Acquire Checkpoint FDE SSD with Encase Forensic
I am currently trying to Acquire an SSD with Checkpoint FDE connected via a Tableau Write Blocker. I have created the case in EnCase Forensic and have got to the point where i select acquire and get the box pop up asking for the .rec file and username. I have got a copy of the .rec file from the companies service desk but they have offered two different solution's in order to decrypt the disk;
1) They can provide me with 2 recovery PIN number's, i am assuming this will not work with EnCase as this is not what EnCase is asking for?
2) I can get a username and password from the service desk which they are saying i then need to create a bootable Win32Disk Imager USB in order to image the drive. Am i correct in thinking that instead of doing this i can just enter the username and password into EnCase when prompted and that will work?
I have never worked with Checkpoint FDE before and have been trying to read up on exactly how it work's, i have looked at the KB article on Guidance Software's Customer Portal and believe i am correct in my assumtion in point 2 from what i have read but just wanted to get it confirmed from someone out there who has worked with Checkpoint FDE before.
Any advice greatly appreciated. )
Just to update the companies server desk has now provided me with a recover.img file which they are insisting i need to use with Win32DiskImager in order to decrypt the drive before i can take the forensic image. IDuring the decryption process i need to contact them in order to obtain a username and password however they are saying this will not work with our forensic software as it is not an ordinary username or password (sadly they seem unable/unwilling to explain exactly what they mean by this.
My question is;
Is there any way i can decrypt and acquire this disk by using EnCase alone or does it require the username and password directly from the end user in order to do this rather than some kind of administrative/recovery credentials?
I am more familiar with bitlocker encryption and used to obtaining the recovery key, popping that in and away you go. I am hoping that Checkpoint FDE can be done in a similar way but i am not sure that it is.
I want to make sure it is definitely not possible to do this just using EnCase before i go down the route of using the Win32DiskImager.
Any help or advice greatly appreciated.
the 2 PIN method is a challenge response system using the checkpoint software. You would have to boot the device to enter these details. If I remember correctly this method does not actually decrypt the device, but it does give you access.
The second method is utilises the companies admin accounts to decrypt the data, and a recovery CD (or USB in this case) with a checkpoint utility
Although I haven't tried it, the Encase method should work using the same details that the company would supply for the recovery CD, ie an account with rights to decrypt the drive, not the users credentials.