reallymine
Writing .img file to disk
I managed to run reallymine on my 4 TB WD My Book using the command "./reallymine decrypt /dev/sdb /media/ubuntu/elements/decrypted.img" and got decrypted.img.
Afterwards, I tried running dd with "dd if=/media/ubuntu/elements/decrypted.img of=/dev/sdc" to a new 6 TB hard disk I got. When dd finished, the drive showed up as an unknown filesystem and I was not able to mount it.
Am I doing something wrong with the dd portion?
To add on, my disk shows up as /dev/sdb and /dev/sdb1; should I have run the command on /dev/sdb1 instead?
Some disks have the wrong blocksize in the filesystem table. Do this and post the output: sudo fdisk -l /dev/sdc
Oh, then sudo fdisk -l /dev/sdb
Also, if /dev/sdc is not associated with a physical disk, you may have written a 4TB image into the /dev directory by mistake. Do ls -ltr /dev to see if that has happened.
I unplugged my disk accidentally and it became sdf afterwards.
ubuntu@ubuntu:~/go/bin$ sudo fdisk -l /dev/sdf
Disk /dev/sdf: 3.65 TiB, 4000787030016 bytes, 7814037168 sectors
Disk model: 5C4040ALE630
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 4096 bytes / 33553920 bytes
Disklabel type: gpt
Disk identifier: 5EDF711D-E7E2-41DF-AA9F-062A51AA9C71
Device     Start   End   Sectors Size Type
/dev/sdf1     34 32767     32734  16M Microsoft reserved
Partition 1 does not start on physical sector boundary.
That's confusing. Is the drive still in the WD enclosure? Are you sure it is encrypted? What was the chip on the SATA-USB bridge card?
The chip died, thus I am using an external enclosure with the drive. It was a JMS chip.
I assumed it is encrypted as I am unable to access the drive and it just shows up as 4 TB of unallocated space.
Is it formatted for mac?
No, it was previously formatted as NTFS.
I want to see if it was decrypted properly. Please do these four and post the output. You might have to put sudo in front of them; I'm not sure; it depends on your permissions.
dd if=/dev/sdf count=1 | hexdump -C
dd if=/dev/sdf count=1 skip=34 | hexdump -C
dd if=/dev/sdf count=1 skip=2048 | hexdump -C
dd if=/dev/sdf count=1 skip=7814031392 | hexdump -C
The one at 34 is missing. Can you repost them as text instead of images?
Tried posting them as text but can't seem to get the correct formatting.
Is it okay if I attach as a txt file?
Sector 0 looks mostly empty, which is a surprise, but it also looks like it has a partition table. Sector 34 looks like it was not decrypted. When I extract your DEK and decrypt sector 34 I get 512 of the byte 0xe5. That has so little entropy that I must assume that the correct decryption is a block of 0xe5's.
But.... if I decrypt sector 2048 I do see an NTFS file system:
cat melcolmlee-4TB-JMS538S-sector2048.bin | permute 16 fedcba9876543210 | openssl enc -d -aes-256-ecb -nopad -K 34c06a17777f76f97b54712e6862bdb6724657dc7ead2ba128990a33d20e4f2b | permute 16 fedcba9876543210 | hexdump -C
00000000 eb 52 90 4e 54 46 53 20 20 20 20 00 10 01 00 00 |.R.NTFS .....|
00000010 00 00 00 00 00 f8 00 00 3f 00 ff 00 00 01 00 00 |........?.......|
00000020 00 00 00 00 80 00 80 00 ff f5 37 3a 00 00 00 00 |..........7:....|
00000030 00 00 0c 00 00 00 00 00 ff fa 1b 1d 00 00 00 00 |................|
00000040 01 00 00 00 01 00 00 00 13 bc 0a ca eb 0a ca a2 |................|
00000050 00 00 00 00 fa 33 c0 8e d0 bc 00 7c fb b8 c0 07 |.....3.....|....|
00000060 8e d8 e8 16 00 b8 00 0d 8e c0 33 db c6 06 0e 00 |..........3.....|
00000070 10 e8 53 00 68 00 0d 68 6a 02 cb 8a 16 24 00 b4 |..S.h..hj....$..|
00000080 08 cd 13 73 05 b9 ff ff 8a f1 66 0f b6 c6 40 66 |...s......f...@f|
00000090 0f b6 d1 80 e2 3f f7 e2 86 cd c0 ed 06 41 66 0f |.....?.......Af.|
000000a0 b7 c9 66 f7 e1 66 a3 20 00 c3 b4 41 bb aa 55 8a |..f..f. ...A..U.|
000000b0 16 24 00 cd 13 72 0f 81 fb 55 aa 75 09 f6 c1 01 |.$...r...U.u....|
000000c0 74 04 fe 06 14 00 c3 66 60 1e 06 66 a1 10 00 66 |t......f`..f...f|
000000d0 03 06 1c 00 66 3b 06 20 00 0f 82 3a 00 1e 66 6a |....f;. ...:..fj|
000000e0 00 66 50 06 53 66 68 10 00 01 00 80 3e 14 00 00 |.fP.Sfh.....>...|
000000f0 0f 85 0c 00 e8 b3 ff 80 3e 14 00 00 0f 84 61 00 |........>.....a.|
00000100 b4 42 8a 16 24 00 16 1f 8b f4 cd 13 66 58 5b 07 |.B..$.......fX[.|
00000110 66 58 66 58 1f eb 2d 66 33 d2 66 0f b7 0e 18 00 |fXfX..-f3.f.....|
00000120 66 f7 f1 fe c2 8a ca 66 8b d0 66 c1 ea 10 f7 36 |f......f..f....6|
00000130 1a 00 86 d6 8a 16 24 00 8a e8 c0 e4 06 0a cc b8 |......$.........|
00000140 01 02 cd 13 0f 82 19 00 8c c0 05 20 00 8e c0 66 |........... ...f|
00000150 ff 06 10 00 ff 0e 0e 00 0f 85 6f ff 07 1f 66 61 |..........o...fa|
00000160 c3 a0 f8 01 e8 09 00 a0 fb 01 e8 03 00 fb eb fe |................|
00000170 b4 01 8b f0 ac 3c 00 74 09 b4 0e bb 07 00 cd 10 |.....<.t........|
00000180 eb f2 c3 0d 0a 41 20 64 69 73 6b 20 72 65 61 64 |.....A disk read|
00000190 20 65 72 72 6f 72 20 6f 63 63 75 72 72 65 64 00 | error occurred.|
000001a0 0d 0a 4e 54 4c 44 52 20 69 73 20 6d 69 73 73 69 |..NTLDR is missi|
000001b0 6e 67 00 0d 0a 4e 54 4c 44 52 20 69 73 20 63 6f |ng...NTLDR is co|
000001c0 6d 70 72 65 73 73 65 64 00 0d 0a 50 72 65 73 73 |mpressed...Press|
000001d0 20 43 74 72 6c 2b 41 6c 74 2b 44 65 6c 20 74 6f | Ctrl+Alt+Del to|
000001e0 20 72 65 73 74 61 72 74 0d 0a 00 00 00 00 00 00 | restart........|
000001f0 00 00 00 00 00 00 00 00 83 a0 b3 c9 00 00 55 aa |..............U.|
00000200
Either
- the disk was not decrypted
- you sent samples from the encrypted disk and not the disk with the decrypted image on it.
Oh my, I'm so sorry, I thought you meant for me to send the info on the encrypted disk.
Let me try doing the dd step again. I formatted the new hard disk as I was planning to attempt again.
Whatever you do next, just know that the filesystem is NOT at sector 34. It is at sector 2048. So you have to mount it with an offset, or replace the partition table on the decrypted image.
For my own curiosity, what is the manufacture date on the disk? (stamped on the label of the disk, not on the enclosure)
Let me update you when I am done with dd. I am using one of those hard disk docking stations; my view is currently blocked.
Thanks for the help! I will try mounting with an offset.
Have you tried mounting the decrypted image itself? Like mad doc said, offset at 2048 for your filesystem.
I ran the same 4 commands previously on decrypted.img: output2.txt
OK, so it was decrypted correctly. But sector 0 and the partition table have been corrupted. Maybe you plugged the bare disk into a windows machine at some time in the past.
Your NTFS filesystem is at sector 2048.
So you should be able to either
1. mount the disk with an offset or
2. repartition the image with fdisk
If you are going to work on linux, try 1. If you want to write the decrypted image to a disk and use it in a windows machine, try 2.
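To check a decrypted image the way mad doc did here before committing it to a new disk, the following is an added example in Python (not reallymine's own code): it reads the same candidate sectors (0, 34, 2048), reports which one carries an NTFS boot sector, flags constant-fill sectors like the 0xe5 block at sector 34, and computes the byte offset for mount. The sample boot sector is constructed from the first 0x50 bytes of the sector-2048 dump above plus that dump's last eight bytes, with the boot code zeroed.

```python
"""Added example, not reallymine's code: sanity-check a decrypted image before dd.
Reads the sectors mad doc asked for (0, 34, 2048), finds the NTFS boot sector,
flags constant-fill sectors (the 0xe5 block at sector 34) and gives the mount offset."""
import struct
import sys

SECTOR = 512              # logical sector size the drive reports in this thread
CANDIDATES = (0, 34, 2048)

# Constructed sample: first 0x50 bytes of the sector-2048 dump quoted above,
# boot code zeroed, plus that dump's last 8 bytes (checksum and 0x55AA).
_HEAD = bytes.fromhex(
    "eb52904e544653202020200010010000" "0000000000f800003f00ff0000010000"
    "0000000080008000fff5373a00000000" "00000c0000000000fffa1b1d00000000"
    "010000000100000013bc0acaeb0acaa2")
SAMPLE_BOOT_SECTOR = _HEAD + b"\x00" * (504 - len(_HEAD)) + bytes.fromhex("83a0b3c9000055aa")

def constant_fill(sec):
    """Byte value if every byte is identical (zero entropy), else None."""
    return sec[0] if sec and sec.count(sec[:1]) == len(sec) else None

def parse_ntfs_boot_sector(sec):
    """Parse the NTFS BPB; None unless the OEM id and 0x55AA trailer are present."""
    if len(sec) < 512 or sec[3:11] != b"NTFS    " or sec[510:512] != b"\x55\xaa":
        return None
    bps, spc = struct.unpack_from("<HB", sec, 0x0B)          # bytes/sector, sectors/cluster
    hidden, = struct.unpack_from("<I", sec, 0x1C)             # sectors before the volume
    total, = struct.unpack_from("<Q", sec, 0x28)              # total sectors in the volume
    serial, = struct.unpack_from("<Q", sec, 0x48)             # volume serial number
    return {"bytes_per_sector": bps, "sectors_per_cluster": spc,
            "hidden_sectors": hidden, "total_sectors": total, "serial": serial}

def scan_image(data, candidates=CANDIDATES):
    """Map each candidate LBA to ('ntfs', bpb), ('fill', byte) or ('other', None)."""
    out = {}
    for lba in candidates:
        sec = bytes(data[lba * SECTOR:(lba + 1) * SECTOR])
        bpb, fill = parse_ntfs_boot_sector(sec), constant_fill(sec)
        out[lba] = ("ntfs", bpb) if bpb else ("fill", fill) if fill is not None else ("other", None)
    return out

def mount_offset(data, candidates=CANDIDATES):
    """Byte offset of the first NTFS boot sector, for mount -o loop,offset=N."""
    return next((lba * SECTOR for lba, (k, _) in scan_image(data, candidates).items() if k == "ntfs"), None)

if __name__ == "__main__":  # usage: python check_image.py decrypted.img
    with open(sys.argv[1], "rb") as f:
        img = f.read((max(CANDIDATES) + 1) * SECTOR)
    for lba, (kind, info) in scan_image(img).items():
        print(f"sector {lba}: {kind}", info if info is not None else "")
    print("mount offset:", mount_offset(img))
```

On the dump above, the BPB reports 4096 bytes per sector and 256 hidden sectors, i.e. the volume starts 1 MiB into the image, which is the 2048 × 512 offset mad doc found.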
Noted, will try 1 for now.
YES! It worked with the offset.
Thank you guys for the help!
You're welcome.
For my own curiosity, what is the manufacture date on the disk? (stamped on the label of the disk, not on the enclosure)
March 2013
YW