Atola Technology

Extracting and Resetting an Unknown ATA Password

Insight can recover and/or remove unknown HDD passwords (also known as ATA passwords), and for most hard drives the unlocking process is fully automated.

When a connected device is identified as locked with an ATA password, a PWD indicator is displayed in the port, and the Security Status on the Home page reads Locked, High or Locked, Maximum. High and Maximum are the two security levels of the ATA Security feature set, chosen by whoever locked the drive: at the High level the Master password can also unlock the drive, whereas at the Maximum level the Master password can only be used to erase it. The level may be relevant to the investigator, but both levels are supported by Insight's password recovery functionality, so it makes no difference for the purpose of this guide.
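
The Locked, High / Locked, Maximum status described above is read from the drive's IDENTIFY DEVICE data. The following is an added illustrative example, not Atola's code: it decodes word 128 of a 512-byte IDENTIFY DEVICE block according to the ATA Security feature set bit layout and reports the same status wording. The IDENTIFY buffers it runs on are constructed test data, and the make_identify helper exists only for this example.

```python
"""Decode ATA Security status from IDENTIFY DEVICE word 128 (illustrative example)."""
import struct

# Bit layout of IDENTIFY DEVICE word 128 (ATA/ATAPI-6 and later).
SEC_SUPPORTED = 1 << 0       # security feature set supported
SEC_ENABLED = 1 << 1         # a User password has been set
SEC_LOCKED = 1 << 2          # drive currently refuses data access
SEC_FROZEN = 1 << 3          # SECURITY commands rejected until next power-on
SEC_COUNT_EXPIRED = 1 << 4   # too many failed unlock attempts: power cycle needed
SEC_ENHANCED_ERASE = 1 << 5  # enhanced security erase supported
SEC_LEVEL_MAXIMUM = 1 << 8   # 0 = High (Master can unlock), 1 = Maximum (Master can only erase)


def security_word(identify: bytes) -> int:
    """Return word 128 of a 512-byte IDENTIFY DEVICE block (16-bit little-endian words)."""
    if len(identify) != 512:
        raise ValueError("IDENTIFY DEVICE data must be exactly 512 bytes")
    return struct.unpack_from("<H", identify, 128 * 2)[0]


def security_status(identify: bytes) -> dict:
    """Translate word 128 into the Locked/Unlocked, High/Maximum wording."""
    w = security_word(identify)
    if not w & SEC_SUPPORTED:
        return {"supported": False, "status": "Not supported"}
    enabled = bool(w & SEC_ENABLED)
    locked = bool(w & SEC_LOCKED)
    level = "Maximum" if w & SEC_LEVEL_MAXIMUM else "High"
    if not enabled:
        status = "Not enabled"
    elif locked:
        status = f"Locked, {level}"
    else:
        status = f"Unlocked, {level}"
    return {
        "supported": True,
        "enabled": enabled,
        "locked": locked,
        "frozen": bool(w & SEC_FROZEN),
        # When set, SECURITY UNLOCK is refused until the drive is power cycled,
        # so an unlock attempt without a power cycle first is pointless.
        "count_expired": bool(w & SEC_COUNT_EXPIRED),
        "level": level,
        "master_can_unlock": level == "High",
        "status": status,
    }


def make_identify(word128: int) -> bytes:
    """Constructed 512-byte IDENTIFY block with only word 128 populated (test data)."""
    buf = bytearray(512)
    struct.pack_into("<H", buf, 128 * 2, word128)
    return bytes(buf)


if __name__ == "__main__":
    for w in (SEC_SUPPORTED | SEC_ENABLED | SEC_LOCKED,
              SEC_SUPPORTED | SEC_ENABLED | SEC_LOCKED | SEC_LEVEL_MAXIMUM,
              SEC_SUPPORTED | SEC_ENABLED | SEC_LOCKED | SEC_COUNT_EXPIRED,
              SEC_SUPPORTED):
        print(f"word128={w:#06x}: {security_status(make_identify(w))}")
```

The frozen and count_expired bits are worth checking before any unlock attempt: a frozen drive rejects all SECURITY commands until it is power cycled, and an expired attempt counter means the drive will abort further unlock attempts until the next power-on reset.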

To perform a complete Diagnostics, Insight needs the hard drive to be unlocked. Therefore, when dealing with a locked device, we suggest performing password recovery before running the Automatic Checkup.

Password Extraction, Reset and Reset until power cycle

Under the Device Recovery category of the left-side menu, select the Password Recovery subcategory. There are three ways of dealing with a locked hard drive:

  • To display the password without unlocking the device at this moment, click the Extract button. This option does not require write protection on the source port to be switched off.
  • To work with the data on the drive without permanently resetting the password, tick the Reset Password until power cycle checkbox and then click the Reset button. This way write protection stays enabled on the source port, and no changes can be made to the drive.

NB. If the Reset Password until power cycle option is selected, power cycles executed in the course of Automatic Checkup, imaging or other operations will not affect the temporary unlocked status of the device. Only a deliberate power cycle, such as clicking the Power button, changes the Security status of the drive back to Locked.

  • Finally, to permanently unlock the device, switch off write protection and then click the Reset button. Note that this permanently changes the drive's security state, so the action should be documented in the case record.

For the list of hard drives currently supported by Insight’s automatic password recovery, please follow this link.

Please note that this guide applies to all supported Samsung, Toshiba and Western Digital hard drives. To unlock a Seagate drive, connect the device to the Serial port of the DiskSense unit and then follow the same steps. Hitachi drives require the password extraction adapter; for more information please follow this link.

Lifting HPA and DCO restrictions

Both HPA (host protected area) and DCO (device configuration overlay) are features of the ATA standard that let a drive hide part of its capacity: manufacturers use them to reserve space for vendor utilities or simply to make a drive report a certain number of sectors (smaller than its physical capacity). But end users have long been able to create, modify and write to these areas with freely available open-source tools. For digital forensics specialists, this means that without the ability to identify such hidden areas and image the full physical drive, including the data in these areas, the evidence they obtain may be incomplete and lead to inaccurate investigative conclusions.

When you connect a hard drive to the DiskSense unit, in addition to the standard Identify device command, Atola Insight Forensic automatically sends two commands to look up the drive size as set in the drive's firmware: Read native max address and Device configuration identify. If the drive size has been limited by DCO or HPA, Insight draws attention to this by adding corresponding red indicators to the DiskSense Source Port.

To get more details about the modifications that have been made to the drive’s firmware, run Automatic Checkup and see the Firmware section of the Diagnostics report.

There you will see three lines showing the drive's Max Address according to different records in the drive's firmware:

  1. The Max Address according to device ID line shows the max address from the ID sector, which is affected by both HPA and DCO restrictions if they are applied.
  2. Native Max Address shows the max address ignoring any HPA limitation that may be enabled, but still affected by a DCO restriction.
  3. Max Address from DCO is the line that gives you the drive's actual size.

A Diagnostics report of a drive that has neither HPA nor DCO activated shows the same value in all three lines. Where the lines differ, the difference between lines 1 and 2 is the size of the HPA, and the difference between lines 2 and 3 is the area hidden by DCO.
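
To make the comparison of the three records concrete, here is an added illustrative example (not Atola's code). It takes the IDENTIFY DEVICE max address (computed from the LBA48 sector count in words 100-103, or words 60-61 for LBA28-only drives), the READ NATIVE MAX ADDRESS result and the DEVICE CONFIGURATION IDENTIFY max address, and reports which hidden areas exist and where they lie. The drive sizes, the make_identify helper and the 512-byte sector size are constructed assumptions for this example.

```python
"""Detect HPA and DCO from the three max-address records (illustrative example)."""
import struct

SECTOR_BYTES = 512   # assumed logical sector size


def identify_max_address(identify: bytes) -> int:
    """Max LBA according to IDENTIFY DEVICE.

    Words 100-103 hold the LBA48 user-addressable sector count; words 60-61
    hold the LBA28 count for drives without LBA48. Max address = count - 1.
    """
    if len(identify) != 512:
        raise ValueError("IDENTIFY DEVICE data must be exactly 512 bytes")
    count48 = struct.unpack_from("<Q", identify, 100 * 2)[0]
    count28 = struct.unpack_from("<I", identify, 60 * 2)[0]
    count = count48 or count28
    if count == 0:
        raise ValueError("IDENTIFY DEVICE reports no addressable sectors")
    return count - 1


def analyze(id_max: int, native_max: int, dco_max: int) -> dict:
    """Compare the three records and describe any hidden areas.

    id_max     - from IDENTIFY DEVICE (reduced by both HPA and DCO)
    native_max - from READ NATIVE MAX ADDRESS [EXT] (ignores HPA, reduced by DCO)
    dco_max    - from DEVICE CONFIGURATION IDENTIFY (the physical maximum)
    """
    if not (id_max <= native_max <= dco_max):
        # The records must be non-decreasing; anything else is a firmware
        # inconsistency that deserves a manual look before imaging.
        return {"consistent": False, "values": (id_max, native_max, dco_max)}
    hpa = native_max - id_max
    dco = dco_max - native_max
    return {
        "consistent": True,
        "hpa_present": hpa > 0,
        "dco_present": dco > 0,
        "hpa_hidden_sectors": hpa,
        "dco_hidden_sectors": dco,
        # LBA ranges that a plain IDENTIFY-based acquisition would never read
        "hpa_range": (id_max + 1, native_max) if hpa else None,
        "dco_range": (native_max + 1, dco_max) if dco else None,
        "hidden_bytes": (hpa + dco) * SECTOR_BYTES,
    }


def make_identify(sector_count: int) -> bytes:
    """Constructed IDENTIFY DEVICE block with only words 100-103 populated (test data)."""
    buf = bytearray(512)
    struct.pack_into("<Q", buf, 100 * 2, sector_count)
    return bytes(buf)


# Constructed scenario: DCO hides 10,000,000 sectors at the top of the drive,
# and an HPA hides a further 10,000,000 sectors below the DCO limit.
DCO_MAX = 976_773_167
NATIVE_MAX = DCO_MAX - 10_000_000
ID_BLOCK = make_identify(NATIVE_MAX - 10_000_000 + 1)


def example() -> dict:
    return analyze(identify_max_address(ID_BLOCK), NATIVE_MAX, DCO_MAX)


if __name__ == "__main__":
    for key, value in example().items():
        print(f"{key}: {value}")
```

In practice the two extra commands are what distinguish a complete physical image from one that silently stops at the IDENTIFY size; a drive that answers all three queries with the same value has nothing hidden, and any other result should be reconciled before the imaging session is started.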

To disable any limitations that have been applied to the drive's firmware, click the Unclip HPA/DCO subcategory under the Device Utilities category of the left-side menu and click the Unclip button.

Please note that the Write Protection switch on the DiskSense unit needs to be disabled to perform this operation: Unclip HPA/DCO makes changes to the drive's firmware, and Write Protection does not allow such changes.

Atola Insight Forensic lifts HPA and DCO restrictions in a matter of seconds and enables access to all data on the drive.

Lift HPA until power cycle

Often, due to internal procedures, forensic specialists are not allowed to make any changes to the drive, and therefore cannot disable HPA and DCO restrictions to access data in the hidden areas. With Atola Insight Forensic, however, it is possible to lift the HPA limitation until the next power cycle, which avoids a permanent change to the drive.

To use this feature, go to the Host Protected Area subcategory of the Device Utilities category of the menu and click the Read HPA parameters link. Clicking the Set as current link sets the Current Max Address value to that of the Native Max Address. Then tick the Change Max Address temporarily (until power cycle) checkbox and click the Change Max Address button.

This gives access to the data in the area previously protected by the HPA, yet as soon as you power off or detach the drive, the HPA is in place again. Note that the temporary lift applies to HPA only: DCO has no temporary mode, so an area hidden by DCO can only be exposed with the permanent Unclip HPA/DCO operation described above.

NB If the drive contains damaged areas and Insight needs to perform power cycles during imaging, such power cycles will not affect the temporarily disabled HPA: Insight re-applies the temporary max address change after each imaging-related power cycle, so the HPA remains accessible throughout the imaging process.

For more information about imaging of freezing drives, please follow this link.

Calculating Hash During Imaging

Atola Insight Forensic supports hash calculation of both source and target devices in conjunction with imaging. The hashing options are flexible enough to fit an organization's internal evidence acquisition procedures while avoiding further damage to fragile media.

To view the hashing options:

  1. Go to Imaging category of the left-side menu and click on Create New Session link
  2. Select the target device or file
  3. In Preset line click on the Show settings link
  4. In the upper part of the Passes and Hash tab there are three checkboxes:
  • Pre-hash source device
  • Hash source during imaging
  • Post-hash target device(s)

All three options can be selected at the same time.

However, the Pre-hash source device option must be used with caution: although pre-hashing may be required by an investigator's internal procedures, on a drive that has been diagnosed with hardware failure it means a full extra read of the drive before any essential data is imaged, which may cause further damage.

By contrast, Hash source during imaging is the most appropriate way to calculate the hash of a fragile source evidence drive. In this case, Insight needs to read the data on the drive only once, both to image it and to calculate the hash, which keeps the load on the drive's hardware to a minimum.

NB A linear hash can only be calculated by reading the sectors consecutively in a single pass. Therefore ticking the Hash source during imaging checkbox and selecting Linear or combined Linear and Segmented in the Hashing method drop-down menu limits the number of imaging passes to one. When dealing with a damaged drive, we strongly recommend Segmented hashing, as this method supports multi-pass imaging and handling of bad sectors, and provides better resiliency against data corruption. For more details please follow this link: Segmented hashing.

The Post-hash target device(s) option allows the calculated hash of the image to be properly recorded in the case. Since this operation does not require reading the source drive, it is safe to use while imaging either good or damaged drives.
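
The difference between linear and segmented hashing under multi-pass imaging is easier to see on a concrete model. The following is an added illustrative example, not Atola's implementation: it builds a small constructed drive with two unreadable sectors, runs a first imaging pass that skips them and a second pass that recovers one of them, and shows that a linear hash (here MD5 and SHA-1 from one read) is impossible without an uninterrupted pass, while per-segment hashes can be completed as sectors are recovered and later verified segment by segment. The drive size, segment size, bad-sector positions and the hash-row layout are constructed assumptions.

```python
"""Linear vs. segmented hashing of a drive imaged in several passes (illustrative example)."""
import hashlib

SECTOR = 512
TOTAL_SECTORS = 64
SEGMENT_SECTORS = 16

# Constructed source media: sector i is filled with the byte value i.
SOURCE = [bytes([i]) * SECTOR for i in range(TOTAL_SECTORS)]


class Drive:
    """Constructed drive whose bad sectors fail until they are 'recovered' on a retry."""

    def __init__(self, data, bad):
        self.data = data
        self.bad = set(bad)

    def read(self, lba):
        if lba in self.bad:
            raise IOError(f"unreadable sector {lba}")
        return self.data[lba]


def image_pass(drive, target, unread):
    """One imaging pass over the sectors still missing; returns the sectors still unread."""
    still = set()
    for lba in sorted(unread):
        try:
            target[lba] = drive.read(lba)
        except IOError:
            still.add(lba)
    return still


def linear_hash(drive):
    """MD5 and SHA-1 from one consecutive read; aborts on the first bad sector."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    for lba in range(TOTAL_SECTORS):
        block = drive.read(lba)      # raises on a bad sector: no usable linear hash
        md5.update(block)
        sha1.update(block)
    return md5.hexdigest(), sha1.hexdigest()


def segmented_hash(target, unread, segment=SEGMENT_SECTORS):
    """Per-segment SHA-1 over the imaged data as rows of (first LBA, last LBA, hash).
    A segment containing any sector not yet read gets no hash; it can be hashed
    later, once a retry pass recovers the sector."""
    rows = []
    for start in range(0, TOTAL_SECTORS, segment):
        end = min(start + segment, TOTAL_SECTORS) - 1
        if any(lba in unread for lba in range(start, end + 1)):
            rows.append((start, end, None))
        else:
            data = b"".join(target[lba] for lba in range(start, end + 1))
            rows.append((start, end, hashlib.sha1(data).hexdigest()))
    return rows


def verify_segments(image, rows):
    """Return the segments whose stored hash no longer matches the image."""
    mismatched = []
    for start, end, digest in rows:
        if digest is None:
            continue
        data = b"".join(image[lba] for lba in range(start, end + 1))
        if hashlib.sha1(data).hexdigest() != digest:
            mismatched.append((start, end))
    return mismatched


def simulate():
    drive = Drive(SOURCE, bad={10, 37})
    target = [b"\x00" * SECTOR] * TOTAL_SECTORS   # unread sectors stay zero-filled
    unread = set(range(TOTAL_SECTORS))

    try:                                           # linear hashing needs one clean pass
        linear_hash(drive)
        linear_ok = True
    except IOError:
        linear_ok = False

    unread = image_pass(drive, target, unread)     # pass 1: LBA 10 and 37 remain unread
    pass1 = segmented_hash(target, unread)
    drive.bad.discard(10)                          # a retry recovers LBA 10 only
    unread = image_pass(drive, target, unread)     # pass 2: LBA 37 remains unread
    pass2 = segmented_hash(target, unread)

    image = list(target)                           # later integrity check on a copy
    image[50] = b"\xff" + image[50][1:]            # one corrupted byte in segment 48-63
    return {
        "linear_ok": linear_ok,
        "unhashed_after_pass1": [r[:2] for r in pass1 if r[2] is None],
        "unhashed_after_pass2": [r[:2] for r in pass2 if r[2] is None],
        "mismatched_segments": verify_segments(image, pass2),
    }


if __name__ == "__main__":
    for key, value in simulate().items():
        print(f"{key}: {value}")
```

Two properties stand out in the result: a segment is only ever hashed from data that was actually read, so recovering a sector in a later pass completes its segment without touching the others, and a later corruption is pinned to one 16-sector segment rather than invalidating the hash of the whole image.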

Imaging a Source Drive to an E01 File with a Double Hash

In recent years, the E01 file format has become the de facto standard for forensic purposes: it stores not only a physical or logical copy of a source drive but also case and evidence details, and it can carry both an MD5 and a SHA-1 hash. It is considered good practice among forensic specialists to calculate both hashes while imaging the evidence so that they are included in the E01 file.

To image a source evidence drive to an E01 file you have to add a new target file.

Selecting a new E01 file

1. In the Imaging category of the left-side menu, click the Create New Session link and, in the Target Device Selection window, click the Add Image File link.

2. In the Image File Selection window, select the E01 file extension in the drop-down menu to create an image file with this extension, and type the name you prefer in the File Name field.

3. Fill out all the relevant fields in the Image File Options window (this can also be done later on the Home page of the file once it is created).

4. Click the Select button in the Target Device Selection window.

As a result, an E01 file with a current size of 0 bytes is created (its final size is defined by the amount of imaged data it contains plus the metadata).

Imaging & calculating the hashes

  1. Go to Imaging category of the left-side menu and click on Create New Session link
  2. In Preset line click on the Show settings link
  3. In Passes and Hash tab check the Hash source during imaging box
  4. In Hash method drop-down menu select Linear
  5. In Hash type drop-down menu select MD5 and SHA-1
  6. Click on Start imaging button

Upon completion of imaging, both MD5 and SHA-1 hashes are shown on the Imaging Results page.

Screenshot analysis: Imaging a freezing drive

Recently, we received an email from a long-standing client. The drive he was imaging contained a large number of errors. We would like to use this screenshot of a real-case imaging process to illustrate how Atola Insight Forensic handles hard drives in such a dire state.

The numbers in the screenshot show that, despite encountering over 1100 errors, Insight has already imaged 605 million sectors out of the 1,745 million sectors it has attempted to image in this first pass. The speed may seem low, but Insight is actually reading the drive, whereas most other imagers would likely be unable even to identify a device in this condition.

Second, this screenshot is yet another example of the freezing drive recovery algorithm in action, which makes the imaging process much more efficient on severely damaged drives like the one in our example. We recently posted a guide explaining how it works and how it helps Insight avoid long idle periods waiting for the disk to become ready.

As for the situation in the screenshot: following the algorithm, Insight issued two consecutive resets (only after executing the second reset does Insight add a message to the Log saying Device freezes while reading block X – Y, as shown in the red box area of the screenshot). The drive apparently did not become ready after either reset, so, as the freezing drive recovery algorithm prescribes, Insight executed a power cycle, which proved effective: the drive became ready to start reading the next planned block of sectors.

Finally, there are two graphs that reflect imaging progress: the upper one, the imaging map bar, shows imaging progress across the whole drive space; the lower one, the read speed graph, shows the time Insight spent reading recently imaged sectors. You may have noticed a few apparent discrepancies between these graphs:

  • Why does the imaging map bar indicate that 10% of the drive has been imaged, while the progress bar looks more like 30% of the total drive space?
    The bar reflects the media space between the first and the last sectors attempted so far. The percentage counts only successfully imaged sectors and does not include the skipped blocks: in its first pass, Insight jumps one million sectors ahead whenever it encounters bad sectors. When Insight returns to the skipped blocks during the following passes, it allocates more time to reading each sector and adds the successfully imaged sectors to that percentage.
  • Why do the red zones in the imaging map bar look larger than those in the read speed graph?
    Each pixel in the imaging map bar stands for thousands of sectors. The map gives priority to showing the location of errors over the location of good sectors, and, being limited by screen size and resolution, it may look very red while imaging a drive with a large number of errors, especially during the first pass, before the problematic sectors are read more thoroughly.
  • Why do equally sized ranges in the read speed graph contain substantially different numbers of sectors, according to the LBA values?
    range 1. there are 819,200 sectors between 1,733,217,921 and 1,734,037,121,
    range 2. there are 4,802,816 sectors between 1,734,037,121 and 1,738,839,937,
    range 3. there are 6,794,624 sectors between 1,738,839,937 and 1,745,634,561.
    The spans differ because of the number of bad blocks of sectors located between them: during the first pass, Insight jumps one million sectors ahead each time it encounters a block of sectors that it cannot read.
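
To make the relationship between the imaged percentage and the extent of the bar concrete, here is an added illustrative model of a first pass that jumps 1,000,000 sectors past each unreadable block. It is not Atola's imaging code: the drive size, block size and bad-sector positions are constructed assumptions chosen so that the arithmetic is easy to follow, and the stop_at parameter simply freezes the walk part-way, as a screenshot does.

```python
"""Model of a first imaging pass that skips 1,000,000 sectors after each read error
(constructed illustration, not Atola's algorithm)."""

JUMP = 1_000_000          # sectors skipped after an unreadable block in the first pass


def intersects(start, end, bad_ranges):
    """True if the block [start, end] touches any constructed bad LBA range."""
    return any(b0 <= end and start <= b1 for b0, b1 in bad_ranges)


def first_pass(total_sectors, block_sectors, bad_ranges, stop_at=None):
    """Walk the drive once. Readable blocks are imaged; an unreadable block triggers
    a jump of JUMP sectors, recorded as a skipped range that later passes revisit.
    stop_at freezes the walk at a given LBA, like looking at a screenshot mid-pass."""
    lba = 0
    imaged = 0
    skipped = []
    limit = total_sectors if stop_at is None else min(stop_at, total_sectors)
    while lba < limit:
        end = min(lba + block_sectors, limit)
        if intersects(lba, end - 1, bad_ranges):
            jump_to = min(lba + JUMP, total_sectors)
            skipped.append((lba, jump_to - 1))
            lba = jump_to
        else:
            imaged += end - lba
            lba = end
    return {
        "imaged": imaged,
        "attempted_up_to": lba,
        # what the percentage figure shows: successfully imaged sectors only
        "coverage_pct": round(100 * imaged / total_sectors, 2),
        # what the bar extent shows: how far into the media the pass has reached
        "extent_pct": round(100 * lba / total_sectors, 2),
        "skipped": skipped,
    }


# Constructed drive: 10,000,000 sectors, read in 2,048-sector blocks, with three
# damaged spots. The second spot lies inside the jump triggered by the first one,
# so the first pass never even attempts it.
TOTAL = 10_000_000
BLOCK = 2_048
BAD = [(1_000_000, 1_000_100), (1_300_000, 1_300_010), (5_000_000, 5_000_001)]


def full_pass():
    return first_pass(TOTAL, BLOCK, BAD)


def snapshot():
    """The pass frozen at LBA 3,000,000: 20% imaged, bar extent 30%."""
    return first_pass(TOTAL, BLOCK, BAD, stop_at=3_000_000)


if __name__ == "__main__":
    for name, result in (("snapshot", snapshot()), ("full pass", full_pass())):
        print(name)
        for key, value in result.items():
            print(f"  {key}: {value}")
```

The snapshot reproduces the first question above: the walk has reached 30% of the media but only 20% of the sectors are in the image, because the 1,000,000-sector jump counts toward the bar's extent and not toward the percentage. The full pass also shows why a skipped range can hide more damage than the error that triggered it.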