Hard disk ATA Security



Similar documents
Pointsec Enterprise Encryption and Access Control for Laptops and Workstations

Technical Proposal on ATA Secure Erase Gordon Hughes+ and Tom Coughlin* +CMRR, University of California San Diego *Coughlin Associates

Management of Hardware Passwords in Think PCs.

ATOLA INSIGHT. A New Standard In Data Recovery Equipment

Firmware security features in HP Compaq business notebooks

How to enable Disk Encryption on a laptop

Magic Card Plus User Manual

1 of :01

Do "standard tools" meet your needs when it comes to providing security for mobile PCs and data media?

Enterprise Erase LAN

Windows 8 Backup, Restore & Recovery By John Allen

ThinkPad USB Portable Secure Hard Drive User Guide

Seagate Manager. User Guide. For Use With Your FreeAgent TM Drive. Seagate Manager User Guide for Use With Your FreeAgent Drive 1

USB External Hard Disk Drive

Bypassing Local Windows Authentication to Defeat Full Disk Encryption. Ian Haken

Full version is >>> HERE <<<

Locking down a Hitachi ID Suite server

Additional details >>> HERE <<<

BACKUP AND RECOVERY File History + Push Button Reset + Advanced Recovery Tools + System Image Backup

ENTERPRISE COMPUTER INCIDENT RESPONSE AND FORENSICS TRAINING

Additional information >>> HERE <<<

A+ Guide to Managing and Maintaining Your PC, 7e. Chapter 16 Fixing Windows Problems

Strategies for Firmware Support of Self-Encrypting Drives

MaxAttach NAS 4000 Series OS 2.2 Hard Disk Drive Replacement

How Drive Encryption Works

SMART Ink. Windows operating systems. User s guide

WHITE PAPER. DriveLock Hard Drive Protection on Armada Portables CONTENTS

10 steps to better secure your Mac laptop from physical data theft

Disk Encryption. Aaron Howard IT Security Office

Keep Your Data Secure: Fighting Back With Flash

Additional information >>> HERE <<<

Operating Instructions - Recovery, Backup and Troubleshooting Guide

Time Stamp. Instruction Booklet

How to Encrypt your Windows 7 SDS Machine with Bitlocker

The HDAT2 Cookbook. "How can I do?" Version Lubomir Cabla / CBL. Page i

ATOLA INSIGHT A New Standard in Data Recovery Technology

Technical Note. Installing Micron SEDs in Windows 8 and 10. Introduction. TN-FD-28: Installing Micron SEDs in Windows 8 and 10.

BlackBerry 10.3 Work and Personal Corporate

Attacking VoIP. Agenda. Walter Sprenger 1. Introduction VoIP. 2. Sample Installations. 3. SIP / RTP - Protocols

Section 12 MUST BE COMPLETED BY: 4/22

Full version is >>> HERE <<<

Medical Networks and Operating Systems

Full Drive Encryption Security Problem Definition - Encryption Engine

XL-RAID-SATA Data Backup System. User s Guide

Step-by-Step Guide to Securing Windows XP Professional with Service Pack 2 in Small and Medium Businesses

How Endpoint Encryption Works

Atola Insight Forensic

User Manual - Secure Lock Ware

DriveLock and Windows 7

Imation Clip USB 2.0 Flash Drive. Imation Drive Manager Software. User s Manual

Data recovery from a drive with physical defects within the firmware Service Area, unrecoverable using

Hi-Speed USB 2.0 Flash Disk. User s Manual

NIST CFTT: Testing Disk Imaging Tools

White Paper: Whole Disk Encryption

USB FLASH DRIVE. User s Manual 1. INTRODUCTION FEATURES SPECIFICATIONS PACKAGE CONTENTS SYSTEM REQUIREMENTS...

