Jump to content











Photo
- - - - -

Safeboot 4.2 plugin for bartPE


  • Please log in to reply
34 replies to this topic

#1 b01100110

b01100110
  • Members
  • 7 posts
  •  
    United States

Posted 04 October 2009 - 03:48 PM

I need to find a Safeboot v4.2 plugin for BartPE so i can get so i can get to the data I do have the id and password
however the domain was removed and replaced by a work group no i can no longer access the computer I donot know the local login information. this is for a customer of and it is time critical I would appreciate an help thank you

#2 was_jaclaz

was_jaclaz

    Finder

  • Advanced user
  • 7,098 posts
  • Location:Gone in the mist
  •  
    Italy

Posted 04 October 2009 - 05:01 PM

I need to find a Safeboot v4.2 plugin for BartPE so i can get so i can get to the data I do have the id and password
however the domain was removed and replaced by a work group no i can no longer access the computer I donot know the local login information. this is for a customer of and it is time critical I would appreciate an help thank you


A safeboot 4.2 BartPE plugin should have been included in the 4.2 release (CD):
http://forums.mcafee...ad.php?t=229119

A plugin was posted for UBCD4WIN:
http://www.forensicf...m...opic&t=3812
http://ubcd4win.com/...showtopic=11191

You may want to try contacting Kevin Bentley at http://www.dedicatedrecovery.com/

jaclaz

#3 maanu

maanu

    Gold Member

  • Advanced user
  • 1,125 posts
  •  
    Pakistan

Posted 04 October 2009 - 05:54 PM

if all you need /want is to login to a password protected account , you can use kon-boot if you just want to bypass it or NT offline password and registry editor .

edit :

oops sorry i misunderstood it . may be booting from the pe will get you to the data ?

#4 was_jaclaz

was_jaclaz

    Finder

  • Advanced user
  • 7,098 posts
  • Location:Gone in the mist
  •  
    Italy

Posted 04 October 2009 - 06:06 PM

if all you need /want is to login to a password protected account , you can use kon-boot if you just want to bypass it or NT offline password and registry editor .

edit :

oops sorry i misunderstood it . may be booting from the pe will get you to the data ?


maanu
safeboot is a Commercial protection/encryption system, nothing "standard".

JFYI:
http://www.mcafee.co...r_safeboot.html

I would hope you cannot access data protected with such an expensive tool easily.

jaclaz

#5 maanu

maanu

    Gold Member

  • Advanced user
  • 1,125 posts
  •  
    Pakistan

Posted 04 October 2009 - 06:40 PM

hmm interesting .

actually my knowledge about encryption is next to none . but it might be useful for me just to know how to bypass it .

is every encryption utility has its own mechanism of bypassing it with a password or something?

i ll try to google it that how to bypass this safeboot thing .

#6 was_jaclaz

was_jaclaz

    Finder

  • Advanced user
  • 7,098 posts
  • Location:Gone in the mist
  •  
    Italy

Posted 05 October 2009 - 07:01 AM

hmm interesting .

actually my knowledge about encryption is next to none .

Yes, I can see that. :D

but it might be useful for me just to know how to bypass it .

is every encryption utility has its own mechanism of bypassing it with a password or something?

You DO NOT "by-pass" encryption, you unencrypt data.

Unless the encryption algorithm is flawed, just as an example some older Winzip .zip files and multiple files in archive, there is NO way to "bypass" it, you need to find the appropriate password (or key-file) to perform the unencryption.
And this won't normally work "easily" as you may think.

Of course passwords like "mypass" and "password" are pretty easy to find with brute-force, but as soon as you go to, say, 12 alphanumeric characters+punctuation, on normal, fast, dedicated PC's (and with a really fast algorithm) it will take anything from a few weeks to several months to brute-force (possibly years).

