SafeBoot Info EnScript
An old colleague of mine, Brian Olson, contacted me and offerred to share an EnScript that he wrote. The EnScript was designed to help those of you who may have SafeBoot encryption deployed in your organization.
Here is a description of the EnScript directly from Brian:
The SafeBoot Management Console generally associates the key with the asset, we have encountered several situations where we could not easily locate the correct key to decrypt a SafeBoot encrypted drive. In some cases we found computers where the hard drive was swapped between assets by our internal helpdesk technicians, multiple decryption keys existed for the same asset, or even worse - keys were renamed.
I (Brian) wrote this EnScript to assist an Examiner with identifying the correct SafeBoot .SDB Database File (Decryption Key) based on meta data stored by SafeBoot to the hard drive. This EnScript will provide the Examiner with a brief report with enough information to locate the correct SafeBoot Database and Object information by searching for the Machine ID. From there, the .SDB key can be exported and used to decrypt the volume from within EnCase or using SafeBoot Vendor Tools.
Example Report:
SafeBoot Information
Physical Device: 0
SafeBoot Signature found in Device '0' Sector 1.
SafeBoot Encryption Information
SafeBoot Alg: 00000012
Database ID: 1234ABCD
Machine ID: 000012AB
SBFS Sector Map: 1668231
SBFS Sector Map Count: 23
SBFS KeyCheck: 123456ABCDEF
Region 1 Information
Region 1 - Start Sector: 63
Region 1 - End Sector: 156296385
Region 1 - Sector Count: 156296322
PowerFail Status
Status: Inactive
This EnScript is still in Beta, but has been mostly reliable in our environment. I (Brian) would appreciate any feedback from any other SafeBoot users regarding the accuracy of this EnScript in their environments.
Some Known Issues include:
- Currently identifies only one “Region” (Encrypted Volume). Multiple Region Support is a planned feature.
- Power Failure State still needs further testing and improvements. May still report Inactive...
- ‘End Sector’ Region may be “0” on McAfee Enterprise Encrypted Disks.
Download Here
4 comments:
Thanks for putting this together. I ran a test, but the machine ID came up with Machine ID: 00000001, when it is actually ID: 0001b56c.
Full Ouput:
========================
05/19/10 01:57:18PM Info [SafeBoot Information EnScript] SBinfo Script Started
SafeBoot Signature found in Device '0' Sector 16922648
Extracting SafeBoot Key Info from Device: 0
=== SafeBoot Information ===
SafeBoot Alg: 10000000
Database ID: 02381e00
Machine ID: 00000001
SBFS Sector Map: 520097792
SBFS Sector Map Count: 0
SBFS KeyCheck: 1023820001000
=== Region 0 Information ===
Region 0 - Start Sector: 16922660
Region 0 - End Sector: 16922920
Region 0 - Sector Count: 941948944
=== PowerFail Status ===
Status: Unknown - Error Reading Power Fail Status
05/19/10 01:57:19PM Info [SafeBoot Information EnScript] Script Completed
Thanks for the response! I'd like to get more information from you to assist me with making improvements to this EnScript.
First and foremost, I need to know what version of SafeBoot you are running? Do you get the same results on other drives from your environment?
Please EMail me - dbrianolson(at)gmail(dot)com
- Brian Olson
How do you export the .sdb key using the data that this script provides? I have an encrypted image and magic key.. I need the .sdb file for encase to decrypt the image.
You can export the .SDB file from the Admin Console. Locate the machine based on the found Machine ID number. You can find the machine using the Find function under the Groups drop-down menu. Select the drop-down box "In" to select Object ID and enter the machine ID found with the EnScript. Now, right-click on the machine and select Export Configuration. Type a name for the key in the 'Export To' field. You do not need to include users or files in the export so you do not need any 'Options' boxes checked.
Post a Comment