HDD Password Toshiba
Hello,

i have a Toshiba Laptop which HDD i can't image with FTK. Only zeros with Software Writeblocker. With Hardware Writeblocker you don't See the drive. If you boot the system there ist the info: Input HDD password. I think it's a firmware password. Any suggestions? Is there a tool that shows If it is so?
🗣Civil_Structure_1033

1\. It may be ATA security at work: simplified, hard disks can be assigned a password, and won't allow access unless that password is used to 'login' to the HDD.

Such HDD will, on request, say that security is enabled, so you can use tools such as hdparm (Linux) to identify. (See https://www.admin-magazine.com/Archive/2014/19/Using-the-ATA-security-features-of-modern-hard-disks-and-SSDs for an introduction.)

In this case, as long as you have the password, you can also 'login' to the HDD (pre-boot or post-boot) before you image the drive. The details will obviously depend on the platform you use.

2\. Write blocking may affect the issue. If the blocker prevents all requests that are not simple reads, it will also block login requests. Professional tools usually won't make that mistake, but I can't identify the tool you mention, so I can't say if that is the case here.

The password may be assigned by Toshiba, and be part of the hardware platform: that is, the HDD cannot be removed from the computer and work normally, unless you also extract the password. In these cases, it is easier to let the drive remain mounted, and make a image from a forensic boot environment.
👤athulin12


🎖@malwr

Dissect enables you to go from acquisition of thousands of systems to answering the how, when, and what in a matter of hours – A game changer for incident response teams. It’s modular and concise API allows for anyone with Python experience to adapt it to their own needs and create output ..
🗣digicat

Big fat kudos to Fox IT for releasing Dissect as open source. Wonderful contribution to the community.

On GitHub: https://github.com/fox-it/dissect
👤mrkoot


🎖@malwr