Difference between pages "Hard Drive Passwords" and "Incident Response"

From Forensics Wiki
(Difference between pages)
Jump to: navigation, search
(Vendors)
 
 
Line 1: Line 1:
Some hard drives support passwords. These passwords can be implemented in computer's operating system, its BIOS, or even in the hard drive's firmware.  Passwords implemented in the OS are the easiest to remove, those in the firmware are the hardest.
+
{{Expand}}
  
Sometimes people use the term "password" but the hard drive is really [[Full Disk Encryption|encrypted]], and the password is used to unlock a decryption key. These passwords cannot be removed — the encryption key must be cracked or discovered through another means.
+
Incident Response is a set of procedures for an investigator to examine a computer security incident. This process involves figuring out what was happened and preserving information related to those events. Because of the fluid nature of computer investigations, incident response is more of an art than a science.  
  
=Vendors=
+
== Tools ==
* Disklabs (www.disklabs.com) is able to remove some forms of hard drive passwords.
+
  
* Dell will assist law enforcement in removing the passwords from password-protected hard drives. You need to provide Dell with a copy of the search warrant and the computer's service tag #. Reportedly this can be done over the phone, once you have a good relationship with Dell.
+
Incident response tools can be grouped into three categories. The first category is '''Individual Tools'''. These are programs designed to probe parts of the operating system and gather userful and/or volatile data. The [[SysInternals]] suite is frequently cited as a good example of incident response tools. They are self-contained, useful, discrete, and do not create a large footprint on the victim system.  
  
* [http://www.hdd.profesjonalnie.pl/to.php Seagate HDD Service Device for 2,5" drives BASIC Kit]: The tool works with 2,5" drives of Seagate. Main functionality - ATA PASSWORD removal from 2,5" drives.
+
Standalone tools have been combined to create '''Script Based Tools''' like [[First Responder's Evidence Disk|FRED]] or the [[Windows Forensic Toolchest|WFT]]. These tools combine a number of standalone tools that are run via a script or batch file. They require minimal interaction from the user and gather a fixed set of data. These tools are good in that they automate the incident response process and provide the examiner with a standard process to defend in court. They also do not require the first responder to necessarily be an expert with the individual tools. Their weakness, however, is that they can be inflexible. Once the order of the tools is set, it can be difficult to change. Some script based tools, such as [[Microsoft|Microsoft's]] [[COFEE]] allow the user to pick and choose which standalone tools will be used in a given examination.
  
* [http://www.acelaboratory.com/pc3000.htm PC-3000 for Windows] has "An opportunity to unlock USER and MASTER passwords used in a HDD".
+
The final category of tools are '''Agent Based Tools''' such as [[Mandiant|Mandiant's]] [[First Response]]. These tools require the examiner to install a program on the victim which can then report back to a central server. The upshot is that one examiner can install the program on multiple computers, gather data from all of them, and then view the results in the aggregate. Finding the victim or victims can be easier if they stand out from the crowd.
  
* [http://www.hdd-tools.com/products/rrs/ With Repair Station you can remove an unknown ATA-password; both security levels are supported: High and Maximum]
+
== See Also ==
 +
* [[List of Standalone Incident Response Tools]]
 +
* [[List of Script Based Incident Response Tools]]
 +
* [[:Category:Incident response tools|Incident response tools category]]
  
* [http://www.vogon-investigation.com/password-cracker-solution.htm Using the Vogon Password Cracker POD, the protection from the drive can be removed]
+
== External Links ==
 +
* [http://dfrws.org/2002/papers/Papers/Jesse_Kornblum.pdf Preservation of Fragile Digital Evidence by First Responders], by [[Jesse Kornblum]], DFRWS 2002
 +
* [http://blog.handlerdiaries.com/?p=325 Keeping Focus During an Incident], by jackcr, January 17, 2014
  
* [http://www.salvationdata.com SalvationData] sells a system for "Stage 2 physical data damage" recovery from HDDs. The company sells tools such as [http://www.salvationdata.com/data-recovery-equipment/hd-doctor.htm HD Doctor Suite],[http://www.salvationdata.com/data-recovery-equipment/data-compass.htm Data Compass]and [http://www.salvationdata.com/data-recovery-equipment/hd-hpe-pro.htm HD HPE Pro]for swapping out platters from one drive into another drive, changing the firmware on drives, and other kinds of operations. You can buy it from http://www.computersciencelabs.com.
+
== Tools ==
 +
* [http://technet.microsoft.com/en-us/sysinternals/0e18b180-9b7a-4c49-8120-c47c5a693683.aspx Sysinternals Suite]
 +
* [[GRR]]
  
= Master Passwords =
+
== Books ==
 
+
There are several books available that discuss incident response. For [[Windows]], ''[http://www.windows-ir.com/ Windows Forensics and Incident Recovery]'' by [[Harlan Carvey]] is an excellent introduction to possible scenarios and how to respond to them.
''These passwords were received from unofficial sources, they may not work!''
+
 
+
* Western Digital: ''WDCWDCWDCWDCWDCWDCWDCWDCWDCWDCWD''
+
* Maxtor: ''Maxtor*INIT SECURITY TEST STEP*F'' (''*'' means ''00h'')
+
* Seagate: ''Seagate''
+
* Fujitsu, Hitachi, Toshiba: 32 spaces
+
* Samsung: ''tttttttttttttttttttttttttttttttt''
+
* IBM:
+
** ''CED79IJUFNATIT''
+
** ''VON89IJUFSUNAJ''
+
** ''RAM00IJUFOTSELET''
+

Revision as of 04:14, 18 January 2014

Information icon.png

Please help to improve this article by expanding it.
Further information might be found on the discussion page.

Incident Response is a set of procedures for an investigator to examine a computer security incident. This process involves figuring out what was happened and preserving information related to those events. Because of the fluid nature of computer investigations, incident response is more of an art than a science.

Contents

Tools

Incident response tools can be grouped into three categories. The first category is Individual Tools. These are programs designed to probe parts of the operating system and gather userful and/or volatile data. The SysInternals suite is frequently cited as a good example of incident response tools. They are self-contained, useful, discrete, and do not create a large footprint on the victim system.

Standalone tools have been combined to create Script Based Tools like FRED or the WFT. These tools combine a number of standalone tools that are run via a script or batch file. They require minimal interaction from the user and gather a fixed set of data. These tools are good in that they automate the incident response process and provide the examiner with a standard process to defend in court. They also do not require the first responder to necessarily be an expert with the individual tools. Their weakness, however, is that they can be inflexible. Once the order of the tools is set, it can be difficult to change. Some script based tools, such as Microsoft's COFEE allow the user to pick and choose which standalone tools will be used in a given examination.

The final category of tools are Agent Based Tools such as Mandiant's First Response. These tools require the examiner to install a program on the victim which can then report back to a central server. The upshot is that one examiner can install the program on multiple computers, gather data from all of them, and then view the results in the aggregate. Finding the victim or victims can be easier if they stand out from the crowd.

See Also

External Links

Tools

Books

There are several books available that discuss incident response. For Windows, Windows Forensics and Incident Recovery by Harlan Carvey is an excellent introduction to possible scenarios and how to respond to them.