SANS Digital Forensics and Incident Response Blog: Tag - CheckPoint

Decrypting a PointSec Encrypted Drive Using Live View, VMWare, and Helix

Doing it the HARD way!

Perhaps you remember my previous blog on EnCase and PointSec, which included my plea for Guidance Software and CheckPoint to work together to create a seamless way to decrypt drives without having to go through 20 or 30 steps to get there. I even wrote, out of desperation, A Case for Decryption of the Original, because it would save time-consuming steps and not change the data relevant to an investigation.

Time for an update. As noted in my last blog on decrypting the original, VMWare no longer recognizes a raw disk as a valid disk image. Images have to be converted before

...


EnCase and Checkpoint PointSec - I'm Not Feeling the Love!

Hard Disk photo courtesy of Jeff Kubina at http://www.flickr.com/photos/kubina/

EnCase cannot directly access PointSec encrypted hard drives. I understand that PointSec (owned by Checkpoint) may be talking to EnCase and working on a decryption solution. Today, however, there is no seamless way to forensically access PointSec encrypted data without going through a decryption of the hard drive first. More information may be found at