11 Replies Latest reply on Nov 28, 2012 12:14 AM by mirrorless

    Modifying the sdb content

      Hi guys,

       

      I have a question regarding the offline modification of the content of an *.sdb in order to integrate it with some legacy software.

      The original sdb looks like this:

       

                <ConfigEncryption>
                  <Drive Letter="c:" DiskNumber="0" PartitionNumber="1">Full</Drive>
                  <Drive Letter="d:" DiskNumber="0" PartitionNumber="2">Full</Drive>
                </ConfigEncryption>
                <ActualEncryption>
                  <Drive Letter="c:" DiskNumber="0" PartitionNumber="1">Full</Drive>
                  <Drive Letter="d:" DiskNumber="0" PartitionNumber="2">Full</Drive>
                </ActualEncryption>

       

      and I want it to look like this:

       

                <ConfigEncryption>
                  <Drive Letter="c:" DiskNumber="0" PartitionNumber="1">Full</Drive>
                  <Drive Letter="d:" DiskNumber="0" PartitionNumber="2">Full</Drive>
                  <Drive Letter="e:" DiskNumber="0 or 1" PartitionNumber="3 or 1">Full</Drive>
                </ConfigEncryption>
                <ActualEncryption>
                  <Drive Letter="c:" DiskNumber="0" PartitionNumber="1">Full</Drive>
                  <Drive Letter="d:" DiskNumber="0" PartitionNumber="2">Full</Drive>
                  <Drive Letter="e:" DiskNumber="0 or 1" PartitionNumber="3 or 1">None</Drive>
                </ActualEncryption>

       

      Regards,

      Dragos.

       

      Message was edited by: dragos.andreca on 11/22/12 10:37:40 AM CST

       

      Message was edited by: dragos.andreca on 11/22/12 10:38:35 AM CST

       

      Message was edited by: dragos.andreca on 11/22/12 10:39:45 AM CST
        • 1. Re: Modifying the sdb content

          You can't modify an sdb.

           

          And your example does not seem to make sense. The config and actual refer to the machine the sdb came from - there can't be a "0 or 1"? The partition and disk are one or the other, not variable.

           

          What are you actually trying to achieve?

          • 2. Re: Modifying the sdb content

            I am trying to achieve either this:

             

                      <ConfigEncryption>
                        <Drive Letter="c:" DiskNumber="0" PartitionNumber="1">Full</Drive>
                        <Drive Letter="d:" DiskNumber="0" PartitionNumber="2">Full</Drive>
                        <Drive Letter="e:" DiskNumber="0" PartitionNumber="3">Full</Drive>
                      </ConfigEncryption>
                      <ActualEncryption>
                        <Drive Letter="c:" DiskNumber="0" PartitionNumber="1">Full</Drive>
                        <Drive Letter="d:" DiskNumber="0" PartitionNumber="2">Full</Drive>
                        <Drive Letter="e:" DiskNumber="0" PartitionNumber="3">None</Drive>
                      </ActualEncryption>

             

            or this:

             

                      <ConfigEncryption>
                        <Drive Letter="c:" DiskNumber="0" PartitionNumber="1">Full</Drive>
                        <Drive Letter="d:" DiskNumber="0" PartitionNumber="2">Full</Drive>
                        <Drive Letter="e:" DiskNumber="1" PartitionNumber="1">Full</Drive>
                      </ConfigEncryption>
                      <ActualEncryption>
                        <Drive Letter="c:" DiskNumber="0" PartitionNumber="1">Full</Drive>
                        <Drive Letter="d:" DiskNumber="0" PartitionNumber="2">Full</Drive>
                        <Drive Letter="e:" DiskNumber="1" PartitionNumber="1">None</Drive>
                      </ActualEncryption>

             

            If you cannot modify an *.sdb, I will rephrase my question. How can I generate a new sdb which has the configuration presented in this post, based on the configuration presented in my first post? Something like adding a USB thumb drive and synchronizing. How can I do this offline?

             

            Regards,

            Dragos Andreca

            • 3. Re: Modifying the sdb content

              I still don't really understand what you are trying to achieve.

               

              If your machine has three partitions on drive 0 and only c and d are encrypted, then you will get your first example.

               

              Are you trying to change the config of a machine via an sdb file? If so, that can't be done. SDB files are created from machines for import into EEM, not the other way around.

               

              You can't reconfigure a machine with an sdb file.

              • 4. Re: Modifying the sdb content

                I am not trying to configure the machine through the sdb. Let's have the following scenario. I am inserting a USB thumb drive and after that I am synchronizing with the server, which builds a new sdb based on my new config. Then I will get the 2nd example from post no. 2.

                My question is: if I insert the thumb drive and I don't sync, is it possible to sync offline based on the unsynced sdb and knowing the thumb drive partition details? If it's not clear, let's talk over mail because I don't want to pollute this forum.

                 

                Regards,

                Dragos Andreca

                 

                Message was edited by: dragos.andreca on 11/22/12 1:47:40 PM CST

                 

                Message was edited by: dragos.andreca on 11/22/12 1:48:17 PM CST

                 

                Message was edited by: dragos.andreca on 11/22/12 1:48:53 PM CST
                • 5. Re: Modifying the sdb content

                  I think I understand now. No. It's not possible to either sync offline, or to change the content of an exported sdb to match a condition which did not exist when it was created.

                   

                  But also, it's rarely necessary to do either as far as I can see.

                   

                  The sdb does not exist until you create it from EEM - it's built from the database. You can't lie to the db and convince it that something is encrypted - only the machine itself can do that.

                   

                  The crypt state of the thumb drive is stored on it though in the partition gap, so you don't need the sdb unless you corrupted that somehow. And, even then you can always force decrypt the partition. The key is always the key of the machine which encrypted it.

                   

                  So I guess my next questions are: why do you need a machine export (an sdb file)? And what's the purpose of the legacy software you are trying to integrate with?

                   

                  Oh, and encrypting removable drives with EEPC is really not ideal, as you are no doubt discovering. They are not portable any more. The EEFF product is designed for portable media.

                  • 6. Re: Modifying the sdb content

                    I will give you another example. Let's have in mind the 1st example from the 2nd post (with all the drives unencrypted and EEPC not installed yet). Let's also assume that after you add data to partition e: you unassign the letter and after that you install EEPC. Then the sdb file generated will be as in post 1. If I assign the e letter back to the partition which didn't have a letter assigned and hit sync, I will get example 1 from the second post.

                     

                    Conclusion.

                     

                    I want to have one unencrypted partition and two encrypted on the same disk, and all three partitions to show up in the sdb. My problem is that EEPC is unable to store data about a partition that doesn't have a letter assigned (after decryption is finished).

                     

                    Message was edited by: dragos.andreca on 11/22/12 2:29:01 PM CST

                     

                    Message was edited by: dragos.andreca on 11/22/12 2:30:23 PM CST
                    • 7. Re: Modifying the sdb content

                      It's not so much that it's unable, it's that we specifically do not encrypt partitions which do not have drive letters. It makes it so much more complicated for administrators.

                       

                      The drive letter does not matter much at all other than for helping admins choose what to encrypt. Internally everything is tracked by drive number and partition number, plus encrypted sector ranges.

                       

                      I still don't see why you want to modify the sdb though, but regardless, it's not possible to do so.
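An added example, not part of the original thread and not code from the vendor or any forensic tool: a read-only check that compares `ConfigEncryption` against `ActualEncryption` in the fragment quoted in post 2, keyed by disk and partition number rather than drive letter. The `<Export>` root element and the function names are assumptions made so the fragment parses on its own.

```python
import xml.etree.ElementTree as ET

# Constructed sample: first variant from post 2, wrapped in a hypothetical
# <Export> root element so the fragment parses as a single document.
SAMPLE = """<Export>
  <ConfigEncryption>
    <Drive Letter="c:" DiskNumber="0" PartitionNumber="1">Full</Drive>
    <Drive Letter="d:" DiskNumber="0" PartitionNumber="2">Full</Drive>
    <Drive Letter="e:" DiskNumber="0" PartitionNumber="3">Full</Drive>
  </ConfigEncryption>
  <ActualEncryption>
    <Drive Letter="c:" DiskNumber="0" PartitionNumber="1">Full</Drive>
    <Drive Letter="d:" DiskNumber="0" PartitionNumber="2">Full</Drive>
    <Drive Letter="e:" DiskNumber="0" PartitionNumber="3">None</Drive>
  </ActualEncryption>
</Export>"""


def drive_states(root, section):
    """Map (disk, partition) -> (letter, state) for one section."""
    states = {}
    node = root.find(f".//{section}")
    if node is None:
        return states
    for drive in node.findall("Drive"):
        key = (int(drive.get("DiskNumber")), int(drive.get("PartitionNumber")))
        states[key] = (drive.get("Letter"), (drive.text or "").strip())
    return states


def compare_encryption(xml_text):
    """Return one row per partition with configured and actual state."""
    root = ET.fromstring(xml_text)
    config = drive_states(root, "ConfigEncryption")
    actual = drive_states(root, "ActualEncryption")
    rows = []
    for key in sorted(set(config) | set(actual)):
        letter = (config.get(key) or actual.get(key))[0]
        cfg = config.get(key, (None, "absent"))[1]
        act = actual.get(key, (None, "absent"))[1]
        rows.append({"disk": key[0], "partition": key[1], "letter": letter,
                     "config": cfg, "actual": act, "mismatch": cfg != act})
    return rows


if __name__ == "__main__":
    for row in compare_encryption(SAMPLE):
        print(row)
```

A partition listed in only one of the two sections is reported with the state `absent` on the other side, so it still shows up as a mismatch.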

                      • 8. Re: Modifying the sdb content

                        There is a SafeBoot module for a forensic software called EnCase which has issues identifying the encrypted and unencrypted partitions, and what I asked in all my posts will solve that problem.

                        Guidance Software has a tool that is able to parse some data out of the sdb. My question was (I understand now that it isn't possible) if there is a tool or undocumented SBadmcl command (like Cisco has quite often) that is able to inject data, but... I guess not. Thanks a lot for the support, I will figure it out at some point.

                         

                        Regards,

                        Dragos Andreca

                        • 9. Re: Modifying the sdb content
                          mirrorless

                          This is not possible,

                           

                          because you will screw up the encryption disk information, especially on encrypted sectors.

                          The SDB contains the key and it depends on the SBR (Safeboot Master Boot Record) information.

                           

                          You can probably do this by resyncing the information back to the EEM manager.
