iPod – Imaging and Data Recovery

One of the guys from the Nashville Mac Users group asked me about recovering some audio files from an iPod.  A friend of his used an iTalk to record some audio.  About 200MB with of audio file.  For some reason it is not sync’ing from the iPod.  He also has no idea which of his many macs is the master to the iPod.  He would have to let it wipe it out to associate it to a new mac he is sure of as the master.  So I got to playing around.   My iPod is in disk mode.

  1. Open Terminal
  2. df
    This command shows disc usage and what discs are mounted.  Notice below the iPod is shown and it is is disk2s3.  Keep in mind the main disk# can change every time you reboot if you have multiple external drives. 

    /dev/disk2s3                             117013560  93569848  23443712    80%    /Volumes/iPod

  3. I have an external sata with way more free space than my ipod is big. (60GB)
  4. dd bs=512 if=/dev/rdisk2 of=/Volumes/ExtSata/ipodimage.dmg
    This command does a disc image of the raw disk#2 matching up to what we saw in step 2 above.  You want the raw disk (rdisk) since it is faster for making an image.   So we use a block size of 512 (bs) from an input file (if) of /dev/rdisk2 to an output file (of) of /Volumes/ExtSata/ipodimage.dmg
  5. Wait a really long time (was over night) and when the dmg file shows in finder as large as the iPod close terminal, eject the real ipod and try double clicking on the new ipodimage.dmg file.

For me it opened up fine mounting as a disc image.  I could then browse  the contents of the iPod.  Of course I could feed it to one of my forensic tools since it is a disc image and easy to parse with file recovery tools etc.  Now that I know it works.  The question is can I use this to get past any issues on the fellow’s ipod to drag his audio files out of the disc image.  If we encountered any errors I would do the DD command again but add conf=sync,noerror at the end.

The noerror tells DD to keep going and not end if it hits an error.  The sync tells DD to  pad any error spots with null.  That is an attempt to get around any errors on the disc.


Disc Image – Why not to use a plain Dictionary Word

In the process of playing with backing up to disc images I wanted to play around how to automate the password entry. I may get into why in a future post. Whatever you do, do not use a plain dictionary word to secure your images. Here is why. I based it on the scripts I found at: http://ask.metafilter.com/47171/How-to-crack-a-disk-image

Modified and tested. Worked like a champ when I added my chosen password to a dictionary text file of words. In the below example I used a path to where I have a large collection of dictionary files used for password cracking in forensics etc. This is not the fastest thing in the world but it works if the chosen password shows up in the word lists you throw at the image.


for word in $(cat /Volumes/ExternalDrive/Dictionaries/test.txt | grep -v “#”)


echo -n $word | hdiutil attach /Volumes/iPod/Backup/Backup.sparseimage -stdinpass

if [[ $? = 0 ]]


echo “Password found!”

echo $word

exit 0



echo “password not found :(”

exit 1


Begging to be a presentation at Black Hat.

The other day a public relation email was sent to the Certified Computer Examiner mail list. This email talked about a new secure USB flash drive. That is pretty brave to send such an announcement to forensics professionals. The drive is called the Flash Padlock from Corsair.

I will start with disclosing I have not seen this device in person. My opinions here are strictly based on the vendor documentation from their own web site materials. I did email back to the sender of the announcement that I wouldn’t mind reviewing the drive for the In the Trenches Podcast. Days later and I have yet to receive a reply. But I was still curious. I started reading the materials on the Corsair web site.

The device looks to be very interesting. It is using a combination lock with indicator leds showing the status of the drive. Since the combination is physically entered it is compatible with any computer (Windows, Mac etc) that can recognize flash drives. Corsair provides an online site where you can register the pin you set for your drive. Handy if you forget it. Any computer will let you look it up from their systems. The pin can be up to ten digits in length. No software component is required. This all makes it pretty much impossible to brute force the drive. At least until some enterprising hacker figures out a way to wire up the entry mechanism to a custom interface on a laptop. Another interesting feature is that it locks when the drive is removed from the computer automatically. This is a nice design idea. Makes it less likely anyone will get into the contained data.

They have an interesting PDF White Paper. I see a couple of interesting things in this paper.

