WD MyBook Encryption


JimmyW

Sep 1, 2011, 2:55:13 PM
to DataRecoveryCertification
I received a WD wdbaaf0020hbk, 2TB USB drive, that had undergone a
head replacement and subsequent imaging. I realize that the drive
offers encryption, but I'm unclear on exactly what type. In the past,
I've had to get similar drives "unlocked" before processing. This
time, I was told that the encryption scheme is seamless, in that the
user can simply access the data when the device is connected by USB.
I also was advised, however, that the internal drive cannot be
accessed if removed. My sense is that the device must authenticate to
a given system through the USB, although a user may be able to run the
WD software on multiple machines. Can anyone provide some facts as to
the encryption scheme associated with these drives? Thanks.

Madmex

Sep 1, 2011, 3:14:02 PM
to datarecovery...@googlegroups.com
I may be speaking out of turn, but it sounds like what you are working with is the encryption that is built into the USB to SATA controller.  I have not worked with this so what I am saying is based on my reading and study of others but there is a chip on that USB board labeled "Initio" and that is the chip responsible for the encryption/decryption.

There is also a software solution called "SmartWare" that loads from a small partition on the hard drive and requires a password in order to then decrypt the drive "on the fly" (and these two pieces, the hardware and software, may be the bits that work in concert)

http://forum.hddguru.com/western-digital-2tb-mybook-hdd-t16810.html

Hope that helps!

K.



Weg, Jimmy

Sep 1, 2011, 3:31:34 PM
to datarecovery...@googlegroups.com

Thanks very much.  That makes sense with respect to the Initio chip.  If the drive is removed, it can’t be decrypted because it requires access through the bridge.  Therefore, perhaps it’s possible that this aspect exists regardless of whether the user employs SmartWare, but if he does not, wouldn’t the drive be viewable to anyone who plugs it in to USB?  What also confuses me, is that the original tech claimed to have decrypted the image file that he created after the head job.

 

Jimmy

Madmex

Sep 1, 2011, 3:35:46 PM
to datarecovery...@googlegroups.com
Sure, if it's a perfect image onto a good drive, I suppose by "Decrypt it" he could have meant "replaced the repaired drive with the clone, attached it to the USB/SATA board,  and plugged in the usb port to my machine and imaged it that way". :)

I don't know if the controller does any kind of marrying to the pcb/serial on the hard drive (seems unlikely) so any drive would have worked at that point so long as the data locations matched.

Karlo

Weg, Jimmy

Sep 1, 2011, 3:47:17 PM
to datarecovery...@googlegroups.com

Thanks, Karlo.  I guess if that’s possible, one should be able to simply take a (working) SATA drive from a MyBook and plug it into a suitable WD bridge and access the drive.  So, unless you use SmartWare, there seems little sense in the Initio protection scheme, if all that it does is “protect” a removed drive.  If, however, the drive is mated to the bridge, that’s another story.  In my case, the tech said that the image file was encrypted by the WD “case” and that he used proprietary methods to decrypt the image.

Madmex

Sep 1, 2011, 4:36:11 PM
to datarecovery...@googlegroups.com
I guess it is possible that the tech works for a company that has somehow reverse engineered the encryption used by the mybook but.. sounds like vaporware mixed with perhaps a lack of complete technical understanding of what was involved or even perhaps just a misuse of terms? I dunno..

At any rate, I hope this helped and if u have any more questions, let me know.  As I understand it tho, you are able to access the data? I'm just not sure what side u are approaching this issue from (are you the customer? are you the tech on the other end of a forensics case? are you looking for ways to validate that what the tech claims was even done in case you are being charged for way more than was actually performed on the bill? etc)

Karlo

Weg, Jimmy

Sep 1, 2011, 5:22:28 PM
to datarecovery...@googlegroups.com

Thanks very much, Karlo.  I’m the law enforcement agent who received the drive for the forensics.  Basically, a customer submitted the drive to the recovery company.  They replaced the heads and acquired an encrypted image.  They then produced a decrypted image, checked the file system, and found contraband.  Now, it’s mine, and I intend to work from the decrypted image.  It’s quite possible that the firm’s reps will have to testify, and I want to learn as much as possible about the procedures that were done to this point, so I can judge their validity and explain them to the prosecutor.  At this point, I’m not sure whether I can obtain further details from the recovery firm.  The firm is quite reputable, however, and I think that the evidence they recovered and any that I recover will be admissible.  It’s just that my understanding of WD’s encryption scheme didn’t fit the firm’s explanation.

 

Your and the others’ advice helped quite a bit.  I’m starting to think that the recovery firm actually restored the encrypted image to a good drive, installed the good drive to the bridge, and imaged it as any normal drive.  That, however, wouldn’t work if SmartWare was in place, unless they have a way around that.

Networks

Sep 2, 2011, 10:04:49 AM
to datarecovery...@googlegroups.com
Jimmy

I would be very interested to know how they were able to decrypt the WD drive. I know this issue has come up many times on other forums.

Jim


Weg, Jimmy

Sep 3, 2011, 5:15:36 PM
to datarecovery...@googlegroups.com

I agree and will post back if I learn more.  At the moment, I don’t know whether the user employed SmartWare.  If he didn’t, and if it’s as simple as restoring the encrypted image to a new drive, there’s no magic here.

 

Jimmy


Scotticus

Sep 3, 2011, 9:17:52 PM
to DataRecoveryCertification
That does sound very interesting. I also am very curious to hear the
outcome on this.

JimmyW

Sep 6, 2011, 7:09:53 PM
to DataRecoveryCertification
I spoke with the DR tech on this case. He explained that, as others
suggested, the internal drive is encrypted through the USB bridge (the
Initio chip, I presume). Unless the user employs SmartWare, the drive
is accessible to anyone who can plug it into a USB port. If the hard
drive is removed, it is not accessible through SATA. However, the USB
bridge is not drive specific, but only WD model specific. So, if I
have the drive and know the WD model, I can pick up a WD enclosure of
the same model, attach the internal drive to the USB bridge, and
access the drive. In the case at hand, they cloned the original and
did just that.

Jimmy
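
For an examiner who has to tell the SATA-side (still encrypted) image from the bridge-side (readable) image described in this thread, the following added example, which is not part of the original posts, checks the first sectors of an image for byte entropy and an MBR or GPT partition table. It assumes that bridge-encrypted sectors look like random data when read over SATA; the two sample images, the 7.5 threshold and all function names are constructed for illustration.

```python
import hashlib
import math
import struct

SECTOR = 512

def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (close to 8.0 for ciphertext)."""
    n = len(data)
    counts = [data.count(bytes([v])) for v in range(256)]
    return -sum(c / n * math.log2(c / n) for c in counts if c) if n else 0.0

def parse_mbr(lba0: bytes) -> list:
    """Return (type, start_lba, sector_count) for each used MBR slot."""
    if len(lba0) < SECTOR or lba0[510:512] != b"\x55\xaa":
        return []
    parts = []
    for i in range(4):
        entry = lba0[446 + 16 * i: 462 + 16 * i]
        _, _, ptype, _, start, count = struct.unpack("<B3sB3sII", entry)
        if ptype:
            parts.append((ptype, start, count))
    return parts

def classify(head: bytes, threshold: float = 7.5) -> str:
    """Classify the first sectors of an image (threshold is an assumption)."""
    if entropy(head) >= threshold:
        return "ciphertext-like"
    if parse_mbr(head[:SECTOR]) or head[SECTOR:SECTOR + 8] == b"EFI PART":
        return "plaintext partition table"
    return "inconclusive"

def constructed_samples():
    """Build two 32 KiB sample heads; both are synthetic, not case data."""
    # Stand-in for a SATA-side image: SHA-256 counter stream (random-looking).
    sata = b"".join(hashlib.sha256(struct.pack("<I", i)).digest()
                    for i in range(1024))
    # Stand-in for a bridge-side image: one NTFS (0x07) slot, then zeros.
    slot = struct.pack("<B3sB3sII", 0x80, b"\0" * 3, 0x07, b"\0" * 3, 2048, 4096)
    mbr = b"\0" * 446 + slot + b"\0" * 48 + b"\x55\xaa"
    return sata, mbr + b"\0" * (63 * SECTOR)

if __name__ == "__main__":
    for name, head in zip(("sata-side", "bridge-side"), constructed_samples()):
        print(name, round(entropy(head), 3), classify(head), parse_mbr(head[:SECTOR]))
```

Run against the first 64 sectors of each working copy, the same check gives a documented, repeatable basis for stating which image is which; an "inconclusive" result (for example a zero-filled head) needs a look further into the image.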

sup...@rambuscomputers.co.uk

Sep 7, 2011, 11:47:19 AM
to datarecovery...@googlegroups.com
So let me get this right?
Drive is external device which the pcb/bridge encrypts.
 
So if the device is stolen or lost that means the encryption is useless as somebody would access the device normally through the MYBook & usb connection & it would decrypt it. haha that's funny. Users better put that password on lol.
 
Seems to me that WD are marketing it on the Encryption & the users lack of knowledge.
 
 
 
Michael

Weg, Jimmy

Sep 7, 2011, 2:45:40 PM
to datarecovery...@googlegroups.com

Exactly, if what I’m told is correct.  I haven’t tested this.  It’s basically that you need to read the drive through the bridge, and absent the use of SmartWare and a password, there is no encryption key or it’s null, for lack of a better word.  I think that WD is marketing the drive as encryptable, as opposed to encrypted-out-of-box. 

 

Jimmy
