Forensics
Protected partitions on USB drives (DCO/HPA?) Mar 02 2007 10:23AM
Michael Smith (msmith eazimail com)
Hi,

I'm trying to examine a 256MB USB drive that has been protected using
LockItEasy (www.cososys.com). The owner split the space into 2
equal chunks, one standard FAT16, the other encrypted using the utility.
When I try to image this device it appears as only 128MB in size and
what you get is the unprotected part of the drive. The device size,
according to both Linux and EnCase, is only 128MB. The utility works on
most USB thumbdrives.

It looks similar to HPA/DCO in concept but I didn't find anything
explaining how this works on USB devices. The write blockers I use do
not detect the hidden partition.

> 1) What utility do you think was used to encrypt the partition? Why?

The USB drive was protected using a tool called LockItEasy
(www.cososys.com). As part of the protection process it copies the
executable to the unprotected part of the device. The tool partitions
any compatible USB drive into two pieces, an unprotected section
(visible; the new device size is reported based on this) and a protected
section (this space is not visible to the OS). For example, if you use
the tool to split a 256MB drive into two equal pieces, afterwards the
drive appears to be only 128MB in size.

> 2) What specifically did you do when trying to image the drive? Details
> are helpful.

The drive was connected to a USB writeblocker and then to the forensic
examination stations. These consist of both Linux and Windows (using
EnCase) platforms. If you look at fdisk or lsusb info, the size of the
device reported is that of the unprotected partition. The writeblocker,
which is aware of HPA/DCO on drives, reports only the unprotected
partition. Irrespective of the tool used to image the drive, all you
capture is the unprotected part.

> 3) Are you supposed to be trying to access this drive? Is it yours, or
> are you authorized by the owner or an appropriate representative of the
> owner (e.g. an employer) to try to examine the drive?

Yes, I am authorised to analyse the device by the company I work for.

My question was whether anyone has seen this type of size manipulation
before on USB devices and whether any tools exist that would allow the
full device to be captured. I am aware of HPA/DCO, but the tools I
normally use, which are designed for ATA devices, give errors about
unrecognised commands.

Thanks,

Mike

Copyright 2010, SecurityFocus