Bypassing Passwords on Harddisks
From SecuriWiki
This page is being edited by Greg Murdoch.
Most hard disks in current use come with the ability to set passwords at the hardware level. This feature is seldom used but is important from a forensic recovery point of view: firstly because it can be used in an attempt to prevent a successful forensic analysis of a disk, and secondly because it is trivially possible for a virus, worm or user to set these passwords maliciously on another person's hard drive. Here I will talk only about ATA hard drive passwords. In the page Cracking Passwords, Emma and Michelle talk about cracking passwords in general.
ATA Disks
Advanced Technology Attachment (ATA) is a standard that was originally concerned only with hard drives but has since been extended to cover other devices such as CD-ROM and tape drives. The original standard, ATA-1, also known as IDE, covered hard drives that are quite small by today's standards, with a maximum capacity of 504 MB. ATA-2 and ATA-3, also known as EIDE, extended this to 8.4 GB and then 137 GB (the 28-bit LBA limit). ATA-3 added the Security Mode feature set, which includes the ability to set the passwords discussed here. The next standard, ATA/ATAPI-4, added the packet interface used by CD-ROMs and other devices, and the naming convention changed to reflect this; in principle the same password commands can be implemented by such devices, although the feature set is optional and rarely found outside hard drives. Later standards raised the maximum capacity to 144 PB (48-bit addressing, introduced in ATA/ATAPI-6) and increased the bus speed. These later specifications, ATA/ATAPI-4 to ATA/ATAPI-7, are also known by their bus speeds: ATA-33, ATA-66, ATA-100 and ATA-133. ATA/ATAPI-6, or ATA-100, also introduced Device Configuration Overlays, which can likewise be used to hide data. Most hard drives in current use conform to one of these later specifications.
Security Mode
ATA-3 defines the following ATA commands: Security Set Password, Security Unlock, Security Disable Password, Security Erase Prepare, Security Erase Unit and Security Freeze Lock. Together they provide the ability to password protect a compatible ATA device. There are two passwords that can be set, the User Password and the Master Password, and two security levels, High and Maximum, that change the effect of using the Master Password. Because these passwords are part of the ATA standard and are checked by the drive's own firmware, the operating system has no way to read or bypass them: a locked drive simply aborts read and write commands until it has been unlocked. The drive does report its security state (supported, enabled, locked, frozen, attempt counter expired, and the security level) in word 128 of its IDENTIFY DEVICE response, which is the first thing to check on an unknown disk. This greatly complicates bypassing these passwords when they are correctly used.
User Password
When a user password is set on an ATA disk and the disk is powered on, the user password must be supplied before any data on the disk can be read or written. For a password protected disk to be bootable this has to happen before the operating system loads, so it is normally handled by the computer's BIOS. In use the BIOS prompts the user for the user password every time the machine boots, then issues the Security Unlock command with that password to the protected disk. This makes software key loggers useless, as the operating system is not running (assuming no one was crazy enough to write a BIOS based key logger). Hardware key loggers, such as [1], would still work and are probably the best way of retrieving ATA hard disk passwords.
Once the password has been entered the hard disk stays unlocked until the next power cycle. This matters when encountering a live system: if the plug is pulled, the hard disk reverts to its locked state, so a live disk should be imaged while it is still unlocked if at all possible. Also worth noting is that some BIOS implementations do not pass the exact password typed by the user to the hard disk, but send a modified version (for example a hash of it). If the hard disk is only ever used in the same machine this is transparent, but if the disk is removed to be imaged in a different machine then the password the user knows will not work. A machine with the same BIOS as the original, or knowledge of the transformation that BIOS applies, will then be needed.
When the User Password is not known, a dictionary attack is not easy. First, the BIOS issue above may mean that the password actually stored on the disk is not dictionary based, even if the password typed by the user is. Secondly, the ATA specification requires the disk to keep a counter of failed password attempts: after five failures the drive aborts further Security Unlock (and Security Erase Unit) commands, sets the "count expired" bit in its security status word, and accepts no more attempts until it has been power cycled or hardware reset. At five guesses per power cycle, brute force through the drive itself is impractically slow.
The Security Freeze Lock command disables all the other Security Mode commands until the next power cycle or hardware reset. The BIOS is supposed to issue it during boot, after the disk has been unlocked and before the operating system starts, so that no software running later can set, change or remove a password. Any attempt to reach the disk without the passwords therefore needs a machine whose BIOS does not freeze the drive (or the drive has to be connected after the machine has booted, so that it never sees the freeze command). As most desktop BIOSes do not perform this step, this is not hard.
Master Password
When the User Password is not known the Master Password can be used instead. Its effect depends on the security level. At the High level using the Master Password is equivalent to using the User Password: the disk can be unlocked and the password disabled with the data intact. At the Maximum level the Master Password cannot unlock the disk; it can only be used to regain the disk by issuing Security Erase Prepare followed by Security Erase Unit, which wipes all data. The disk can then be reformatted and used again, but anything a forensic analyst was interested in is destroyed. The security level should therefore always be checked (it is reported in bit 8 of IDENTIFY DEVICE word 128) before attempting to use the master password.
If the security level is High, it may be possible to bypass the User Password with the vendor's default Master Password. Many vendors ship disks with a default Master Password already set, and if the owner never changed it, it will still work. Later versions of the standard also report a Master Password revision code in IDENTIFY DEVICE word 92; the factory default value is 0xFFFE, so any other value indicates that the master password has been changed since manufacture. Finding out what the default password is may require the cooperation of the vendor, however.
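As an added illustration (not code from the original page, nor from HDAT2 or any drive vendor), the following Python decodes the security status a drive reports in IDENTIFY DEVICE words 128 and 92, decides whether using the Master Password would preserve the data, and builds the 512-byte data block that the Security Set Password, Security Unlock and Security Disable Password commands carry. The IDENTIFY blocks it decodes are constructed inline; on a real system they would be obtained from the drive (for example with hdparm -I or an ATA pass-through ioctl), and issuing the commands themselves is left to a tool such as HDAT2. The function names and the sample values are the example's own.

```python
import struct

# IDENTIFY DEVICE word 128, the Security status word, bit by bit (ATA spec).
SEC_SUPPORTED      = 1 << 0
SEC_ENABLED        = 1 << 1
SEC_LOCKED         = 1 << 2
SEC_FROZEN         = 1 << 3
SEC_COUNT_EXPIRED  = 1 << 4   # five failed unlocks since the last power cycle
SEC_ENHANCED_ERASE = 1 << 5
SEC_LEVEL_MAXIMUM  = 1 << 8   # 0 = High, 1 = Maximum

MASTER_REV_DEFAULT = 0xFFFE   # word 92 value: master password never changed


def word(identify: bytes, n: int) -> int:
    """Word n of a 512-byte IDENTIFY DEVICE block (words are little-endian)."""
    return struct.unpack_from("<H", identify, 2 * n)[0]


def security_status(identify: bytes) -> dict:
    """Decode the security state a drive reports about itself."""
    w = word(identify, 128)
    rev = word(identify, 92)
    return {
        "supported": bool(w & SEC_SUPPORTED),
        "enabled": bool(w & SEC_ENABLED),
        "locked": bool(w & SEC_LOCKED),
        "frozen": bool(w & SEC_FROZEN),
        "count_expired": bool(w & SEC_COUNT_EXPIRED),
        "level": "Maximum" if w & SEC_LEVEL_MAXIMUM else "High",
        "master_revision": rev,
        "master_is_default": rev == MASTER_REV_DEFAULT,
    }


def master_unlock_keeps_data(identify: bytes) -> bool:
    """True only when Security Unlock with the Master Password will succeed
    without erasing the disk, i.e. security is enabled at the High level.
    At the Maximum level the master password can only erase the drive."""
    st = security_status(identify)
    return st["enabled"] and st["level"] == "High"


def security_payload(password: bytes, *, master: bool = False,
                     level_maximum: bool = False, master_revision=None) -> bytes:
    """Build the 512-byte data block sent with Security Set Password,
    Security Unlock and Security Disable Password.
    Word 0 bit 0:  0 = user password, 1 = master password.
    Word 0 bit 8:  security level (Set Password with user identifier only).
    Words 1-16:    password, up to 32 bytes, zero padded.
    Word 17:       master password revision code (Set Password, master only)."""
    if len(password) > 32:
        raise ValueError("ATA passwords are at most 32 bytes")
    control = (1 if master else 0) | (SEC_LEVEL_MAXIMUM if level_maximum else 0)
    buf = bytearray(512)
    struct.pack_into("<H", buf, 0, control)
    buf[2:2 + len(password)] = password
    if master_revision is not None:
        struct.pack_into("<H", buf, 2 * 17, master_revision)
    return bytes(buf)


def make_identify(word128: int, word92: int = MASTER_REV_DEFAULT) -> bytes:
    """Constructed IDENTIFY DEVICE block with only the fields used here filled
    in; a real block comes from the drive, not from this helper."""
    buf = bytearray(512)
    struct.pack_into("<H", buf, 2 * 92, word92)
    struct.pack_into("<H", buf, 2 * 128, word128)
    return bytes(buf)


if __name__ == "__main__":
    # Constructed sample 1: enabled and locked at High level, master password
    # still at the factory default: the vendor master password will unlock it.
    locked_high = make_identify(SEC_SUPPORTED | SEC_ENABLED | SEC_LOCKED)
    # Constructed sample 2: Maximum level and a changed master password: the
    # master password can only erase, so stop before issuing anything.
    locked_max = make_identify(
        SEC_SUPPORTED | SEC_ENABLED | SEC_LOCKED | SEC_LEVEL_MAXIMUM, 0x0003)
    for name, idfy in (("High", locked_high), ("Maximum", locked_max)):
        print(name, security_status(idfy),
              "master unlock keeps data:", master_unlock_keeps_data(idfy))
    # Payload for Security Unlock with the master password "hunter2".
    print(security_payload(b"hunter2", master=True)[:10].hex())
```

The decision function deliberately refuses a master unlock at the Maximum level even though the command would not be rejected by the drive; at that level the only master-password operation the drive will honour is the erase, which is exactly what an analyst must avoid.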
Hardware
The ATA password only prevents the drive from serving the data; it does not encrypt or modify the data itself. (This does not hold for self-encrypting drives that derive their encryption key from the ATA password; those are not covered here.) This leaves open several hardware based bypasses. A sufficiently equipped forensic analyst could dismantle the hard disk and read the data straight from the platters inside.
Another, more sophisticated, approach involves acquiring a second disk identical to the first and physically swapping the ATA controller chips.
This is wrong and should be changed. The password is stored on the first sector of the first platter in the disk and not on a controller or in anything that can be replaced. Please read the ATA standards document before giving people wrong information.
Some hard disk manufacturers put the password on the platter and on the controller (in fact, in the EEPROM or flash ROM on the board), yes, both of them, when the password level is set to the Maximum level.
This leaves the data on the first disk with the unpassworded controller from the second disk, thus providing access to the data. An alternative would be to copy the firmware on these chips rather than move the chips themselves. (A bug was discovered in some models which helps remove the password: upgrading the firmware of the drive rewrites the security area too, leaving it with no password.) The ATA specification provides the Download Microcode command, which may be used for this. These approaches will fail, however, on hard disks that store some of the firmware, or the passwords themselves, on the platters.
There are data recovery companies that claim to be able to bypass this password check on all hard drives without opening them. Their methods, should they work as advertised, have not been made public.
Tools
The following program can be used to issue all the ATA commands discussed above: HDAT2 [2]. On Linux, hdparm implements the same command set: hdparm -I /dev/sdX prints the drive's Security status block (enabled, locked, frozen, expired, level and master password revision code), and the --security-unlock, --security-disable, --security-set-pass, --security-erase and --security-freeze options issue the corresponding commands, with --user-master u|m selecting which password is meant and --security-mode h|m selecting the level.
