Some info on an ibm thinkpad t42 hdd


ceaserone

New Member
Jul 22, 2008
6
0
#1
I'm really having trouble getting anything off of this locked IBM ThinkPad T42 HDD. I have tried EnCase, which we usually use for these sorts of things, and no luck. Any luck with these from anyone? I'm really stuck here.

Thanks for any help
 

mfors

New Member
Jul 13, 2008
6
0
#3
encrypted?

PreferredUser - so it encrypts its data by itself with the chip?
Any idea what kind of encryption it is?

Edit: just answered my own question.

"Be sure that there are no active HDD passwords, and that you have uninstalled any IBM/Lenovo security software that might want information stored or encrypted with the help of the TPM chip before you clear the chip. Any data that is encrypted using information inside the TPM chip will be useless after you clear the TPM chip. It is unknown if clearing the TPM chip can mess with the BIOS HDD password support, but until someone tests it, it is best to play it safe.
Hint:
A password-locked HDD can be made useful again by using a low-level utility capable of issuing the SECURE-ERASE command to it. You will lose all data, but at least the HDD will be usable again, as that also unlocks the HDD."

Info about the chip:
thinkwiki.org/wiki/Embedded_Security_Subsystem

Seems like if the data was protected and signed with the chip when the HDD was removed and/or the chip was cleared after that, the data will be very difficult to retrieve. It can sign data using 2048-bit RSA keys.
Also seems like if one should put the HDD back and reset the chip, the data will be lost but the drive will be up and running again. After that, it's uncertain how much of the lost data can be retrieved, and the level of encryption on it.
 

ceaserone

New Member
Jul 22, 2008
6
0
#4
Thanks for the reply, guys. I think I'm at a loss here with getting anything off of this.

Thanks for the wiki as well, it's a good read, but with that type of encryption ...... (looking downward at the floor.)

The best thing I can think of is throw it back in and see what I can do.
 

RobertR

New Member
Jun 3, 2007
447
0
#5
If it has the hard drive security password set you are pretty much dead in the water..... See if you can find other devices used by the same subject and look for passwords on them... maybe they used the same one for the hard drive.
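Before attempting any imaging, the first thing to establish is whether the drive really is ATA-password locked, which `hdparm -I` reports in its "Security:" section. The following parser is an added example for this thread (not code from any poster or tool); the `hdparm` output it reads is a constructed sample with a made-up drive state.

```python
import re
from typing import Optional

# Constructed sample of the "Security:" section that `hdparm -I` prints for a drive
# with the ATA user password set and the drive locked (layout as hdparm prints it).
SAMPLE_LOCKED = """\
ATA device, with non-removable media
Security:
\tMaster password revision code = 65534
\t\tsupported
\t\tenabled
\t\tlocked
\tnot\tfrozen
\tnot\texpired: security count
\t\tsupported: enhanced erase
\tSecurity level high
Checksum: correct
"""

def parse_security(hdparm_output: str) -> Optional[dict]:
    """Return the ATA security flags, or None if hdparm printed no Security section."""
    lines = hdparm_output.splitlines()
    starts = [i for i, l in enumerate(lines) if l.strip() == "Security:"]
    if not starts:
        return None
    flags = {"supported": False, "enabled": False, "locked": False, "frozen": False}
    level = None
    for line in lines[starts[0] + 1:]:
        if line and not line[0].isspace():  # next top-level section begins
            break
        s = line.strip()
        # hdparm prints "not<TAB>frozen" for a clear bit and a bare "frozen" for a set bit
        m = re.match(r"(not\s+)?(\w+)", s)
        if m and m.group(2) in flags:
            flags[m.group(2)] = m.group(1) is None
        lvl = re.match(r"Security level (\w+)", s)
        if lvl:
            level = lvl.group(1)
    return {**flags, "level": level}

def triage(sec: Optional[dict]) -> str:
    """One-line verdict for the examiner before any imaging attempt."""
    if sec is None or not sec["supported"]:
        return "no ATA security feature set reported"
    if sec["enabled"] and sec["locked"]:
        return "ATA password set and drive LOCKED: reads will fail until unlocked"
    if sec["enabled"]:
        return "ATA password set but drive currently unlocked: image now, do not power-cycle"
    return "ATA security not enabled"
```

The "enabled but unlocked" case matters in the field: a drive that was unlocked by the BIOS at boot stays readable only until the next power cycle, which is one of the arguments for live acquisition made later in this thread.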
 

farmerdude

New Member
Jan 11, 2006
789
0
#6
This is a _great_ illustration for why live analysis _is_ important. You didn't state if the system was sent to you, or shut down upon arrival. That would preclude analyzing the live system. But for any live system the potential ups for performing live analysis and data collection far outweigh the single argument about possibly changing evidence. Systems such as this laptop, those with encrypted drives, file systems, or files, and certainly those with malware/rootkits are all ones to seriously consider as targets for live analysis and collection.

Cheers!

farmerdude

www.forensicbootcd.com

www.onlineforensictraining.com
 

Sha_d0h

New Member
Aug 31, 2008
111
0
#7
Farmerdude, there are plenty of live tools that will NOT write to a live system... Gargoyle Live and BIA Protect offer these services. Even EnCase Enterprise uses a servlet that loads directly into RAM and self-destructs, and can image a hard drive live, even unmounting and shadow-copying a database.

You may have luck with a few free HDD unlock tools out there, by a BIOS flash to the original BIOS..

There are services out there, i.e. http://www{dot}hddunlock[dot]com/

Good luck :D
 

farmerdude

New Member
Jan 11, 2006
789
0
#8
Sha_d0h,

I didn't state anywhere in my post that there exist no tools that will not _write_ to a live system.

I _did_ make note of the potential issue of changing potential evidence.

I have yet to find any application that does _not_ have an impact on the running system, Sha_d0h. And by that I mean: affecting system state, affecting the I/O buffer, affecting virtual memory, etc.

Unless I'm mistaken, Gargoyle must be _pre-installed_ in order to use it for live analysis. So for every system without it pre-installed it would be not applicable. Is the BIA Protect product the same as Gargoyle and EnCase Enterprise?

Regards,

farmerdude

www.forensicbootcd.com

www.onlineforensictraining.com
 

Sha_d0h

New Member
Aug 31, 2008
111
0
#9
Gargoyle Live is run from USB, as with BIA. We have done plenty of acquisitions this way, and EnCase Enterprise uses a servlet that loads to RAM only.

I think you are referring to Gargoyle Forensic, and yes, that has to be installed, but Gargoyle Live does not. As with BIA's product, all can be used on a live system without writing to the physical drive and can capture all data in memory as well.

Farmerdude, I was just offering some alternatives that are tried and tested both by myself and the DA's office here in NYC.

Affecting the system state is trivial; it's all about the data. As long as you are not changing data you're OK. Pulling the plug on a Linux system is changing the state but is a sound forensic procedure.
 

farmerdude

New Member
Jan 11, 2006
789
0
#10
Affecting the system state can be about changing data, Sha_d0h.

For example, where are your tools writing their memory dump?

Are they writing to a locally mounted file system?

How are they reading the memory, Sha_d0h?

What page size are they using?

Do these tools you use allow you to change the page size?


On the Linux topic, I would not agree that pulling the plug on a Linux system is sound forensic procedure. Perhaps in a specific case it may be the best solution, but as a general statement I would disagree. In fact, very rarely would I ever recommend pulling the plug.

Cheers!

farmerdude


www.forensicbootcd.com

www.onlineforensictraining.com
 

Sha_d0h

New Member
Aug 31, 2008
111
0
#11
Well then, you should read the forensic procedure in both the EnCase manual and Computer Evidence: Collection & Preservation (Networking... by Christopher LT Brown; both state that this is the best course of action and is sound forensic procedure...

Do your homework.

1) The environment is so dirty (lots of compromises) that pulling the plug is the safest move.

2) It's the traditional method, and it's been proven - so people are comforted by that fact.

Just because it's not the BEST procedure, it's still a SOUND procedure used and accepted by the community.

On to the live system:
the forensic live tools write the memory dump to the drive that you insert, and it is capable of being an autorun procedure.

Maybe instead of asking me about the tools, RTFM; that's what they're for.
https://www.wetstonetech.com/cgi/shop.cgi?view,14,faq
 

farmerdude

New Member
Jan 11, 2006
789
0
#12
Sha_d0h,

Manuals ... People should be open enough to question what they read and perform their own research prior to deciding a course of action or worse, spreading the disease.

For all those who say pull the plug I say they know little of which they speak. Let's review what may be missed by pulling the plug:

1 memory contents
2 network information
3 user information
4 process information
5 open files
6 executing applications
7 hidden file systems (think RAM-based file systems)
8 identification of key file storage locations

Seems like the potential for a lot of information to be missed by pulling the plug. These above, and everything they include (passwords, keys, clear text copies of encrypted data, suspicious processes, the actual run level of the system, etc.).

Further, what detrimental changes may occur by virtue of pulling the plug:

1 corrupt the local file system(s)
2 corrupt open files (simple files such as PDF and complex such as databases)
3 loss of data not flushed to disk (still in buffer)
4 tipping the subject off that someone may be tracking them (they've lost their connection)
5 interrupting other users
6 hardware failure (not all hardware handles loss of power splendidly)
7 inability to access data (corrupt, or now encrypted) forever, or in a timely manner

This is everything I work hard to get across in my advanced training - it _is_ important to _understand_ the environment you're working within, and the technologies you work with. If you don't understand, you pull the plug.

Live analysis is case specific. But it is becoming more and more common around the World due to the changing technologies.

BTW, in _my_ manuals I am an advocate for live analysis and data collection. Have been since 2001. So by your virtue of EnCase and Tech Pathways stating pull the plug as being right those who've invested in my training are doing the right thing, too. Because that information is in my manual (well, an almanac ;) ). :) LOL I am having fun here. Don't take it personally.


But most important, Sha_d0h, you left all of us in this forum hanging on the following three questions:

1) How are these tools reading memory?

2) What page size are these tools using?

3) Do these tools allow you to change the page size?

I asked because you're an advocate of these tools. And as such, it would seem you have experience with them. And that experience (should) translate into lab testing (validation and verification) before field use. So it would seem likely to me that these questions would be easy enough for anyone to answer who is an advocate of said tool. These questions are _vital_ to any memory acquisition tool. They're not from out in left field, the what-ifs of the world.


BTW, your answer about where the data is saved illustrates beautifully the lack of understanding many folks have about live analysis. (Not necessarily _you_ personally!)

Why would you write data to a locally mounted file system from a live system?

Or, to phrase that differently, I ask - why is it never a good idea to mount a file system locally on a live system to write data to?


Cheers!

farmerdude


www.forensicbootcd.com

www.onlineforensictraining.com
 