In the case at hand, safeboot normally needs it's own program to unencrypt data, even if you know password and id, and it is not easy to make it work, as it uses a server daily issued authentication and whatnot.

jaclaz

#7 maanu

maanu

    Gold Member

  • Advanced user
  • 1,125 posts
  •  
    Pakistan

Posted 05 October 2009 - 07:38 AM

last night when i started googling , i saw a post where a user said that he reverse engineered safe boot's encryption somehow ( i believe he meant de-crypt as you'r saying ) . but he did not share how .

then it linked me to password protected hdd's . oh man . it took me about 2 hours before pain started in my eyes ;) .i was thanking God that i have not recieved anything like that i mean a hdd with stuff like above to salvage data from . otherwise i 'd have to tell that guy to excuse me :D .

but anyhow i could not find a solution to password protected hdd's yet but still im searching for it . i saw a commercial solution though .

and as far as encryption is concerned ,it seems it is dangerous when it comes to safe boot . i have seen posts where the users were asking help because they could not access there hdd's when windows got corrupt and they still had the safeboot login details .
thats why a plug in would be needed ?

why we dont have a script for it YET ? :D

by the way i was thinking that how CIA OR FBI are doing this stuff ? i mean decrypting or breaking the password protected hdd for forensic purposes ?? :D

#8 was_jaclaz

was_jaclaz

    Finder

  • Advanced user
  • 7,098 posts
  • Location:Gone in the mist
  •  
    Italy

Posted 05 October 2009 - 08:49 AM

last night when i started googling , i saw a post where a user said that he reverse engineered safe boot's encryption somehow ( i believe he meant de-crypt as you'r saying ) . but he did not share how .

I would rephrase that to:

last night when i checked the first link jaclaz gave on the thread, this one:
http://www.forensicf...m...opic&t=3812
i saw a post where a user said that he reverse engineered safe boot's encryption somehow ( i believe he meant de-crypt as you'r saying ) . but he did not share how .

;)

And actually you are wrong. ;)

What user Edge reported was:
  • that there was a small flaw in the safeboot version 4.2 that compromised the encryption scheme
  • that there may be ways on v5 too

A little bit of reverse engineering on v5 can go a long way and on v4 a small flaw in SafeBoot logic can mitigate their entire security. I am not going to discuss on the forum how to reverse engineer or bypass their logic as I have no idea what legal ramifications would exits if I did.

i.e. that he supposedly has an actual way to bypass the encryption and/or to validate non-right credentials to unencrypt.

but anyhow i could not find a solution to password protected hdd's yet but still im searching for it . i saw a commercial solution though .

Rest assured, there are NONE (if we speak "generically" about "password protected HD's".
There may be some specific ones for a given specific encryption scheme or for a specific program, leveraging on a flaw on the encryption algorhitm or on a security hole in the program.




and as far as encryption is concerned ,it seems it is dangerous when it comes to safe boot . i have seen posts where the users were asking help because they could not access there hdd's when windows got corrupt and they still had the safeboot login details .
thats why a plug in would be needed ?

Yes. :D
But the whole point is that lots of morons inexperienced people encrypt their data for no real reason, have not a sound recovery plan, do not test accurately the features of the encryption programs they chose, they don't simulate a data failure (and recovery), they don't make "safe" copies of the data, thoughtlessly remove authentication servers/criteria/etc. and then go around crying that they cannot get their data back. :D


why we dont have a script for it YET ? ;)

I cannot say the reason, but you have to consider the following "tree of decisions":
Are you a criminal or however involved in illegal activities?
  • if yes, you may want to encrypt all your data, but you won't go around crying you lost it
  • if no, you DON'T need to encrypt your data

Are you a politically involved person and you live in a country where you may be persecuted for your ideas?
  • if yes, you may want to encrypt all your data, but you won't go around crying you lost it
  • if no, you DON'T need to encrypt your data

Are you working for any country secret service or counterspy organization?
  • if yes, you may want to encrypt all your data, but you won't go around crying you lost it
  • if no, you DON'T need to encrypt your data

Are you working for a leading edge, technological or military involved industry where the theft of data might be a great problem?
  • if yes, you may want to encrypt all your data, but you won't go around crying you lost it
  • if no, you DON'T need to encrypt your data

Are you a lawyer or member of a law firm or bank/financial institution where theprivacy of your customers and their data is a priority ?
  • if yes, you may want to encrypt all your data, but you won't go around crying you lost it
  • if no, you DON'T need to encrypt your data

Are you in any way needing to protect actually confidential data and your customers trust you will never disclose such info?
  • if yes, you may want to encrypt all your data, but you won't go around crying you lost it
  • if no, you DON'T need to encrypt your data

Are you 15 and you have a nosy little sister/brother?
  • if yes, you may want to encrypt all your data, AND you will go all around the internet crying you lost it
  • if no, you DON'T need to encrypt your data


Alternate answer:
  • if yes, and you are young but not stoopid, you may want to encrypt all your data, AND either use a "good-enough" encryption algorithm (enough to prevent access to a 10 years lad) OR plan properly everything AND have prepared an emergency plan.

:D

by the way i was thinking that how CIA OR FBI are doing this stuff ? i mean decrypting or breaking the password protected hdd for forensic purposes ?? ;)

They could tell you, but they would also have to kill you afterwards...;)

More seriously, NO encryption scheme is "safe" in an absolute sense, it is only a problem on how many resources you can use on it and the amount of time you have at your disposal.

Governments have, besides technical means, legal ones (example):
http://www.out-law.com/page-8515

JFYI, a few "historical" links to interesting things you might not be aware of:
http://www.sigpc.net/v1/n22.htm
http://www.distributed.net/rc5/
http://www.cdt.org/crypto/risks98/
http://www.garykessl...ary/crypto.html


And some undesirable effects of encryption:
http://www.viruslist...logid=208187524

Moral:
If you want to really keep data secret, DO NOT write it ANYWHERE.

The only safe is to store info in your head (provided you are not forgetful) and keep your big mouth shut. ;)

An alternative, actually in practice much safer than plain cryptography is steganography:
http://en.wikipedia....i/Steganography
(for limited amounts of data, of course)

:D

jaclaz

#9 b01100110

b01100110
  • Members
  • 7 posts
  •  
    United States

Posted 05 October 2009 - 01:08 PM

your decision tree is interesting however there is another one.
an executive of a large corporation is given a laptop by her company (it has safeboot on it) she retires and begins working as a consultant for that same company. she then tries to setup her home office as a small network at which point she can no longer logon to the domain and she does not know the local passwords for the computer.

we can get by the safeboot login, bu cannot login to windows because of the domain error.

Thank you for your help, If i get an answer I will share with you. duane

#10 maanu

maanu

    Gold Member

  • Advanced user
  • 1,125 posts
  •  
    Pakistan

Posted 05 October 2009 - 01:26 PM

you could use kon boot first to bypass the password ,

http://www.piotrbani...m/all/kon-boot/

since you already have the safe boot login .

@ Sir Jaclaz

it is looooong reply but interesting one i ll have to go one by one . but no i wont use encryption in near future unless i fulfill the criteria you given above :D .

#11 was_jaclaz

was_jaclaz

    Finder

  • Advanced user
  • 7,098 posts
  • Location:Gone in the mist
  •  
    Italy

Posted 05 October 2009 - 03:19 PM

your decision tree is interesting however there is another one.

Yep ;) there may be several more ones, this however is "incomplete":

an executive of a large corporation is given a laptop by her company (it has safeboot on it) she retires and begins working as a consultant for that same company. she then tries to setup her home office as a small network at which point she can no longer logon to the domain and she does not know the local passwords for the computer.

AND/OR she hadn't a good "feeling" with the corporation IT guys (they can often be bought with a couple of coffes and doughnuts)
AND/OR the large corporation misses a policy on the "sanitization" of PC's left to retired or fired people
AND/OR the large corporation actually has a policy on the "sanitization" of PC's left to retired or fired people, but it wasn't applied because of a glitch in the matrix
AND/OR the large corporation actually has a policy to NEVER let unencrypted data out of the company, including NOT leaving PC's to retired or fired people
AND/OR ....

in other words either the corporation or your friend/customer (or both :D) did not adequately plan what to do in this case.

we can get by the safeboot login, bu cannot login to windows because of the domain error.

