Wednesday, May 19, 2010

SafeBoot Info EnScript

An old colleague of mine, Brian Olson, contacted me and offerred to share an EnScript that he wrote. The EnScript was designed to help those of you who may have SafeBoot encryption deployed in your organization.

Here is a description of the EnScript directly from Brian:
The SafeBoot Management Console generally associates the key with the asset, we have encountered several situations where we could not easily locate the correct key to decrypt a SafeBoot encrypted drive. In some cases we found computers where the hard drive was swapped between assets by our internal helpdesk technicians, multiple decryption keys existed for the same asset, or even worse - keys were renamed.

I (Brian) wrote this EnScript to assist an Examiner with identifying the correct SafeBoot .SDB Database File (Decryption Key) based on meta data stored by SafeBoot to the hard drive. This EnScript will provide the Examiner with a brief report with enough information to locate the correct SafeBoot Database and Object information by searching for the Machine ID. From there, the .SDB key can be exported and used to decrypt the volume from within EnCase or using SafeBoot Vendor Tools.

Example Report:
SafeBoot Information
Physical Device: 0
SafeBoot Signature found in Device '0' Sector 1.
SafeBoot Encryption Information
SafeBoot Alg: 00000012
Database ID: 1234ABCD
Machine ID: 000012AB
SBFS Sector Map: 1668231
SBFS Sector Map Count: 23
SBFS KeyCheck: 123456ABCDEF
Region 1 Information
Region 1 - Start Sector: 63
Region 1 - End Sector: 156296385
Region 1 - Sector Count: 156296322
PowerFail Status
Status: Inactive

This EnScript is still in Beta, but has been mostly reliable in our environment. I (Brian) would appreciate any feedback from any other SafeBoot users regarding the accuracy of this EnScript in their environments.

Some Known Issues include:

  • Currently identifies only one “Region” (Encrypted Volume). Multiple Region Support is a planned feature.
  • Power Failure State still needs further testing and improvements. May still report Inactive...
  • ‘End Sector’ Region may be “0” on McAfee Enterprise Encrypted Disks.
Bugs or Comments can be reported to Brian at: dbrianolson (at) gmail.com

Download Here

4 comments:

Anonymous Wednesday, 19 May, 2010  

Thanks for putting this together. I ran a test, but the machine ID came up with Machine ID: 00000001, when it is actually ID: 0001b56c.

Full Ouput:
========================
05/19/10 01:57:18PM Info [SafeBoot Information EnScript] SBinfo Script Started

SafeBoot Signature found in Device '0' Sector 16922648

Extracting SafeBoot Key Info from Device: 0



=== SafeBoot Information ===

SafeBoot Alg: 10000000

Database ID: 02381e00

Machine ID: 00000001

SBFS Sector Map: 520097792

SBFS Sector Map Count: 0

SBFS KeyCheck: 1023820001000



=== Region 0 Information ===

Region 0 - Start Sector: 16922660

Region 0 - End Sector: 16922920

Region 0 - Sector Count: 941948944



=== PowerFail Status ===

Status: Unknown - Error Reading Power Fail Status



05/19/10 01:57:19PM Info [SafeBoot Information EnScript] Script Completed

Brian Wednesday, 19 May, 2010  

Thanks for the response! I'd like to get more information from you to assist me with making improvements to this EnScript.

First and foremost, I need to know what version of SafeBoot you are running? Do you get the same results on other drives from your environment?

Please EMail me - dbrianolson(at)gmail(dot)com

- Brian Olson

Anonymous Thursday, 09 December, 2010  

How do you export the .sdb key using the data that this script provides? I have an encrypted image and magic key.. I need the .sdb file for encase to decrypt the image.

Anonymous Thursday, 21 April, 2011  

You can export the .SDB file from the Admin Console. Locate the machine based on the found Machine ID number. You can find the machine using the Find function under the Groups drop-down menu. Select the drop-down box "In" to select Object ID and enter the machine ID found with the EnScript. Now, right-click on the machine and select Export Configuration. Type a name for the key in the 'Export To' field. You do not need to include users or files in the export so you do not need any 'Options' boxes checked.

Post a Comment

Computer Forensics, Malware Analysis & Digital Investigations

Random Articles