2 Replies Latest reply on Nov 21, 2012 8:48 PM by mirrorless

    Can a machinekey be extracted from a .sdb file?

      I am trying to decrypt an image of an HDD using FTK 4.0. I have the .sdb file for the HDD, but the FTK interface requires the key be entered rather than the .sdb file. Is there a way to extract the key from the .sdb file? Thanks in advance.

        • 1. Re: Can a machinekey be extracted from a .sdb file?

          Use the getmachinekey command of sbadmcl - for example


          sbadmcl.exe -command:getmachinekey -help

          • 2. Re: Can a machinekey be extracted from a .sdb file?

            Not sure, probably need to reverse engineer the sdb file; it seems to be in binary format.

            Simon might know how to convert the SDB file to a key file for FTK.


            If you have MEE manager, maybe you can import it and then use sbadmcl.exe to extract it, as in the guide from http://digfor.blogspot.com/2011/07/safeboot-with-encase-or-ftk_18.html


            Access to the SafeBoot server is required when working with both EnCase and FTK. There is no need to export/copy out any files for decrypting with FTK. For Safeboot versions 4.x and 5.x the decryption key can be obtained by running the SbAdmCl.exe command line tool. Its location can vary from version to version on the Safeboot server.


            SbAdmCl.exe -AdminUser:admin -AdminPwd:password -command:GetMachineKey -Machine:Machinename


            To extract decryption keys for a group of computers the same command can be issued with -Group:* instead of -Machine:Machinename


            The command should return 32 bit Encryption Key(s) that can be entered in FTK when the encrypted evidence files are added to the case.


            In McAfee Endpoint Encryption Version 6.x the key is exported from the server by using ePO (ePolicy Orchestrator). Check "Exporting the recovery information file from ePO" section of McAfee EETech User Guide for details. Once the .xml file is exported, a base64 key located between <key> and </key> needs to be copied, decoded and converted to hex. The easiest way to accomplish the task is to utilise this online "Base64 -> hexadecimal string decoder", which should produce the decryption key required by FTK.
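
The 6.x step described in the last reply (take the base64 text between <key> and </key>, decode it, convert it to hex) can also be done locally on the examiner's workstation. The script below is an added example, not part of the original thread or of any McAfee tooling; the sample XML is constructed, and everything in it other than the <key> element name (wrapper elements, machine name, key value) is an assumption.

```python
import base64
import binascii
import xml.etree.ElementTree as ET

# Constructed sample: only the <key> element name comes from the thread;
# the wrapper elements, machine name and key value are made up.
SAMPLE_XML = """<?xml version="1.0"?>
<recovery>
  <machine>LAB-PC-01</machine>
  <key>
    ABEiM0RVZneImaq7zN3u/wARIjNEVWZ3
    iJmqu8zd7v8=
  </key>
</recovery>"""


def local_name(tag):
    """Strip an XML namespace prefix such as '{urn:x}key' -> 'key'."""
    return tag.rsplit("}", 1)[-1]


def extract_keys_hex(xml_text):
    """Return the upper-case hex form of every <key> element in the export."""
    root = ET.fromstring(xml_text)
    keys = []
    for elem in root.iter():
        if local_name(elem.tag).lower() != "key":
            continue
        # The base64 text may be indented or line-wrapped; drop whitespace.
        b64 = "".join((elem.text or "").split())
        if not b64:
            raise ValueError("empty <key> element")
        try:
            # validate=True rejects stray characters instead of skipping them,
            # so a damaged export fails loudly rather than yielding a wrong key.
            raw = base64.b64decode(b64, validate=True)
        except binascii.Error as exc:
            raise ValueError(f"<key> is not valid base64: {exc}") from None
        keys.append(raw.hex().upper())
    if not keys:
        raise ValueError("no <key> element found")
    return keys


if __name__ == "__main__":
    for key_hex in extract_keys_hex(SAMPLE_XML):
        print(f"{len(key_hex) // 2} bytes: {key_hex}")
```

The byte count printed next to each key is a quick sanity check before the hex string is pasted into FTK.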