
HDD locked - Forensic investigation

November 14th, 2014, 9:47

Good morning to all, guys!... I have an interesting *hard* situation with a notebook, and a little story to share with the community.

First of all, please excuse my bad English...

Here is the equipment data...

L300D-SP5802 PART# PSLC1U-00H006
Hard disk: SSD SV300S37A/120G

I'm the owner of this lap. It's old, but *very* special to me. 15 days ago it was stolen, but after 10 days, with the help of some remote access software and patience, I caught the thief's public IP. So, after reporting the situation and completing all the bureaucratic part, the cops started their work.

With a court order and a requisition, the cops were able to retrieve the stolen lap. I'm a systems engineer and have some knowledge of computer forensics, so the cops asked for my collaboration in the investigation, because other items stolen in that burglary are still missing.

Now the cops have given me the laptop to help trace evidence on it, but there is a little, but *hard*, problem at hand:

When I turned on the lap, it was locked with a password. First of all, I tried to attach the disk to another machine to make a forensic image and start working with it, with no luck. The HDD was locked with a password, so I can't gain access at all.

Investigating on some web pages, I found an interesting solution to the HDD lock problem (in Italian): http://elettrofreak.blogspot.com.ar/2011/02/estrarre-le-password-ata-da-un-hard.html. My idea is to "dump" the HPA's information, then analyze the possibility of decrypting the password, or execute the procedure at that URL... it is a little risky... so first I'll try decryption... or, if I have some luck, find the password in plain text :)

Doing some research about my HDD, I discovered some data about ATA commands for the SandForce controller present in this SSD, attached to this post, but I have some doubts:

First, I *SUPPOSE* Kingston's guys use SF-2281 SandForce controllers customized to their needs, but the HPA's addressing may be the same as on the "original" board... can this be true?

I found the same controller in another datasheet for an SF-2281 board controller: http://www.wintecind.com/OEM/datasheets/WintecSSD-WxSSxxxG1TA-D41x_v1_08.pdf and extracted the HPA's addressing table from it.

Second, I found on your site some directions about reading registers with MHDD, but I'm still learning, and have some doubts about "translating" those HPA addresses into an MHDD script. At this moment, I have this:

reset
waitnbsy
regs = $f8 $ff $00 $00 $00 $e0 $20
;registers from first sector at last in HPA. I write last sector as FF just in case. Is it correct?

waitnbsy
checkdrq
sectorsto = dump.bin

Can you tell me if it's correct? Am I missing something? I'm using MHDD 4.5

I'll be glad to hear your comments...

Thank you in advance, and best regards to ALL!

DieGO
Attachments
ScreenHunter_64 Nov. 14 08.23.jpg
HPA SF-2281 addressing table
ScreenHunter_63 Nov. 14 08.23.jpg
HPA SF-2281 Security addressing
ScreenHunter_62 Nov. 14 08.18.jpg
Sv300's controller model
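
Added example, not part of the original post or of any tool mentioned in it: before imaging a drive like the one described above, an examiner can confirm the ATA security state from the drive's IDENTIFY DEVICE data (word 128 is the security status word, word 92 the master password identifier). The sketch assumes the raw 512-byte IDENTIFY block has already been captured; the function names and the sample block are constructed for illustration.

```python
import struct

# Bits of IDENTIFY DEVICE word 128 (ATA security status).
SEC_BITS = {0: "supported", 1: "enabled", 2: "locked", 3: "frozen",
            4: "count_expired", 5: "enhanced_erase_supported"}

def identify_word(block, n):
    """Return 16-bit word n of a raw 512-byte IDENTIFY DEVICE block."""
    if len(block) != 512:
        raise ValueError("IDENTIFY DEVICE data must be exactly 512 bytes")
    return struct.unpack_from("<H", block, n * 2)[0]

def security_state(block):
    """Decode the security feature set state reported by the drive."""
    w = identify_word(block, 128)
    state = {name: bool(w >> bit & 1) for bit, name in SEC_BITS.items()}
    # Bit 8: master password capability, 0 = High, 1 = Maximum.
    state["master_level"] = "maximum" if w & 0x100 else "high"
    # Word 92: master password identifier (0xFFFE is the factory value).
    state["master_password_id"] = identify_word(block, 92)
    return state

def imaging_note(state):
    """One-line note for the acquisition log, based on the decoded state."""
    if not state["supported"]:
        return "no ATA security feature set: image normally"
    if state["locked"]:
        if state["count_expired"]:
            return ("locked, unlock attempt counter expired: "
                    "unlock commands abort until the drive is power-cycled")
        return "locked: reads of user data abort until the drive is unlocked"
    if state["enabled"]:
        return "password set but unlocked: image now, drive relocks at power-on"
    return "security not enabled: image normally"

def build_sample(word128, word92=0xFFFE):
    """Constructed IDENTIFY block with only words 92 and 128 populated."""
    words = [0] * 256
    words[92], words[128] = word92, word128
    return struct.pack("<256H", *words)

if __name__ == "__main__":
    st = security_state(build_sample(0x0007))  # supported + enabled + locked
    print(st)
    print(imaging_note(st))
```
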

Re: HDD locked - Forensic investigation

November 15th, 2014, 12:05

Dears, fortunately the HDD has been unlocked with the original password, after the cops asked the thief. Now I'm working on the HDD to find some trace of evidence. Thank you anyway!

Regards!

Re: HDD locked - Forensic investigation

November 29th, 2014, 16:30

good luck :)

Re: HDD locked - Forensic investigation

November 29th, 2014, 22:17

Nice that you got in the easy way. Good luck!

Re: HDD locked - Forensic investigation

December 1st, 2014, 11:05

Thanks guys! Regards!

Re: HDD locked - Forensic investigation

February 21st, 2015, 7:48

Great to hear that old school methods still work...


Re: HDD locked - Forensic investigation

February 23rd, 2015, 18:33

God bless thermorectal cryptanalysis.

Re: HDD locked - Forensic investigation

March 22nd, 2015, 14:37

LMAO I guess the KLIZMA is for when it all goes wrong?

Re: HDD locked - Forensic investigation

March 24th, 2015, 14:37

:lol: KLIZMA is used to clean some room for new ideas :lol: Lager once used for large ideas :wink: