safeboot and windows rescue cds
SafeBoot and Windows Rescue CDs Introduction This document discusses the common problem of repairing the OS of a SafeBoot protected machine, or extracting data from it, without having to remove the encryption first. Usually this is a difficult task but by following the instructions within a bootable CD image can be created which, allows administrators transparent access to the files and folders on the hard disk. This document describes how to modify a WinPE like CD to support SafeBoot. Accompanying this document are the appropriate scripts and files required to make such changes, and also readymade plugins for BartPE CD s Though SafeBoot has experience of WinPE and BartPE, we cannot offer support on the use of these products other than information how to install our drivers and applications. Authors: Dennis Rijnbeek and Simon Hunt, Control Break International. This document, the advice and suggestions within, are the opinions of SafeBoot Certified System Engineers, and should not be regarded as exact science. As every SafeBoot implementation is unique, it is always critical to understand both SafeBoot itself, and the environment SafeBoot is being used in, before any decision on implementation strategy can be reached. SafeBoot Certified System Engineers The SCSE award is only issued to the highest caliber SafeBoot trained engineers who have passed both the SCSA exam and shown complete understanding of SafeBoot implementation and management. For information on SCSA and SCSE training courses, please contact your local SafeBoot representative. Edisonbaan 15 3439 MN Nieuwegein The Netherlands T. +31 (0)30 6348800 F. +31 (0)30 6348899 info@safeboot.com www.safeboot.com
SafeBoot and Windows Rescue CDs Overview One of the most challenging tasks administrators have is recovering data from user machines when the operating system is damaged. Historically when the FAT file system was predominant, a simple boot disk was enough to give administrators access to the users data, and as files were small, the same floppy could be used to recover data. Today, files are huge, floppy drives are rarely fitted, and the file-system of choice is NTFS. All these factors conspire against administrators and make accessing users data after an OS crash difficult. To solve these issues, several companies (such as Bart Lagerweij 1, Microsoft 2, WinInternals 3 etc) supply bootable CD images which allow the data from a damaged-os machine to be accessed without having to fix the host OS first. By booting from one of these magic bullet CD s, administrators can access the broken OS and data, can make repairs, and can copy important files onto network drives or memory sticks. A task which once would have involved reinstalling the OS to get a working system, or connecting the drive to a second machine as a slave (both time consuming processes) can now be completed in minutes. The Interaction with SafeBoot SafeBoot protects the files and data on a PC by encrypting all the sectors of all the Windows-accessible partitions on the machines hard disk, and applies a pre-boot authentication environment to allow users to login. These technologies are commonly termed Whole Disk Encryption and Pre-Boot Authentication. As the disk is encrypted at the lowest level, booting from something other than the original hard disk will normally not allow the data to be accessed. To regain access to the files, the parts of SafeBoot which support authentication and disk encryption, the drivers and code responsible for transparently decrypting the disk can continue working. About WinPE and WinInternals ERD Commander To aid administrators Microsoft and others supply Windows XP versions which can be used directly from a boot CD. These systems are useful as it allows complete access to a broken-os hard disk without having to remove it from the host machine and slave it to a 2 nd. They are also highly convenient as the process for accessing the data on a broken-os is simply an act of booting from a CD image. Adding SafeBoot Support to a bootable CD It s not difficult to add the necessary drivers and configuration to a bootable CD to allow it to interact with the SafeBoot encrypted hard disk. By using commonly available tools such as ISO editors the necessary changes can be easily made, and as SafeBoot s drivers correctly identify whether drives are 1 www.nu2.nu 2 www.microsoft.com 3 www.wininternals.com
encrypted or not the resulting SafeBoot Aware CD can also still be used on standard non-safeboot PC s
Step By Step Instructions Before We Start Although there are many steps to this process detailed below, it s important to follow each one exactly to ensure the success of your bootable CD. We suggest you print this document and cross off each step as you complete it to ensure success. Where indicated with the CD icon, the files mentioned below can be found in the Tools/Making A Rescue CD directory of your SafeBoot Installation CD. If you are using BartPE v3.1.3 Due to the simplicity and elegance of the BartPE system, Ready-made plugins for BartPE are included in the Tools/Making a Rescue CD directory of your SafeBoot Installation CD. Simply copy the plugins to the appropriate directory of your PEBuilder and activate them as usual. There is no need to modify the CD image by hand, you can simply jump to step 9. Requirements You will need the following information before starting: Windows PE-like CD image You can obtain WinPE from Microsoft, or alternate systems such as BartPE from sites such as http://www.nu2.nu/pebuilder/ ISO editor (not needed if you are building with BartPE) UltraISO (http://www.ezbsystems.com/ultraiso/) The appropriate drivers for algorithm of the environment You can obtain these from your SafeBoot client or administration directory. It is advisable to create a temporary folder structure mirroring that of the CD to make it easy to copy the files back to the CD 1. Create the SafeBoot Folder in your ISO Image Using your ISO Image Editor, create a folder named safeboot in the i386\system32 directory. 2. SBTag File Create a text files called sbtag and enter the following content: SafeBoot encryption driver for Windows Text-Mode Setup Copyright 1991-2005 Control Break International Copy this file to the safeboot directory you created in step 1.
3. txtsetup.oem File Create a text file called txtsetup.oem and enter the following content: # --------------------------------------------------------------- # SafeBoot Encryption drivers for Windows Text-Mode Setup # Copyright 1991-2005 Control Break International # # --------------------------------------------------------------- [Disks] d1 ="SafeBoot Encryption Subsystem Installation Disk",sbTag,"" [Defaults] SCSI=SBALG [SCSI] SBALG="SafeBoot Encryption driver" [Files.SCSI.sbalg] driver=d1, SBALG.SYS, SBALG Copy this file to the safeboot directory you created in step 1. 4. Modifying txtsetup.sif Extract the file txtsetup.sif from your ISO image using the ISO Editor you can find it in the i386 folder. Edit the file in notepad and add the following lines to the end/bottom of the file: [SourceDisksfiles] safeboot.sys = 1,,,,,,3_,4,0,0,,1,4 [BootBusExtenders.Load] sbalg = sbalg.sys safeboot = safeboot.sys [BootBusExtenders] safeboot = "Safeboot Encryption SubSys",files.none,safeboot Put the modified file back into the ISO Image in the i386 directory.
5. Modifying winpeoem.sif Extract the file winpeoem.sif from your ISO image using the ISO Editor you can find it in the i386\system32 folder. Edit the file in notepad and add the following lines to the end/bottom of the file: [massstoragedrivers.append] SBALG=SBALG.SYS [OemDriverParams] OemDriverDirs=SAFEBOOT OemDriverRoot= 6. Modifying the Registry Extract the file setupreg.hiv from the i386\system32 folder of your CD image. Using Regedit.exe 1. select the Hkey_Local_Machine hive 2. select Load Hive file menu 3. select the setupreg.hiv file you extracted above and click OK 4. enter a key name of SafeBoot Create registry file with the following lines. Windows Registry Editor Version 5.00 [HKEY_LOCAL_MACHINE\safeboot\ControlSet001\Control\Class\{4D36E967-E325-11CE-BFC1-08002BE10318}] "UpperFilters"=hex(7):50,00,61,00,72,00,74,00,4d,00,67,00,72,00,00,00,53,00,41,\ 00,46,00,45,00,42,00,4f,00,4f,00,54,00,00,00,00,00 [HKEY_LOCAL_MACHINE\safeboot\ControlSet001\Services\RsvLock] "Type"=dword:00000001 "Start"=dword:00000001 "ErrorControl"=dword:00000001 [HKEY_LOCAL_MACHINE\safeboot\ControlSet001\Services\SafeBoot] "Type"=dword:00000001 "Start"=dword:00000000 "ErrorControl"=dword:00000003 [HKEY_LOCAL_MACHINE\safeboot\ControlSet001\Services\SBAlg] "Type"=dword:00000001 "Start"=dword:00000000 "ErrorControl"=dword:00000003 "Group"="Primary Disk" Import the registry file just created. You will see in the registry editor that the entries are added in the safeboot hive.
Unload the hive by clicking on it and select unload hive from the file menu, copy the file setupreg.hiv back into the i386/system32 folder of your ISO image. 7. Inserting the Driver Files Copy the following files from a current working SafeBoot clients system32\drivers directory to the i386\system32\drivers directory of the ISO image: safeboot.sys rsvlock.sys sbalg.sys The operating system of the client you copy these from should be the same as the operating system of the boot CD you are creating. You also need to copy the wintech.exe and support files to your CD: Program Files\SafeBoot\WinTech.exe Program Files\SafeBoot\SBComms.dll Program Files\SafeBoot\SBDBMGR.dll Program Files\SafeBoot\SBUILib.dll Program Files\SafeBoot\SBXFERDB.dll Program Files\SafeBoot\SBAlgs\SBAlg.dll (appropriate version for your environment) 8. A Summary of the Modifications The following files in your ISO Image should now have been modified: I386\txtsetup.sif I386\system32\winpeoem.sif I386\system32\setupreg.hiv I386\system32\safeboot\sbtag I386\system32\safeboot\txtsetup.oem I386\system32\drivers\safeboot.sys I386\system32\drivers\sbalg.sys I386\system32\drivers\rsvlock.sys Program Files\SafeBoot\ directory 9. Burn the ISO Image There are no more changes to be made. You can now burn your modified ISO Image. Test it works as a normal Boot CD on a machine without SafeBoot installed to ensure the modifications are correct.
10. Using your Modified CD on a SafeBoot Machine To access the original hard disk, you need to use the wintech tool installed in the programs start menu., or wherever you placed it on your CD image. Simply follow the prompts within the tool to select the drive you want to open. You will need to submit a machine export from your SafeBoot Administrator system to the tool this contains the key material needed to unlock the drive. You can obtain the machine export by right-clicking the machine in SafeBoot Administration, and selecting Export Machine. There is no need to include users or files. If all the modifications were made correctly, the boot-cd will allow you to access the hard disks on your machine as if they were not encrypted. Control Break International Holding B.V.