Writing .img file to disk

[melcolmlee]

I managed to run reallymine on my 4tb wd my book using the command "./reallymine decrypt /dev/sdb /media/ubuntu/elements/decrypted.img" and gotten the decrypted.img.

Afterwards, I tried running dd with "dd if=/media/ubuntu/elements/decrypted.img of=/dev/sdc", to a new 6tb hard disk I got, when the dd ran finish, the drive shows as unknown filesystem and I was not able to mount it.

Am I doing something wrong with the dd portion ?

[melcolmlee]

To add on, my disk shows up as /dev/sdb & /dev/sdb1, should I have ran the command on /dev/sdb1 instead ?

[themaddoctor]

Some disks have the wrong blocksize in the filesystem table. Do this and post the output:
sudo fdisk -l /dev/sdc

[themaddoctor]

Oh, then
sudo fdisk -l /dev/sdb

[themaddoctor]

Also, if /dev/sdc is not associated with a physical disk, you may have written a 4TB image into the /dev directory by mistake. Do
ls -ltr /dev
to see if that has happened.

[melcolmlee]

I unplugged my disk accidentally and become sdf afterwards.

ubuntu@ubuntu:~/go/bin$ sudo fdisk -l /dev/sdf
Disk /dev/sdf: 3.65 TiB, 4000787030016 bytes, 7814037168 sectors
Disk model: 5C4040ALE630
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 4096 bytes / 33553920 bytes
Disklabel type: gpt
Disk identifier: 5EDF711D-E7E2-41DF-AA9F-062A51AA9C71

Device Start End Sectors Size Type
/dev/sdf1 34 32767 32734 16M Microsoft reserved

Partition 1 does not start on physical sector boundary.

[themaddoctor]

That's confusing.
Is the drive still in the WD enclosure?
Are you sure it is encrypted?
What was the chip on the SATA-USB bridge card?

[melcolmlee]

The chip died thus I am using a external enclosure with the drive. It was a JMS chip.

[melcolmlee]

I assumed it is encrypted as I am unable to access the drive and it just shows up as 4tb of unallocated space.

[themaddoctor]

Is it formatted for mac?

[melcolmlee]

No, it was previously formatted as NTFS.

[themaddoctor]

I want to see if it was decrypted properly. Please do these four and post the output. You might have to put sudo in front of them; I'm not sure; it depends on your permissions.
dd if=/dev/sdf count=1 | hexdump -C
dd if=/dev/sdf count=1 skip=34 | hexdump -C
dd if=/dev/sdf count=1 skip=2048 | hexdump -C
dd if=/dev/sdf count=1 skip=7814031392 | hexdump -C

[melcolmlee]

[themaddoctor]

The one at 34 is missing.
Can you repost them as text instead of images?

[melcolmlee]

Tried posting them as text but cant seem to have the correct formatting

[melcolmlee]

Is it okay if i attach as txt file ?

[melcolmlee]

output.txt

[themaddoctor]

Sector 0 looks mostly empty, which is a surprise, but it also looks like it has a partition table.
Sector 34 looks like it was not decrypted. When I extract your DEK and decrypt sector 34 I get
512 of the byte 0xe5. That has so little entropy that I must assume that the correct decryption is
a block of 0xe5's.

But....
if I decrypt sector 2048 I do see an NTFS file system:

