All,
I am not sure where to start and how much detail to put in initially!
I have a number of laptops encrypted using Checkpoint. I have the decryption keys.
I want to get the best forensically sound image of the laptops as possible.
Has anyone got any forensic methodology / experience for obtaining an image?
Many thanks in anticipation
Mark
Mark
I would personally forensically clone the original drive to another disk. Forensically mount the cloned drive, then using the disk encryption software apply the key. Create an image of the unencrypted drive.
People with lots of knowledge of Helix may be able to suggest a simpler way of doing this.
Regards
Sam,
thank you for the reply, this is why I did not know how much to put on the first post.
I have taken a bit by bit copy of the original.
I am working on the copy. OK so far…
Check Point provide a utility called Full Disk Encryption Dynamic Mount Utility. I provide the key and, no matter how I attach the drive, I cannot get the utility to see the drive. I have tried attaching it as an internal drive (via SATA) and via a USB connection in a caddy, but it won't see it!
I don't know if I am doing something obviously wrong?!
Thanks
Mark
Probably an obvious question but can your OS see the connected disk?
Sam,
Thank you again - no such thing as an obvious question, and please ask, as I may be missing something extremely simple!
My OS sees it, but thinks it needs formatting.
Mark
It may be due to the way the clone has been created?
If the cloned-to disk is bigger and you've selected to expand the space to assign the additional disk space to unallocated, then, due to disk encryption being the full drive/partition, it's attempting to mount it all. One way to do it would be to reshuffle the disk so that only the encrypted sectors are in the partition, or to re-clone so that the partitions remain the same and the empty space is assigned at the end of the disk. However, this still may not work depending on how the disk encryption has been implemented by Checkpoint (I've not looked, but it may be useful to see how it encrypts the drive).
A technically easier way may be to create an EnCase evidence file of the original disk, then mount this using software and from there attempt to mount the disk in the encryption software.
Someone may also be able to advise you about the use of Helix to do this better. I haven't played with Helix (looking at it in the next few months) so I am unable to give you advice about how it may assist.
Kind regards
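An added check (not from this thread or from Check Point) for the clone-layout problem Sam describes: it parses the MBR of the original and of the clone, flags a partition table that was rewritten to expand into the bigger disk, and hashes each partition span so a bit-for-bit clone can be confirmed before handing it to the mount utility. The tiny images produced by make_image are constructed sample data, not real drives.

```python
import hashlib
import struct

SECTOR = 512
# One 16-byte MBR slot: status, CHS start, type, CHS end, LBA start, sector count
MBR_ENTRY = struct.Struct("<B3sB3sII")


def mbr_partitions(image: bytes):
    """Return (type, lba_start, sector_count) for each non-empty MBR slot."""
    parts = []
    for i in range(4):
        _status, _, ptype, _, lba, count = MBR_ENTRY.unpack_from(image, 446 + 16 * i)
        if ptype != 0 and count != 0:
            parts.append((ptype, lba, count))
    return parts


def check_clone(original: bytes, clone: bytes):
    """Compare partition layout and partition content of a raw clone against the original.

    Returns a list of findings; an empty list means the clone is layout- and bit-identical
    over every partition the original defines (trailing unallocated space is allowed).
    """
    findings = []
    if original[510:512] != b"\x55\xaa" or clone[510:512] != b"\x55\xaa":
        return ["missing MBR signature"]
    op, cp = mbr_partitions(original), mbr_partitions(clone)
    if op != cp:
        findings.append(f"partition table differs: original={op} clone={cp}")
    for _ptype, lba, count in op:
        start, end = lba * SECTOR, (lba + count) * SECTOR
        if end > len(clone):
            findings.append(f"partition at LBA {lba} extends past end of clone")
            continue
        if hashlib.sha256(original[start:end]).digest() != hashlib.sha256(clone[start:end]).digest():
            findings.append(f"partition at LBA {lba} content hash mismatch")
    return findings


def make_image(total_sectors: int, parts, fill: bytes) -> bytes:
    """Build a small raw disk image with an MBR and pattern-filled partitions (constructed data)."""
    img = bytearray(total_sectors * SECTOR)
    for i, (ptype, lba, count) in enumerate(parts):
        MBR_ENTRY.pack_into(img, 446 + 16 * i, 0x80 if i == 0 else 0, b"\0\0\0", ptype, b"\0\0\0", lba, count)
        size = count * SECTOR
        img[lba * SECTOR:(lba + count) * SECTOR] = (fill * (size // len(fill) + 1))[:size]
    img[510:512] = b"\x55\xaa"
    return bytes(img)
```

Run check_clone on the raw clone and original; a "partition table differs" finding is the expanded-partition case above, and a hash mismatch means the clone is not a faithful sector copy.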
I have a number of laptops encrypted using Checkpoint. I have the decryption keys.
I want to get the best forensically sound image of the laptops as possible.
Has anyone got any forensic methodology / experience for obtaining an image?
I assume you are referring to the full-disk encryption software PointSec.
There are a number of approaches that have been discussed both here (I'm pretty sure) and in the Guidance forum (useful only for those with Encase, I know).
Method 1: PointSec provides an 'alternate boot' feature, by which you can 'log on' the drive (which installs a decryption module in BIOS), and then boot from another device – where you have your forensic tools. (Enter Ctrl-F10 one or two times before you enter the account name, and instead of booting the main operating system, PointSec will give you a boot menu. The booted environment will have read/write access to the encrypted drive.) This works *only* for BIOS-based boots, which essentially limits your choices of OS to boot to DOS or Windows 95 (and perhaps 98). Booting Linux won't work, as Linux doesn't use BIOS, and thus ignores the decryption module that was installed there. This leads to the problematic fact that you need to use DOS or Win9x device drivers if you do acquisition to a network, USB or FireWire destination drive (and even to/from SATA in some cases), and this means you have to find such drivers, and possibly even move the encrypted drive to an older system for which you have such drivers – there are rarely suitable drivers for modern hardware. (I tend to do disk-to-disk acquisition to avoid the problems that come with all these old drivers.)
Method 2: PointSec provides a BartPE module on their installation CD. This module, along with the file prot2k.sys (which needs to be obtained from another installation with the same release number, or at least reasonably close), allows you to create a BartPE boot CD. Ensure that you have some useful forensic imaging software added as well (FTK Imager Lite is easy to add), and you can use it to boot from. Again, you may need device drivers, but there are several collections available as BartPE modules already. This takes the most time to set up, and you may need a PointSec'd laptop to experiment on, but it is the most convenient if PointSec'd drives of a fixed release are or will be standard jobs. But you do need to create a new boot CD for every version of that prot2k.sys.
In both cases you typically use a one-time login from the PointSec administrator or service desk – which has to be set up beforehand. If the customer isn't PointSec savvy, they may not have set up everything right to cover this particular situation.
There is a Method 3, but it can only be used if the installation allows the PointSec'd drives to be slaved to another PointSec installation. This is a non-default installation, which allows you to take a PointSec'd drive, attach it to another system which has PointSec installed, and then log into it as usual. Very convenient, but also very rare. And probably impossible to set up without actually booting the drive and using the PointSec environment on it.
There may be a Method 4: you may also want to ask Check Point – about a year ago, I learned that they were thinking of some kind of data recovery tool intended for service desks when something went badly wrong and the system failed to boot. That tool would probably also do the job, if it has been made available since.
There is also the possibility to uninstall PointSec and acquire the decrypted drive as usual. I don't think it is the best solution, but in some cases it may be the best that remains.
Of course, you can also use a one-time password to log in to the drive, boot the operating system, and then do a live acquisition of the disk, but that is clearly also a last-ditch solution.
Added: The dynamic mount utility is new to me. I'll need to check that one out.
Thank you for the comprehensive reply.
The dynamic mount utility is now working. I have so far been able to only get it to work on a beta version of windows 7!
But even then it crashes toward the end of the acquisition process.
The utility, when it works, provides a means to see the encrypted drive and introduce the decryption key. Once introduced, you still need the admin password (which I have), and then the drive can be seen in the clear.
I am still working through the finer points, especially as I have not been able to get a complete image as yet, but I am slowly getting there.
Many thanks
Mark
Mark
How did you get it to see the disk in the end?
Sam
We have been making a forensic copy of the original drive, decrypting the original, imaging the decrypted drive, and we are good to go.
One could also restore a drive, but it has to be as similar to the original as possible, I believe.