Thread: [sleuthkit-users] obtaining a viable image of an encrypted hard disk drive
From: DePriest, J. R. <jrd...@gm...> - 2006-10-17 22:51:49
I use Sleuthkit and Autopsy for forensic investigations at work. I have been struggling with my first Pointsec (http://www.pointsec.com) whole disk encrypted hard disk drive. Pointsec is our enterprise's chosen method of whole disk encryption, which was purchased without input from IT Risk Management (which includes Data Security), so we had no idea what we were getting into from an investigation point of view.

According to Pointsec's technical support, you can create an image of a Pointsec encrypted disk by booting off of a CD or floppy. This image will be complete gibberish and there is no way to decrypt the data inside of it. They also told me that if you get to the Pointsec authorization screen (which comes up right after POST and before initializing the OS) and press a magic key combination you can choose another boot device. You still have to have the proper user name and password to authorize the decryption (which I have). If you press CTRL-F9, Pointsec tries to boot from the floppy drive. If you press CTRL-F10, Pointsec lets you pick.

I booted from a Helix CD and have tried on two occasions to create an image. Both are unrecognizable to Sleuthkit. The only image I have that is mountable is one I created by removing the hard disk drive from the laptop and connecting it to a Windows system via a firewire attached write blocker. The image is useless, however, because everything is encrypted.

Some information about the images.

First image information --
Pointsec status: disk encrypted
Hard disk read / write: hardware write block
Host OS: Windows 2003 Server with SP1
Imaging Application: dd from George M. Garner, Jr.'s Forensic Acquisition Utilities (http://users.erols.com/gmgarner/forensics/)
Imaging Application options: conv=noerror
Imaging Results: 9767003+0 records in, 9767520+0 records out (517 'Permission denied' errors)

mmls says:
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
$ /sleuthkit/sleuthkit/bin/mmls -v -t dos -i raw /cygdrive/g/SP/2006/2006-027/hdd/2006-027-01.img
img_open: Type: raw NumImg: 1
  Img1: /cygdrive/g/SP/2006/2006-027/hdd/2006-027-01.img
dos_load_prim: Table Sector: 0
raw_read_random: byte offset: 0 len: 512
load_pri:0:0 Start: 63 Size: 78124977 Type: 7
load_pri:0:1 Start: 0 Size: 0 Type: 0
load_pri:0:2 Start: 0 Size: 0 Type: 0
load_pri:0:3 Start: 0 Size: 0 Type: 0
DOS Partition Table
Offset Sector: 0
Units are in 512-byte sectors

     Slot    Start        End          Length       Description
00:  -----   0000000000   0000000000   0000000001   Primary Table (#0)
01:  -----   0000000001   0000000062   0000000062   Unallocated
02:  00:00   0000000063   0078125039   0078124977   NTFS (0x07)
03:  -----   0078125040   0078140159   0000015120   Unallocated
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

Second image information --
Pointsec status: disk encrypted
Hard disk read / write: hardware write block
Host OS: cygwin 1.5.21(0.156/4/2) on Windows 2003 Server with SP1
Imaging Application: GNU ddrescue (http://www.gnu.org/software/ddrescue/ddrescue.html)
Imaging Application options: -r 8 -v
Imaging Results: rescued 40006 MB, errsize 1570 kB, errors 3068

mmls says:
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
$ /sleuthkit/sleuthkit/bin/mmls -v -t dos -i raw /cygdrive/g/SP/2006/2006-027/hdd/2006-027-02.img
img_open: Type: raw NumImg: 1
  Img1: /cygdrive/g/SP/2006/2006-027/hdd/2006-027-02.img
dos_load_prim: Table Sector: 0
raw_read_random: byte offset: 0 len: 512
Invalid magic value (File is not a DOS partition (invalid primary magic) (Sector: 0))
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
$ /sleuthkit/sleuthkit/bin/mmls -v /cygdrive/g/SP/2006/2006-027/hdd/2006-027-02.img
img_open: Type: n/a NumImg: 1
  Img1: /cygdrive/g/SP/2006/2006-027/hdd/2006-027-02.img
Not an AFF/AFD/AFM file
Not an EWF file
dos_load_prim: Table Sector: 0
raw_read_random: byte offset: 0 len: 512
bsd_load_table: Table Sector: 1
raw_read_random: byte offset: 512 len: 512
gpt_load_table: Sector: 0
raw_read_random: byte offset: 0 len: 512
sun_load_table: Trying sector: 0
raw_read_random: byte offset: 0 len: 512
sun_load_table: Trying sector: 1
raw_read_random: byte offset: 512 len: 512
mac_load_table: Sector: 1
raw_read_random: byte offset: 512 len: 512
Cannot determine partiton type
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

Third image information --
Pointsec status: disk decrypted
Host OS: Helix (Knoppix Linux) 1.8 from 10/06/2006 (http://www.e-fense.com/helix/index.php)
Hard disk read / write: software read only
Imaging Application: dd_rescue by Kurt Garloff (http://www.garloff.de/kurt/linux/ddrescue/)
Imaging Results: ipos 39062488.5k, opos 39062488.5k, xferd 39062488.5k, errs 0

mmls says:
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
$ /sleuthkit/sleuthkit/bin/mmls -v -t dos -i raw /cygdrive/g/SP/2006/2006-027/hdd/2006-027-03.img
img_open: Type: raw NumImg: 1
  Img1: /cygdrive/g/SP/2006/2006-027/hdd/2006-027-03.img
dos_load_prim: Table Sector: 0
raw_read_random: byte offset: 0 len: 512
load_pri:0:0 Start: 3896685812 Size: 3296919557 Type: 81
Starting sector 3896685812 too large for image
Invalid sector address (dos_load_prim_table: Starting sector too large for image)
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
$ /sleuthkit/sleuthkit/bin/mmls -v /cygdrive/g/SP/2006/2006-027/hdd/2006-027-03.img
img_open: Type: n/a NumImg: 1
  Img1: /cygdrive/g/SP/2006/2006-027/hdd/2006-027-03.img
Not an AFF/AFD/AFM file
Not an EWF file
dos_load_prim: Table Sector: 0
raw_read_random: byte offset: 0 len: 512
dos_load_prim_table: Testing FAT/NTFS conditions
bsd_load_table: Table Sector: 1
raw_read_random: byte offset: 512 len: 512
gpt_load_table: Sector: 0
raw_read_random: byte offset: 0 len: 512
sun_load_table: Trying sector: 0
raw_read_random: byte offset: 0 len: 512
sun_load_table: Trying sector: 1
raw_read_random: byte offset: 512 len: 512
mac_load_table: Sector: 1
raw_read_random: byte offset: 512 len: 512
Cannot determine partiton type
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

Hexedits of the 3rd (supposedly decrypted) image turn up confusing results, such as large sections of disk that just say 'PROTECT Sector #{some number}' and then a bunch of dashes. The 1st and 2nd images don't have anything that resembles legible text (i.e. 'strings' turns up only gibberish).

Since the 1st and 2nd images were created with lots of errors, I booted the system off of a SpinRite 6.0 CD (http://grc.com) and let it run a repair over the weekend. It found absolutely no problems at all. I used the CTRL+F10 method to let SpinRite get to the decrypted hard disk drive, but I have no idea if it really makes a difference.

Incidentally, I gave up on performing a true forensic analysis since my time is running out. The OS running on the laptop is Windows XP with SP1 and it boots up just fine with no errors at all.

Any expertise would be appreciated in this area. If there are requests for me to perform some additional tasks, let me know. Corp Sec is willing to let me keep the system to figure this out as long as I give them copies of what they are looking for.

Thanks!
-Jason
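The three mmls results above fall into three distinct failure classes: a sector 0 without the 0x55AA signature (second image), a signed table whose entry points past the end of the image (third image), and an image that parses but whose contents are still ciphertext (first image). The script below is an added example, not part of the thread or of The Sleuth Kit; it re-implements the DOS partition-table check that `mmls -t dos` performs, validates each entry against the image size, and adds a byte-entropy sample so an examiner can tell "still encrypted" from "decrypted but with a damaged table" before spending time in a hex editor. The three sample images are constructed in the script (the third one copies the start/size values from the thread's third mmls run); `PROTECT Sector` is counted only because the poster reported seeing it.

```python
"""Pre-flight checks on a raw disk image before handing it to mmls/fls.
Added example for the thread above; not TSK code. The sample images are
constructed here so the script runs offline."""
import hashlib
import math
import struct
from collections import Counter

SECTOR = 512
MBR_SIGNATURE = b"\x55\xAA"

def parse_dos_table(sector0):
    """Return the four primary entries from sector 0, or None when the 0x55AA
    signature is absent (the 'invalid primary magic' condition mmls reports)."""
    if len(sector0) < SECTOR or sector0[510:512] != MBR_SIGNATURE:
        return None
    entries = []
    for slot in range(4):
        raw = sector0[446 + 16 * slot: 446 + 16 * (slot + 1)]
        # boot flag, CHS start (skipped), type, CHS end (skipped), LBA start, size
        boot, ptype, start, size = struct.unpack_from("<B3xB3xII", raw)
        entries.append({"slot": slot, "bootable": boot == 0x80,
                        "type": ptype, "start": start, "size": size})
    return entries

def shannon_entropy(data):
    """Bits per byte: close to 8.0 for ciphertext, far lower for a real file system."""
    n = len(data)
    if n == 0:
        return 0.0
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())

def sample_entropy(data, samples=32, window=4096):
    """Mean entropy over evenly spaced windows so a large image is not read in full."""
    n = len(data)
    if n <= window:
        return shannon_entropy(data)
    step = max((n - window) // samples, 1)
    chunks = [data[off:off + window] for off in range(0, n - window + 1, step)][:samples]
    return sum(shannon_entropy(c) for c in chunks) / len(chunks)

def assess_image(data, entropy_threshold=7.5):
    """Classify the image: bad signature, entry beyond image, or still ciphertext."""
    total = len(data) // SECTOR
    table = parse_dos_table(data[:SECTOR])
    report = {"sectors": total, "mbr_valid": table is not None,
              "partitions": [], "problems": [],
              "entropy": round(sample_entropy(data), 2),
              "protect_markers": data.count(b"PROTECT Sector")}  # pattern the poster saw
    report["looks_encrypted"] = report["entropy"] >= entropy_threshold
    if table is None:
        report["problems"].append("sector 0 lacks 0x55AA signature (mmls: invalid primary magic)")
    else:
        for e in table:
            if e["type"] == 0 and e["size"] == 0:
                continue  # empty slot
            report["partitions"].append(e)
            if e["start"] >= total or e["start"] + e["size"] > total:
                report["problems"].append(
                    f"slot {e['slot']}: start {e['start']} size {e['size']} "
                    f"exceeds image of {total} sectors")
    if report["looks_encrypted"]:
        report["problems"].append("byte entropy near 8 bits: contents are still ciphertext")
    return report

def build_mbr(entries):
    """Constructed sector 0 with the given (type, start, size) primary entries."""
    sector = bytearray(SECTOR)
    for slot, (ptype, start, size) in enumerate(entries):
        struct.pack_into("<B3xB3xII", sector, 446 + 16 * slot,
                         0x80 if slot == 0 else 0, ptype, start, size)
    sector[510:512] = MBR_SIGNATURE
    return bytes(sector)

def constructed_decrypted_image(sectors=4096):
    """Constructed: NTFS entry at sector 63 and low-entropy filler, like image 1's layout."""
    body = (b"NTFS    filler text for the example " * 100)[: (sectors - 1) * SECTOR]
    return build_mbr([(0x07, 63, sectors - 63)]) + body.ljust((sectors - 1) * SECTOR, b"\x00")

def constructed_ciphertext_image(sectors=512):
    """Constructed: deterministic pseudo-random bytes standing in for an encrypted disk."""
    n = sectors * SECTOR
    return b"".join(hashlib.sha256(b"example-seed-%d" % i).digest() for i in range(n // 32))

def constructed_bad_table_image(sectors=4096):
    """Constructed: valid signature but the start/size values from the thread's third run."""
    return build_mbr([(0x81, 3896685812, 3296919557)]) + bytes((sectors - 1) * SECTOR)

if __name__ == "__main__":
    for name, img in (("decrypted", constructed_decrypted_image()),
                      ("ciphertext", constructed_ciphertext_image()),
                      ("bad-table", constructed_bad_table_image())):
        print(name, assess_image(img))
```

Run it against a real image by reading the file (or just its first sector plus sampled windows) instead of the constructed bytes. A high entropy figure with a valid-looking table, as in the first image, means the acquisition succeeded but the volume was never decrypted; a valid signature with an out-of-range entry, as in the third, means the image is worth a closer look at sector 0 and the first few cylinders rather than being discarded as gibberish.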