cat melcolmlee-4TB-JMS538S-sector2048.bin | permute 16 fedcba9876543210 | openssl enc -d -aes-256-ecb -nopad -K 34c06a17777f76f97b54712e6862bdb6724657dc7ead2ba128990a33d20e4f2b | permute 16 fedcba9876543210 | hexdump -C
00000000  eb 52 90 4e 54 46 53 20  20 20 20 00 10 01 00 00  |.R.NTFS    .....|
00000010  00 00 00 00 00 f8 00 00  3f 00 ff 00 00 01 00 00  |........?.......|
00000020  00 00 00 00 80 00 80 00  ff f5 37 3a 00 00 00 00  |..........7:....|
00000030  00 00 0c 00 00 00 00 00  ff fa 1b 1d 00 00 00 00  |................|
00000040  01 00 00 00 01 00 00 00  13 bc 0a ca eb 0a ca a2  |................|
00000050  00 00 00 00 fa 33 c0 8e  d0 bc 00 7c fb b8 c0 07  |.....3.....|....|
00000060  8e d8 e8 16 00 b8 00 0d  8e c0 33 db c6 06 0e 00  |..........3.....|
00000070  10 e8 53 00 68 00 0d 68  6a 02 cb 8a 16 24 00 b4  |..S.h..hj....$..|
00000080  08 cd 13 73 05 b9 ff ff  8a f1 66 0f b6 c6 40 66  |...s......f...@f|
00000090  0f b6 d1 80 e2 3f f7 e2  86 cd c0 ed 06 41 66 0f  |.....?.......Af.|
000000a0  b7 c9 66 f7 e1 66 a3 20  00 c3 b4 41 bb aa 55 8a  |..f..f. ...A..U.|
000000b0  16 24 00 cd 13 72 0f 81  fb 55 aa 75 09 f6 c1 01  |.$...r...U.u....|
000000c0  74 04 fe 06 14 00 c3 66  60 1e 06 66 a1 10 00 66  |t......f`..f...f|
000000d0  03 06 1c 00 66 3b 06 20  00 0f 82 3a 00 1e 66 6a  |....f;. ...:..fj|
000000e0  00 66 50 06 53 66 68 10  00 01 00 80 3e 14 00 00  |.fP.Sfh.....>...|
000000f0  0f 85 0c 00 e8 b3 ff 80  3e 14 00 00 0f 84 61 00  |........>.....a.|
00000100  b4 42 8a 16 24 00 16 1f  8b f4 cd 13 66 58 5b 07  |.B..$.......fX[.|
00000110  66 58 66 58 1f eb 2d 66  33 d2 66 0f b7 0e 18 00  |fXfX..-f3.f.....|
00000120  66 f7 f1 fe c2 8a ca 66  8b d0 66 c1 ea 10 f7 36  |f......f..f....6|
00000130  1a 00 86 d6 8a 16 24 00  8a e8 c0 e4 06 0a cc b8  |......$.........|
00000140  01 02 cd 13 0f 82 19 00  8c c0 05 20 00 8e c0 66  |........... ...f|
00000150  ff 06 10 00 ff 0e 0e 00  0f 85 6f ff 07 1f 66 61  |..........o...fa|
00000160  c3 a0 f8 01 e8 09 00 a0  fb 01 e8 03 00 fb eb fe  |................|
00000170  b4 01 8b f0 ac 3c 00 74  09 b4 0e bb 07 00 cd 10  |.....<.t........|
00000180  eb f2 c3 0d 0a 41 20 64  69 73 6b 20 72 65 61 64  |.....A disk read|
00000190  20 65 72 72 6f 72 20 6f  63 63 75 72 72 65 64 00  | error occurred.|
000001a0  0d 0a 4e 54 4c 44 52 20  69 73 20 6d 69 73 73 69  |..NTLDR is missi|
000001b0  6e 67 00 0d 0a 4e 54 4c  44 52 20 69 73 20 63 6f  |ng...NTLDR is co|
000001c0  6d 70 72 65 73 73 65 64  00 0d 0a 50 72 65 73 73  |mpressed...Press|
000001d0  20 43 74 72 6c 2b 41 6c  74 2b 44 65 6c 20 74 6f  | Ctrl+Alt+Del to|
000001e0  20 72 65 73 74 61 72 74  0d 0a 00 00 00 00 00 00  | restart........|
000001f0  00 00 00 00 00 00 00 00  83 a0 b3 c9 00 00 55 aa  |..............U.|
00000200

Either

1. the disk was not decrypted
2. you sent samples from the encrypted disk and not the disk with the decrypted image on it.