Yes, that's exactly the need for the "emergency" daily key mentioned, a lot more info can be found here:
http://www.eems2.com...e=documentation
I don't think that the procedure has changed since 4.2
This should be the current "howto":
ftp://www.eems2.com/website_files/documen...val%20Guide.pdf

Thank you for your help, If i get an answer I will share with you. duane

Thanks. It is always interesting to learn something more. :D

:D

jaclaz

#12 b01100110

b01100110
  • Members
  • 7 posts
  •  
    United States

Posted 05 October 2009 - 04:05 PM

The problem with booting from a cd without the safeboot plugin is that once your loaded o/s you cannot see the encrypted data on the harddrive. it will display the following message:

Harddrive not formatted
do you wish to format it?

thanks for the link though, I may used it at a later time

thanks again duane

#13 joakim

joakim

    Silver Member

  • Team Reboot
  • 867 posts
  • Location:Bergen
  •  
    Norway

Posted 05 October 2009 - 04:12 PM

Remove encryption following this guide; ftp://www.eems2.com/website_files/documen...val%20Guide.pdf

Then you're left with pure windows based barriers, which there are plenty of guides on out there, with descriptions. Google.

Hint: Windows\System32\config\SAM

Joakim

#14 was_jaclaz

was_jaclaz

    Finder

  • Advanced user
  • 7,098 posts
  • Location:Gone in the mist
  •  
    Italy

Posted 05 October 2009 - 04:34 PM

Remove encryption following this guide


And how would he get the daily code? :D

Restart the machine and boot from the floppy disc/cdrom; once its done this, you will be prompted for an
‘Authorisation Code’. This code is available on request from your IT Administrator or from an EEMS2
SafeBoot Support representative. This code changes on a daily basis and is 4 digits long.


:D

jaclaz

#15 b01100110

b01100110
  • Members
  • 7 posts
  •  
    United States

Posted 05 October 2009 - 04:36 PM

You are correct jaclaz, this is a result of poor planning. but at this point. I am just trying to a help a valued customer. thank you for all of your help

duane

#16 b01100110

b01100110
  • Members
  • 7 posts
  •  
    United States

Posted 05 October 2009 - 04:45 PM

thank you, Joakim that is exactly what i needed. I appreciate this more than i can relay to you.

If i can ever be of assistance, let me know.
(teslageek at gmail)

thank you again. duane

#17 Lancelot

Lancelot

    Frequent Member

  • .script developer
  • 5,013 posts
  • Location:Turkiye/Izmir
  • Interests:*Mechanical stuff and Physics,
    *LiveXP, BartPE, SherpyaXPE,
    *Basketball and Looong Walking,
    *Buying outwear for my girlf (Reason: Girls are stupid about buying bad stuff to make themselves uglier :))
    *Girls (Lyric: Girl,...., You will be a womann, Soon)
    *Answering questions for "Meaning of life",
    *Helping people,

    Kung with LiveXP, Fu with Peter :)
  •  
    Turkey

Posted 06 October 2009 - 09:12 AM

But the whole point is that lots of morons inexperienced people encrypt their data for no real reason, have not a sound recovery plan, do not test accurately the features of the encryption programs they chose, they don't simulate a data failure (and recovery), they don't make "safe" copies of the data, thoughtlessly remove authentication servers/criteria/etc. and then go around crying that they cannot get their data back. :hypocrite:

Agreeing with inexperienced part, the most frequent scenario i witness in past is some inexperienced users using Windows "encrypt content" options**. On this case MS dont give warnings as usual ;) which it should with great fonts, tech guys on MS like to put warnings in many cases but i guess missed this one ;), Where is "Are you SURE", where is "Do you want to save/backup key" :lol:

**My guess is: I feel these inexperienced users click around to find a way to secure their personal data from their friends/family etc, and the checkbox is tempting :smart: , mostly after which they dont understand and dont remember why they checked this and found other ways to secure their data keeping folder encrypted.

