An old colleague of mine, Brian Olson, contacted me and offered to share an EnScript that he wrote. The EnScript was designed to help those of you who may have SafeBoot encryption deployed in your organization.
Here is a description of the EnScript directly from Brian:
The SafeBoot Management Console generally associates the key with the asset, but we have encountered several situations where we could not easily locate the correct key to decrypt a SafeBoot encrypted drive. In some cases we found computers where the hard drive was swapped between assets by our internal helpdesk technicians, multiple decryption keys existed for the same asset, or even worse - keys were renamed.
I (Brian) wrote this EnScript to assist an Examiner with identifying the correct SafeBoot .SDB Database File (Decryption Key) based on metadata stored by SafeBoot to the hard drive. This EnScript will provide the Examiner with a brief report with enough information to locate the correct SafeBoot Database and Object information by searching for the Machine ID. From there, the .SDB key can be exported and used to decrypt the volume from within EnCase or using SafeBoot Vendor Tools.
Physical Device: 0
SafeBoot Signature found in Device '0' Sector 1.
SafeBoot Encryption Information
SafeBoot Alg: 00000012
Database ID: 1234ABCD
Machine ID: 000012AB
SBFS Sector Map: 1668231
SBFS Sector Map Count: 23
SBFS KeyCheck: 123456ABCDEF
Region 1 Information
Region 1 - Start Sector: 63
Region 1 - End Sector: 156296385
Region 1 - Sector Count: 156296322
This EnScript is still in Beta, but has been mostly reliable in our environment. I (Brian) would appreciate any feedback from any other SafeBoot users regarding the accuracy of this EnScript in their environments.
Some Known Issues include:
- Currently identifies only one “Region” (Encrypted Volume). Multiple Region Support is a planned feature.
- Power Failure State still needs further testing and improvements. May still report Inactive...
- ‘End Sector’ Region may be “0” on McAfee Enterprise Encrypted Disks.
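One way to collate the report for several devices before searching the Management Console by Machine ID, as an added example that is not part of Brian's EnScript. It assumes the report was saved as plain text in the layout shown above; `parse_report`, `region_warnings`, the second device in the sample, and the End minus Start check (which is taken from the sample output only) are assumptions made here.

```python
import re

# Constructed sample: the report text from the post, plus a second device
# made up here to exercise the 'End Sector' = 0 known issue.
SAMPLE_REPORT = """\
Physical Device: 0
SafeBoot Signature found in Device '0' Sector 1.
SafeBoot Encryption Information
SafeBoot Alg: 00000012
Database ID: 1234ABCD
Machine ID: 000012AB
SBFS Sector Map: 1668231
SBFS Sector Map Count: 23
SBFS KeyCheck: 123456ABCDEF
Region 1 Information
Region 1 - Start Sector: 63
Region 1 - End Sector: 156296385
Region 1 - Sector Count: 156296322
Physical Device: 1
Machine ID: 00000042
Region 1 - Start Sector: 63
Region 1 - End Sector: 0
Region 1 - Sector Count: 1000
"""

FIELD = re.compile(r"^(?:Region 1 - )?([A-Za-z ]+?):\s*(\S+)\s*$")

def parse_report(text):
    """Return one dict of 'Label' -> value per 'Physical Device' section."""
    devices = []
    for line in text.splitlines():
        m = FIELD.match(line.strip())
        if not m:
            continue  # banner and heading lines carry no 'key: value' pair
        key, value = m.groups()
        if key == "Physical Device":
            devices.append({})
        if devices:
            devices[-1][key] = value
    return devices

def region_warnings(dev):
    """Flag region values that should be checked by hand before decrypting."""
    start, end, count = (int(dev.get(k, 0)) for k in ("Start Sector", "End Sector", "Sector Count"))
    if end == 0:
        return ["End Sector is 0 (known issue on McAfee Enterprise disks)"]
    if end - start != count:  # relation observed in the post's sample only
        return ["Sector Count does not match End - Start"]
    return []
```
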