[melcolmlee]

Oh my, I'm so sorry, I thought you meant for me to send the info on the encrypted disk.

Let me try doing the dd step again, I formatted the new harddisk as I was planning to attempt again.

[themaddoctor]

Whatever you do next, just know that the filesystem is NOT at sector 34. It is at sector 2048.
So you have to mount it with an offset, or replace the partition table on the decrypted image.

[themaddoctor]

For my own curiosity, what is the manufacture date on the disk? (stamped on the label of the disk, not on the enclosure)

[melcolmlee]

For my own curiosity, what is the manufacture date on the disk? (stamped on the label of the disk, not on the enclosure)

Let me update you when I am done with dd. I am using one of those harddisk docking station, my view is currently blocked.

Thanks for the help ! I will try mounting with offset.

[MrDecay]

Have you tried mounting the decrypted image itself? Like mad doc said. Offset at 2048 for your filesystem

…

On Wed, May 12, 2021, 11:16 AM melcolmlee ***@***.***> wrote: For my own curiosity, what is the manufacture date on the disk? (stamped on the label of the disk, not on the enclosure) Let me update you when I am done with dd. I am using one of those harddisk docking station, my view is currently blocked. Thanks for the help ! I will try mounting with offset. — You are receiving this because you are subscribed to this thread. Reply to this email directly, view it on GitHub <#122 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AEATVRL5XV4VM2ZWEEWOU6DTNKSVHANCNFSM44YSYCBA> .

[melcolmlee]

I ran the same 4 command previously on decrypted.img
output2.txt

[themaddoctor]

OK, so it was decrypted correctly. But sector 0 and the partition table have been corrupted. Maybe you plugged the
bare disk into a windows machine at some time in the past.

Your NTFS filesystem is at sector 2048.

So you should be able to either

1. mount the disk with an offset
   or
2. repartition the image with fdisk

If you are going to work on linux, try 1. If you want to write the decrypted image to a disk and use it in a
windows machine, try 2.

[melcolmlee]

Have you tried mounting the decrypted image itself? Like mad doc said. Offset at 2048 for your filesystem
…
On Wed, May 12, 2021, 11:16 AM melcolmlee @.***> wrote: For my own curiosity, what is the manufacture date on the disk? (stamped on the label of the disk, not on the enclosure) Let me update you when I am done with dd. I am using one of those harddisk docking station, my view is currently blocked. Thanks for the help ! I will try mounting with offset. — You are receiving this because you are subscribed to this thread. Reply to this email directly, view it on GitHub <#122 (comment)>, or unsubscribe https://github.com/notifications/unsubscribe-auth/AEATVRL5XV4VM2ZWEEWOU6DTNKSVHANCNFSM44YSYCBA .

OK, so it was decrypted correctly. But sector 0 and the partition table have been corrupted. Maybe you plugged the
bare disk into a windows machine at some time in the past.

Your NTFS filesystem is at sector 2048.

So you should be able to either

1. mount the disk with an offset
   or

2. repartition the image with fdisk

If you are going to work on linux, try 1. If you want to write the decrypted image to a disk and use it in a
windows machine, try 2.

Noted, will try 1 for now.

[melcolmlee]

YES ! It worked with the offset.

Thank you guys for the help !

[MrDecay]

Your welcome.

…

On Wed, May 12, 2021, 11:46 AM melcolmlee ***@***.***> wrote: YES ! It worked with the offset. Thank you guys for the help ! — You are receiving this because you commented. Reply to this email directly, view it on GitHub <#122 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AEATVRPSFIHSI4S4BGVX4IDTNKWHXANCNFSM44YSYCBA> .

[melcolmlee]

For my own curiosity, what is the manufacture date on the disk? (stamped on the label of the disk, not on the enclosure)

March 2013

[themaddoctor]

YW