EnCase and Checkpoint PointSec – I’m Not Feeling the Love!

Hard Disk photo courtesy of Jeff Kubina at http://www.flickr.com/photos/kubina/

EnCase cannot directly access PointSec encrypted hard drives. I understand that PointSec (owned by Checkpoint) may be talking to EnCase and working on a decryption solution. Today, however, there is no seamless way to forensically access PointSec encrypted data without going through a decryption of the hard drive first. More information may be found at http://www.guidancesoftware.com/products/ef_modules.aspx#eds, and http://www.guidancesoftware.com/products/pop_dlx.aspx?ref=ef – registration may be necessary.

Normal procedure for investigation startup:

  1. Acquire the drive with EnCase.
  2. Start the examination.

Procedure for investigation involving PointSec decryption:

  1. Acquire a raw image of the encrypted hard disk using dd or dcfldd. Hash the image and compare it with the hash of the original disk.
  2. Acquire the decryption key file.
  3. Using the PointSec software and the decryption passphrase, write a boot floppy. This boot floppy is used to decrypt the target hard disk.
  4. Use dd or dcfldd to create a bit for bit image of the floppy disk.
  5. Set up a new virtual machine in VMware, pointing the floppy drive at the floppy disk image and the VM hard disk at the raw encrypted hard drive image.
  6. Start up the VM, booting from the floppy image.
  7. After keying in the appropriate passphrase(s), the hard disk image will be decrypted as if it were the original hard drive.
  8. Go out for beer and peanuts. Take your time.
  9. Add the decrypted image to EnCase as the subject drive of the investigation. New hashes will have to be taken, since the decrypted image cannot match the hash of the encrypted acquisition, and everyone will have to trust that the data has not changed even though the hash has.
  10. Start the examination.
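As an added example, not code from the original post: a shell sketch of steps 1, 4 and 5 above, that is, raw acquisition with dd, hash comparison against the source, and attaching the raw image and the floppy image to a VMware VM. sha256sum, the device and file names, and the VMware descriptor and .vmx keys are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes dd and sha256sum exist;
# device names are placeholders (e.g. /dev/sdb for the disk, /dev/fd0 for the floppy).

# Print only the digest of a file or block device.
hash_of() {
    sha256sum "$1" | cut -d ' ' -f 1
}

# "Hash and compare to the original disk": 0 when source and image match, 1 otherwise.
verify_image() {
    src_hash=$(hash_of "$1")
    img_hash=$(hash_of "$2")
    echo "source: $src_hash"
    echo "image:  $img_hash"
    [ "$src_hash" = "$img_hash" ]
}

# Bit-for-bit copy of a disk or floppy into a raw image, then verify it.
# dcfldd takes the same if=/of= arguments if preferred.
acquire_and_verify() {
    dd if="$1" of="$2" bs=512 conv=noerror,sync 2>/dev/null || return 1
    verify_image "$1" "$2"
}

# VMware "monolithicFlat" descriptor so the VM sees the raw encrypted image as its
# hard disk. Sector count comes from the image size; geometry values are assumed.
write_flat_vmdk() {
    img=$1; out=$2
    bytes=$(wc -c < "$img")
    sectors=$((bytes / 512))
    cylinders=$((sectors / (16 * 63)))
    {
        echo '# Disk DescriptorFile'
        echo 'version=1'
        echo 'CID=fffffffe'
        echo 'parentCID=ffffffff'
        echo 'createType="monolithicFlat"'
        echo "RW $sectors FLAT \"$(basename "$img")\" 0"
        echo "ddb.geometry.cylinders=\"$cylinders\""
        echo 'ddb.geometry.heads="16"'
        echo 'ddb.geometry.sectors="63"'
        echo 'ddb.adapterType="ide"'
    } > "$out"
}

# .vmx lines mapping the floppy image ($1) and the descriptor ($2) into the VM (assumed keys).
write_vmx_fragment() {
    printf 'floppy0.present = "TRUE"\nfloppy0.fileType = "file"\nfloppy0.fileName = "%s"\n' "$1"
    printf 'ide0:0.present = "TRUE"\nide0:0.fileName = "%s"\n' "$2"
}
```

Run acquire_and_verify for the disk and again for the floppy, then write_flat_vmdk and append write_vmx_fragment's output to the VM's .vmx before booting from the floppy.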

PointSec and EnCase – Send flowers
Here are the steps, in a perfect world, to start the investigation with a future EnCase version that speaks PointSec:

  1. Acquire the encrypted drive with EnCase.
  2. Key in the password.
  3. Start the examination.

Perhaps we all need to send an encouraging card or some flowers to the meetings, and tell those guys we want to see a group hug, today. We need to feel the love!

J. Michael Butler, GCFA Gold #56, is an Information Security Consultant employed by a Fortune 500 application service provider that processes over half of the approximately $5 trillion of U.S. residential mortgage debt. He also authored his company’s enterprise-wide information security policies.

2 thoughts on “EnCase and Checkpoint PointSec – I’m Not Feeling the Love!”

  1. The world is not perfect, but if the drive is encrypted with Utimaco Safeware’s SafeGuard Easy, then the process will be:

    1. Acquire the encrypted drive with EnCase.
    2. Key in the username and password.
    3. Start the examination.

    How sweet it is…
