Hello,

A WD Passport Studio 1 TB drive (for MAC with FW ports) was used for a good time without any password set.
The guy who used the drive bought a new Mac without firewire ports - so he decided to also buy a standard USB 2.0 box for the WD disk. He opened the Passport box and moved the drive to the standard box. After that he connected the drive to his new mac and guess what - he formatted it with HFS+ since a popup asked to do so.

Now the disk sits in front of my for recovery... All utilities I know of find only the newly created HFS+ Partition and a deep search returns nothing - that made me thinking and I found out that the WD My Passport SATA to FireWire PCB might have some nasty hardware encryption chip on it.

The PCB might still exist but is a few 100 miles away... Before I tell the guy bring me the PCB I wanted to know if the encryption key is stored within a small (flash) chip on the PCB or if encryption key is stored somewhere on the disk itself and any identical SATA to FW "My Passport Studio PCB" could do the decryption? The disk itself is a standard SATA WD 2.5" 1TB drive (blue).

If the key, which is NOT protected by any password, resides on the disk - are there also some tools which could do the decryption? Which sector(s) would contain the key? - So I could check whether the key is still on the disk or if it got overwritten with EFI-Partition data...

thanks for helping out!
regards,
Darky

http://www.pcadvisor.co.uk/reviews/pc-p ... tb-review/





It would be easier to get the original casing or a similar casing and try recovering the data

a similar situation discussed here.
book-recovery-t24419.html

Hi,

thanks for the reply. If a casing of the same kind would work, then the decryption key will reside on the disk itself.
Is it known in which sector(s) the key is actually stored? Or which signature preceeds the key?

regards,

Darky

You'll never know how many thieves would like to know something more about this kind of things....

What has this to do with thieves? The thieve could always purchase a similiar casing and read the data back if the key is not protected by a password. If the key is protected the thiev has next no chance to get the data, since he doesn't know the password to decrypt the key.

Encryption normally works like this. A Password decrypts the Encryption Key which then decrypts the data. If you change the password for the key only the key itself is rewritten to the disk. This means that changing a password does force the whole drive (each sector) to be reencrypted.

This is also some kind of attack vector against large crypto containers. If I give you a TrueCrypt file to which I know the password (and keep myself a copy). You mount the file, change the password, change contents and give me the file back, I just could swap the TrueCrypt headers and read back all the data

Since there is no software (at least to my knowledge) that emulates the WD crypt chip-algo (although it could be writte if someone know the exact algo), I want to check if the key still resides on the disk or if it got overwritte by repartitioning the drive outside the enclosure.

regards,
Daryk

A-ha



So one size fits all ?



Horses and zebras and donkeys are all equine , but they are not exactly the same thing. If it was like that on your WD you had the solution.

Do you suggest I stole the drive?!

I know that the key is not protected by a password since the person to which the drive belongs sits right next to me. The problem is (as I described in my initial post) that the logic board sits across the country and booking flights over the holiday season is a PITA.




Of course there are different approaches - but I have a degree in computer science and I know my way around in cryptography. And the basics are always the same or they are pseudo-solutions that don't really protect your data.


[/quote]
What has that to do with a solution. I was just explaining what the difference between a password and the key itself is. I just thought I needed to explain that to you, but then again I beleive you have information on the topic than you are willing to share what is a pitty.

regards,
Darky

I just looked deeper through the forum and found this thread for-those-who-had-doubt-smartware-solution-t21584-20.html

Is WD really serious? Again we are not affected by a smartware password but the solution wd chose looks shady!

Hmm the edit function seems to disappear after a certain amount of time:
I also found this thread - unlock-book-essential-t19408.html
Said sector is zeroed empty on my drive - maybe the overall sector count on my drive and the drive mentioned in the linked thread is different but sector 1953517576 points to a 1 TB drive.

I'll just run a Hex search on the image of the disc for the magic 0x57 0x44 0x01 0x14 over the last portion of the disk.

That's the best option to try for you

_________________
SAN, NAS, RAID, Server, and HDD Data Recovery.

Your best bet is to get the original PCB.

