An additional consideration for Opal drives is a unique configuration that
exposes a Shadow MBR. This Shadow MBR can be enabled by drive/system
manufacturers to initially identify the drive as a small, non-encrypted volume,
which overrides the actual MBR information. A typical use case for this
configuration is to enable system manufacturers to request credentials from a
user before revealing the actual MBR information on the drive. Regardless of
the use case, it is important to be able to identify situations where only the
Shadow MBR is revealed, to make it clear that the entire drive contents are not
being seen. TX1 will detect when an Opal Shadow MBR is enabled and clearly
indicate its presence. The lock icon will show in the affected drive tile in the
Sources list, and the presence of an Opal MBR will be explicitly called out in
the drive details screen. Note that the Shadow MBR configuration is essentially
a unique form of a locked Opal drive; therefore, unlocking the Opal encryption
on TX1 will disable the Shadow MBR (regardless of the underlying encryption
state) and make the full, unencrypted drive contents available for
triage/acquisition. Also, Opal encryption unlock (including Shadow MBR
disablement) is a volatile change, meaning that the drive will revert to its
original configuration after it is power cycled.
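The following Python example is added here for illustration and is not part of the TX1 documentation or firmware. It reads the Locking feature from a TCG Level 0 Discovery response to tell when a drive is presenting only its Shadow MBR. Assumptions: the descriptor layout is taken from the TCG Storage specification, the function names are hypothetical, the sample responses are constructed, and an all-zero buffer stands in for an enclosure that passes nothing through.

```python
import struct

# Locking feature descriptor (feature code 0x0002) flag bits, as laid out in
# the TCG Storage Level 0 Discovery response (assumed; not from the TX1 guide).
LOCKING_FEATURE = 0x0002
FLAGS = {"locking_supported": 0x01, "locking_enabled": 0x02, "locked": 0x04,
         "media_encryption": 0x08, "mbr_enabled": 0x10, "mbr_done": 0x20}
HEADER_LEN = 48  # 4-byte length, versions, reserved and vendor-specific bytes


def locking_state(resp: bytes):
    """Return the Locking feature flags from a Level 0 Discovery response,
    or None when no Locking feature is present (not an Opal-style drive, or
    a bridge that returned nothing useful)."""
    if len(resp) < HEADER_LEN:
        return None
    (data_len,) = struct.unpack_from(">I", resp, 0)
    end = min(len(resp), data_len + 4)  # the length field excludes itself
    off = HEADER_LEN
    while off + 4 <= end:
        code, _ver, flen = struct.unpack_from(">HBB", resp, off)
        body = resp[off + 4: off + 4 + flen]
        if code == LOCKING_FEATURE and len(body) >= 1:
            state = {name: bool(body[0] & bit) for name, bit in FLAGS.items()}
            # Host reads are redirected to the Shadow MBR while shadowing is
            # enabled and the Done flag has not been set.
            state["shadow_mbr_visible"] = state["mbr_enabled"] and not state["mbr_done"]
            return state
        off += 4 + flen
    return None


def build_sample(flag_byte: int) -> bytes:
    """Constructed response: header, a TPer feature (0x0001), then Locking."""
    tper = struct.pack(">HBB", 0x0001, 0x10, 12) + bytes([0x11]) + bytes(11)
    locking = struct.pack(">HBB", LOCKING_FEATURE, 0x10, 12) + bytes([flag_byte]) + bytes(11)
    feats = tper + locking
    header = struct.pack(">IHH", HEADER_LEN - 4 + len(feats), 0, 1) + bytes(40)
    return header + feats


if __name__ == "__main__":
    samples = [("shadow MBR presented", 0x1F), ("unlocked, MBR done", 0x3B)]
    for label, flags in samples:
        print(label, locking_state(build_sample(flags)))
    print("all-zero response", locking_state(bytes(512)))
```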
Caution
Docking station type devices that have Opal drives in them must support
ATA command pass-through for TX1 to properly detect the presence of
Opal encryption and allow it to be unlocked. Docking stations that do not
support ATA command pass-through may present locked Opal media as
all zeros with no indication of Opal encryption being present in the TX1
user interface. Use caution when acquiring any docking station-based
media. If you suspect a drive in a docking station is Opal-encrypted, but is
not being presented that way in the TX1 user interface, removing the drive
from the enclosure and connecting it directly to TX1 may yield the desired
outcome.
3.3.5.2 BitLocker encryption
Drives and partitions that are encrypted with Microsoft BitLocker can be unlocked
by TX1, as described in the beginning of Encryption unlock above. The presence of
BitLocker encryption is noted in any area of the user interface that shows
information about the attached drive and/or partitions on the drive. This includes
drive tiles (shown in the Source and Destination drive lists, among other locations),
partition tiles (which show whenever a filesystem is being selected for an operation),
the Drive Details screen, and the Content Breakdown screen.
Note: It is possible for BitLocker drives to have been originally
encrypted and secured in a manner that TX1 will not be able to
unlock/unencrypt. In particular, Smart Card and Trusted Platform Module (TPM)
methods secure a BitLocker encrypted drive with hardware-based interactions
that are not supported by TX1.
3.3. Media utilities (traditional media)
ISTX240300-UGD-EN-1
User Guide