Help About Encrypted Disc

[datarikaviri]

Hello everybody

I have a case which is most probably encrypted. But I couldn't found algorithm or encryption software. But there are some interesting clues about algorithm.
First there is no valid MBR on first sector. But there is a sign before partition definition area (BF 92 FE 57). Second: every first bytes of all lines are in a sequence and it is repeating itself on every two sectors. If you look at pictures which I have attached you can see what I want to tell. This is same for whole disc.

I have calculated some part of disc data's entropy and it is above 7.9999+. So disk is encrypted most probably.

Do anybody have any knowledge about fully encrypted discs and signatures about some different encryption softwares. Any information can help me.
Thank you for your replies.

Attachments

Ekran Alıntısı2.JPG (129.8 KiB) Viewed 19391 times

[fzabkar]

It would be better if you uploaded a BIN file.

Sector 0 does indeed have MBR code of some type, but the partition table is empty. Is that what you meant to say?

As for entropy, ISTM that it could be quite low, but we would need to see all the data to be sure. In your example, each group of 4 bytes can be derived from the previous group by adding 0x50 to each byte. If that's encryption, then it is very strange.

Code:

03  B7  AB  DF

+50 +50 +50 +50

53  07  FB  2F

A3  57  4B  7F
F3  A7  9B  CF
43  F7  EB  1F
93  47  3B  6F
...
13  C7  BB  EF

[shubhsinghal]

Hello everybody

I have a case which is most probably encrypted. But I couldn't found algorithm or encryption software. But there are some interesting clues about algorithm.
First there is no valid MBR on first sector. But there is a sign before partition definition area (BF 92 FE 57). Second: every first bytes of all lines are in a sequence and it is repeating itself on every two sectors. If you look at pictures which I have attached you can see what I want to tell. This is same for whole disc.

I have calculated some part of disc data's entropy and it is above 7.9999+. So disk is encrypted most probably.

Do anybody have any knowledge about fully encrypted discs and signatures about some different encryption softwares. Any information can help me.
Thank you for your replies.

Ekran Alıntısı.JPG

Can you share case details in brief?

[datarikaviri]

Hello again and thanks for your replies.

Yes fzabkar you understand me correctly about MBR. It does'nt have any partition table.

I have examined image deeply and I have found that disk data is repeating itself in every 4 MB. do you have any idea about this? I think someone filled drive with some random data maybe.

[fzabkar]

I couldn't find a match for the MBR code at the following site:

https://thestarman.pcministry.com/asm/mbr/index.html

This leads me to suspect that the MBR code is not Microsoft code. Are you able to disassemble it? (I probably could, but I have other things to do ATM.)

If you compress the drive's image, does it shrink to a very small size? ISTM that it should, given that the data repeat at 4MB intervals.

In any case, ISTM that there is no data to be recovered. Otherwise, could you be witnessing a weird firmware problem where the drive is returning garbage (I don't think so) ???

[datarikaviri]

I think we dont need to compress data to be sure data is repeating itself. I have divided image to 4MB parts. Then calculated hash values and I am sure data is repeating itself because hash values are same. Actually there are just 4 different hash values in 110000+ files which are same size.

[pcimage]

Is this an SSD or a mechanical drive?

[datarikaviri]

Is this an SSD or a mechanical drive?

This is mechanical drive.

[pcimage]

Ok, in that case there can be little doubt the data has been wiped out

If the “data” is indeed repeating itself byte-for-byte every 4Mb then it’s not real data, something (or someone) must have overwritten the drive with this repeating data set. Either that or some obscure FW bug, but I doubt that very much.