NEC Versa Dock Important Information. Updating the BIOS. Before Docking for the First Time. Windows 95 and 98. Note

BitLocker Drive Encryption Hardware Enhanced Data Protection. Shon Eizenhoefer, Program Manager Microsoft Corporation

istar User Manual for Comsol USB Flash Drive

How To Use An Unmanipulated Hard Disk Duplicator (Hd4/Hda100)

HP ProtectTools User Guide

COEN 152 / 252 Lab Exercise 1. Imaging, Hex Editors & File Types

ATA TO IDE INTERFACE PC CARD DRIVES

Computrace Agent Quick Reference and Best Practices Guide

MCTS Guide to Microsoft Windows 7. Chapter 7 Windows 7 Security Features

Standard Operations Procedure For. System Recovery on FlyBook V33i Notebook PC

Hiva-network.com. Microsoft_70-680_v _Kat. Exam A

Sophos SafeGuard Native Device Encryption for Mac Administrator help. Product version: 7

Using BitLocker As Part Of A Customer Data Protection Program: Part 1

More details >>> HERE <<<

BitLocker Encryption for non-tpm laptops

Retrieving Internet chat history with the same ease as a squirrel cracks nuts

User Manual. HitmanPro.Kickstart User Manual Page 1

System Security Policy Management: Advanced Audit Tasks

Tutorial How to upgrade firmware on Phison S5 controller MyDigitalSSD

CASPER SECURE DRIVE BACKUP

DriveLock and Windows 8

Programming Interface. for. Bus Master IDE Controller. Revision 1.0

Applications of Data Recovery Tools to Digital Forensics: Analyzing the Host Protected Area with the PC-3000

Managing Remote Access

HP Commercial Notebook BIOS Password Setup

A+ Practical Applications Solution Key

winhex Disk Editor, RAM Editor PRESENTED BY: OMAR ZYADAT and LOAI HATTAR

Advanced Diploma In Hardware, Networking & Server Configuration

User s Guide

Updates Click to check for a newer version of the CD Press next and confirm the disc burner selection before pressing finish.

This user guide describes features that are common to most models. Some features may not be available on your computer.

Mobile Device Security and Encryption Standard and Guidelines

Windows Phone 8 devices will be used remotely over 3G, 4G and non-captive Wi-Fi networks to enable a variety of remote working approaches such as

Acer erecovery Management

FAQ No Q: What should we know before we start Windows 10 upgrade?

RAID User Guide. Edition. Trademarks V1.0 P/N: C51GME0-00

Transcription:

Hard disk ATA Security Hard disk ATA Security Adrian Leuenberer adrian.leuenberer@csnc.ch GLÄRNISCHSTRASSE 7 POSTFACH 1671 CH-8640 RAPPERSWIL Tel.+41 55-214 41 60 Fax+41 55-214 41 61 info@csnc.ch www.csnc.ch Aenda Overview ATA specs Insecurities Problems with protected hard disks Password bypass procedures Further References Compass Pae 2

Hard disk ATA Security Overview GLÄRNISCHSTRASSE 7 POSTFACH 1671 CH-8640 RAPPERSWIL Tel.+41 55-214 41 60 Fax+41 55-214 41 61 info@csnc.ch www.csnc.ch Short overview of the security features Modern hard disks allow the settin of hard disk passwords that have to be entered whenever a computer is started. The password can usually be set in the computers BIOS or with 3rd party tools. The password is stored in the hard disk itself (not to be confused with the BIOS password, which is stored in the computer). Was firstly defined in the ATA-3 ANSI Standard (2008D AT Attachment - 3 Interface). Two passwords can be specified (each one 32 Bytes lon) User Password Master Password The passwords are stored in the service area of the hard disk. The actual data is not encrypted on the hard disk. Compass Pae 4

Hard disk ATA Security ATA Specs GLÄRNISCHSTRASSE 7 POSTFACH 1671 CH-8640 RAPPERSWIL Tel.+41 55-214 41 60 Fax+41 55-214 41 61 info@csnc.ch www.csnc.ch Security modes Two security modes can be set Hih Security The administrator can reset the user password Data remains as-is Maximum Security The administrator can reset the user password Data is overwritten with 0 (wiped) Most often, the security mode cannot be set in the BIOS of the computer. Default is Hih Security. Usually just the user password can be manaed in the BIOS. Settin the security mode can be done with 3 rd party tools. Every computer type has to be carefully evaluated concernin the ATA security settins. Compass Pae 6

Power-On Process Power-on Locked mode UNLOCK ERASE PREPARE Media access Non-media access ERASE UNIT Reject command Execute command No Password match? Yes Unit erased Lock function disabled Unlock mode Normal operation, all commands are available FREEZE LOCK Normal operation, Frozen mode commands are available Compass Pae 7 ATA Security Commands ATA Command Mode where cmd is available SECURITY DISABLE PASSWORD Unlocked SECURITY ERASE PREPARE Locked/Unlocked/Frozen SECURITY ERASE UNIT Locked/Unlocked SECURITY FREEZE LOCK Unlocked/Frozen SECURITY SET PASSWORD Unlocked SECURITY UNLOCK Locked/Unlocked The correct password has to be provided of course! See table 7 in the ATA-3 specs for more details on which command is available in which context. Compass Pae 8

