Hello,
I have got a PointSec encrypted image. Can anyone provide me with a step-by-step guide to taking a decrypted copy using EnCase, please?
Thanks in advance
A
Perform a search using Google for the terms "EnCase and Checkpoint PointSec – I’m Not Feeling the Love!" There is an article on the SANS Institute Computer Forensics Blog.
Thanks, got it! But I didn't realise it was so tricky…
If things are set up right, it needn't be tricky.
If you are on reasonably good terms with the people who hold the PointSec keys, you simply ask them to prepare a rescue CD – PointSec provides a BartPE plugin for that on the PointSec distribution CD, but you have to add the right .DLL that fits that particular release of the software. (Yes, you probably need to add the usual BartPE USB, SATA and network drivers as well, unless you acquire to/from a PATA drive.) With that CD in hand, you just boot from it (load additional drivers manually, if you need to), log in to PointSec as usual, and then get FTK Imager Lite (or perhaps the old DOS-based EnCase) off a USB drive, and run it from there. This is the best solution I know of, so far. (You may want to talk with PointSec, though, to check that they haven't a better solution for data rescue available themselves.)
Actually, this is a better way to go, because you will only have to be given a single-use password to log in, and some kind of helpdesk needs to assist you. But if you are given the uninstallation keys, I have the impression that you have been given the PointSec crown jewels, and since no one can know if you keep them to decrypt other drives from the same PointSec environment, they have to build and deploy a new PointSec infrastructure with new keys, if they're anywhere near serious about encryption. (I'm not a PointSec admin, so I may be mistaken – indeed I hope I am.)
You can reuse the rescue CD for other drives using the same release of PointSec (or more correctly, the same .DLL). But if you are doing this professionally, you will need to get a rescue CD that matches each release you may come in touch with – and even then, I'm not too sure whether you don't need a PointSec license as well.
Actually, you can do a slightly more non-robust acquisition that doesn't need a .DLL: log in to PointSec the usual way (yes, there is a risk of writebacks if you fail), but use CTRL-F10 (isn't it?) to boot from a secondary medium instead of the main drive, typically the old EnCase Boot Floppy or similar contents transferred to USB or CD. (You have to boot something that relies on BIOS for disk access, so that PointSec can insert its decryption routines there. Nothing else will do.) This is non-robust, as it relies on that boot CD having all the necessary drivers for the hardware you use. I use a very old Fujitsu-Siemens computer when I do this, where USB and network equipment have been verified to work with the drivers on the EnCase boot floppy, and the BIOS doesn't add any weirdness. It's not a solution to use on unfamiliar hardware, though.
I've done the method described by Athulin before on an encrypted laptop and it worked fine. (One-time login provided by a PointSec admin, booted to an alternate device, in this case an EnCase boot disk, then imaged as normal.)
You may want to note that at the time I tried this, Linux boot CDs definitely wouldn't play with PointSec, so it had to be a DOS boot CD.