
My colleague at work lost the password to his external hard drive (HDD not SSD), a WD Elements. He remembers that his password was simple and 8 characters maximum.

The problem is that the encryption software he used will self-destruct after 5 password attempts; we are down to 4 attempts.

Product:

Lumension Endpoint Security 4.6

Is there an exploit or some way of disabling this countdown? Otherwise, I assume there is a way of copying the encryption header from the program into John the Ripper, or something? I am no expert.

Worst case scenario, if I make a forensic image using EnCase, will I at least be covered in the event that I make any terrible mistakes?

Any other side channel attacks are welcome.

The password prompt when I open exe file

user5623335
  • Just try on the imaged disk. If the disk encryption software has capabilities to sync a network "master admin password" into the disk, then you can ask the admin to key in their password to unlock the disk. By any means, an encrypted disk using self-wipe without a master password sync is a disaster waiting to happen. – mootmoot Jun 13 '18 at 12:25
  • @mootmoot It is not synced at all, there is no master password. I will try doing it with an imaged disk, I might write a script to bruteforce it and either restore original image after 4 attempts or mount it as read-only. – user5623335 Jun 13 '18 at 13:56
  • You are not redacting those disk names at all, just so you know. – forest Jun 14 '18 at 02:44
  • @forest It's not a huge problem or I would have done a better job. Mind showing me what you can see and how? – user5623335 Jun 14 '18 at 09:08
  • I don't have time to check it right now but since you leave part of virtually every letter exposed, it's easy to narrow down the letters used. Not that it matters if it's not a big deal though. – forest Jun 14 '18 at 10:31

1 Answer

Have you tried any of the options that Lumension offers?

Secure recovery of passwords, data and forensics

  • Challenge/response over the phone with the help desk for recovery of forgotten passwords

  • Local self-help to recover forgotten passwords during pre-boot without calling the help desk or the need for an Internet connection

From their brochure on the Disk Encryption feature for Endpoint Security

As there are no currently listed exploits to be found, your only options are:

  • Try the above
  • Image and restore on the threshold over and over again

Worst case scenario, if I make a forensic image using EnCase, will I at least be covered in the event that I make any terrible mistakes?

Best way to find out is to try:

Make the image, load it into the application, try a login attempt, try a login attempt on the other disk and see if the application has a way to identify the disk and link the counters and if you can use them safely apart from each other.

  • Find a 0-Day

You could also reverse engineer (debug) the application and see if there is a counter somewhere you can control/reset. Of course this would take some time, knowledge and would have to be tested extensively before trying on your actual target.

Honestly, if I were in the situation you say you are, I would just contact their Helpdesk and find out a way to get around this. It's version 4.6, they released 8 now. I say odds are in your favor.

Nomad