
announcing frag_find: finding file fragments in disk images using sector hashing

  • Simson Garfinkel
    Message 1 of 12 , Mar 1, 2009
      I've discussed this idea on-and-off with a few other people on this
      list. I finally got around to writing up the program. Feedback is
      appreciated.

      -Simson




      ===============
      frag_find: finding file fragments in disk images using sector hashing



      frag_find is a program for finding blocks of a TARGET file in a disk
      IMAGE file. This is useful in cases where a TARGET file has been
      stolen and you wish to establish that the file has been present on a
      subject's drive. If most of the TARGET file's sectors are found on the
      IMAGE drive---and if the sectors are in consecutive sector
      runs---then the chances are excellent that the file was once there.

      The idea of using individual sector hashes in this manner has been
      discussed in the forensic community for several years. Frag_find is an
      efficient and easy-to-use tool that performs this process.

      frag_find relies on two observations about files and file systems:

      1 - Most file systems tend to block-align files stored within the file
      system. So if you break up an 8K file into 16 different 512-byte
      blocks, then store that file in a file system, it's likely that
      those 16 different "file blocks" will be stored each in its own
      individual disk sector.

      2 - Most 512-byte blocks within most files are "unique" --- that is,
      they do not appear by chance in other files. This is especially
      true for files that are compressed (like zip and docx files) and
      files that are encrypted. It is less true of files such as
      Microsoft Word doc files that are likely to have one or more
      blocks filled with NULLs or some other constant.

      frag_find deals with the problem of non-unique blocks by looking
      for runs of matching blocks, rather than individual blocks.


      frag_find is fast because:

      * Initial filtering of presence/absence is done using the NPS Bloom
      filter implementation, an efficient memory-mapped Bloom
      implementation designed to be used with hash functions.
      * Hashes are stored in efficient C++ structures.
      * All computations are done in binary, rather than hex.

      OPTIONS:

      The following options are available:
      -b blocksize - sets the blocksize (default is 512 bytes).
      -s <start> - start the image scan at <start> (default is start of image)
      -e <end> - stop the image scan at <end> (default is end of image)
      -r - prints the raw association map, in addition to the cleaned one


      MEMORY USAGE:

      frag_find uses 512MB of RAM for the Bloom filter, approximately 1MB
      of RAM for bookkeeping, and roughly 64 bytes for every block of the
      target file.


      AVAILABILITY:

      frag_find is part of the NPS Bloom package, which can be downloaded
      from http://www.afflib.org/.

      The current version is:

      http://www.afflib.org/downloads/bloom-1.0.1.tar.gz


      Just type ./configure && make && make install


      LICENSE:

      The NPS Bloom Filter implementation is Public Domain.


      EXAMPLES
      Below we have three examples. All were made with the disk images
      available at http://www.digitalcorpora.org/.


      ================================================================
      EXAMPLE 1 - Quick Demo

      The file IMG_0043.JPG was extracted from the disk image
      nps-2009-canon2-gen6.raw. We then tried to use the frag_find
      command to find the file in the disk image from which it was extracted:

      $ frag_find IMG_0043.JPG /corp/images/nps/nps-2009-canon2/nps-2009-canon2-gen6.raw


      Blocksize: 512
      Target file: IMG_0043.JPG 5535 blocks
      Image file: /corp/images/nps/nps-2009-canon2/nps-2009-canon2-gen6.raw 60800 blocks
      Blocks of target file found in image file: 6252
      Here is where they were found:
      Input Block(s) Found at block
      0-543 3040-3583 (544 blocks)
      544-3423 5248-8127 (2880 blocks)
      3424-4959 8608-10143 (1536 blocks)
      4960-5534 11840-12414 (575 blocks)

      Total time: 1.33 seconds (MacBook Pro with 4GB of RAM)

      ================================================================
      EXAMPLE 2 - An Embedded File System

      In this example we show how frag_find can detect documents that are in
      embedded file systems. This works because most operating systems start
      files on 512-byte boundaries, so files in embedded file systems tend
      to be block-aligned, just like files that are not in embedded file
      systems.


      The file Managing_Information_Risk.pdf was downloaded from the NIST
      website. This file is 3,495,744 bytes long and has a sha1 of
      3c0885483d0833b966346cf17364590a4a4df338.

      We searched for this file in the 600MB ubnist1.casper-rw.gen3.raw disk
      image:

      $ ./frag_find Managing_Information_Risk.pdf /corp/images/nps/nps-2009-casper-rw/ubnist1.casper-rw.gen3.raw

      Target file Managing_Information_Risk.pdf (6827 blocks)
      Image file ubnist1.casper-rw.gen3.raw (1228800 blocks)
      Blocks of input file found in image file: 13654
      Here is where they were found:
      Input Block(s) Found at block
      0-15 669456-669471 (16 blocks)
      16-39 707184-707207 (24 blocks)
      40-95 707216-707271 (56 blocks)
      96-135 707280-707319 (40 blocks)
      136-143 716440-716447 (8 blocks)
      144-151 716576-716583 (8 blocks)
      152-2047 716592-718487 (1896 blocks)
      2048-3029 718504-719485 (982 blocks)
      3030-4079 719486-720535 (1050 blocks)
      4080-4087 720952-720959 (8 blocks)
      4088-4231 740160-740303 (144 blocks)
      4232-4862 746880-747510 (631 blocks)
      4863-5231 747511-747879 (369 blocks)
      5232-6826 747936-749530 (1595 blocks)
      Total blocks of original file found: 6827 (100%)

      Total time: 16 seconds
      (Hardware: MacPro with 7200 RPM SATA drives)

      (For comparison, the time to read the entire
      ubnist1.casper-rw.gen3.raw disk image and compute the SHA1 was 4.5
      seconds.)

      What's interesting about ubnist1.casper-rw.gen3.raw is that this disk
      image is itself an embedded file system in the 2GB file
      ubnist1.gen3.raw. (This file is a bootable Ubuntu distribution). We
      can run the frag_find program on the 2GB file:

      Input file size: 6827 blocks
      Image file size: 4114432 blocks
      Blocks of input file found in image file: 13654
      Here is where they were found:
      Input Block(s) Found at block
      0-15 2108493-2108508 (16 blocks)
      16-39 2146221-2146244 (24 blocks)
      40-95 2146253-2146308 (56 blocks)
      96-135 2146317-2146356 (40 blocks)
      136-143 2155477-2155484 (8 blocks)
      144-151 2155613-2155620 (8 blocks)
      152-2047 2155629-2157524 (1896 blocks)
      2048-3029 2157541-2158522 (982 blocks)
      3030-4079 2158523-2159572 (1050 blocks)
      4080-4087 2159989-2159996 (8 blocks)
      4088-4231 2179197-2179340 (144 blocks)
      4232-4862 2185917-2186547 (631 blocks)
      4863-5231 2186548-2186916 (369 blocks)
      5232-6826 2186973-2188567 (1595 blocks)
      Total blocks of original file found: 6827 (100%)

      (Time: 48 seconds for 2GB file)
      (Hardware: MacPro with 7200 RPM SATA drives)

      ================================================================
      EXAMPLE #3 - Running against a 40GB disk image:

      To see how practical frag_find is, we ran it on
      nps-2009-realistic.raw, a 40GB "realistic" disk image developed for an
      unrelated research project. We were looking for the file
      domexuser2.JPG, a 19920 byte JPEG file with the SHA1 of
      6d4821892cc68ebe147812a9dc9c4130b22cac98.


      Blocksize: 512
      Target file: /Users/simsong/domexuser2.JPG 38 blocks
      Image file: /corp/images/nps/nps-2009-domexusers/nps-2009-realistic.raw 83886080 blocks
      Blocks of target file found in image file: 39
      Here is where they were found:
      Target Block(s) Found at image block
      0-7 1871623-1871630 (8 blocks)
      8-31 3008583-3008606 (24 blocks)
      32-37 17319871-17319876 (6 blocks)
      Total blocks of original file found: 38 (100%)

      total time: 28 min, 21 seconds
      (Hardware: Macintosh Xserve with data stored on a rather slow Mac
      XServe RAID.)


      ================================================================
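A miniature implementation of the sector-hashing scheme the announcement describes (per-block hashing, a Bloom prefilter indexed by slices of the digest, and run-based rather than single-block matching), added here as an illustration; it is not frag_find's code, and the cleaned-map policy, the treatment of a trailing partial block, and the constructed target/image data are assumptions of this example.

```python
"""Miniature sector-hash fragment finder modelled on frag_find's approach.
Constructed illustration, not the frag_find source: target blocks are SHA-1
hashed, image sectors are prefiltered with a Bloom filter indexed by bit-slices
of the digest (the NPS Bloom design), and matches are reported as runs of
consecutive blocks so a non-unique block (all NULLs) is credited to the right
fragment rather than to every copy on the disk."""
import hashlib
import random
from collections import defaultdict

BLOCKSIZE = 512  # frag_find's default (-b)


class SliceBloom:
    """Bloom filter whose k positions are disjoint bit-slices of a digest."""
    def __init__(self, log2_bits=20, k=4):
        self.log2_bits, self.k = log2_bits, k
        self.mask = (1 << log2_bits) - 1
        self.bits = bytearray(1 << (log2_bits - 3))  # 128 KiB for 2^20 bits

    def _positions(self, digest):
        value = int.from_bytes(digest, "big")  # 160 bits >= k * log2_bits
        return [(value >> (j * self.log2_bits)) & self.mask for j in range(self.k)]

    def add(self, digest):
        for p in self._positions(digest):
            self.bits[p >> 3] |= 1 << (p & 7)

    def __contains__(self, digest):
        return all(self.bits[p >> 3] & (1 << (p & 7)) for p in self._positions(digest))


def block_digests(data, blocksize=BLOCKSIZE):
    """SHA-1 of every full block; a trailing partial block is skipped (assumption)."""
    return [hashlib.sha1(data[o:o + blocksize]).digest()
            for o in range(0, len(data) - blocksize + 1, blocksize)]


def find_fragments(target, image, blocksize=BLOCKSIZE):
    """Return (raw_runs, cleaned_runs, blocks_found, target_block_count); a run
    is (first_target_block, last_target_block, first_image_block)."""
    tdigests = block_digests(target, blocksize)
    index = defaultdict(list)  # digest -> every target block with that content
    bloom = SliceBloom()
    for t, d in enumerate(tdigests):
        index[d].append(t)
        bloom.add(d)
    # Raw association map: each (target block, image block) pair whose hashes
    # agree; a pair extends an open run when both block numbers advance by one.
    runs, run_end = [], {}  # [t_first, t_last, i_first]; (t_last, i_last) -> run
    for i, d in enumerate(block_digests(image, blocksize)):
        if d not in bloom:  # cheap reject before touching the hash table
            continue
        for t in index.get(d, ()):
            r = run_end.pop((t - 1, i - 1), None)
            if r is None:
                runs.append([t, t, i])
                r = len(runs) - 1
            else:
                runs[r][1] = t
            run_end[(t, i)] = r
    # Cleaned map (assumed policy): longest runs win and each target block is
    # credited once, so a stray NULL sector elsewhere on the disk is dropped.
    assigned, cleaned = set(), []
    for t0, t1, i0 in sorted(runs, key=lambda r: r[0] - r[1]):
        span = range(t0, t1 + 1)
        if assigned.isdisjoint(span):
            assigned.update(span)
            cleaned.append((t0, t1, i0))
    cleaned.sort()
    return [tuple(r) for r in runs], cleaned, len(assigned), len(tdigests)


def format_report(cleaned, found, total, blocksize=BLOCKSIZE):
    """Render the cleaned map in the layout of frag_find's own output."""
    lines = ["Blocksize: %d" % blocksize, "Target Block(s) Found at image block"]
    for t0, t1, i0 in cleaned:
        n = t1 - t0 + 1
        lines.append("%d-%d %d-%d (%d blocks)" % (t0, t1, i0, i0 + n - 1, n))
    pct = 100 * found // total if total else 0
    lines.append("Total blocks of original file found: %d (%d%%)" % (found, pct))
    return "\n".join(lines)


def build_sample(seed=2009, blocksize=BLOCKSIZE):
    """Constructed data: a 40-block target whose block 10 is all NULLs, and a
    400-block image of random sectors holding the target as three block-aligned
    fragments plus three stray NULL sectors that must not inflate the result."""
    rng = random.Random(seed)
    rand = lambda n: rng.getrandbits(8 * n).to_bytes(n, "big")
    target = bytearray(rand(40 * blocksize))
    target[10 * blocksize:11 * blocksize] = bytes(blocksize)
    image = bytearray(rand(400 * blocksize))
    for t0, t1, i0 in ((0, 15, 50), (16, 31, 120), (32, 39, 300)):
        image[i0 * blocksize:(i0 + t1 - t0 + 1) * blocksize] = \
            target[t0 * blocksize:(t1 + 1) * blocksize]
    for i in (7, 200, 399):
        image[i * blocksize:(i + 1) * blocksize] = bytes(blocksize)
    return bytes(target), bytes(image)
```

Running `find_fragments(*build_sample())` yields six raw runs (the three fragments plus three single-block hits on the NULL sector) but a cleaned map of exactly the three fragments with 40 of 40 blocks credited.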
    • Nanni Bassetti
      Message 2 of 12 , Mar 1, 2009
        Very nice program....I'll test it ASAP ;-) and I'll report this news on my
        mailing list.
        bye
        -------------------------------------------------------------
        Dott. Nanni Bassetti
        Consulente Informatico
        http://www.nannibassetti.com/
        Cell. +39-3476587097
        CFI - http://www.cfitaly.net
        INDAGINI DIGITALI - http://www.lulu.com/content/1356430
        Selective File Dumper - http://sfdumper.sourceforge.net/


      • Mada R Perdhana
        Message 3 of 12 , Mar 3, 2009
          Dear all,

          Does anyone here ever deal with evidence which uses PGPDisk? Is there any short way to bypass it, or maybe access the encrypted disk and read it as an unencrypted disk?

          Thanks for your help.

          best regards,

          Mada


        • Barış HIZIR
          Message 4 of 12 , Mar 3, 2009
            It's a real hard process, even if you know the password. If you don't know
            the password, AccessData PRTK says it can brute force PGP disks, but I
            never tried it before. If you know the password you need to convert the whole
            disk to encrypted. I suggest doing this process on a cloned HDD.

            Barış HIZIR


          • Mada R Perdhana
            Message 5 of 12 , Mar 3, 2009
              I already cloned the disk, as it is a basic step in forensics, to avoid crashing the evidence disk.

              regards,
              Mada

              "Never Trust an Operating System You don't have the Source for..."
              "Closed Source for device Driver are ILLEGAL and not Ethical... act!"
              "Isn't it, MS Windows a real multitasking OS?, Why? 'Cause It can boot and crash simultaneously!"


              Homepage : www.mrp-bpp.net
              Gmail Account :mrp.bpp@...



            • Jonathan Fitzgerald
              Message 6 of 12 , Mar 3, 2009
                I have had to work on these. You can get a bootable CD from PGP to decrypt
                the disk back to its original form, but you will need to have 2 clones for
                evidence purposes since all of the sectors change.




                ________________________________

                Thank you for choosing CyeXX Telecom/Network Operations,

                a Division of CyeXX, Inc.
                Jonathan Fitzgerald - W4JEF
                http://www.cyexx.com


                1.678.367.4379 // 866.957.9080 = "Standard Business Hours", Monday - Friday,
                10am - 6pm Eastern Standard Time (EST)

                1.678.571.5176 // 866.956.4167 = Cell - 24/7/365
                1.404.424.9410 fax

                Please send any Support Requests to support@... and our friendly staff
                will be there for you.



              • Mada R Perdhana
                Message 7 of 12 , Mar 3, 2009
                  "Never Trust an Operating System You don't have the Source for..."
                  "Closed Source for device Driver are ILLEGAL and not Ethical... act!"
                  "Isn't it, MS Windows a real multitasking OS?, Why? 'Cause It can boot and crash simultaneously!"


                  Homepage : www.mrp-bpp.net
                  Gmail Account :mrp.bpp@...

                  Do you mean that PGP provides a live CD which could help us to decrypt the disk?

                • Steve Burgess
                  Message 8 of 12 , Mar 3, 2009
                    Prtk is supposed to work with whole-disk
                    encryption. But it may take a while. I've run it
                    for several weeks on an encrypted laptop disk and
                    gotten no positive result. I'll keep trying, though!

                    -Steve Burgess

                    Steven G Burgess
                    Burgess Computer Forensics
                    "Helping you win with incisive discovery"
                    2255 South Broadway, Suite 9
                    Santa Maria, CA 93454
                    (ph) 805-349-7676 (f) 805-349-7790
                    toll free: 866-345-3345
                    <mailto:steve@...>steve@...
                    Computer Forensics, Expert Witness
                    Data Recovery, Transfer & Conversion


                  • Tedi Heriyanto
                    Message 9 of 12 , Mar 4, 2009
                      Hi Mada,

                      I guess you want to decrypt the PGP Whole Disk Encryption. I have no experience with this tool, but from my experience using a similar tool from another vendor, you need a specialized boot disk (recovery disk) to decrypt the partition. But beware: the process will take quite some time and may not succeed at all.

                      Here is the information about recovering PGP Whole Disk Encryption

                      HOW TO: Create Recovery Disks for PGP Whole Disk Encryption :

                      https://pgp.custhelp.com/cgi-bin/pgp.cfg/php/enduser/std_adp.php?p_faqid=854&p_created=1196966896&p_sid=hhNwcXrj&p_accessibility=0&p_redirect=&p_lva=&p_sp=cF9zcmNoPTEmcF9zb3J0X2J5PSZwX2dyaWRzb3J0PSZwX3Jvd19jbnQ9MTYzLDE2MyZwX3Byb2RzPSZwX2NhdHM9JnBfcHY9JnBfY3Y9JnBfcGFnZT0xJnBfc2VhcmNoX3RleHQ9V2hvbGUgRGlzayBSZWNvdmVyeQ**&p_li=&p_topview=1

                      Hope this helps.

                      Thanks

                      --- On Tue, 3/3/09, Mada R Perdhana <mrp_bpp@...> wrote:

                      > Do u mean that PGP provide a live cd which could help us to
                      > decrypt the disk?
                    • Barış HIZIR
                      Message 10 of 12 , Mar 4, 2009
                        You can check this page for info.
                        http://breach-inv.blogspot.com/2007/05/defeating-whole-disk-encryption-part-1.html

                      • echo6
                        Message 11 of 12 , Mar 18, 2009
                          Hmmm, the blog post is quite old. A couple of observations, regarding
                          Adam's tools, the python memimage and winlockpwn tool won't work using a
                          Windows host, you need a Linux box with libraw1394 and a kernel with
                          support for /dev/raw1394, e.g. device drivers ---> IEEE 1393 (FireWire)
                          Support ---> Raw IEEE1394 I/O Support.

                          If you haven't got the password from the suspect, a recovery key, a
                          memory dump you are screwed :(

                          If you have a memory dump and the suspect was using a TrueCrypt version
                          prior to version 6, you may be able to retrieve the key. AAron Walters
                          has managed it, as has Chris Hargreaves.

                          With the bioskbsnarf python script from Adam's tool, or the script
                          Harlan wrote in perl you may be able to retrieve "a passphrase" from
                          what remains of the keyboard buffer within the real mode memory area.
                          However, there are a lot of other factors to consider, BIOS versions
                          vary greatly, implementation of full disk encryption, was a BIOS
                          password used etc.

                          Jon.

                        • Mada R Perdhana
                          Message 12 of 12 , Mar 18, 2009
                            Yes, indeed, I'm screwed. Another disk contains a .pgd file, which is another virtual disk
                            encrypted with PGP. ;(
                            "Never Trust an Operating System You don't have the Source for..."
                            "Closed Source for device Driver are ILLEGAL and not Ethical... act!"
                            "Isn't it, MS Windows a real multitasking OS?, Why? 'Cause It can boot and crash simultaneously!"


                            Homepage : www.mrp-bpp.net
                            Gmail Account :mrp.bpp@...


                            --- On Wed, 18/3/09, echo6 <echo6_uk@...> wrote:

                            From: echo6 <echo6_uk@...>
                            Subject: Re: [linux_forensics] Need Help with PGPDisk
                            To: linux_forensics@yahoogroups.com
                            Date: Wednesday, 18 March 2009, 2:50 PM