All times are UTC - 5 hours [ DST ]




Post new topic Reply to topic  [ 31 posts ]  Go to page Previous  1, 2
Author Message
 Post subject: Re: WD Passport Studio 1 TB recovery issues due to encryptio
PostPosted: December 24th, 2012, 21:53 
Offline

Joined: February 10th, 2012, 2:34
Posts: 8
Location: USA, USA
http://www.youtube.com/watch?v=gXe7Tyc1JvE

einstein9 can get around the password even if it is set with password, no problem. Well he says it works 8/10 tries something like that. You have to send your drive to the middle east though.


Top
 Profile  
 
 Post subject: Re: WD Passport Studio 1 TB recovery issues due to encryptio
PostPosted: December 25th, 2012, 4:12 
Offline
User avatar

Joined: May 13th, 2010, 11:17
Posts: 2797
Location: Kuwait
OBESEJESUS wrote:
http://www.youtube.com/watch?v=gXe7Tyc1JvE

einstein9 can get around the password even if it is set with password, no problem. Well he says it works 8/10 tries something like that. You have to send your drive to the middle east though.


Well, sorry to disappoint you here, but its LIMITED only for the OFFICIAL FORENSIC CASES

and i do agree with Dr.kiev (last post)

it is not as easy as it looks.

good luck

_________________
Kuwait Data Recovery - UNIX GTC
The only reason for time is so that everything doesn't happen at once. By: Albert Einstein


Top
 Profile  
 
 Post subject: Re: WD Passport Studio 1 TB recovery issues due to encryptio
PostPosted: December 25th, 2012, 8:48 
Offline

Joined: December 22nd, 2012, 20:25
Posts: 12
Location: Germany
Hello,

thanks for your helpful comments - some updates on my side:

You were right: Both donor keys are different since their LBA0's don't match - and the encrypted pattern for "0x00 0x00 etc." is also different.
So the "wrong" logic board retreives the right key from somewhere on the disk.

I compared the sector count for the donor drive with and without the logic board attached. As somewhere else mentioned, with the logic board attached there is only the user formatted area visble (sectors 0-1953458175). Without the logic board I also see the VCD area and the some stuff beyond.

Since the key for the disk won't be stored within the user area (everything there is subject to be overwritten). My guess is that the key resides beyond sector 1953458175. So I filled all remaining bytes with 0xFF and attached the drive to the "wrong" logic board. The strange thing is, it could still decrypt the drive! So I took another view at the drive w/o the logic board attached and compared sectors 1953458175 to my 0xFF template. The logic board apprently "restored" 5 sectors. Those have the headers: "wdRT (2 sectors long), wdMP, wdMP (copy of first wdMP), "wdDI".

So the logic board somehow retreives the correct key from the disk - but apprently not from the sectors beyond the user area. Storing the key within the user-area makes no sense because all data there can be overwritten with documents/music/pictures [...]. Maybe the logic board can read the key from the disks SA.

My next steps will be to check if both logic boards recreate those "wd"-sectors always with the same information.

bye
Darky


Top
 Profile  
 
 Post subject: Re: WD Passport Studio 1 TB recovery issues due to encryptio
PostPosted: December 27th, 2012, 14:06 
Offline

Joined: December 22nd, 2012, 20:25
Posts: 12
Location: Germany
Hello,

finally I figured it out...

The key is stored within a Sector at the end of the disk (beyond the VCD area) with a Signature of "SInE". This sector is stored there twice (only a few sectors between those two).

So I had 2 disk sets (green disk and gree PCB, blue disk and blue PCB) of the same kind to experiment with.

First I attached the green disk to the green PCB which resulted in a succesful decrypt - as it should be.
Then I attached the green disk at the blue PCB which also resulted in a succesful decrypt, since the logic board apprently compares the key on the disk with the key stored in its flash. If the key on the disk is different then the board copies the key to its flash (so be careful what you are doing!!)

So I unintentionally flashed the blue board with the green key. (Didn't know this at that time).

I then deleted the "hidden area" after sector 1953458175 and wondered why the blue board still could decrypt my data... This was because I flashed it with the green key.

To undo my doings I reattached the blue disk to the blue board to reflash the blue PCB with the blue key.
Then I reattached the green disk (with the key still deleted from the disk) to the blue PCB and it couldn't decrypt the disk anymore!

Also from my client's drive the two "SInE" sectors are gone - but luckily the PCB is currently on its way to my lab.

If the PCB isn't retreivable anymore, reconstructing the "SInE" sector seems easy once you have the key, which is, according to some other thread in this forum, backed up within the SA of the disk.

Reconstructing the "SInE" sectors once you retrieved the correct key seems pretty easy using a template SInE-sector.

Hopfully this information helps some other ppl and also serves as a warning, if the PCB is the last "good" and "easy2access" location for your key, don't attach to random drives with other keys since it will be overwritten!

