Full disk encryption is great for security, but encrypting data carries some incidental risk of its own: a forgotten or otherwise unknown passphrase or key can have serious consequences in many situations. In forensics and incident response we use and encounter encryption all the time, and getting at encrypted data in a timely fashion can be critical. I'd like to share a trick I learned while dealing with a "bricked" encrypted device running SafeGuard Easy ("SGE") from Utimaco Software, a fairly common full disk encryption product.
SafeGuard Easy offers a powerful full disk encryption tool, including a built-in user management system and a post-BIOS, pre-OS boot-time authentication option with what appears to be an exponential backoff timer to deter brute-force username/password guessing. Entering a boot-time passphrase incorrectly just a handful of times starts a cumulative timeout between allowed attempts, and that timeout roughly doubles with each further incorrect attempt. Anyone who has tried several passphrases when booting a SafeGuard Easy encrypted system will quickly notice delays of a few seconds, then minutes, and eventually an hour or more between allowed attempts. Rebooting or cold booting has no effect on this timer: it is persisted and survives indefinitely. After as few as five or six incorrect attempts an SGE device becomes effectively inaccessible, and users with valid username/password combinations (including administrators!) are held to the same wait before they can even try to reach the operating system.
I was once stuck with an SGE system in exactly this state, waiting more than an hour between allowed attempts. Even with the correct username and password in hand, every attempt to boot the OS was fruitless. After some Googling, a search through the Utimaco Knowledgebase, and some trial and error, I found a solution: Utimaco provides a supported way for SafeGuard administrators to get past the normal boot-time authentication limits and lockouts.
Utimaco offers Bootable Rescue Image files for every version of the product through the Support pages of its website. These BRIs are sets of floppy images and .ISO files that can be used to create bootable media which sidestep whatever boot-time lockout settings are in place. When I booted my "brick" with the .ISO image matching its version (the images are specific down to the major and minor version number, and will not work if there is a mismatch), I was presented with the familiar boot-time passphrase prompt, except that now there was no lockout and no growing timeout. With that, I was able to authenticate within a reasonable amount of time. Authenticating via the BRI as a valid user boots straight into the operating system, and authenticating as the SafeGuard Administrator allows complete removal of the encryption product without booting the OS. Note what the rescue image does and does not change: it removes the lockout, not the authentication, so a valid username and passphrase are still required and the data is protected only as well as those credentials are chosen. Hopefully this little "Easter Egg" will save someone else some time and frustration.
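To make the two mechanisms above concrete, here is a small Python model of a pre-boot gate with a persistent doubling timer and a rescue path that ignores it. This is an added illustration written for this page, not SafeGuard Easy code: the number of "free" failures, the base delay, the doubling rule and the assumption that the rescue prompt neither consults nor advances the stored timer are all choices made to mimic the behaviour described in the post, and the credential store and guesses are constructed for the example.

```python
import hashlib
import hmac

# Assumed parameters (not product values): failures that cost no delay, and the
# first delay imposed once those are used up; each further failure doubles it.
FREE_FAILURES = 3
BASE_DELAY_S = 30.0
PBKDF2_ITERS = 50_000


def delay_after(failures: int) -> float:
    """Seconds of lockout imposed after the given cumulative failure count."""
    excess = failures - FREE_FAILURES
    return 0.0 if excess <= 0 else BASE_DELAY_S * 2 ** (excess - 1)


def make_verifier(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERS)


# Constructed credential store: one admin user with a fixed salt so the run is
# reproducible. A real product keeps the verifier in the disk's key header.
SALT = bytes.fromhex("00112233445566778899aabbccddeeff")
USERS = {"admin": (SALT, make_verifier("correct horse battery staple", SALT))}


class PreBootGate:
    """Pre-OS authentication prompt. `nvram` stands in for on-disk state that
    survives reboots and cold boots, which is why the lockout survives too."""

    def __init__(self, nvram: dict):
        self.nvram = nvram
        nvram.setdefault("failures", 0)
        nvram.setdefault("locked_until", 0.0)

    @staticmethod
    def credentials_ok(user: str, password: str) -> bool:
        rec = USERS.get(user)
        if rec is None:
            return False
        salt, verifier = rec
        return hmac.compare_digest(make_verifier(password, salt), verifier)

    def attempt(self, user: str, password: str, now: float, rescue: bool = False) -> str:
        """Returns 'ok', 'bad-credentials' or 'locked'. rescue=True models booting
        from a rescue image: credentials are still checked, but the persisted
        timer is neither consulted nor advanced (an assumption of this model)."""
        if not rescue and now < self.nvram["locked_until"]:
            return "locked"
        if self.credentials_ok(user, password):
            return "ok"
        if not rescue:
            self.nvram["failures"] += 1
            self.nvram["locked_until"] = now + delay_after(self.nvram["failures"])
        return "bad-credentials"


def simulate(wrong_guesses, correct="correct horse battery staple"):
    """Constructed scenario: someone guesses wrong, waiting out each delay, and
    the real passphrase turns up one second after the last wrong guess. Returns
    the wait imposed after each guess, and the outcome of the correct passphrase
    at the normal prompt and via the rescue path."""
    nvram = {}
    gate = PreBootGate(nvram)
    waits = []
    now = 0.0
    for guess in wrong_guesses:
        now = max(now, nvram["locked_until"])  # the timer, not the user, sets the pace
        assert gate.attempt("admin", guess, now) == "bad-credentials"
        waits.append(nvram["locked_until"] - now)
        now += 1.0
    normal = gate.attempt("admin", correct, now)
    rescue = gate.attempt("admin", correct, now, rescue=True)
    return waits, normal, rescue


if __name__ == "__main__":
    guesses = ["hunter2", "Password1", "letmein", "admin", "changeme", "qwerty"]
    waits, normal, rescue = simulate(guesses)
    for i, w in enumerate(waits, 1):
        print(f"wrong guess {i}: next attempt allowed in {w:.0f}s")
    print("correct passphrase at normal prompt:", normal)
    print("correct passphrase via rescue path: ", rescue)
    print(f"delay after 12 failures: {delay_after(12) / 3600:.1f} hours")
```

The run shows the two points the post makes: the valid passphrase is refused at the normal prompt because the persisted timer has not expired, and the same passphrase is accepted immediately through the rescue path, which skips the timer but not the credential check.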
Mike Worman, GCFA Gold #124, GCIA Gold #282, is an incident response, forensics, and information security subject matter expert for a major international telecommunications carrier. He holds a BS in Computer Systems Engineering from the University of Massachusetts, an MS in Information Assurance from Norwich University, and is CISSP certified.