safeboot/pointsec full hdd encryption is killing forensic?


francis87
Member
 

safeboot/pointsec full hdd encryption is killing forensic?

Post Posted: Apr 21, 09 19:35

I have this problem: I want to investigate a hdd. But it was encrypted with safeboot; I think some of us face the same problem with pointsec.

Is there any way to do away with the safeboot and start doing my forensic investigation on it?
 
  

jaclaz
Senior Member
 

Re: safeboot/pointsec full hdd encryption is killing forensi

Post Posted: Apr 22, 09 00:06

There is a BartPE/UBCD4WIN for it:
ubcd4win.com/forum/ind...opic=11191

But of course you need the .sdb file or the username/password + the "daily authorization code":
www.eems2.com/v1/publi...0Guide.pdf

Old-old versions were said to have a backdoor, but I don't think this is happening anymore.

jaclaz  
 
  

paul206
Senior Member
 

Re: safeboot/pointsec full hdd encryption is killing forensi

Post Posted: Apr 27, 09 23:54

We use Safeboot at work and I recently had to do an analysis of a laptop that was encrypted. We hooked it up to the network and gave our Safeboot administrator the computer name and he decrypted it for us so we could image it and run an analysis. When we were done we put the hard drive back in the laptop and turned it on, and it then called home to the server and re-encrypted itself.
 
  

datacarver
Senior Member
 

Re: safeboot/pointsec full hdd encryption is killing forensic?

Post Posted: Apr 28, 09 04:24

EnCase now supports Safeboot. You will need to contact Guidance for the Safeboot plugin for EnCase.

You have two options with EnCase, point EnCase to the SDB file and machine name OR point it to the Safeboot Server (Requiring server credentials and that the SDB file be in an active table within the database).

I personally think using the offline SDB file is easier and I do not see many places providing you full access to the server.

You will also require the SDMCFG.ini & SbAlg.dll files from the server, and the SDB file of course.

There is also a floppy disk I have that will allow you to boot to the diskette and decrypt the HDD. I do not like this option. I prefer the decryption on the fly with EnCase. Plus, if you use the wrong SDB file with the diskette, it hoses your hard drive and requires you to clone and start again.

As for pointsec, I just came across my first pointsec drive yesterday. I was able to boot into my image of the drive fine with LiveView and VMware and get to a Windows password screen, but EnCase does not even see the contents. I'm still trying to figure out the best way to tackle this drive by simply adding it to your case.
I'll be exploring this suggestion...  
 
  

Edge
Member
 

Re: safeboot/pointsec full hdd encryption is killing forensi

Post Posted: Apr 28, 09 06:15

We use Safeboot internally and I have done a tonne of SafeBoot recoveries and forensic work. After we got SafeBoot I spent a few weeks mucking around with it and it's actually really easy to bypass, even if you have no access to an SDB file, Safeboot Server or EnCase EDS Module.

A little bit of reverse engineering on v5 can go a long way and on v4 a small flaw in SafeBoot logic can mitigate their entire security. I am not going to discuss on the forum how to reverse engineer or bypass their logic as I have no idea what legal ramifications would exist if I did. francis87 and datacarver PM me, I can help you.

On a side note, Guidance's developers have no idea about Safeboot. Seriously, all EnCase looks for when decrypting Safeboot volumes is the word SafeBoot in the first sector of the volume, so if the first 63 sectors become corrupt EnCase can't decrypt it; you can't even force EnCase to decrypt the drive (you need to edit the DD image and put the word SafeBoot in the first sectors of the volume to trick EnCase). Or say the drive is partially encrypted: EnCase doesn't let you decrypt between sectors. The EnCase developers dismissed any need for the above in EnCase, so they have obviously never worked with SafeBoot outside a controlled testing environment.
 
  
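A triage check in the spirit of Edge's remark above: before handing an image to a decryption tool, confirm whether the "SafeBoot" marker is still present in the first sectors or whether that region has been wiped. This is an added example for this thread, not a Forensic Focus, EnCase or SafeBoot tool; it assumes 512-byte sectors, that the marker is the literal ASCII string SafeBoot, and that it lies somewhere in the first 63 sectors (the thread names the word, not its exact offset).

```python
"""Triage: does a raw (dd) image carry the 'SafeBoot' marker in its first
sectors?  Assumes 512-byte sectors and an ASCII 'SafeBoot' string within
the first 63 sectors (the thread names the word, not its exact offset, so
the region is scanned rather than one offset trusted)."""
from dataclasses import dataclass
from typing import Optional

SECTOR = 512
TRACK0_SECTORS = 63      # the "first 63 sectors" region named in the thread
MARKER = b"SafeBoot"     # assumed ASCII marker string

@dataclass
class SafeBootTriage:
    marker_sector: Optional[int]  # sector index holding the marker, or None
    marker_offset: Optional[int]  # byte offset of the marker in that sector
    blank_sectors: int            # sectors in the region that are all 0x00

def triage_image(image: bytes) -> SafeBootTriage:
    """Scan the first track; a marker straddling a sector boundary is not matched."""
    region = image[:SECTOR * TRACK0_SECTORS]
    sector_no = offset = None
    blank = 0
    for i in range(0, len(region), SECTOR):
        sector = region[i:i + SECTOR]
        pos = sector.find(MARKER)
        if sector_no is None and pos != -1:
            sector_no, offset = i // SECTOR, pos
        if not any(sector):
            blank += 1
    return SafeBootTriage(sector_no, offset, blank)

def verdict(t: SafeBootTriage) -> str:
    if t.marker_sector is not None:
        return f"SafeBoot marker at sector {t.marker_sector} offset {t.marker_offset}"
    if t.blank_sectors == TRACK0_SECTORS:
        return "first track zeroed: marker gone, tool-based decryption will likely fail"
    return "no SafeBoot marker: not SafeBoot, or the marker area is damaged"

def build_samples() -> dict:
    """Constructed 1 MiB images (not real SafeBoot data): marker in sector 0,
    the same with the first track wiped, and one with no marker."""
    body = bytes((i * 7 + 3) & 0xFF for i in range(SECTOR * 2048))
    tagged = bytearray(body)
    tagged[480:480 + len(MARKER)] = MARKER
    wiped = bytes(SECTOR * TRACK0_SECTORS) + bytes(tagged[SECTOR * TRACK0_SECTORS:])
    return {"tagged": bytes(tagged), "wiped": wiped, "plain": body}

if __name__ == "__main__":
    for name, img in build_samples().items():
        print(f"{name}: {verdict(triage_image(img))}")
```

To run it against a real acquisition, read the first 63 sectors of the dd file into `triage_image` instead of using the constructed samples.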

athulin
Senior Member
 

Re: safeboot/pointsec full hdd encryption is killing forensic?

Post Posted: Apr 28, 09 12:10

- datacarver:
As for pointsec, I just came across my first pointsec drive yesterday. I was able to boot into my image of the drive fine with LiveView and VMware and get to a Windows password screen, but EnCase does not even see the contents. I'm still trying to figure out the best way to tackle this drive by simply adding it to your case.


You can't do it in EnCase straight off. Blackfistsecurity.com has a lot of useful info on PointSec. Note, though, that the neatest method (slaving the disk) needs to be set up in advance.

If you can get your hands on the prot_2k.sys file used, you may be able to build a BartPE CD with the PointSec plugin (available on their installation CD). It works ... provided that you get the right file. This may be the simplest way forward for now -- just add FTK Imager Lite to the CD, and you are set to go.

I typically move the PointSeced drive to a lab computer, attach a destination drive, and then do a PointSec login with the alternate boot option, and boot from the EnCase Boot CD. As long as you stay with PATA drives, you should not have any major problems. SATA drives may need to be in some special BIOS mode, or you need to have the right drivers for the lab computer. Same thing with USB drives or network acquisition -- you need to ensure that the drivers on the boot CD match your hardware. And this is a DOS environment ... you need DOS drivers.

You may also want to call a PointSec expert at CheckPoint, and ask for the latest data recovery options ...  
 
  

Infern0
Senior Member
 

Re: safeboot/pointsec full hdd encryption is killing forensic?

Post Posted: Apr 28, 09 17:28

To those who had the experience messing around with Safeboot, and chose to decrypt before performing the acquisition/analysis, what harm did that cause to any of the data in a forensic sense? Had all the date/time stamps been trampled?  
 

Page 1 of 2