
safeboot/pointsec full hdd encryption is killing forensic?

11 Posts
9 Users
0 Likes
834 Views
(@francis87)
Posts: 18
Active Member
Topic starter
 

I have this problem: I want to investigate a HDD, but it was encrypted with SafeBoot. I think some of us face the same problem with Pointsec.

Is there any way to do away with the SafeBoot and start doing my forensic investigation on it?

 
Posted : 21/04/2009 7:35 pm
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

There is a BartPE/UBCD4WIN for it
http//ubcd4win.com/forum/index.php?showtopic=11191

But of course you need the .sdb file or the username/password + the "daily authorization code"
http//www.eems2.com/v1/public/documents/Removal%20Guide.pdf

Old-old versions were said to have a backdoor, but I don't think this is happening anymore.

jaclaz

 
Posted : 22/04/2009 12:06 am
(@paul206)
Posts: 70
Trusted Member
 

We use SafeBoot at work and I recently had to do an analysis of a laptop that was encrypted. We hooked it up to the network and gave our SafeBoot administrator the computer name, and he decrypted it for us so we could image it and run an analysis. When we were done we put the hard drive back in the laptop and turned it on, and it then called home to the server and re-encrypted itself.

 
Posted : 27/04/2009 11:54 pm
datacarver
(@datacarver)
Posts: 121
Estimable Member
 

EnCase now supports Safeboot. You will need to contact Guidance for the Safeboot plugin for EnCase.

You have two options with EnCase, point EnCase to the SDB file and machine name OR point it to the Safeboot Server (Requiring server credentials and that the SDB file be in an active table within the database).

I personally think using the offline SDB file is easier and I do not see many places providing you full access to the server.

You will also require the SDMCFG.ini & SbAlg.dll files from the server, and the SDB file of course.

There is also a floppy disk I have that will allow you to boot to the diskette and decrypt the HDD. I do not like this option. I prefer the decryption on the fly with EnCase. Plus, if you use the wrong SDB file with the diskette, it hoses your hard drive and requires you to clone and start again.

As for pointsec, I just came across my first pointsec drive yesterday. I was able to boot into my image of the drive fine with LiveView and VMware and get to a Windows password screen, but EnCase does not even see the contents. I'm still trying to figure out the best way to tackle this drive by simply adding it to your case.
I'll be exploring this suggestion...

 
Posted : 28/04/2009 4:24 am
 Edge
(@edge)
Posts: 15
Active Member
 

We use SafeBoot internally and I have done a tonne of SafeBoot recoveries and forensic work. After we got SafeBoot I spent a few weeks mucking around with it, and it's actually really easy to bypass, even if you have no access to an SDB file, SafeBoot Server or EnCase EDS Module.

A little bit of reverse engineering on v5 can go a long way, and on v4 a small flaw in SafeBoot logic can mitigate their entire security. I am not going to discuss on the forum how to reverse engineer or bypass their logic, as I have no idea what legal ramifications would exist if I did. francis87 and datacarver, PM me, I can help you.

On a side note, Guidance's developers have no idea about SafeBoot. Seriously, all EnCase looks for when decrypting SafeBoot volumes is the word SafeBoot in the first sector of the volume, so if the first 63 sectors become corrupt EnCase can't decrypt it, and you can't even force EnCase to decrypt the drive (you need to edit the DD image and put the word SafeBoot in the first sectors of the volume to trick EnCase). Or say the drive is partially encrypted: EnCase doesn't let you decrypt between sectors. The EnCase developers dismissed any need for the above in EnCase, so they have obviously never worked with SafeBoot outside a controlled testing environment.

 
Posted : 28/04/2009 6:15 am
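The post above describes two failure modes an examiner should check for before relying on a tool's automatic decryption: a damaged first-63-sector header (marker gone) and a partially encrypted drive. The triage script below is an added example, not code from the thread or from any vendor; it assumes only what the post states (an ASCII "SafeBoot" string somewhere in the first sectors) and uses a per-chunk entropy threshold, which is a heuristic of my own, to map which regions look like ciphertext. The sample image is constructed in-memory.

```python
import math
import random
from collections import Counter
from typing import List, Optional, Tuple

SECTOR = 512
MARKER = b"SafeBoot"      # the word the post says EnCase keys on (assumed ASCII, any offset)
SEARCH_SECTORS = 63       # the post's "first 63 sectors"

def find_marker(image: bytes) -> Optional[int]:
    """Byte offset of MARKER inside the first SEARCH_SECTORS sectors, or None."""
    off = image[:SECTOR * SEARCH_SECTORS].find(MARKER)
    return None if off < 0 else off

def shannon_entropy(buf: bytes) -> float:
    """Bits per byte (0..8); ciphertext sits near 8, a plaintext filesystem well below."""
    if not buf:
        return 0.0
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in Counter(buf).values())

def encryption_map(image: bytes, chunk_sectors: int = 64, threshold: float = 7.5) -> List[Tuple[int, bool]]:
    """(first sector of chunk, looks_encrypted) for each chunk, judged by entropy (heuristic)."""
    step = SECTOR * chunk_sectors
    return [(s // SECTOR, shannon_entropy(image[s:s + step]) >= threshold)
            for s in range(0, len(image), step)]

def triage(image: bytes) -> dict:
    """Combine the marker check with the entropy map into a verdict an examiner can act on."""
    marker = find_marker(image)
    emap = encryption_map(image)
    enc = sum(1 for _, e in emap if e)
    if marker is None:
        verdict = "plaintext, no marker" if enc == 0 else "ciphertext-like but no marker: damaged header or other FDE"
    elif enc == len(emap):
        verdict = "SafeBoot marker, fully encrypted"
    elif enc == 0:
        verdict = "SafeBoot marker, no ciphertext-like regions"
    else:
        verdict = "SafeBoot marker, partially encrypted"
    return {"marker_offset": marker, "encrypted_chunks": enc, "total_chunks": len(emap), "verdict": verdict}

def build_sample_image() -> bytes:
    """Constructed 256-sector image: marker in sector 0, chunks 1-2 random, chunks 0 and 3 plaintext-like."""
    rng = random.Random(7)
    plain = (b"plaintext filesystem data\n" * 40)[:SECTOR]
    sector0 = (b"\x00" * 3 + MARKER).ljust(SECTOR, b"\x00")
    return sector0 + plain * 63 + rng.randbytes(SECTOR * 64 * 2) + plain * 64

def corrupt_header(image: bytes) -> bytes:
    """Simulate the post's failure case: first 63 sectors overwritten, marker gone."""
    return random.Random(11).randbytes(SECTOR * SEARCH_SECTORS) + image[SECTOR * SEARCH_SECTORS:]
```

Run `triage(open("image.dd", "rb").read())` against a real DD image to see the verdict; a "partially encrypted" or "no marker" result is the cue to fall back on a manual procedure rather than a tool's built-in decryption.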
(@athulin)
Posts: 1156
Noble Member
 

As for pointsec, I just came across my first pointsec drive yesterday. I was able to boot into my image of the drive fine with LiveView and VMware and get to a Windows password screen, but EnCase does not even see the contents. I'm still trying to figure out the best way to tackle this drive by simply adding it to your case.

You can't do it in Encase straight off. Blackfistsecurity.com has a lot of useful info on PointSec. Note, though, that the neatest method (slaving the disk) needs to be set up in advance.

If you can get your hand on the prot_2k.sys file used, you may be able to build a BartPE CD with the PointSec plugin (available on their installation CD). It works … provided that you get the right file. This may be the simplest way forward for now – just add FTK Imager Lite to the CD, and you are set to go.

I typically move the PointSeced drive to a lab computer, attach a destination drive, and then do a PointSec login with the alternate boot option, and boot from the EnCase Boot CD. As long as you stay with PATA drives, you should not have any major problems. SATA drives may need to be in some special BIOS mode, or you need to have the right drivers for the lab computer. Same thing with USB drives or network acquisition – you need to ensure that the drivers on the boot CD match your hardware. And this is a DOS environment … you need DOS drivers.

You may also want to call a PointSec expert at CheckPoint, and ask for the latest data recovery options …

 
Posted : 28/04/2009 12:10 pm
(@infern0)
Posts: 54
Trusted Member
 

To those who had the experience messing around with Safeboot, and chose to decrypt before performing the acquisition/analysis, what harm did that cause to any of the data in a forensic sense? Had all the date/time stamps been trampled?

 
Posted : 28/04/2009 5:28 pm
datacarver
(@datacarver)
Posts: 121
Estimable Member
 

To those who had the experience messing around with Safeboot, and chose to decrypt before performing the acquisition/analysis, what harm did that cause to any of the data in a forensic sense? Had all the date/time stamps been trampled?

In my dealings with them, it appears that SafeBoot is mainly a container and did not alter metadata for the files when the drive was decrypted, but do not quote me. The cases where I have dealt with SB have merely been data dumps, and the files I collected were not altered. I have come across cases where the act of decrypting the drive may not allow you to boot the drive normally, as it may jack with the MBR, but you are able to attach the drive externally and still see all the data in a tool like EnCase or FTK.

BTW FTK 2.X released something saying that it now supported Safeboot. A couple of members from our team went to test it and it didn't even work. We called support and they were telling us to push a button that was not even available! Then they came back and said it was not working.

 
Posted : 28/04/2009 7:44 pm
datacarver
(@datacarver)
Posts: 121
Estimable Member
 

I just received a document from Guidance today for a possible Pointsec workaround. Can someone host this document so the rest of the group can download it?

 
Posted : 28/04/2009 8:44 pm
(@smozumdar)
Posts: 1
New Member
 

I just received a document from Guidance today for a possible Pointsec workaround. Can someone host this document so the rest of the group can download it?

Can you please send the workaround document for Pointsec to my email id: subratomozumdar@gmail.com

 
Posted : 18/02/2011 11:06 am