  • Page 4 – “A PIN…is not stored anywhere that is accessible from the computer.” Makes you wonder where the pin is stored. Is it hashed, plain text etc? Could someone pull it straight from the flash chips?
  • Page 4 – Read the part about Two Factor Authentication. They claim it is two factor because you have to have the Flash Padlock and know the PIN. I find this debatable. This is like saying a bank vault is using two factor authentication. You have to have possession of the safe and know the combination. To me it is only two factor authentication if the two factors actually authenticate the proper user. Possessing the lock does not mean the lock requires two items of proof of valid access. In my opinion and this is my personal opinion only, this consists of one factor of authentication. So at this point I am starting to get skeptical on this device being the wonder affordable security flash drive.
  • I found no reference of encryption in the white paper at all relating to the Padlock. In fact unless I am blind I find only encryption references in the comparison to other device protection types. So I began to wonder if this PIN is only protecting read access. If some clever security researcher could read the data straight from the flash memory and present it at Black Hat. At the bottom of page 4 there is a reference that the DataLock(tm) technology has been licensed from a company called ClevX. They even nicely provide a link to www.clevx.com.

Finally, I find the last thing that makes me nervous about this device. I needed only look at ClevX’s page on Datalock. http://www.clevx.com/datalock.html Do you see the words that make every security professional cringe? “Proprietary on-board encryption…” At least the data does not sound like it is in plain text.

So seems to me this device would make some skilled security researcher a wonderful paper for Black Hat. I would still love to play with one of these devices and compare it from a usability frame of reference to the Kingston DataTraveller Elite that comes fully encrypted using non-proprietary 256-bit hardware-based AES encryption.


Windows Password Recovery

Every now and then on the Certified Computer Examiner mail list someone asks about recovering passwords in windows. It is easy to change them with a linux boot disk. But there are times when knowing the actually passwords is important. I wrote the below long time back for the In the Trenches podcast.


You have a pc or laptop running windows XP that you really need to know the administrator password for. Perhaps it is a production machine you do not have time to reload and knowing the existing password will give you a hint on who may have changed the password.

Software Needed:

Hardware Needed:

Preparing Ahead of Time:

  • Sam Inside is a commercial package but you can download an eval.
    • We need this because it can import both the SAM and SYSTEM file to extract the password hashes and then export into a pwdump format that Cain can read.
  • Cain and Abel will allow us to recover the lost passwords using Rainbow Tables.
  • You can download already computed Rainbow Tables from the Shmoo group via bittorrent.
    • I keep all my rainbow tables on an external USB2-Firewire Drive.
    • For the larger table types like lanman symbol14 alphanumeric keep the tables divided into subfolders for each “disc” so it is in groups of about five files. We will discuss why in a minute.

Time to Recover a Password

Grab the hashes and use Sam Inside to recover pwdump formatted file.

  • Take the hard drive out of the source system.
    • Place the hard drive into the usb2-firewire carrier and attach to your system.
    • We need two files for Sam Inside to help us.
      • c:\windows\system32\config
        • SAM and SYSTEM registry files – Save these to your local hard drive.
      • Open up Sam Inside and choose File-Import from SAM and SYSTEM registry files.
      • Now choose File-Export as pwdump format and save it to the work folder on your system

Pull the hashes into Cain and Recover the Password

  • Open up cain and choose the Cracker Tab
    • Choose LM and NTLM hashes from tree in left pane.
    • Click the + Icon, choose import from text or sam file. Browse to the file you exported from Sam Inside
    • Select the hashes now showing in the right pane. Right click and choose Cryptanalysis Attack LM
    • Click Add Table on the dialog that comes up. Browse and add the first group of five tables. Then click Start.
    • If it does not find all the hashes then click Remove All and repeat adding the next five tables. Do this until you have used all your tables or the password is recovered.

There you go. Most passwords will be found this way without days or longer of brute force attacks. Keep in mind you are limited by the rainbow table character set you choose to use.

Counter Measures

Keep in mind this recovery process can be misused by malicious people. So if they have physical access to your system you can see your passwords are short lived. You should check out a previous segment on Laptop Hard Drive passwords on the wiki.