Drive-Trust-Alliance / sedutil

DTA sedutil Self encrypting drive software

Data partition inaccessible after Windows 10 Pro 20H2 upgrade #346

Closed superware closed 3 years ago

superware commented 3 years ago

Hello,

I'm hoping sedutil can be used to help me gain access to a data partition I lost access to after a Windows 10 Pro upgrade to the latest 20H2 version.

The laptop is a Dell E5570 with a Crucial MX300 CT525MX300SSD1, the upgrade booted twice and when it finished - partition D, which was a 312GB NTFS, became RAW.

Examining the partition data shows it's totally random, indicating encryption; the first and last sectors are identical, probably indicating the NTFS boot sector is still there and data is mostly intact. The OS partition C is ok, so I guess D is Opal range-encrypted.

Viewing Windows Logs -> System (eventvwr) shows the following:

The operating system started at system time 2020-12-23T11:14:03.
11:14:05|EnhancedStorage-EhStorTcgDrv|The following informational event has occurred (0x0, 0x5, 0x0, 0x0). D0Entry
11:14:05|EnhancedStorage-EhStorTcgDrv|A TCG Command has returned an error. Desc: AuthenticateSession Param1: 0x1 Param2: 0x60000001C Param3: 0x900000006 Param4: 0x0 Status: 0x12
11:14:05|EnhancedStorage-EhStorTcgDrv|A TCG Silo has returned the capabilities value of 0x7.
11:14:06|EnhancedStorage-EhStorTcgDrv|The following informational event has occurred (0x0, 0x0, 0x0, 0x0). DeviceStart
11:14:08|Ntfs|Volume D: (\Device\HarddiskVolume5) is healthy. No action is needed.
11:14:49|Ntfs|The file system structure on volume D: has now been repaired.
11:14:49|Ntfs|Volume D: (\Device\HarddiskVolume5) requires an Online Scan. An Online Scan will automatically run as part of the next scheduled maintenance task. Alternatively you may run "CHKDSK /SCAN" locally via the command line, or run "REPAIR-VOLUME <drive:> -SCAN" locally or remotely via PowerShell.
11:14:53|Ntfs|A corruption was discovered in the file system structure on volume D:. The Master File Table (MFT) contains a corrupted file record. The file reference number is 0x1000000000024. The name of the file is "<unable to determine file name>".

TPM is enabled in the BIOS, I don't believe I've ever explicitly enabled BitLocker on any of the partitions. It's possible to roll back the upgrade for 10 days, so I had to extend that setting to 30 days so as not to lose the Windows.old folder. I won't do that until I'm sure what went wrong, and if "going back" will make Windows deliver the previous/correct "SID password" or something similar.

Here is sedutil's output:

# sedutil-cli --scan
Scanning for Opal compliant disks
/dev/sda    2  Crucial_CT252MX200SSD1
/dev/sdb  No
No more disk present ending scan
# sedutil-cli --query /dev/sda

/dev/sda ATA  Crucial_CT252MX200SSD1
TPer function (0x0001)
     ACKNAK = N, ASYNC = N. BufferManagement = N, comIDManagement = N, Streaming = Y, SYNC = Y
Locking function (0x0002)
    Locked = N, LockingEnabled = Y, LockingSupported = Y, MBRDone = N, MBREnabled = N, MediaEncrypt = Y
Geometry function (0x0003)
    Align = N, Alignment Granularity = 1 (512), Logical Block size = 512, Lowest Aligned LBA = 0
SingleUser function (0x0201)
   ALL = Y, ANY = N, Policy = N, Locking Objects = 16
DataStore function (0x0202)
    Max Tables = 16, Max Size Tables = 12582912, Table size alignment = 1
OPAL 2.0 function (0x0203)
    Base comID = 0x1000, Initial PIN = 0x0, Reverted PIN = 0x0, comIDs = 1
    Locking Admins = 4, Locking Users = 16, Range Crossing = N

TPer Properties:
  MaxComPacketSize = 131072  MaxResponseComPacketSize = 131072
  MaxPacketSize = 129792  MaxIndTokenSize = 126976  MaxPackets = 1
  MaxSubpackets = 1  MaxMethods = 1  MaxSessions = 1
  MaxAuthentications = 21  MaxTransactionLimit = 1  DefSessionTimeout = 240000

Host Properties:
  MaxComPacketSize = 2048  MaxResponseComPacketSize = 2048
  MaxPacketSize = 2028  MaxIndTokenSize = 1992  MaxPackets = 1
  MaxSubpackets = 1  MaxMethods = 1

# linuxpba

DTA LINUX Pre Boot Authorization

Please enter pass-phrase to unlock OPAL drives: *****
Scanning....
Drive /dev/sda   Crucial_CT525MX300SSD1            is OPAL NOT LOCKED

I've read @r0m30 past posts referring to Windows "taking ownership", can this be the case here? What does "Locked = N" actually mean? Is there a way to get the partition data back?

Can someone please help? :|

ChubbyAnt commented 3 years ago

Did you ever use SEDutil on this drive? If not, what makes you think SEDutil might help?

Locked = N means that the drive is not TCG locked. What is more interesting is that LockingEnabled = Y is set, which means that the initial setup of this drive for TCG locking has occurred.

Are you confident that you have not been hit by some kind of ransomware malware?
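As an added illustration of where these flags come from (example code written for this page, not sedutil's own code and not posted by anyone in the thread): the values sedutil --query prints under "Locking function (0x0002)" are single bits of the TCG Level 0 Discovery Locking feature descriptor. The byte layout assumed below is the one in the Opal SSC specification (and sedutil's Discovery0LockingFeatures struct); the descriptor bytes are constructed to match the output quoted above.

```python
# Decode the TCG Opal Level 0 Discovery "Locking" feature descriptor
# (feature code 0x0002). Layout: bytes 0-1 feature code (big-endian),
# byte 2 version nibble, byte 3 length of the remaining bytes, byte 4 flags.
import struct

LOCKING_FEATURE_CODE = 0x0002

# Bit positions in byte 4, in the order sedutil prints them.
FLAG_BITS = {
    "LockingSupported": 0,  # drive implements the Locking SP at all
    "LockingEnabled": 1,    # Locking SP activated: some host took ownership
    "Locked": 2,            # at least one locking range is read/write locked
    "MediaEncrypt": 3,      # user data is always stored encrypted with the media key
    "MBREnabled": 4,        # shadow MBR (pre-boot authentication image) enabled
    "MBRDone": 5,           # host has signalled it is past the shadow MBR
}

def parse_locking_feature(desc: bytes) -> dict:
    """Return the six locking flags from one Locking feature descriptor."""
    if len(desc) < 5:
        raise ValueError("descriptor too short")
    code, _version, length = struct.unpack(">HBB", desc[:4])
    if code != LOCKING_FEATURE_CODE:
        raise ValueError(f"not a Locking feature descriptor: 0x{code:04x}")
    if len(desc) < 4 + length:
        raise ValueError("descriptor truncated")
    flags = desc[4]
    return {name: bool((flags >> bit) & 1) for name, bit in FLAG_BITS.items()}

def describe_state(f: dict) -> str:
    """Plain-language reading of the flags, mirroring the diagnosis above."""
    if not f["LockingSupported"]:
        return "no TCG locking support"
    if not f["LockingEnabled"]:
        return "Locking SP never activated; nobody has taken ownership"
    if f["Locked"]:
        return "ownership taken and a range is locked; reads/writes are refused"
    return "ownership taken (LockingEnabled) but no range is currently locked"

def format_like_sedutil(f: dict) -> str:
    """Render the flags as a 'Locked = N, LockingEnabled = Y, ...' line."""
    return ", ".join(f"{k} = {'Y' if v else 'N'}" for k, v in sorted(f.items()))

# Constructed sample: code 0x0002, version 1, length 12, flags 0x0B
# (LockingSupported, LockingEnabled, MediaEncrypt set; Locked and MBR bits clear),
# which is exactly the state in the --query output quoted in this issue.
SAMPLE_DESC = bytes([0x00, 0x02, 0x10, 0x0C, 0x0B]) + bytes(11)

if __name__ == "__main__":
    flags = parse_locking_feature(SAMPLE_DESC)
    print(format_like_sedutil(flags))
    print(describe_state(flags))
```

The MediaEncrypt bit only says the drive encrypts at rest with its internal media key; it says nothing about whether any host has set a range password, which is why it is Y here even though Locked is N.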

superware commented 3 years ago

Since SEDutil is communicating with Opal enabled drives, I thought it might help me investigate this issue.

Ok, so the initial setup could happen at first Windows installation or during the upgrade. If the drive is not TCG locked, is there anything I can try to gain access to the decrypted data?

Losing access to the D partition occurred immediately after 20H2 version first booted, so I don't think it's related to anything malicious.

If I knew where the key/password being used in AuthenticateSession is stored in Windows, or how it's being calculated, maybe I can try to get the correct one by rolling the version back on a cloned disk, and use it on the drive.

Any ideas?

superware commented 3 years ago

What does Locked = N, LockingEnabled = Y, MediaEncrypt = Y actually mean?

savchenko commented 3 years ago

I'd be curious about "MediaEncrypt = Y" as well.