_________________
http://www.datasaversllc.com

Well, not so important really, but even with it too hard to do close to impossible for him = dead end @ the end.

and wish u good luck

_________________
Kuwait Data Recovery - UNIX GTC
The only reason for time is so that everything doesn't happen at once. By: Albert Einstein

Hello,

thanks for your replys.

I went out and bought 2 new disks of the same kind for experimenting with them. Thank god the enclosure is really easy to disassmble - not like those plastic cases...

Right now die logic board sits in front of me and I got:
1x OXUF943SE-LQCG (FW800 (IEEE1394b) & USB2.0 to SATA Controller with Encryption, Pb-free 100-pin LQFP)
1x LSI L-FW843-07 (Don't know what it exactly does, maybe it's for the firewire daisy chaining or whatever)
1x Winbond W25X10BL (Flash...)

I also took a look at the on disk structure of one of the new bought Disks - Didn't find the "magic" at sector 1953517576 there either (or in close proximity).

There are a few sectors at the very end of the disk that have some unencrypted content but they actually don't look like as if there was a key stored (no it's not the VCD area)

Since there is a flash chip on the logic board my guess is that the key is stored within the chip - maybe a backup resides within the SA of the disk. Just out of curiosity are there any real freeware tools to look into the SA of disks or is just the commercial stuff like pc3000 etc? I'll admit that retreiving the key out of the disks SA and flashing it back to the winbond chip (mainly this) might be beyond my capabilities.


What's next:
- I'll Image both new bought disks to preserve theire factory defaults (w/o logic board, with tableau write blocking solution attached).
- I'll copy some files to one of those disks with the original logic board attached
- I'll attach the other logic board and compare the results. (Correct decryption yes/no)

If the disk decrypts correctly:
- Both disks either have the same decryption key (doubt that)
- The key is somewhere on the disk where I didn't find it.
- The logic board can read the key from the disks Bios/SA

If the disk doesn't decrypt:
- The key is stored within the flash chip...

What would mean we'd have to get the orignal PCB...

bye
Darky

Udate:

I've stripped down both new disks sets (logic board / disk). Let's call those sets blue and green.

Green disk works with green logic board
Green disk works with blue logic board

Are you serious WD? Basically this means that both disks have the same encryption key.

Although the setback is, that the disk that I want to rescue gets not correctly decrypted by the logic board. So I guess WD only changes the key every week or so - or it depends on FAB or whatever. So I guess I'll have im fetch the old logic board.

bye
Darky

On WD My Book Essentials & My Passport Essentials the encryption key is on the hard drive platters not the PCB.
I have not looked at a Studio yet to confirm if it the same.



Loki

Logically thinking if your hoping to connect it to the original pcb & that it will decrypt it - it wont, the pcb encrypts the data on the fly but as the user has taken the drive out & formatted it whilst connected directly this has changed sectors on the platters. If you then reattach it to the pcb the partition that it did read when connected directly will look like gibberish when connected via the pcb as it will use the decryption key.
Only option I see is to connect it up to the pcb & then run R-Studo to scan & see if it can do a RAW recovery.

Loki

No, its not.



You forgot to count: the key can be present somewhere in user area and in flash chip in a same time.
.... And it can be updated/destroyed itself after some unprofessional attemts.

_________________
Angel Data Recovery

Oh, so your drive was firewire, with encryption? You need original board back to decrypt the data, the key is in the flash for those. You will need to deal with reformatted partition, as well

_________________
SAN, NAS, RAID, Server, and HDD Data Recovery.

Doubt that, but who knows
Personally, I've never seen the same key on two firewire boards, even on the drive from the same batch
We can easily check that, you just need to dump encrypted LBA0 from both drives and post it here. LBA0 usually contains partition table, so information should be similar/same on both drives. If encrypted versions look different then the keys are different too

_________________
SAN, NAS, RAID, Server, and HDD Data Recovery.

He did that suggestion just because the primary hashed-key for this drives stored the same way as for symwave boards in the user area. Thats why he was able to decrypt both donors-drives with not original firewire-usb-boards.
For the patient drive , key-sector has been overwritten , thats why trick didn't work for him. But he still have a chance to restore it using second location.

_________________
Angel Data Recovery