Scenario continues with windows failure after a long while (months) than this inexperienced user simply format and reinstall windows which cause the encrypted data on mostly a folder like D:\I_Love_My_Pictures\ unusable forever.

ps: For the ones who uses enc. software intentionally without backing up keys where there are lots of warnings, I feel no mercy.


A question, What easy to use application (method) do you suggest to backup and access ntfs encrypted files ?.
Example: files ntfs encrypted on a pc, and want to be accessed on another pc.
Example: windows crashed, user booted with pe and since windows is still on hdd keys can be accessed and datas can be unencrpted (only guessing :frusty: ).
(In past i only found only a commercial application to backup enc key and access files later with this backuped keys)
No need to mention i am other side next to none with maanu :hypocrite:


@Joakim

thanks, i just read what safeboot is and just learned the official way to remove it and have a plugin ;). If one day i see a similar situation, i now know rest is asking 4 digit key <_<

#18 was_jaclaz

was_jaclaz

    Finder

  • Advanced user
  • 7,098 posts
  • Location:Gone in the mist
  •  
    Italy

Posted 06 October 2009 - 10:16 AM

A question, What easy to use application (method) do you suggest to backup and access ntfs encrypted files ?.
Example: files ntfs encrypted on a pc, and want to be accessed on another pc.
Example: windows crashed, user booted with pe and since windows is still on hdd keys can be accessed and datas can be unencrpted (only guessing <_< ).
(In past i only found only a commercial application to backup enc key and access files later with this backuped keys)
No need to mention i am other side next to none with maanu :lol:

There are also commercial apps that can "guess" the key.

2k and XP are slightly different in this:
http://en.wikipedia....ing_File_System
http://lists.virus.o...1/msg00020.html
having an "external" "recovery agent" makes possible recovering without much hassle and without proprietary tools, but otherways AFAIK there is not an"easy", "free" way. :frusty:

Vista NTFS has additional differences, but really cannot say which.

The whole point I am trying to make is that these kinds of solutions are intended to be SECURE.

If they weren't at least DIFFICULT to crack/open there would be NO reason to use them as they would be NOT SECURE. Doesn't it sound "logical" enough? ;)

:hypocrite:

jaclaz

#19 joakim

joakim

    Silver Member

  • Team Reboot
  • 867 posts
  • Location:Bergen
  •  
    Norway

Posted 06 October 2009 - 11:09 AM

Another free workaround may go like this (but not verified by me);

- Set up a bogus domain to log into.
- Boot up and log into bogus.
- Image the decrypted drive just booted.
- Restore unencrypted image on top of encryped drive.
- Some mbr issues may need to be solved lastly & disk possibly partitioned firstly.
- Enjoy encryption free drive.

Joakim

#20 was_jaclaz

was_jaclaz

    Finder

  • Advanced user
  • 7,098 posts
  • Location:Gone in the mist
  •  
    Italy

Posted 06 October 2009 - 11:47 AM

Another free workaround may go like this (but not verified by me);


I give up. :hypocrite:

jaclaz

#21 joakim

joakim

    Silver Member

  • Team Reboot
  • 867 posts
  • Location:Bergen
  •  
    Norway

Posted 07 October 2009 - 11:10 PM

@jaclaz
ignore this one as you already gave up.

@therest
Taking this issue to a general level with the assumption that no winpe based plugin for the encryption program in question is available (and encryption key is known but not windows pwd (or system error preventing login)), there might still be another workaround going like this;

- Boot the machine
- Launch a remote exploit against the system

I described the procedure here (including assumptions); http://sanbarrow.com...opic.php?t=1671

If anybody has done similar forensic work, then please answer the questions not answered in that thread.

Note 1; definitely not the easiest workaround.
Note 2; an image done in hot-mode by ShadowProtect on an encrypted disk is effectively an unencrypted disk (now verified with AES 256 present).


