin have a data recovery solution? Most full-disk encryption products come with one. They often involve a stand-alone boot that allows you to attach the encrypted disk as a separate volume, and access it from there. Or there may be a 'decrypt' option – but you need to know the product for this. A SafeGuard admin is probably in a better position to get support from Sophos (or whoever owns the product). Or, … you could ask about data-recovery solutions in a SafeGuard or Sophos-related forum.

(@klobbe99)
Active Member
Joined: 12 years ago
Posts: 5
Topic starter  

Thanks for the replies!

I did test the various ways of creating the files needed to boot the image in VMware (Raw2Vmdk, ProDiscover), but with the same result: I get the splash screen for SafeGuard Enterprise without the login prompt, and after a couple of seconds it reboots.

So, as you wrote, it seems to be looking for files that the full-disk encryption stops the VM software from reaching.

So I'll give dd a go tomorrow. I'll use SIFT, mount the disk, and write the image back to a disk of the same model as it was originally captured from, and then put the disk in a laptop of the same make and model as the one the disk was running in to begin with.

That would most likely let me boot the image as normal and let me supply the login credentials to get past the full disk encryption, or am I wrong in my assumption?

I will also explore what kind of support deal we have with Sophos.

I will have access to FTK in the near future; can that software handle this image directly?
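The dd write-back step discussed in this thread (writing the raw image to a spare same-model disk and confirming it arrived intact), as an added shell example that is not from any of the posters. It assumes GNU coreutils as found on SIFT/Ubuntu; the device path in the usage line is a placeholder, and the script refuses a target smaller than the image.

```shell
#!/bin/sh
# Restore a dd/raw image to a target disk (or, for testing, a plain file)
# and verify the written bytes against the image. Assumes GNU coreutils
# (dd, stat, head, sha256sum). Run only against the spare same-model disk,
# never the system disk or the original evidence drive.

size_of() {
    # Byte size of a block device or a regular file.
    if [ -b "$1" ]; then
        blockdev --getsize64 "$1"
    else
        stat -c %s "$1"
    fi
}

hash_bytes() {
    # SHA-256 of the first $2 bytes of $1, so a target disk that is larger
    # than the image still compares equal to the image it received.
    head -c "$2" "$1" | sha256sum | cut -d' ' -f1
}

restore_image() {
    image=$1
    target=$2
    img_size=$(size_of "$image")
    tgt_size=$(size_of "$target")
    if [ "$tgt_size" -lt "$img_size" ]; then
        echo "target ($tgt_size bytes) is smaller than image ($img_size bytes)" >&2
        return 1
    fi
    before=$(hash_bytes "$image" "$img_size")
    # Plain block copy: the encrypted sectors go back verbatim, so the
    # SafeGuard pre-boot environment sees exactly the disk that was imaged.
    dd if="$image" of="$target" bs=1048576 conv=fsync 2>/dev/null || return 1
    after=$(hash_bytes "$target" "$img_size")
    if [ "$before" != "$after" ]; then
        echo "hash mismatch: image $before, target $after" >&2
        return 1
    fi
    # Print the verified hash so it can be recorded in the case notes.
    echo "$after"
}

# Usage (placeholder paths): restore_image /evidence/laptop.dd /dev/sdX
```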