by PriesT (firstname.lastname@example.org)
I enjoy my work, for the most part. Once I look past the dealing with stupid idiots and frustrating computers, the small computer repair business I am employed at really is an interesting place.
It is no secret that my passion lies in security, and it is obvious to my co-workers that my heart skips when I am set to recover a DoD password off of a laptop or to fix a problem in the local network. This is all very intriguing, but the latest encounter I have had was directly related to a secure "thumb drive."
Here is the story that our customer gave us, more or less. Apparently this gentleman needed desperately to access the many important documents that he had on his Imation-brand flashdrive. The drive claims to prevent access to all data unless the correct password is entered into a small utility, which then allows you to see the files. Also, after six failed password attempts, the drive wipes itself, destroying any data and preventing all access, supposedly.
Einstein here had done just that, and he wanted his data back. So I set to work. The drive was a 2 GB Imation 18405, which seemed to have been discontinued recently. On inspecting the layout of the drive, I found that it had a small hardware switch that controlled write protection, and a small program that controls if the files on the drive are visible or not.
For those who don't know, the Imation security feature allows you to choose how much data to hide and how much to keep public by splitting the drive into private and public partitions. In this way, the private partition remains hidden until it has been activated by a Windows executable called "LOCK.EXE". This program allows the partition to be viewed as if it were a normally mounted drive.
So my first step in poking around in this small drive was the Imation web site. Naturally, there was no information on password recovery listed there. My next step was the Internet, which also came up empty. At this point, my boss offered an interesting suggestion: run data recovery on it.
Ever since I saw an episode of Hak.5 online (www.hak5.org/archives/169), I have been nervous about running our data recovery programs on a customer's flash drive; they are, of course, meant to be used on physical hard drives. "But," I thought, "What the heck? It's not like this guy would gain anything by not running the programs."
At this point, I had a USB drive which was only 2 MB in size. This was because when the disk was formatted with LOCK.EXE, the user had decided to keep as much of his data secured as was humanly possible. I couldn't really do much here. Using the LOCK.EXE utility again, I managed to erase the password and to start anew with the settings reversed, with 2 MB of secure data and the rest left public. Now there was something to work with.
So I ran our first data recovery program. It found a grand total of one file, woo hoo! This file was none other than the LOCK.EXE file that was readily viewable anyway. What happened next was very odd. I then ran our second program, GetDataBack for FAT, and I recovered every single file the user had lost after encrypting his drive.
The result was a bunch of .DOC files. Once the customer came in to pick up his drive, I told him about the process and asked him to confirm whether these were the files he had created after locking his drive down. He confirmed that they were.
So in conclusion, I was actually surprised that data recovery worked. I was more surprised by the fact that it was on a flash drive than by the fact that I was recovering "locked" data. I think that the idea Imation has here is a very good one for basic consumers, but against a dedicated adversary, it may not stand up to par.
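The recovery above is what you would expect if a "wipe" resets only the filesystem structures and leaves the data sectors alone. The following is an added example, not code from the article or from Imation: it audits a wiped image for leftover non-zero sectors and legacy .DOC (OLE2) headers, so a sanitization step can be checked before a drive is trusted or handed on. The article does not say how the drive's wipe actually works; the metadata-only wipe, the image layout and all function names here are constructed assumptions.

```python
"""Check whether a 'wiped' volume image still holds recoverable data."""
SECTOR = 512
OLE2_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")  # header of legacy .DOC files


def build_image(sectors=64, metadata_sectors=8, doc_sector=20):
    """Constructed sample: metadata area followed by one .DOC-like file."""
    img = bytearray(sectors * SECTOR)
    # Stand-in for a boot sector (constructed, not a real FAT layout)
    img[0:SECTOR] = b"\xEB\x3C\x90FAKEFAT ".ljust(SECTOR, b"\x01")
    for s in range(1, metadata_sectors):  # stand-in for FAT / root directory
        img[s * SECTOR:(s + 1) * SECTOR] = b"\xF8" * SECTOR
    body = OLE2_MAGIC + b"constructed document body"
    img[doc_sector * SECTOR:doc_sector * SECTOR + len(body)] = body
    return img


def metadata_only_wipe(img, metadata_sectors=8):
    """Assumed weak wipe: reset filesystem structures, leave data sectors."""
    out = bytearray(img)
    out[0:metadata_sectors * SECTOR] = bytes(metadata_sectors * SECTOR)
    return out


def full_overwrite(img):
    """Sanitization that touches every sector."""
    return bytearray(len(img))


def audit(img):
    """Return (non-zero sector numbers, sectors starting with the OLE2 magic)."""
    residue, docs = [], []
    for n in range(len(img) // SECTOR):
        sector = img[n * SECTOR:(n + 1) * SECTOR]
        if any(sector):
            residue.append(n)
        if sector.startswith(OLE2_MAGIC):
            docs.append(n)
    return residue, docs


if __name__ == "__main__":
    original = build_image()
    for name, wiped in (("metadata-only", metadata_only_wipe(original)),
                        ("full overwrite", full_overwrite(original))):
        residue, docs = audit(wiped)
        print(f"{name}: {len(residue)} non-zero sectors, .DOC headers at {docs}")
```

A wipe passes this audit only when both lists come back empty; any residue means a recovery tool has something to work with.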
LOCK.EXE download location: www.imation.com/support/drivers/ImationLOCK.exe
GetDataBack for FAT: www.runtime.org/data-recovery-software.htm
Shout out: gamer4goood.