Joakim

#22 was_jaclaz

was_jaclaz

    Finder

  • Advanced user
  • 7,098 posts
  • Location:Gone in the mist
  •  
    Italy

Posted 08 October 2009 - 04:45 PM

If anybody has done similar forensic work, then please answer the questions not answered in that thread.

I have done EXACTLY this kind of forensic recovery work, but I cannot answer since I gave up. :thumbsup:

jaclaz

#23 joakim

joakim

    Silver Member

  • Team Reboot
  • 867 posts
  • Location:Bergen
  •  
    Norway

Posted 08 October 2009 - 06:09 PM

I have done EXACTLY this kind of forensic recovery work, but I cannot answer since I gave up. :hypocrite:


Exactly which part are the "quitter" referring to?

- Binary modification/process injection

or

- vmem files & snapshots analysis

or

- Remote exploitation


Joakim

#24 was_jaclaz

was_jaclaz

    Finder

  • Advanced user
  • 7,098 posts
  • Location:Gone in the mist
  •  
    Italy

Posted 08 October 2009 - 07:22 PM

If you knew what Safeboot is and how it works (or had had the decency of READING the docs) you would have an idea of how whatever you threw on the table (which ,BTW, APART from this specific case, may be interesting :hypocrite:) does NOT apply to the specific app/situation.

The filesystem is ENCRYPTED, the key to decrypt it is in three parts, either:
  • username+password+Centralized server generated part
    OR
  • username+password+(special program and) daily issued code.

You started form the WRONG assumption that you can UNENCRYPT the drive with just 2/3 of the needed items, this simply is not the case.

jaclaz

#25 joakim

joakim

    Silver Member

  • Team Reboot
  • 867 posts
  • Location:Bergen
  •  
    Norway

Posted 08 October 2009 - 11:15 PM

Sorry jaclaz, you're really off track here.

If you carefully re-read post 21 and also the referenced link, you will notice that I talk about disk encryption in general, and not so much specific to SafeDisk. I do have a decent understanding of how different encryption methods work, so I felt no need to study these SafeDisk specific docs.

To refresh our memory about this specific case, the client of the topic starter had the information necessary to login past the encryption (thus booting windows in a decrypted form (how would ntldr know what to do (or even get executed) if it was reading encrypted garbage??)). Now having a system waiting for user to log in to OS, must by definition, be a system in a decrypted form (disk still encrypted but decryption key located in memory). Any application running on that system can read the decrypted disk.

Do me a favour and re-read post 9 and you understand why I took this to a general diskencryption level (because all disk encryption software work the same way).

Your theory about the decryption process in 3 parts is not correct. It is only 2 parts for booting, but 3 parts for disk encryption removal.

Going back to the solution that incorporates a remote exploit (described in post 7 at http://sanbarrow.com...pic.php?t=1671), we have been granted system privileges. That is equivalent to a "game over" in terms of standard hacking. Making a "hot" image of the disk can easily be made. Like already mentioned, I have verified this with a disk image taken with ShadowProtect (all similar apps should do the job). This image is taken of an encrypted disk, while the imaging program is working on the disk in a decrypted mode. You can verify this by mounting this image offline on another system, where you can browse the complete filesystem. With this 3.rd party disk image, you can for instance 1) create a vm of it, 2) mount image and do whatever to whatever file on it, or 3) restore image back to the physical machine and enjoy unencrypted disk. The reason why this works is because the image taken is not a raw disk image (dd).

These images where taken from such a scenario, where the encryption part is passed while windows logon is blocked.

Posted Image

Posted Image

As you may notice the encryption solution used in this test is with DriveCrypt PlusPack 3.95 with AES 256, but that makes no difference to the validity of the above points. The exploit is launched from Metasploit on BackTrack2.

Lastly;
You did not answer post 23: EXACTLY which of the 3 parts you where referring to?


Joakim




1 user(s) are reading this topic

0 members, 1 guests, 0 anonymous users