Password Lost User password lost Level? Hih UNLOCK with master password Maximum ERASE PREPARE Normal operation ERASE UNIT with master password Normal operation but data lost Compass Pae 9 Harddisk Access Operatin System (runnin) Computer BIOS Computer Hardware Mainboard IDE Connector IDE Cable Hard Disk Controller Hard Disk Plates Service Area / Hard Disk Password Data: - Partitions - Filesystems Compass Reserve Pae 10

Hard disk access It should be noted, that every access to the hard disk is made via the hard disk controller. There is no way to bypass the controller. The controller limits access to the data area on the disk. Other areas are not accessible in the normal operation mode. However, all disks know a maintenance mode where access to all areas of the disk is possible. How to put the disk into maintenance mode is a secret known only to the manufacturers. Recovery service companies (such as Kroll Ontrack or IBAS) miht also et the information from the manufacturers or have reverse enineered the required techniques. Compass Pae 11 Hard disk ATA Security Insecurities GLÄRNISCHSTRASSE 7 POSTFACH 1671 CH-8640 RAPPERSWIL Tel.+41 55-214 41 60 Fax+41 55-214 41 61 info@csnc.ch www.csnc.ch

ATA security states The ATA security mechanism allows insecure states and transitions if the computers BIOS is not implemented correctly. This allows viruses and worms to set arbitrary hard disk passwords. If a hard disk ets locked that way, the followin solutions exist If only a user password is set and the master password is known and the security level is HIGH, then a new user password can be set without any data loss. If only a user password is set and the master password is known and the security level is MAXIMUM, then a new user password can be set but all data on the hard disk is overwritten with zeroes. If an unknown master password is set, the hard disk can be either sent to a data recovery company or thrown away. The conclusion is, that the ATA security has to be implemented correctly or 3rd party solutions have to be evaluated to limit the damae a virus/worm could possibly cause. Compass Pae 13 Insecure States and Transitions Powered off, security disabled 1 Powered off, security enabled Power on Security Set Password (with user password) Power on Security Unlock Security disabled, not frozen Security enabled, unlocked, not frozen 2 Security enabled, locked, not frozen Security Freeze Lock Security Disable Password 3 Hardware RESET Security Freeze Lock Hardware RESET 4 Security disabled, frozen Security enabled, unlocked, frozen 5 Handoff to the operatin system (Windows etc.) Hardware States BIOS States Operatin System Compass Pae 14

Secure States Every BIOS has to be checked whether the FREEZE command has been correctly implemented. The correct workin is as follows 1. The computer is powered up. 2. The user enters the hard disk password. 3. The hard disk controller unlocks the hard disk. 4. Directly after unlockin the FREEZE command is sent to the hard disk. 5. Now the operatin system can be booted. The operatin system cannot chane the ATA security settins anymore. This can be tested usin a tool developed by Heise/ct http://www.heise.de/ct/ftp/projekte/atasecurity/windows.shtml A 3rd party Windows service allows sendin the FREEZE command in an early boot stae (also available from the link above) if the BIOS does not implement it correctly. Compass Pae 15 Hard disk ATA Security Problems with protected disks GLÄRNISCHSTRASSE 7 POSTFACH 1671 CH-8640 RAPPERSWIL Tel.+41 55-214 41 60 Fax+41 55-214 41 61 info@csnc.ch www.csnc.ch

Problems Forensic investiations (disk imain) are impossible without first removin the hard disk password. The data on the disk itself is still unencrypted. It is usually just a matter of time until tools become available to bypass such security mechanisms. Compass Pae 17 Hard disk ATA Security Password Recovery/Bypass Procedures GLÄRNISCHSTRASSE 7 POSTFACH 1671 CH-8640 RAPPERSWIL Tel.+41 55-214 41 60 Fax+41 55-214 41 61 info@csnc.ch www.csnc.ch

