IDE Sniffing || Detect WDE/FDE

Posted: November 4, 2008 in (anti)Forensics
Tags: , , , , ,

Maybe “IDE Sniffing” is a bit misleading…but I was not sure how to call it otherwise. So this is the problem context: You need to know if a harddisk is encrypted but you are not allowed to disconnect or move the computer. You have no access to the computer, like no login,no firewire to exploit and no vulnerable services running. Let’s also assume that this computer is using normal IDE ( I know it’s a bit outdated) disks. How on earth are we going to find out?

A few things come to mind at first:

  • Use a hardware keylogger and log in
  • Demand a police warrant to log in
  • Fake somekind of power failure and examine the disk

All of the above could be performed…but still they are not stealthy enough. To succesfully overcome this problem you need a logic analyzer (click for wikipedia explanation)! Which looks like this:

logicport_big

Now trust me this is a really sweet piece of hardware.I assume you have read the wikipedia link I gave so by now you know what this is. You can analyze the really raw 1’s and 0’s going over the wire from and to the harddisk. So how can we use this to detect if a harddisk is encrypted (I’ll get to the sniffing part later)?

Basically when a harddisk is not encrypted and an application requests something, the operatin system will read directory structure and file structure , lookup the information etc. This means that there is NO continous read of data from the harddisk…there will be gaps like reading 0’s. Now suppose the harddisk has been FDE/WDE. In that case the blocks read will not contain large blocks of 0’s because every read it perfoms WILL return a lot of, at first sight, random gibberish. This is exactly what we will exploit with the logic analyzer device. The biggest problem was knowing if the IDE disk or motherboard would be fried when attaching the logic analyzer to it. Because when you attach the logic analyzer there is a slight change in electronical resistance and other funky electro technical stuff. Since I don’t really like theoretical stuff too much I just decided to plug & pray. So just to resume we got a running pc on which we attach the logic analyzer to it’s IDE cable.

The most interesting part is of course well….how does it look like?

The non-crypted harddisk:

non-crypted

The crypted harddisk:

crypted

Like you can see, the crypted harddisk is ALWAYS reading data it does NOT contain reads of 0’s or little data. The non-crypted harddisk on the other hand contains a lot of gaps. Now this is of course just a lab experiment but it went well and it worked.  The title of this blog entry stated “IDE Sniffing”, since with the logic analyzer you can in some degree see what is transmitted over the wire you COULD state that if you record that , you can get a glimps of what is beeing transfered. I have not tested this yet…but then again it’s not really important. If you have a harddisk without encryption you can just image it and know what’s on it. If you have a crypted harddisk you can’t see it anyways.

This is really usefull if you are not sure if the harddisk has been FDE/WDE and you need to image it. Cause if it’s encrypted you better not pull the power plug and try to do some live forensics instead if that’s possible.

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s