Many organizations use Pointsec (Check Point) full disk encryption in order to keep their data secure, especially in the case of laptops. As forensics investigators, we are occasionally tasked with creating forensically sound, decrypted images of Pointsec encrypted drives for preservation or investigation. This is a notoriously difficult task, as no existing forensics tool has the push-button ability to create a decrypted image from an encrypted one. While there are a few online resources documenting this process, they are contradictory and occasionally incorrect. In order to help out other investigators faced with this challenge, we are going to present a set of steps and pointers for acquiring a forensically sound (with caveats) decrypted image from a Pointsec encrypted drive image. Note that this post is not about breaking the encryption, just about creating a decrypted image assuming we have required security credentials. Also, since the process has failed a few, rare times in our lab, alternative methods will be presented in a future post.
Things you need:
- A Pointsec encrypted raw drive image
- A workstation with LiveView (and an underlying VMWare installation)
- A custom BartPE CD with the Pointsec Dynamic Mount Utility (DMU) for mounting the encrypted image, and with FTK Imager. Instructions for creating this disk with DMU can be found in the Dynamic Mount Utility Administration Guide (currently HERE: https://updates.checkpoint.com/fileserver/SOURCE/direct/ID/11801/FILE/CP_2.0_FDE_Dynamic_Mount_Utility_AdminGuide.pdf). You will need to add FTK Imager to the disk as well.
- A network share to write the decrypted image to.
- Use LiveView to generate the configuration files only for the encrypted drive image.
- Open the newly-generated configuration file (.vmx) with VMWare Workstation and:
- Set the CD-ROM to the correct drive letter
- Add and configure a Network Adapter (use NAT if in doubt)
- Open the vmx file itself in a text editor and add the following line to the end:
Bios.BootDelay = “10000”
(this adds a 10 second boot delay, or else step 6 becomes difficult)
- Load the BartPE CD into the physical computer’s CD ROM tray
- Launch the virtual machine in LiveView, select to continue when prompted.
- Hit ESC to enter the VMWare boot menu, and select the CD-ROM drive to boot the BartPE CD.
- Once BartPE is fully loaded, configure networking at the prompt.
- Set the correct network settings.
- Map a network share for writing the decrypted image.
- Run the DMU utility and select the encrypted drive.
- Enter the require credentials (local Administrator has worked for us in the past).
- Once the drive appears as “unlocked,” use FTK Imager to create an image of the unlocked local drive onto the mapped network drive.
Troubleshooting and implementation notes:
- We have tried imaging the unlocked drive with dd and dcfldd, but neither run correctly inside BartPE.
- You may have to configure networking and / or map the network drive in BartPE more than once before it sticks. Be sure to use the provided “PE Network Configurator.” Configuring with “NET USE” or “ipconfig” from the command line does not appear to work correctly (or at all).
- Sometimes when booting BartPE or when running DMU, you get a BSOD “STOP 0x0500????”. These error codes do not appear to be documented anywhere, and to get around it you need to use one of the alternate methods we will present in the next installment.
- DMU does not have an option to mount the encrypted volume read-only. Forensically, this means that the decrypted image will not be exactly as the encrypted image was, but since we were not booted to the encrypted image, and we are careful not to touch any files on the volume (right?), this method should be perfectly acceptable with proper documentation.
Hopefully this guide will help other investigators to gather a forensically sound disk image of Pointsec encrypted laptops. In future posts, we will present alternatives methods to the one presented that accomplish the same task.