All times are UTC - 5 hours [ DST ]




 Post subject: HDD locked - Forensic investigation
PostPosted: November 14th, 2014, 9:47 

Joined: November 14th, 2014, 8:49
Posts: 3
Location: South America
Good morning to all, guys! I have an interesting *hard* situation with a notebook, and a little story to share with the community.

First of all, please excuse my bad English...

Here is the equipment data...

L300D-SP5802 PART# PSLC1U-00H006
Hard disk: SSD SV300S37A/120G

I'm the owner of this laptop. It's old, but *very* special to me. 15 days ago it was stolen, but after 10 days, with the help of some remote access software and patience, I caught the thief's public IP. So, after reporting the situation and completing all the bureaucratic part, the cops started their work.

With a court order and a requisition, the cops were able to retrieve the stolen laptop. I'm a systems engineer and have some knowledge of computer forensics, so the cops asked for my collaboration in the investigation, because other items stolen in that burglary are still missing.

Now the cops have given me the laptop to help trace evidence on it, but I have a little, but *hard*, problem at hand:

When I turned on the laptop, it was locked with a password. First of all, I tried attaching the disk to another machine to make a forensic image and start working with it, with no luck. The HDD was locked with a password, so I can't gain access at all.

Investigating on some web pages, I found an interesting solution to the HDD lock problem (in Italian): http://elettrofreak.blogspot.com.ar/2011/02/estrarre-le-password-ata-da-un-hard.html. My idea is to "dump" the HPA's information, then analyze the possibility of decrypting the password, or execute the procedure at that URL... it is a little risky... so first I'll try decryption... or, if I have some luck, find the password in plain text :)

Doing some research about my HDD, I discovered some data about ATA commands for the SandForce controller present in this SSD, attached to this post, but I have some doubts:

First, I *SUPPOSE* Kingston's guys use SF-2281 SandForce controllers customized to their needs, but the HPA's addressing may be the same as on the "original" board... can this be true?

I found the same controller in another datasheet for an SF-2281 board controller: http://www.wintecind.com/OEM/datasheets/WintecSSD-WxSSxxxG1TA-D41x_v1_08.pdf and extracted the HPA's addressing table from it.

Second, I found on your site some directions about reading registers with MHDD, but I'm still learning, and have some doubts about "translating" those HPA addresses into an MHDD script. At this moment, I have this:

reset
waitnbsy
regs = $f8 $ff $00 $00 $00 $e0 $20
;registers from first sector at last in HPA. I write last sector as FF just in case. Is it correct?

waitnbsy
checkdrq
sectorsto = dump.bin

Can you tell me if it's correct? Am I missing something? I'm using MHDD 4.5.

I'll be glad to hear your comments...

Thank you in advance, and best regards to ALL!

DieGO


Attachments:
File comment: HPA SF-2281 addressing table
ScreenHunter_64 Nov. 14 08.23.jpg
File comment: HPA SF-2281 Security addressing
ScreenHunter_63 Nov. 14 08.23.jpg
File comment: Sv300's controller model
ScreenHunter_62 Nov. 14 08.18.jpg
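
Added example, not part of the original post: the lock state that blocked imaging in the post above is reported by the drive itself in its IDENTIFY DEVICE data (word 128 of the ATA Security feature set), so an examiner can confirm it before attempting acquisition. The function names are hypothetical and the 512-byte sample block is constructed rather than captured from the drive in this thread.

```python
import struct

# Word 128 (security status) bit meanings from the ATA Security feature set.
SECURITY_BITS = {0: "supported", 1: "enabled", 2: "locked", 3: "frozen",
                 4: "count_expired", 5: "enhanced_erase_supported"}

def ata_string(words, first, last):
    """ATA strings hold two characters per word, first character in the high byte."""
    raw = b"".join(struct.pack(">H", w) for w in words[first:last + 1])
    return raw.decode("ascii", "replace").strip()

def parse_identify(block):
    """Decode the fields worth checking before imaging from 512 IDENTIFY bytes."""
    if len(block) != 512:
        raise ValueError("IDENTIFY DEVICE data must be exactly 512 bytes")
    words = struct.unpack("<256H", block)      # 256 little-endian 16-bit words
    status = words[128]
    info = {name: bool((status >> bit) & 1) for bit, name in SECURITY_BITS.items()}
    info["level"] = "maximum" if status & 0x0100 else "high"   # bit 8
    info["master_password_id"] = words[92]
    info["model"] = ata_string(words, 27, 46)
    info["hpa_enabled"] = bool(words[85] & 0x0400)             # word 85, bit 10
    return info

def triage(info):
    """Summarise what the security state means for acquisition."""
    if not (info["supported"] and info["enabled"]):
        return "no ATA password set: image normally"
    if not info["locked"]:
        return "password set but unlocked: image before the next power cycle"
    if info["count_expired"]:
        return "locked, attempt counter expired: unlock is refused until power cycle"
    return "locked: media reads abort until SECURITY UNLOCK succeeds"

def build_sample(model, security_word):
    """Constructed IDENTIFY block for the demo (not read from a real drive)."""
    words = [0] * 256
    padded = model.ljust(40).encode("ascii")
    for i in range(20):                        # model string lives in words 27-46
        words[27 + i] = (padded[2 * i] << 8) | padded[2 * i + 1]
    words[82] = words[85] = 0x0400             # constructed: HPA supported and enabled
    words[92] = 0xFFFE                         # constructed master password identifier
    words[128] = security_word
    return struct.pack("<256H", *words)

SAMPLE = build_sample("SV300S37A/120G", 0x0007)  # supported + enabled + locked

if __name__ == "__main__":
    print(triage(parse_identify(SAMPLE)))
```
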
 
 Post subject: Re: HDD locked - Forensic investigation
PostPosted: November 15th, 2014, 12:05 

Joined: November 14th, 2014, 8:49
Posts: 3
Location: South America
Dears, fortunately the HDD has been unlocked with the original password, after the cops asked the thief. Now I'm working on the HDD to find some trace of evidence. Thank you anyway!

Regards!


 
 Post subject: Re: HDD locked - Forensic investigation
PostPosted: November 29th, 2014, 16:30 

Joined: August 11th, 2010, 19:00
Posts: 145
Location: Portugal
good luck :)


 
 Post subject: Re: HDD locked - Forensic investigation
PostPosted: November 29th, 2014, 22:17 

Joined: February 13th, 2010, 9:44
Posts: 208
Location: san diego, ca.
Nice you got in the easy way. Good luck!


 
 Post subject: Re: HDD locked - Forensic investigation
PostPosted: December 1st, 2014, 11:05 

Joined: November 14th, 2014, 8:49
Posts: 3
Location: South America
Thanks guys! Regards!


 
 Post subject: Re: HDD locked - Forensic investigation
PostPosted: February 21st, 2015, 7:48 

Joined: July 2nd, 2014, 8:05
Posts: 201
Great to hear that old school methods still work...

Image

_________________
VISUAL NAND RECONSTRUCTOR. A big revolution in chip-off data recovery


 
 Post subject: Re: HDD locked - Forensic investigation
PostPosted: February 23rd, 2015, 18:33 

Joined: September 27th, 2005, 8:21
Posts: 765
God bless thermorectal cryptanalysis.

_________________
Dmitry


 
 Post subject: Re: HDD locked - Forensic investigation
PostPosted: March 22nd, 2015, 14:37 

Joined: May 5th, 2004, 20:06
Posts: 2782
Location: England
LMAO I guess the KLIZMA is for when it all goes wrong?

_________________
All went well until I plugged the drive in.


 
 Post subject: Re: HDD locked - Forensic investigation
PostPosted: March 24th, 2015, 14:37 

Joined: January 15th, 2008, 11:06
Posts: 1418
Location: Providence, RI. Boston, MA USA
:lol: KLIZMA is used to clean some room for new ideas :lol: Lager once used for large ideas :wink:

_________________
www.datarecoveryne.com

