34 replies to this topic

[was_jaclaz]

Well noone is off-track here, we are simply on different tracks, talking of two different things.

I was talking specifically of Safeboot, you are talking "generally".

I am pretty sure that on "my" track, the specific Safeboot 4.2 issue which is the actual problem of the OP, your approach won't work, but as always I may be wrong .

So it's easy: you just get a safeboot 4.2 encrypted disk, and you unencrypt it with any of your proposed methods.

Once you will have done it, we will be again on the same track, and you will have helped the OP.

It would be nice, however, if you could re-read your post #13
http://www.boot-land...?...=9297&st=12

And answer the question I asked on post #14:
http://www.boot-land...?...=9297&st=13

Which I will re-phrase for your convenience:
How can the OP make use of the referenced guide and "tech" disks, as you suggested, to unencrypt the drive?

A couple documents you may want to completely avoid reading:
http://www.headtechn...Admin_Guide.pdf
http://www.headtechn...Admin_Guide.pdf



jaclaz

[joakim]

Post 13 & 14 is about encryption removal, for which you need the "Authorisation Code", and as you already have referenced the answer to. Encryption removal is NOT the same as booting an OS in decrypted form. However, it is possible to achieve the same following what I already have described.

It is very important to keep in mind and I'll quote myself in the referenced link

Since this highly depends on how up to date patching is,...

, that this MAY be a workaround but definitely NOT a guaranteed solution.

I repeat myself again; it is a workaround that can let you get an unencrypted copy of your system, and most importantly then, for which you also can (as mentioned in post 25) either 1) create a vm of it, 2) mount image and do whatever to whatever file on it, or 3) restore image back to the physical machine and enjoy unencrypted disk.

This WORKAROUND is therefore NOT the same as directly removing encryption from the disk using the SafeDisk supplied tools.

Thank you for the link to the admin guide. Take a look at page 123 in DE_Admin_Guide.pdf, it says;

SafeBoot boot screen collects the users ID, and looks up the correct token type to perform the authentication. The user is then prompted for a password and a local authentication by cryptographically validating the user’s password using PKCS-5 is performed. If this passes, the SafeBoot boot code starts the transparent hard drive decryption process, loads the original MBR and executes it.

If you're still in doubt, you should try opening the physical disk with a hex editor from within the booted OS. Do you see encrypted garbage or a filesystem with files on?

Therefore you have to connect to the central server only if encryption removal is to be done, but the workaround don't need to connect that way and can be performed on your local home network. The connection to the central server is also for updating the policies to clients, but not required for booting OS.

How would I know this also works on SafeDisk. Well, I installed and set up a server and client environment in 2 virtual machines (product now named McAfee Endpoint Encryption). It was by the way a pain in the back to configure properly, but I'm also impressed by all functionality the solution has.

Now, the big question:
Is this solution about some voodoo secrets involved which distinguishes it from other products? NO! It's still just disk encryption. This workaround is not about flaws in encryption. It's all about taking advantage of a vulnerability in Windows! This workaround applies equally to all similar disk encryption solutions.

If you or anybody else still don't believe me, I can make a "for dummies" video that shows I'm not kidding.

Could you answer what of the 3 methods mentioned in post 23, that you had done EXACTLY the kind of forensic recovery work with? Seriously, we are learning from each other here..

Summary:
It is possible (under certain circumstances) to remove encryption on disk with 2/3 (user & pwd, but not Authorisation Code) of the requirements listed by jaclaz.

Joakim

[was_jaclaz]

Could you answer what of the 3 methods mentioned in post 23, that you had done EXACTLY the kind of forensic recovery work with? Seriously, we are learning from each other here..

No, I cannot, and we are not learning from each other.
Each of us is stubbornly keeping his own position, and this only leads to more misunderstandings on a topic for which (at least on my side) there is not any particular interest, if not that of trying helping the OP.
That's why I gave up originally, and of course I did a stupid thing in getting involved again since.
The whole thing is now officially a S.E.P.

Post 13 & 14 is about encryption removal, for which you need the "Authorisation Code", and as you already have referenced the answer to. Encryption removal is NOT the same as booting an OS in decrypted form. However, it is possible to achieve the same following what I already have described.

What you wrote is:

Remove encryption following this guide; ftp://www.eems2.com/website_files/documen...val%20Guide.pdf

I asked you HOW one is supposed to follow that guide WITHOUT having the daily code available:

And how would he get the daily code?

You didn't answer.
To my best knowledge, removing the encryption following that guide WITHOUT having the daily code (one way or the other) is not possible, or it would mean NOT following that guide.

