SANS Digital Forensics and Incident Response Blog: Tag - Decryption

Decrypting a PointSec Encrypted Drive Using Live View, VMWare, and Helix

Doing it the HARD way!

Perhaps you remember my previous blog on EnCase and PointSec, which included my plea for Guidance Software and CheckPoint to work together to create a seamless way to decrypt drives without having to go through 20 or 30 steps to get there. I even wrote, out of desperation, A Case for Decryption of the Original, because it would save time-consuming steps and not change the data relevant to an investigation.

Time for an update. As noted in my last blog on decrypting the original, VMWare no longer recognizes a raw disk as a valid disk image. Images have to be converted before

...


PointSec Decryption - A Case for Decryption of the Original

By J. Michael Butler

A while back, I posted about EnCase and PointSec — "Encase and PointSec - I'm Not Feeling the Love". I wrote about my frustrations with the difficulties of decryption for a forensic exam. My main point was that EnCase and PointSec need to work together to provide forensic examiners a way to view the PointSec drive in EnCase simply by entering the PointSec password. I also detailed my process for decryption which involved the use of VMWare and a virtual image of the encrypted drive.


Lawyers Aren't So Bad, After All

This sentiment may vary depending on which side of a case you are on. I have had the good fortune to work with several capable lawyers. It has been my experience that lawyers are good listeners when they need input from me concerning my field - forensics. The important thing is to make sure you have a good relationship with legal. The communication lines have to be open, no matter what you think of the "legal eagles" with whom you are dealing.

Just Push a Button...

I wrote code in a former life for a guy who ran a trucking firm. He didn't even know how to turn the computer on. However, when he wanted some new feature, his comment was, invariably, "...you should just be able to push a button

...


EnCase and Checkpoint PointSec - I'm Not Feeling the Love!

[Image: hard disk photo courtesy of Jeff Kubina at http://www.flickr.com/photos/kubina/]

EnCase cannot directly access PointSec encrypted hard drives. I understand that PointSec (owned by Checkpoint) may be talking to EnCase and working on a decryption solution. Today, however, there is no seamless way to forensically access PointSec encrypted data without going through a decryption of the hard drive first. More information may be found at