Hi, I'm trying to examine a 256MB USB drive that has been protected using LockItEasy (www.cososys.com). The owner split the space into 2 equal chunks, one standard FAT16, the other encrypted using the utility. When I try to image this device it appears as only 128MB in size and what you get is the unprotected part of the drive. The device size, according to both Linux and EnCase, is only 128MB. The utility works on most USB thumb drives.

It looks similar to HPA/DCO in concept but I didn't find anything explaining how this works on USB devices. The write blockers I use do not detect the hidden partition.

> 1) What utility do you think was used to encrypt the partition? Why?

The USB drive was protected using a tool called LockItEasy (www.cososys.com). As part of the protection process it copies the executable to the unprotected part of the device. The tool partitions any compatible USB drive into two pieces, an unprotected section (visible; the new device size is reported on this) and a protected section (this space is not visible to the OS). E.g. using the tool, if you split a 256MB drive into two equal pieces, afterwards the drive appears to be only 128MB in size.

> 2) What specifically did you do when trying to image the drive? Details
> are helpful.

The drive was connected to a USB write blocker and then to the forensic examination stations. These consist of both Linux and Windows (using EnCase) platforms. If you look at fdisk or lsusb info, the size of the device reported is that of the unprotected partition. The write blocker, which is aware of HPA/DCO on drives, reports only the unprotected partition. Irrespective of the tool used to image the drive, all you capture is the unprotected part.

> 3) Are you supposed to be trying to access this drive? Is it yours, or
> are you authorized by the owner or an appropriate representative of the
> owner (e.g. an employer) to try to examine the drive?

Yes, I am authorised to analyse the device by the company I work for. My question was whether anyone has seen this type of size manipulation before on USB devices and whether any tools exist that would allow the full device to be captured. I am aware of HPA/DCO but the tools I normally use, which are designed for ATA devices, give errors about unrecognised commands.

Thanks,
Mike
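A triage check for the situation Mike describes, added here as an example and not part of the original post or of any forensic tool: it reads the MBR of whatever image the write blocker let you capture, works out the highest LBA any partition claims, and compares the image size with the capacity printed on the device label, so that an image covering only half of the advertised space is flagged for follow-up rather than silently treated as complete. It assumes an MBR-partitioned stick and that the label capacity is known to the examiner; the 128 MiB sample MBR is constructed inline.

```python
import struct

SECTOR = 512
MBR_PART_TABLE_OFFSET = 446   # four 16-byte entries end at 510, then 0x55AA
MBR_ENTRY_SIZE = 16


def parse_mbr_partitions(mbr: bytes) -> list:
    """Return the non-empty entries of a classic MBR partition table."""
    if len(mbr) < SECTOR or mbr[510:512] != b"\x55\xaa":
        raise ValueError("not a valid MBR sector")
    parts = []
    for i in range(4):
        off = MBR_PART_TABLE_OFFSET + i * MBR_ENTRY_SIZE
        status, ptype = mbr[off], mbr[off + 4]
        lba_start, lba_count = struct.unpack_from("<II", mbr, off + 8)
        if ptype != 0 and lba_count:
            parts.append({"index": i, "type": ptype, "bootable": status == 0x80,
                          "lba_start": lba_start, "lba_count": lba_count})
    return parts


def capacity_triage(mbr: bytes, image_bytes: int, label_bytes: int) -> dict:
    """Compare captured image size and partition layout against the labelled capacity.

    image_bytes: size of the image file (or device as reported by the OS).
    label_bytes: capacity printed on the device, supplied by the examiner.
    """
    image_sectors = image_bytes // SECTOR
    label_sectors = label_bytes // SECTOR
    parts = parse_mbr_partitions(mbr)
    highest_lba = max((p["lba_start"] + p["lba_count"] for p in parts), default=0)
    return {
        "image_sectors": image_sectors,
        "label_sectors": label_sectors,
        "partitions": parts,
        "highest_lba_used": highest_lba,
        "partitions_exceed_image": highest_lba > image_sectors,
        "missing_sectors": max(label_sectors - image_sectors, 0),
        "coverage_pct": round(100 * image_sectors / label_sectors, 1) if label_sectors else 0.0,
        # Flag when the capture is well short of the label (10 % slack for
        # normal manufacturer rounding); a hidden area is one explanation.
        "suspect_hidden_area": image_sectors < label_sectors * 0.9,
    }


def build_sample_mbr() -> bytes:
    """Constructed sample: one bootable FAT16 (type 0x06) partition filling 128 MiB."""
    mbr = bytearray(SECTOR)
    struct.pack_into("<BBBBBBBBII", mbr, MBR_PART_TABLE_OFFSET,
                     0x80, 1, 1, 0, 0x06, 0xFE, 0xFFFF & 0xFF, 0xFF, 63, 262144 - 63)
    mbr[510:512] = b"\x55\xaa"
    return bytes(mbr)
```

Run it against a real capture with `capacity_triage(open(img, "rb").read(512), os.path.getsize(img), 256 * 1024 * 1024)`; a 50 % coverage result with partitions that fit the image exactly is the signature of a device reporting only its visible half.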
