I have a Seagate Momentus FDE self-encrypting hard drive.
To my understanding the encryption processing is done on a chip inside the drive.
I'm curious how to make a forensically sound image of it and analyze it.
I have the username/password to the encryption, but if I boot it, I lose time-stamps, etc.
I talked to EnCase (what I use) and they sell a decryption module for EnCase, but it only works for things like PGP; they don't support Seagate self-encrypting drives.
Has anyone come across this before?
I think Hitachi makes a similar hardware-based encrypted drive.
This is the drive
http//
Any ideas?
Thanks,
Jon
What is the reason you cannot slave it (secondary drive, instead of boot) through a write-blocker?
(elucidation added)
Have you tried password removal in PC-3000 or Atola? If that particular HDD model is supported by PC-3000 or Atola, you can remove the password and then access the hard drive and make a forensic image of the hard drive.
I have a Seagate Momentus FDE self-encrypting hard drive.
To my understanding the encryption processing is done on a chip inside the drive.
I'm curious how to make a forensically sound image of it and analyze it. I have the username/password to the encryption, but if I boot it, I lose time-stamps, etc.
At least from what Seagate says, it seems like the data is actually ALWAYS encrypted with a specific drive "key", and the password is only a way to access the on-the-fly decryption module (or whatever)
http//
From what I understand from the above, it seems like it is possible to "disable" the password and let the encryption/decryption become "transparent", thus the disk should work as "normal" drive even without booting.
Of course, whether this is actually what happens and whether the procedure would be acceptable in the context of the investigation you are after is entirely up to you.
The good guys at Seagate - since the drive is discontinued - removed most of the pages related to it, but something is still retrievable from the Wayback Machine
http://web.archive.org/web/20100105201430/http://www.seagate.com/ww/v/index.jsp?locale=en-US&name=dn_sec_partner_solutions&vgnextoid=658683bedbc93110VgnVCM100000f5ee0a0aRCRD
Maybe by contacting one of these "software partners" you may get something for the specific use.
jaclaz
I have read the spec PDF of the drive from Seagate and I have 2 thoughts:
1) Free solution. Connect the drive to SATA and boot up the machine using WinFE and FTK Imager.
2) Commercial solution. Connect the drive to SATA and boot up the machine using EnCase Portable.
Further reading of the document I provided a link to earlier makes it clear that it is possible to disable the use of a password on a non-boot disk, or at least this is possible using the Maxtor BlackArmor software.
http://knowledge.seagate.com/articles/en_US/FAQ/207211en
http://www.seagate.com/support/external-hard-drives/desktop-hard-drives/blackarmor-maxtor/maxtor-ba-master/
Whether this software can be used also on Seagate drives connected through a "generic" USB enclosure is yet to be tested.
jaclaz
What is the reason you cannot slave it (secondary drive, instead of boot) through a write-blocker?
(elucidation added)
Good question. That's the ideal scenario. Problem is the host computer won't be able to read the encrypted drive.
I would need some sort of 3rd party tool (I would assume) to decrypt the drive from the host PC.
Have you tried password removal in PC-3000 or Atola? If that particular HDD model is supported by PC-3000 or Atola, you can remove the password and then access the hard drive and make a forensic image of the hard drive.
Thanks for the suggestion. I emailed their pre-sales support to see if they can do it.
It looks like they may only deal with BIOS passwords, but we'll see…
From what I understand from the above, it seems like it is possible to "disable" the password and let the encryption/decryption become "transparent", thus the disk should work as "normal" drive even without booting.
Of course, whether this is actually what happens and whether the procedure would be acceptable in the context of the investigation you are after is entirely up to you.
Yeah, I'm curious about that. I would like to boot it to the BIOS and see if there's a disable option there or not.
Hopefully I can find a safer option that would involve a write-blocker, but we'll see. It might have to be done if it's possible.
The good guys at Seagate - since the drive is discontinued - removed most of the pages related to it, but something is still retrievable from the Wayback Machine
http://web.archive.org/web/20100105201430/http://www.seagate.com/ww/v/index.jsp?locale=en-US&name=dn_sec_partner_solutions&vgnextoid=658683bedbc93110VgnVCM100000f5ee0a0aRCRD
Maybe by contacting one of these "software partners" you may get something for the specific use.
jaclaz
That's a good point too. I did find this from one of their software partners
"OS Recovery for self-encrypting drives" by Wave
Basically it says to boot the device, enter the pre-boot encryption password, then quickly hit F8 to halt the boot. Then put in a boot CD like WinPE or whatever. It will boot to CD and the drive will be unencrypted.
Problem still is no write blocker is involved.
http//
I have read the spec PDF of the drive from Seagate and I have 2 thoughts:
1) Free solution. Connect the drive to SATA and boot up the machine using WinFE and FTK Imager.
2) Commercial solution. Connect the drive to SATA and boot up the machine using EnCase Portable.
Good ideas. I was looking into WinFE and EnCase Portable and it looks like it might work in the situation above where the drive stays in the original laptop, is booted past pre-boot authentication, and then halted for something like EnCase Portable to run. That might work…
Further reading of the document I provided a link to earlier makes it clear that it is possible to disable the use of a password on a non-boot disk, or at least this is possible using the Maxtor BlackArmor software.
http://knowledge.seagate.com/articles/en_US/FAQ/207211en
http://www.seagate.com/support/external-hard-drives/desktop-hard-drives/blackarmor-maxtor/maxtor-ba-master/
Whether this software can be used also on Seagate drives connected through a "generic" USB enclosure is yet to be tested.
jaclaz
Thanks. I'm looking into this more. My only fear is hooking up my evidence to another device w/o a write blocker and that thing somehow corrupting it or writing over the evidence. If I can put the write blocker in-line with it, it might work. I'll look into it more.
One secondary thought I had. Since it appears this drive has its own processor and the decryption is done by it, it seems like any write-blocker would block whatever password or key exchange is needed to decrypt it on the fly.
Just from a logical sense, it seems like maybe doing this with a write-blocker isn't possible?
One secondary thought I had. Since it appears this drive has its own processor and the decryption is done by it, it seems like any write-blocker would block whatever password or key exchange is needed to decrypt it on the fly.
Just from a logical sense, it seems like maybe doing this with a write-blocker isn't possible?
Yes, this is "likely", but not "obvious" nor "necessary".
I mean, when you have a "normal" disk connected to a drive through a write blocker, the PC sends to it (through the write blocker) a "read" command (and the write-blocker lets this command "pass through" all right); when instead the PC sends a "write" command (and some data to be written), the write-blocker intervenes and prevents EITHER the "write" command OR the data attached to it from passing through.
So it is possible that the "write blocker"
- filters *any* "write" command
- filters only the data attached to it
- lets only the "read" command to pass through
- …. put here another possible behaviour ….
In some of these behaviours an "unencrypt" command may be able to "pass-through".
The actual makers of the write-blockers that you use should be able to clear this aspect.
The "general" idea behind my previous suggestions was that you should procure yourself (through a used/surplus computer re-seller or even eBay) a couple of same-model drives and do the experiments with them.
It might not be cheap, but always better than risking it on a case.
http//
http//
This should be the Maxtor external version
http//
Just as an example, it is possible that the Maxtor software "requires" the Maxtor USB external case (and controller) but this latter "accepts" another disk….
Even IF through a PC-3000 (or anyway through a "terminal" connection - cannot say if available on these drives) or through the "F8" procedure or the BlackArmor software (as is or modified for the specific chore) you can unblock/remove/authenticate/whatever the protection, unless you have some "solid" evidence (coming from tests) that these won't affect in the least the drive contents, you risk that the "other party" in the trial (or whatever) may attempt (and actually succeed in) proving your method to be "unsafe".
There is a lot of debate about write-blockers, the actual *need* to use them, the actual WinFE "soundness" for forensic operations, etc., so if I were you I would make sure to be able to verify the behaviour of the process and be prepared to demonstrate the actual validity of it from a forensic standpoint.
jaclaz
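The three write-blocker behaviours jaclaz lists (filter any "write" command, filter only the attached data, let only "read" commands through) give different answers for the unlock case, and the difference is easiest to see by running a command stream through each one. The block below is an added illustration for this thread, not code from any write-blocker vendor or from the posters: it assumes the drive is unlocked with the ATA SECURITY UNLOCK command (the Momentus FDE may well use a vendor protocol instead, which is exactly what the vendor would have to confirm), uses real ATA opcodes, and feeds a constructed stream with a dummy password block through each policy.

```python
"""Toy model of three write-blocker policies applied to a constructed ATA
command stream.  Added illustration for this thread; not vendor code."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# Real ATA command opcodes.  Whether the Momentus FDE unlocks through
# ATA SECURITY or a vendor protocol is an assumption made here.
IDENTIFY_DEVICE = 0xEC
READ_DMA_EXT = 0x25
WRITE_DMA_EXT = 0x35
SECURITY_UNLOCK = 0xF2  # PIO data-out: host attaches a 512-byte password block

# Deny-list a blocker might use for "filters *any* write command".
WRITE_OPCODES = {0x30, 0x34, 0xCA, WRITE_DMA_EXT}  # WRITE SECTORS (EXT), WRITE DMA (EXT)
# Allow-list a blocker might use for "lets only the read command pass through".
READ_ALLOWLIST = {IDENTIFY_DEVICE, 0x20, 0x24, 0xC8, READ_DMA_EXT}  # IDENTIFY, READ SECTORS (EXT), READ DMA (EXT)


@dataclass(frozen=True)
class Command:
    name: str
    opcode: int
    host_data: bytes = b""  # bytes the host attaches (sectors to write, password block)


# A policy returns the command as the drive would see it, or None if blocked.
Policy = Callable[[Command], Optional[Command]]


def block_write_opcodes(cmd: Command) -> Optional[Command]:
    """Deny-list on opcode only: 'filters *any* "write" command'."""
    return None if cmd.opcode in WRITE_OPCODES else cmd


def strip_host_data(cmd: Command) -> Optional[Command]:
    """Opcode is forwarded, attached host data is not: 'filters only the data'."""
    return Command(cmd.name, cmd.opcode, b"")


def read_allowlist(cmd: Command) -> Optional[Command]:
    """Allow-list: 'lets only the "read" command to pass through'."""
    return cmd if cmd.opcode in READ_ALLOWLIST else None


POLICIES: Dict[str, Policy] = {
    "block write opcodes": block_write_opcodes,
    "strip host data": strip_host_data,
    "read allow-list": read_allowlist,
}

# Constructed command stream: what a host issues while imaging, plus the unlock
# an FDE-aware tool would have to send.  The password bytes are dummies.
SAMPLE_STREAM: List[Command] = [
    Command("IDENTIFY DEVICE", IDENTIFY_DEVICE),
    Command("READ DMA EXT", READ_DMA_EXT),
    Command("WRITE DMA EXT", WRITE_DMA_EXT, b"\x00" * 512),
    Command("SECURITY UNLOCK", SECURITY_UNLOCK, b"dummy-password".ljust(512, b"\x00")),
]


def classify(original: Command, forwarded: Optional[Command]) -> str:
    """Describe what the drive receives compared with what the host sent."""
    if forwarded is None:
        return "blocked"
    if original.host_data and not forwarded.host_data:
        return "forwarded without data"
    return "forwarded"


def simulate(stream: List[Command]) -> Dict[str, Dict[str, str]]:
    """Outcome of every command in `stream` under every policy."""
    return {
        policy_name: {cmd.name: classify(cmd, policy(cmd)) for cmd in stream}
        for policy_name, policy in POLICIES.items()
    }


def unlock_reaches_drive(policy_name: str) -> bool:
    """True if the SECURITY UNLOCK password block gets through under this policy."""
    unlock = next(c for c in SAMPLE_STREAM if c.opcode == SECURITY_UNLOCK)
    forwarded = POLICIES[policy_name](unlock)
    return forwarded is not None and bool(forwarded.host_data)


if __name__ == "__main__":
    for policy_name, outcomes in simulate(SAMPLE_STREAM).items():
        print(f"{policy_name}:")
        for cmd_name, outcome in outcomes.items():
            print(f"  {cmd_name:16} {outcome}")
```

Under the opcode deny-list the unlock goes through untouched, because its opcode is not a write opcode; under data-stripping the opcode arrives but the password block does not, so the drive stays locked; under the read allow-list it is blocked outright. Which of the three a given product implements is not visible from outside, which is why the vendor's documentation (or a test on a spare same-model drive, as suggested above) is the only way to settle it.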