This also makes me think - if the key is actually stored within the SA of the disk, and the User sets a password for the disk which probably encrypts the SInE sector and the key in the PCB's flash (hadn't time to actually try that). If you retreive the key from the disk's SA and rebuild the original SInE your data shouldn't be protected by a password anymore... Guess I'll have to invest in some PC3k hardware to take some more looks into this matter - looks interesting :mrgreen: - also from a forensic perspective.

bye,
Darky


Top
 Profile  
 
 Post subject: Re: WD Passport Studio 1 TB recovery issues due to encryptio
PostPosted: December 27th, 2012, 14:22 
Offline
User avatar

Joined: September 29th, 2005, 12:02
Posts: 3564
Location: Chicago
Dark-Sider wrote:
If you retreive the key from the disk's SA and rebuild the original SInE your data shouldn't be protected by a password anymore...

When you set a password all copies get updated

_________________
SAN, NAS, RAID, Server, and HDD Data Recovery.


Top
 Profile  
 
 Post subject: Re: WD Passport Studio 1 TB recovery issues due to encryptio
PostPosted: December 27th, 2012, 14:30 
Offline

Joined: December 22nd, 2012, 20:25
Posts: 12
Location: Germany
Hi,

Doomer wrote:
Dark-Sider wrote:
If you retreive the key from the disk's SA and rebuild the original SInE your data shouldn't be protected by a password anymore...

When you set a password all copies get updated


that would mean, that the PCB can write to the disks SA?! - If it can write there why isn't it setup so it also reads the key from this area but instead it relys on keys stored at the end of the HDD or inside the flash.

Ok, this makes the data robust against imaging and restoring it to another similiar drive since a normal person can't image / restore the SA.

regards,
Darky


Top
 Profile  
 
 Post subject: Re: WD Passport Studio 1 TB recovery issues due to encryptio
PostPosted: December 27th, 2012, 14:30 
Offline
User avatar

Joined: September 29th, 2005, 12:02
Posts: 3564
Location: Chicago
About your drive and "SInE" sector
Maybe your drive never had one
Adding the key into the sector is recent feature for FireWire drives
I have bunch of FireWire drives from 2011 - they don't have a copy of the key in sectors
The only copy was in the flash

_________________
SAN, NAS, RAID, Server, and HDD Data Recovery.


Last edited by Doomer on December 27th, 2012, 14:37, edited 2 times in total.

Top
 Profile  
 
 Post subject: Re: WD Passport Studio 1 TB recovery issues due to encryptio
PostPosted: December 27th, 2012, 14:31 
Offline
User avatar

Joined: September 29th, 2005, 12:02
Posts: 3564
Location: Chicago
Dark-Sider wrote:
that would mean, that the PCB can write to the disks SA?! - If it can write there why isn't it setup so it also reads the key from this area but instead it relys on keys stored at the end of the HDD or inside the flash.

it's secondary option I guess
IDK why it wouldn't

_________________
SAN, NAS, RAID, Server, and HDD Data Recovery.


Top
 Profile  
 
 Post subject: Re: WD Passport Studio 1 TB recovery issues due to encryptio
PostPosted: December 27th, 2012, 14:40 
Offline

Joined: December 22nd, 2012, 20:25
Posts: 12
Location: Germany
Doomer wrote:
About your drive and "SInE" sector
Maybe your drive never had one
Adding the key into the sector is recent feature for FireWire drives
I have bunch of FireWire drives from 2011 - they don't have a copy of the key in sectors
The only copy was in the flash


Thanks! very helpful piece of information!

My guess is, that one should avoid those encrypting drives if you don't need the encryption feature it just makes recovery more painful.


Top
 Profile  
 
 Post subject: Re: WD Passport Studio 1 TB recovery issues due to encryptio
PostPosted: December 27th, 2012, 14:54 
Offline
User avatar

Joined: September 29th, 2005, 12:02
Posts: 3564
Location: Chicago
Dark-Sider wrote:
My guess is, that one should avoid those encrypting drives if you don't need the encryption feature it just makes recovery more painful.

People don't know what they have until the drive stops working

_________________
SAN, NAS, RAID, Server, and HDD Data Recovery.


Top
 Profile  
 
 Post subject: Re: WD Passport Studio 1 TB recovery issues due to encryptio
PostPosted: December 28th, 2012, 8:51 
Offline
User avatar

Joined: May 13th, 2010, 11:17
Posts: 2797
Location: Kuwait
Doomer wrote:
Dark-Sider wrote:
My guess is, that one should avoid those encrypting drives if you don't need the encryption feature it just makes recovery more painful.

Quote:
People don't know what they have until the drive stops working


+1 100% Agree with you here
99.9% of them think its just a regular password which can be resets using Freeware/Open Source bootable CDs as win pass.

hehe

good luck with your R n D.

_________________
Kuwait Data Recovery - UNIX GTC
The only reason for time is so that everything doesn't happen at once. By: Albert Einstein


Top
 Profile  
 
Display posts from previous:  Sort by  
Post new topic Reply to topic  [ 31 posts ]  Go to page Previous  1, 2

All times are UTC - 5 hours [ DST ]


Who is online

Users browsing this forum: No registered users and 4 guests


You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot post attachments in this forum

Search for:
Jump to:  
Powered by phpBB © 2000, 2002, 2005, 2007 phpBB Group