Compass investiations I Unlockin of a Hitachi HTS721060G9AT00 hard disk Hard disk in a desktop pc usin a 3,5 to 2,5 converter cable. No access to the disk is possible (Knoppix, Windows, various boot disks). Hard disk in an old notebook No access to the disk is possible (Knoppix, Windows, various boot disk). Hard disk in a forensic workstation (Freddie) with Encase Encase does not reconize the hard disk. Compass Pae 19 Compass investiations II Unlockin of a Hitachi HTS721060G9AT00 hard disk Security settins of the password Locked / Hih Security / Not frozen Brute forcin the master password is not possible as the hard disk has to be power cycled every 5 tries. This is annoyin slow Several well-known master passwords have been tried without success (HDAT2 reports that the default password is still in place). WDCWDCWDCWDCWDCWDCWDCWDCWDCWDCWD BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB Seaate Maxtor Maxtor INIT SECURITY TEST STEP 32 x 0xFF (Hex 255) 32 x 0x20 (Space) Compass Pae 20

Compass investiations III Unlockin of a Hitachi HTS721060G9AT00 hard disk Test with TAFT (see references) Device cannot be detected. ATAPWD (see references) Hard disk was detected successfully Not possible to et or chane the password. HDAT2 (see references) Hard disk was detected successfully Not possible to et or chane the password. Compass Pae 21 Recovery Services I A-FF Repair Station ( 39.50 for 1 unlock) Compass Pae 22

Recovery Services II Statement from A-FF reardin the Hitachi HTS721060G9AT00 (mail from 05.01.2006): Dear Adrian, Unfortunately, Repair Station cannot unlock the drive, but we can do that in our lab which is located in the Ukraine. Unlockin of such a drive will cost 229,95 EUR. You may want to visit our lab website: http://lab.aff.com Sincerely, Daniel Clay A-FF Support Support@hdd-tools.com Compass Pae 23 Recovery Services III Ultratec (UK) http://www.ultratec.co.uk/services/password_recovery.asp Nortec http://www.nortek.on.ca/nortek/ Kepler Data Recovery http://www.kepler.cl/en/paes/unlock.htm And many more Just oole for password ata security or similar. Compass Pae 24

Recovery Services IV Statement from Hitachi concernin the password protected hard disk: First statement The password function of a drive is a powerful Security Feature. If a password has been set on the drive, and you now no loner know the password, then you will be unable to access the data or the drive. As this is a Security Feature desined to prevent unauthorized access to the drive, Hitachi will be unable to assist you further with this request. Second statement We know that the data recovery companies can et around the password protection. This doesn't mean that we are able to help you ain access as well. "As this is a Security Feature desined to prevent unauthorized access to the drive, Hitachi will be unable to assist you further with this request." I am sorry but we cannot help you anymore, if you need the data on the drive then I would like to advice you to contact a data recovery company. Compass Pae 25 Password Crackin Password Crackin POD from Voon The laptop hard drive password cracker module enables the user to remove passwords from platter locked hard disk drives. It then allows the drive to be imaed and the oriinal password to be replaced, all in a forensically sound manner. This may be essential when conductin field or covert investiation work. The techniques used are passive, and attachment to the host drive is via the drives' own interface. Works only in conjunction with the Voon imain hardware. Compass Pae 26

Hard disk ATA Security References GLÄRNISCHSTRASSE 7 POSTFACH 1671 CH-8640 RAPPERSWIL Tel.+41 55-214 41 60 Fax+41 55-214 41 61 info@csnc.ch www.csnc.ch Tools Windows WinAAM and ATA Security Service http://www.heise.de/ct/ftp/projekte/atasecurity/windows.shtml Linux Hdparm (Version tested: 6.3) http://sourcefore.net/projects/hdparm # hdparm --security-help DOS TAFT The ATA Forensics Tool http://vidstrom.net/stools/taft/ ATAPWD http://www.rockbox.or/lock.html HDAT2 http://www.hdat2.com/ Compass Pae 28

References ATA-3 Specification http://www.t13.or/project/d2008r7b-ata-3.pdf Drive construction http://www.acelab.ru/products/pc-en/articles/modernhdd/index.html ATA password recovery service http://www.dataclinic.co.uk/password-protected-hard-drive.htm ATA password recovery proram http://hdd-tools.com/products/rrs Computer Forensics and the ATA Interface http://www.foi.se/upload/rapporter/foi-computer-forensics.pdf Password Crackin POD (Voon) http://www.voon-forensic-hardware.co.uk/forensic-hardware/datacapture/password-cracker-pod.htm Compass Pae 29

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information