Saturday, January 5, 2013

Encrypted drives

I was recently helping a potential customer with a data recovery problem.  The problem was a Western Digital external drive (1TB) that had a damaged USB connector on the case.  The drive was removed and placed in a USB caddy (as is common practice).  The drive appeared physically OK, but very few files could be read.

A few scans and logs were transferred and it appeared that there were files at the end of the disk, but the middle area was almost totally blank, i.e. very few file signatures were recognised.  The next stage was a disk scan (a CnW Forensic feature), which scans the complete drive and shows the broad category of data in each sector.  This includes text, blank, directory entry and compressed.  Most of the middle was detected as compressed.  A compressed sector (in this logic) is one with many different byte values in the sector, and will detect Zip files, JPEGs, MPEGs and music files as well as encrypted data.
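A sketch of that kind of per-sector scan, added here as an illustration and not CnW Forensic's code: it counts distinct byte values in each 512-byte sector and merges neighbouring sectors with the same label into runs. The 192-value cut-off, the 95% printable test, the "other" catch-all and the sample image are assumptions, and directory-entry detection is left out because it depends on the file system.

```python
import hashlib

SECTOR = 512
HIGH_VARIETY = 192  # assumed cut-off: distinct byte values out of 256 possible

def classify_sector(sector: bytes) -> str:
    """Label one sector by its byte-value spread (categories follow the post)."""
    distinct = len(set(sector))
    if distinct == 1:
        return "blank"                      # uniform fill such as 0x00 or 0xFF
    if distinct >= HIGH_VARIETY:
        return "compressed"                 # zip, JPEG, MPEG, music or ciphertext
    printable = sum(32 <= b < 127 or b in (9, 10, 13) for b in sector)
    return "text" if printable / len(sector) > 0.95 else "other"

def scan(image: bytes) -> list:
    """Collapse per-sector labels into runs of (first_sector, count, label)."""
    runs = []
    for off in range(0, len(image), SECTOR):
        label = classify_sector(image[off:off + SECTOR])
        if runs and runs[-1][2] == label:
            first, count, _ = runs[-1]
            runs[-1] = (first, count + 1, label)
        else:
            runs.append((off // SECTOR, 1, label))
    return runs

def high_variety_stream(n: int) -> bytes:
    """Constructed stand-in for compressed or encrypted data (SHA-256 counter)."""
    out = b"".join(hashlib.sha256(b"constructed" + i.to_bytes(4, "big")).digest()
                   for i in range(n // 32 + 1))
    return out[:n]

def build_sample() -> bytes:
    """Constructed 15-sector image: blank, text, high-variety, structured."""
    text = (b"log line: nothing to see here\n" * 40)[:2 * SECTOR]
    return (bytes(4 * SECTOR) + text + high_variety_stream(8 * SECTOR)
            + bytes(range(16)) * 32)

if __name__ == "__main__":
    for first, count, label in scan(build_sample()):
        print(f"sectors {first:>3}-{first + count - 1:<3} {label}")
```

The heuristic cannot separate ciphertext from ordinary compressed files; both land in the same "compressed" bucket, which is why a long unbroken run of that label is the thing to look at.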

The customer had not used encryption, or a program such as TrueCrypt, so the results did not make much sense.  However, the more I thought about it, the more the data looked as if the disk was compressed.

A bit of Google research did reveal something I was not expecting.  WD do make external drives with built-in compression, controlled by the internal controller board.  This is enabled even if a password is not entered, and could explain the situation with this drive.  The only solution is to read the drive with the original controller board.  Otherwise, reading the encrypted data can vary between very difficult and impossible.

This configuration came as a surprise to me, and I must now be aware that the drive case may be important, and not just accept the naked drive.