This does not mean that other methods won't work, but that one won't.

Summary:
It is possible (under certain circumstances) to remove encryption on disk with 2/3 (user & pwd, but not Authorisation Code) of the requirements listed by jaclaz.

Very good.

Happy you found a way.

I look forward for the OP telling us that he managed to get the data he is after following one of the methods you devised.



jaclaz

[b01100110]

I appreciate all of the work, I have learned alot from this experiance. however I ran into road blocks with each direction. I would like to know more about the hot cloning though.

[joakim]

You, jaclaz, make no sense and you are a terrible liar.

You claim to NOT learn anything of this discussion, yet you're only in this thread because you want to help the OP, but you did not mention a solution that might work under certain conditions..

Quoting you (assuming Italian jaclaz there is Italian jaclaz here) in a thread over at Forensic Focus on November 30 2007 http://www.forensicf...m...pic&t=2065;

I am just an amateur with a liking for filesystems and data recovery

And the same jaclaz posting every third day the last month at the same for Forensic Focus; http://www.forensicf...h_author=jaclaz

And jaclaz's interest triggered by a question about data recovery with SafeBoot (disk encryption) present; http://www.forensicf...m...opic&t=3812

I haven't learnt anything from the other posters in this thread either, BUT I was hoping 1 of the 3 points in post 23 could trigger something valuable. At least I'm curious how far you got and what theories you have about that..

Joakim

[joakim]

I appreciate all of the work, I have learned alot from this experiance. however I ran into road blocks with each direction. I would like to know more about the hot cloning though.

Could you be a little bit more specific about what you tried and what happened?

Coldcloning or imaging a system "cold" refers to it being done from another booted system (typically a bootcd).
Hotcloning or imaging in "hot" mode refers to it being done from the same system while running.

With encryption present you will only see garbage with "cold", while any "hot" method would be good as gold:

Joakim

[joakim]

You, jaclaz, make no sense and you are a terrible liar.

Re-reading this, I see it sounds very bad. I did not mean to call you a liar. I am sorry for that.

What I meant, and that did not come through very clear, was;

- a "terrible liar" was supposed to mean something like "stubborn enough to admit" (just as I am, and in a humoristic sense).

You said:

on a topic for which (at least on my side) there is not any particular interest

and that I did not fully believe.

Neither way, you are definitely not a liar because of that.

Joakim

[sanbarrow]

Folks - this is a interesting topic - but very confusing.

Joakim - maybe you really can post a video of what you actually do ....
I haven't fully understood it either

Ulli

[joakim]

As promised and requested, here is a 12 min video of the complete procedure.

Remove_encryption.zip

Important things (assumptions);
- Disk is encrypted and you know user and password
- You don't know ANY user/password to log into Windows (or system error prevents it)
- There exist no winpe based plugins for the encrypting program and booting from any other media (usb, floppy, cd, pxe) will only let you see encrypted garbage on disk (as raw).
- There is absolutely no way of interrupting windows boot process or modify any system file offline (because of encryption)
- Your Windows copy is not patched for a vulnerability for which there exist an exploit for Metasploit (if you're good enough you make it all yourself)

Now what did I do?
In this specific example a copy Windows XP SP2 was used together with McAfee Endpoint Encryption. The exploit used was ms08_067_netapi which is on the server service. Note that XP SP3 is also vulnerable, but SP2 was used because I did not have a copy of SP3 at hand. It therefore assumes that port 445 is open. The reverse shell was used as payload, because it is most handy.. We get remote access with SYSTEM priviliges and add a new user to the local administrators group. We log into Windows with new user and make a disk image of the encrypted disk and save it to network share. We then reboot into a recovery environment where we can restore the image on top of the encrypted disk and also write a standard nt5 mbr. When restore is finished we reboot again from local harddisk and voila, no encryption! The removed encryption is verified with the encryption client when fully booted.

Success rate?
Highly depends on whether your Windows copy is exploitable.

Has encryption been cracked?
No. We are taking advantage of a Windows flaw.

A general workaround or only specific to SafeBoot (McAfee Endpoint Encryption)?
It works as a general workaround for similar issues where disk encryption is present. It also opens the possibility to remove encryption from a McAfee Endpoint Encrypted disk without the Authorisation Code.

Joakim

[larry6464]

Hi,

I have 2800, yes two thousand eight hundred HP laptop computers that all are protected with Safeboot 4.2. I have the safeboot log in but not the windows log in. Sound Familiar?

I need to get into them. I have read this post beginning to end. Did anyone come up with an efficient method of getting into them?

Thanks