Create image of WD MyCloud NAS using SSH?


Eduardo

Jul 6, 2020, 4:39:44 PM
to DataRecoveryCertification
Hi guys,

I have a WD MyCloud EX2 Ultra here, and I need to create a full disk image of the 1 TB partition in it, for a deleted files scan.

The user has the NAS' web interface admin password, but doesn't have the PW for the encrypted EXT4 partition, so reading the disks externally didn't work.
The NAS still works to access the files because it was set to the "remember password, don't ask on boot" option.

WD's website shows that it can be accessed via SSH (https://support-en.wd.com/app/answers/detail/a_id/12860) but I don't have experience with it.

Is it possible to create the full image of the data partition, writing to an external hard drive connected through a USB port?
I figure I would need basically two commands, one to list the partitions so I can find the data one, and another to image it to the external destination.

t...@desertdatarecovery.com

Jul 6, 2020, 5:48:49 PM
to datarecovery...@googlegroups.com

Just to be clear, the client doesn’t have the PW for the encrypted partition?

Looking at the link you sent through, SSH just gives you access to the dashboard when it’s not available. If you have dashboard access then I don’t see how that can help you. Or am I missing something?

Tim Homer - Lead Engineer

Desert Data Recovery

t...@desertdatarecovery.com

www.desertdatarecovery.com

--
You received this message because you are subscribed to the Google Groups "DataRecoveryCertification" group.
To unsubscribe from this group and stop receiving emails from it, send an email to datarecoverycertif...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/datarecoverycertification/682fcc4e-c867-4ce0-b408-0dae4a87b654o%40googlegroups.com.

Eduardo

Jul 6, 2020, 5:54:46 PM
to DataRecoveryCertification
From the WD forums I researched, SSH seems to have more admin capabilities than what the dashboard shows/allows you to do.

I managed to access it through SSH.
Here is the initial information shown after logging in, and the list of commands given to me after using help.

BusyBox v1.20.2 (2019-07-04 10:46:34 CST) built-in shell (ash)
Enter 'help' for a list of built-in commands.

root@MyCloudEX2Ultra root # help
Built-in commands:
------------------
        . : [ [[ alias bg break cd chdir command continue echo eval exec
        exit export false fg getopts hash help jobs kill local printf
        pwd read readonly return set shift source test times trap true
        type ulimit umask unalias unset wait


t...@desertdatarecovery.com

Jul 6, 2020, 6:03:14 PM
to datarecovery...@googlegroups.com

I presume this unit works the same way as WD Smartware encryption (although I have never seen it from the UI side). ISTM that SSH will give you elevated privileges, but will not get around the password issue.


Alandata Recovery

Jul 6, 2020, 6:32:31 PM
to datarecoveryce.
Can you see the partition data unencrypted?




--
Alandata Data Recovery -  (949)287-3282  
"Cleanroom Data Recovery of RAID, VMware, NAS, Linux, Tape, Disk, Forensics"

Eduardo

Jul 6, 2020, 6:51:38 PM
to DataRecoveryCertification
I can access it through PuTTY/SSH, navigate to /shares/created_share_name, and use ls to list files and folders. It matches with the contents of the encrypted partition.
So I started creating an img file of the entire /dev/sda and writing it to an external 3 TB disk:

dd if=/dev/sda of=/shares/External/mycloud.img

After around 20 GB were cloned, I halted the copy, unplugged the external HDD and opened the img in WinHex, and the partition of interest is being copied encrypted. Other NAS OS partitions are unencrypted and can be read with no problems.

So I'm stuck between two options: 
- Accessing/copying the insides of the share only results in existing files (no traces of deleted files).
- Reading the MyCloud disk externally or imaging SDA results in having the original encrypted data.


compos mentis

Jul 6, 2020, 8:10:07 PM
to DataRecoveryCertification
I'm thinking that one way to get access to the free space might be to coax it into an existing file which can then be decrypted over the network.

Back up any EEPROM(s) on the bridge PCB in the enclosure.

Clone the patient drive and see if the clone works in the same enclosure with the existing password. If not, then check the patient's SA for an encryption key and write it to the clone.

If the clone still doesn't work, then clone the serial number, model number, WWN, etc. If this still doesn't work, then game over.

Otherwise, clone the encrypted partition to an encrypted image file. Divide this 1TB image into two 500GB image files.

Recover all the visible files from the patient and then delete them from the clone over the network.

Write a 1TB file filled with 0x55AA to the clone via the network. This will fill the clone with a recognisable pattern.

Examine the clone, locate this data pattern (it will be encrypted), then overwrite it with the first of the 500GB image files.

Now retrieve the 1TB file from the clone over the network. The first half of the file should be the first half of your decrypted image, the second half should be full of 0x55AA.

Repeat the previous step for the second 500GB image file.

Use your data recovery tool to stitch together the two 500GB images into a single decrypted ext4 volume.

compos mentis

Jul 6, 2020, 8:12:21 PM
to DataRecoveryCertification

compos mentis

Jul 6, 2020, 8:15:42 PM
to DataRecoveryCertification
Actually, if the clone doesn't work, you could overwrite the patient, if you don't mind breaking this cardinal rule ...

Alandata Recovery

Jul 6, 2020, 10:52:54 PM
to datarecoveryce.
I think that may be using LUKS
it's Linux encryption and it's file based
I think with LUKS the file-key is unique to the file
so decrypting free space is a no go
it's not whole disk

last time I looked into it there was a shadow filetree with weird filename extensions
those were somehow tied to the key and the file
and part of the key came from the user account.

If it's the same setup I was dealing with...

try this

cd to user-share/

find . -type f -print -exec hexdump -C -n16 \{} \; | less

this will recursively hexdump files with names
you should see unencrypted file signatures
like
jpg is FF FF F8 ?
and doc files are D0 CF
and docx and zip files start with PK


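Added example, not written by anyone in the thread: a triage script that generalizes the header check suggested in the last reply and the WinHex inspection of the dd image described earlier. It classifies the first 4 KiB of each file under a share (or of a partition read from an image) by standard signature, then falls back to byte entropy to flag data that is probably still encrypted. The function names and the 7.5 bits/byte threshold are assumptions of this example.

```python
import math
import os
import sys
from collections import Counter

# Standard leading signatures at offset 0 (JPEG is FF D8 FF).
FILE_MAGIC = {
    b"\xff\xd8\xff": "jpeg",
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": "ole2 (legacy .doc)",
    b"PK\x03\x04": "zip container (.zip/.docx)",
    b"LUKS\xba\xbe": "luks header",
}
EXT_MAGIC_OFFSET = 0x438   # ext2/3/4 superblock magic 0xEF53, stored little-endian
ENTROPY_THRESHOLD = 7.5    # bits/byte; assumed cut-off for "looks like ciphertext"

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: close to 8 for ciphertext, 0 for constant fill."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def classify(sample: bytes) -> str:
    """Classify the first bytes (ideally 4 KiB) of a file or partition."""
    for magic, name in FILE_MAGIC.items():
        if sample.startswith(magic):
            return name
    if sample[EXT_MAGIC_OFFSET:EXT_MAGIC_OFFSET + 2] == b"\x53\xef":
        return "ext filesystem superblock"
    # Signatures are checked first because JPEG and ZIP data is also high entropy.
    if len(sample) >= 1024 and shannon_entropy(sample) > ENTROPY_THRESHOLD:
        return "high entropy, no signature (likely encrypted)"
    return "unknown"

def triage_tree(root: str, sample_size: int = 4096) -> dict:
    """Map every file under root to its classification."""
    results = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    results[path] = classify(fh.read(sample_size))
            except OSError:
                results[path] = "unreadable"
    return results

if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, verdict in sorted(triage_tree(root).items()):
        print(f"{verdict:46} {path}")
```

Run it against the mounted share to confirm files are served decrypted, and pass `classify()` the first 4 KiB read at a partition's start offset in the image to tell a readable ext filesystem from a LUKS header or raw ciphertext.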