Monday, July 7, 2008

Pointsec for PC: Creating a Boot Disk

Edit: November 30, 2010: Stop building your boot CD using this method. It is much easier to do now and instructions can be found here: http://www.blackfistsecurity.com/2010/11/easier-way-for-full-disk-encryption.html

Quick Note:
I am not an authorized distributor of Checkpoint's software. Please don't ask me to send you software that I do not have permission to send. I'm sorry if you lost your installation media, but I'm sure the people at Checkpoint can work something out with you. I will delete comments asking me to send software.

Did you know that you can take a computer that is encrypted with Pointsec for PC and boot it to a CD? Maybe you did know that, but finding the documentation that describes how to create the CD is actually more difficult than creating the CD itself. Here I will outline the steps that I used to create a bootable CD that can read the encrypted contents of a hard drive protected by Pointsec.

The procedure that I'm going to describe was written for Pointsec for PC version 6.2. I have verified that it is the same process for Pointsec 6.3.

There is one thing that I need to clear up right away. This is not a way of getting around the encryption on a computer, and it is not evidence that your computer is not being protected by Pointsec. This bootable disk will still require that you enter valid credentials for the hard drive that you are trying to access. In fact, once we've finished creating the CD, we're actually going to boot to the hard drive first, authenticate, and then boot to the CD.

This is very valuable as a troubleshooting step when the Pre-Boot Environment is working properly but the operating system is not. A good example I can think of is when a device driver becomes corrupted. You might log into the Pre-Boot Environment, but then Windows blue screens while it is loading. You might normally just image the machine and move on, but this one has some files that your user hasn't backed up. If you don't have one of these boot CDs handy then you would have to use your recovery file to create a boot device and remove the encryption. This takes a while and is a real pain when you just want to recover a couple of files.

Another item of interest is that since you're going to authenticate to a working Pre-Boot Environment, you don't need to use the computer's recovery file and you don't need to create a unique CD for each computer that you're going to recover from.

Materials Needed: In order to create a boot disk you will need the following:

  • 1 working computer running Pointsec for PC. The version running needs to be the same as the version on the computer you are going to recover from.
  • 1 Windows XP installation CD
  • The latest version of PE Builder, available at http://www.nu2.nu/pebuilder/
  • The installation media for the version of Pointsec that you are running.

Install PE Builder
Download the latest version of PE Builder and install it on a working computer that is running the same version of Pointsec for PC as the machine you're going to recover from. You can accept the defaults for the installation. In the version that I used, it installed itself to c:\pebuilder3110a. If this is different for you, that's fine; just make sure in the next step that you provide the real path, not the path that I list. Do not run the program once the installation is complete.

Seriously, don't ask me to distribute Check Point software! People seem to have trouble reading the note at the beginning of this post. If you ask in the comments it won't even show up on the blog because I'll reject it. I do not have permission to distribute Check Point's software and neither does anyone else who is likely to be reading this blog. So please don't ask me.

Install the Pointsec plugin for PE Builder
Included with your installation media is a folder called Resource Kit, and in that folder you'll find another folder called BartPE Pluginbuilder. Inside that folder you'll find a zip file that needs to be extracted. Extract the zip file to c:\pebuilder3110a\plugin.

When the extraction is complete you should have a folder in c:\pebuilder3110a\plugin called Pointsec. This Pointsec folder should have two subfolders called files and images. Make sure that the directory structure is correct. It is very easy to accidentally extract the zip file and end up with a path like c:\pebuilder3110a\plugin\pointsec\pointsec\files, which is not correct. There should only be one folder called pointsec.

Next you have to copy the Pointsec filter driver to the plugin folder. You will probably have to stop the Pointsec service and the Pointsec Service Start service because the file you need will be locked while they are running. Navigate to c:\windows\system32\drivers and copy the file prot_2k.sys. Navigate to c:\pebuilder3110a\plugin\pointsec\files and paste the prot_2k.sys file there.

Create the boot image
Insert your Windows XP installation CD into the CD-ROM drive on your machine. Open PE Builder, which will give you the option to search for Windows installation files. You may want to skip that step and just type d:\ or whatever your disc drive letter is. Click the plugins button and make sure that the Pointsec for PC Encryption filter driver is included in the list and that it is enabled. Click the close button to go back to the builder screen and then click build to create your ISO image.
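As an added example that is not part of the original post, the following PowerShell script automates the pre-build checks from the steps above on the build machine: it verifies the plugin folder layout (catching the doubled pointsec\pointsec extraction mistake), stops the Pointsec services so prot_2k.sys is no longer locked, copies the driver into the plugin's files folder, and reports the driver's file version so you can confirm it matches the machine you intend to recover. It assumes the post's C:\pebuilder3110a install path and matches the services by the display-name pattern 'Pointsec*', which is an assumption since the post names them only informally.

```powershell
# Added example, not the original post's or Check Point's code.
# Assumptions: PE Builder root is C:\pebuilder3110a (as in the post) and the two
# Pointsec services have display names starting with "Pointsec" (assumed pattern).
param(
    [string]$PeBuilderRoot = 'C:\pebuilder3110a'
)

$pluginRoot = Join-Path $PeBuilderRoot 'plugin'
$pluginDir  = Join-Path $pluginRoot 'pointsec'
$filesDir   = Join-Path $pluginDir 'files'
$imagesDir  = Join-Path $pluginDir 'images'
$driverSrc  = Join-Path $env:SystemRoot 'system32\drivers\prot_2k.sys'
$driverDst  = Join-Path $filesDir 'prot_2k.sys'

# 1. Plugin layout must be plugin\pointsec\{files,images}; a nested
#    plugin\pointsec\pointsec means the zip was extracted one level too deep.
if (Test-Path (Join-Path $pluginDir 'pointsec')) {
    throw "Found nested $pluginDir\pointsec - re-extract the plugin zip directly into $pluginRoot."
}
if (-not (Test-Path $filesDir) -or -not (Test-Path $imagesDir)) {
    throw "Expected $filesDir and $imagesDir to exist; extract the plugin zip into $pluginRoot."
}

# 2. The filter driver is locked while Pointsec's services run, so stop them first.
$services = @(Get-Service -DisplayName 'Pointsec*' -ErrorAction SilentlyContinue)
if ($services.Count -eq 0) {
    Write-Warning "No services matching 'Pointsec*' found; the copy below may fail if the driver is locked."
}
$stopped = @()
foreach ($svc in $services) {
    if ($svc.Status -eq 'Running') {
        Write-Host "Stopping service '$($svc.DisplayName)'"
        Stop-Service -Name $svc.Name -Force
        $stopped += $svc
    }
}

# 3. Copy prot_2k.sys into the plugin's files folder.
if (-not (Test-Path $driverSrc)) {
    throw "Filter driver not found at $driverSrc - is Pointsec for PC installed on this machine?"
}
Copy-Item -Path $driverSrc -Destination $driverDst -Force

# 4. The CD can only read disks encrypted by the same Pointsec version, so record
#    the driver version now and compare it against the machine you will recover.
$version = (Get-Item $driverDst).VersionInfo.FileVersion
Write-Host "Copied prot_2k.sys (file version $version) to $driverDst"
Write-Host "Confirm the target machine runs this same Pointsec version before booting it from the CD."

# 5. Restart the services that were stopped so the build machine stays protected.
foreach ($svc in $stopped) {
    Start-Service -Name $svc.Name
}
```

Run it from an elevated PowerShell prompt before clicking build in PE Builder; the plugin list should then show the Pointsec filter driver entry as described above.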

Burn to a CD
Burn the ISO to a CD using the software of your choice.

Boot to the CD
It seems counter-intuitive, but the way to boot from the CD is to boot from the hard drive first. Remember, your Pre-Boot Environment must be working properly for this to work. You may need to configure your BIOS to boot to the hard drive and not the CD.

If you're using Windows Integrated Login then you won't have the opportunity to authenticate to the Pre-Boot Environment. You can turn off WIL even if your computer isn't working properly by following these directions.

When you get to the Pre-Boot Environment screen, press CTRL+F10. Nothing visible will happen when you press the key combination, but after you log in you will be taken to the Alternate Boot Menu. From here you can instruct Pointsec to boot to the CD that you created. Once the boot process is complete you should be able to read the hard drive and copy files to a network share.

79 comments:

Anonymous said...

I followed these instructions but when I get to the alternative pointsec boot menu and enter a number I receive the following message - "Unable to set First Boot device - press any key". I am unable to boot to the CD. Any thoughts?

Black Fist said...

I haven't seen that error before. I know there is something in the release notes mentioning that not all of the options presented in the Alternate Boot Menu may be available for your computer, but damn! The CD-ROM?

I think a good first step is to verify that your boot CD works alright. Go to a machine that is not running Pointsec and see if you can boot with your CD. If it doesn't work then we need to get that problem fixed first.

Anonymous said...

Thanks for your reply. I tried the CD on a working computer earlier and of course it worked perfectly.

Is it possible to slave the encrypted drive in another PC that is encrypted as well so at least I can get to the data? I need to get to the data without decrypting because that can take hours.

Black Fist said...

Yes, you can slave the drive, which reminds me that I should write a post on how to do that.

Essentially the encrypted drive needs to have "allow hard drive to be slaved" permission, and the computer that you put it in needs to have "allow a slave hard drive" permission. You will also have to turn off Windows Integrated Login if you're using that. You'll be asked to authenticate to both of the drives, and when Windows boots up you will be able to browse the slave drive.

Anonymous said...

Hi, I am having problems with my laptop, encrypted with Pointsec of course.

I get a black screen that says "NTLDR is missing". That's all.

Is there any way to get to my files? I really need to access the hard disk.

I will appreciate any ideas.

Thanks in advance.
mt

Black Fist said...

Since I have several anonymous posters here, I'm going to refer this answer to Anonymous.NTLDR. I'm not sure if Anonymous.NTLDR is the same person as the other Anonymous that was posting.

Typically when you get the message that NTLDR is missing it means that you have a serious problem with your windows installation. The good news is that you can recover your data from the machine. My experience has been that unless you throw the hard drive in a wood chipper you will be able to get your data back. What you want to do is go to a computer that has a working installation of Pointsec and then navigate to the server where you kept your recovery file. Double click on the file and follow the instructions to create boot media for your broken computer. You can decrypt the entire drive and then use something like Knoppix to recover your data.

You can also try using the directions on this post to create a boot CD, but as other commenters have mentioned, BartPE can be a little persnickety about drivers.

Anonymous said...

I am Anonymous.NTLDR.

Thanks for the response.

The thing is that the recovery file is in the same laptop. So I don't have it.

Pointsec 6.1.3 is the version I have installed on the laptop. I don't have the installation CD so I can't get the pointsec plugin for BartPE.

I searched for it on the web. And nothing.

With this being said, is there any magic solution for me?

Black Fist said...

Now you're in trouble. If you save the recovery file to the local encrypted drive and you don't have a backup on a network drive somewhere then you will not be able to create a recovery disk and decrypt the drive. As I have told my students "Do not save the recovery file to the local hard drive or you will endure much sadness." It is the technical equivalent of locking your keys in the car.

At this point your best bet is to call support. They might be able to help you get a copy of the prot_sys file that you need. Remember, the file is version specific so using any old copy of prot_sys that you find on the web will not work. Once you have the right version of the file, you can follow these directions to create a boot CD and get to your data.

Anonymous said...

Hehe.. I didn't know about the existence of a recovery file until this happened.

Anyway I have a copy of the same prot_2k.sys version.

The only thing I don't have is the pointsec plugin from the CD installation.

Is it possible to get a free copy somewhere?

My email is mtuma@hotmail.com

Thank you for all the support, and farewell! Congrats on the great blog.

Black Fist said...

I don't know if there is a place to download the file. If you have a support contract then you can get it from User Center. I tried to email you my copy but hotmail came back and said that your email address was no good.

Richard said...

I too am looking for the Pointsec plugin to play with. I would love to be able to add it to my Bart PE disk. If you have a moment could you email it to me at Rich@acoupleofadmins.com

Thanks

Anonymous said...

This is great information, thanks! Can you tell me if it is possible/impossible or unknown if you can create a boot CD for PointSec version 5.2.3? I have a drive from a laptop that has a corrupted Windows OS. There are just a few files I need off of it.
Thanks
PSM

Black Fist said...

I haven't worked with Pointsec software that old before. I would guess that you need to look at the distribution media and see if it includes the BartPE plugin or not. I know that you won't be able to use the prot_sys file from a newer version of Pointsec to read a disk encrypted with an older version.

Your best bet might be to completely decrypt the drive with a recovery disk and get your files back that way. If you're only dealing with one computer, you will probably spend more time creating the boot disk than you would going through the recovery process.

George said...

I have two questions... if I can't get access to the installation media with the zip file, how else can I access that piece? Also, a coworker has the prot_2k.sys file, but when we try to copy it so I can use it, we get the message that it is in use by another program. Since it is being used by Pointsec, how can I copy the file? Mildly desperate here :)

Ahmad Muzayyin said...

Hi,
I have a problem with Pointsec. When I logged in the first time and went to the password menu, a message appeared saying the user database is damaged. What should we do?

Black Fist said...

Hi George.
If you can't copy the prot_2k.sys file then you need to stop the two pointsec services. Once you've stopped the services you should be able to copy that file.

As for getting a copy of the zip file, I'm not sure what to do. I would probably call support for this one. I've had a few people ask me to send them copies of files, but I'm pretty sure that I don't have permission to redistribute Checkpoint's software.

Anonymous said...

Hello, I have a problem: the first time I have a user boot in after the Pointsec logon, I am getting "Missing Operating System". It is on a Vista PC. Any ideas?

Anonymous said...

This works great on a working laptop. The problem for me is I cannot get to the alternate boot menu after entering Pointsec. It immediately bluescreens and pops the following error:

Error Code: 0x5000cfc
Stack Backtrace
PSMain: 6927
PSMain: 19fd1
PSMain: 1ab06
PSMain: 1ae2f
PSMain: 8d58
PSMain: 7ea3
PSMain: 4a2fa
PSMain: 3f8e7
PSMain: 40094
PSMain: ce5
PSMain: 78
PSMain: ba

Of course, the user's recovery files are on the encrypted drive...

I googled and read about a tool called 0x50012b8_recovery_tool but cannot find it anywhere.

Any advice?
thanks,

David

Black Fist said...

Anonymous Vista: I have only seen the problem of missing operating system once...and it happened today. I was going over some pointsec stuff with a guy that was running a boot manager that I had never heard of. He was triple booting his machine and after installing Pointsec he got the dreaded "Black Screen of Inconvenience", which is my name for when the computer just gives you a black screen. I had him run fixboot to get past that and then we got the missing operating system messages.

But it sounds like you're already in a fairly hosed state, so you probably can't make things much worse. I would try booting to an XP installation CD, going to recovery and running fixboot just to see what happens.

Black Fist said...

David: I have told many people over the last year that if you keep your recovery files on the local machine then you will endure much sadness. You are now enduring.

I've never heard of the program that you've mentioned. I am doubtful that it would work though. Right now your computer is encrypted with a well respected encryption algorithm that is well implemented. It is unlikely that anyone has written a tool that can undo that.

Anonymous said...

This is David.

Thanks for the reply. I actually read about that program on the Checkpoint forums and it is available from Checkpoint support supposedly. Problem is our support agreement expired and will cost 9k to renew, which probably won't be happening soon since we are migrating to another solution early next year.
The user is handed a set of instructions to back up their recovery files once a month and this person failed to do so. We originally had it set up to copy them to a network share, but we have a few laptops that never hit our domain so we had to redirect recovery files to local drives and give users instructions. I was just hoping someone else had come across this problem. It appears to be a corrupt DB issue. I googled "Error Code: 0x5000cfc" and users reported that tool worked.

StateUser said...

I'm glad this is possible with Bart PE. How hard would it be to get this going in Windows PE 2.1? I've already moved most of my BartPE stuff over to WinPE, and the pointsec stuff has been a bugger. Any suggestions?

Black Fist said...

@StateUser
I wish I had an answer for you. I have only seen instructions for Bart. Pointsec only comes with a plugin for Bart. I bet that it would work, but I'm not very familiar with either Bart or WinPE.

Francisco Ribeiro said...

Hi friend,

I have a big problem here with my Pointsec. After resetting my computer (as usual, daily), it came back only to the "Pointsec for PC..." point, and then I receive a beep and the screen becomes black. I can press enter and the machine reboots to the same point. I am not able to get the login screen again to input my login and password.
I could boot my laptop with my Windows XP CD and get the "C" prompt, but as my files are encrypted, I am not able to see them. Do you know if there is a way to fix this problem? Is there a way to run some file from my CD drive that will insert my credentials and access my data? Please, help me :O)

Anonymous said...

Hi friend,

Me again (Francisco). Now, when I restarted my machine, I receive a message saying "There is no valid license on the disk"; then after pressing OK, I receive another message saying "cannot open user database", and when I press OK, the laptop restarts. Do you have an idea how I can fix this?
Thanks,

Francisco

Black Fist said...

@Francisco
What version of Pointsec are you running? There was a bug that was fixed in version 6.2 HFA2 and 6.3 that sounds really close to what you're dealing with.

I think your best bet would be to use your recovery file to create a boot disk that will decrypt your whole drive. Since the preboot environment isn't working you're not going to be able to use the instructions above to get at your data. Hopefully you didn't save your recovery file on the encrypted machine.

Francisco said...

Black Fist, it's me, Francisco.
Well, this laptop is from my company and I do not know where or what this recovery file is.
There are several friends using laptops with Pointsec installed here. Do you think it is possible to get this recovery file from one of those laptops? I mean, I am wondering if there is a kind of file that I could run from my CD drive (after booting from there) that could give me the Pointsec login back, so I could recover my files.
The IT guy told me that he does not have the Pointsec installation CD because he pushes all machines as an image from the intranet network and those images are pushed already with Pointsec installed (new version). He wants to format my machine but I really would like to see if there is a way to save at least some files.

kitgerrits said...

Hey guys,

I have a Pointsec'd corporate laptop with a dead O/S (BSOD on driver load).
I have other laptops with the same model and O/S, both with and without pointsec (so I can get hold of the .sys file).
My only problem is, that I cannot get my hands on the Pointsec install CD (corporation, eh?).

I have found the pluginbuilder software, but I can make neither head nor tail of the instructions.

Can anyone tell me how to rebuild the pointsec plug-in for BartPE?

Giantkiller said...

I've made two boot disks using XP Pro SP2, the latest BartPE, and the Pointsec 6.2 plugin. One was made with a local admin account and the other with a domain admin account. To the best of my knowledge, your instructions were followed to the letter. The test laptop system is a Vista unit in perfect working order. I authenticate to Pointsec at boot and then call the menu to select the boot CD made. It boots and BartPE appears to be working. I cannot see the hard drive or any of its files. I'm thinking it's either the fact that the OS is Vista or the SATA driver for the HD. Can you send a content list of the plugin directory for Pointsec once the boot disk is made to make sure I have all the files and in the right place?

JimMoore said...

I do incident response / investigations for my day job. Tonight, my day is stretching into the night. I have a PC with some compromise/malware on it that is encrypted with Checkpoint/Pointsec.

I need to determine the time(s) of intrusion/infection. Adaware caught something. But before it could clean it, the malware popped Adaware, McAfee, and Spybot. I suspect that it is rootkitted.

So I brought the laptop back to my lab, and started scratching my head. The pointsec/checkpoint admin for the network gave me 2 options, decrypt the drive using the rescue disk, or use BartPE (which was on my list of things to learn).

I read your post, which is very good and very well written. I am just wondering about getting the DOS EnCase onto BartPE along with PointSec, and wondering if I will get a nice clean EnCase image of the swap file, unallocated space and everything, or if BartPE will try to use it after Pointsec allows access, and I will get less than the best results.

Anyone go down this forensics road before?

God bless,

Jim

kitgerrits said...

Two things:
1/ I would make a bit-for-bit backup of the entire disk with a generic Linux boot CD, in case something goes wrong.
2/ The encase DOS disk looks like it might work. From what I gather, I think pointsec hooks gate A20 so loading anything like mscdex, smartdrv or ntfspro will kill pointsec.

My notes are at: this page

Anonymous said...

The previous post(s) beg the question: can we create a BartPE environment where the CD will boot, allow access to the disk because of the entered ID and password, but not mount the hard drive? Or mount it r/o? Or write block the drive somehow?

Just a thought...
jmb

Black Fist said...

@anonymous
I don't think you would be able to create a Bart Disk that can read only. You might want to try slaving the hard drive instead. Check out the directions here: http://www.blackfistsecurity.com/2008/11/pointsec-for-pc-reading-slave-hard.html

Essentially you could take the encrypted hard drive, attach a hardware write blocker to the drive and then connect it as an IDE slave to a working machine. You should be able to make an unencrypted sector by sector copy. I don't have the equipment to test this myself though, so I can't tell you for sure.

Giantkiller said...

I was hoping someone could help and respond to my previous post? I cannot see the hard drive. What am I doing wrong after validating and booting to Bart?

Anonymous said...

I would like to be able to build a Pointsec enabled Bart PE disk. But, alas, my company is not willing to distribute the Bart PE plugin to any of the administrators. For some reason they decided we were too dumb to use it. I am a very experienced server administrator and would like to be able to fix simple problems, such as bad drivers, without decrypting and re-encrypting entire drives. Would anyone be willing to email me the zip file containing the Bart PE plugin? I have everything else to build the disk. don450x at yahoo dot com.

Giantkiller it sounds like your bartpe does not have the driver needed for your hard drive. If you give me some more details I could likely help you find the right driver.

Anonymous said...

I have a DD type bit by bit image of a hard drive encrypted with Pointsec that was created as part of a forensic collection that I need to decrypt. The original PC is gone but I do have access to the recovery disk and the passwords. Is there anyway to get this to decrypt?

Thanks,
RA

Giantkiller said...

I could be wrong but I think the blog is a resource for the "how to" in the recovery of secured data rather than the release of that which is not sanctioned. I myself have never violated this in my twenty years in the field. Policy is determined by the company and the IT group translates this into the organization's security. Right or wrong in your eyes, it must be respected and followed. If the intellectual property you speak of is valuable then you should approach it through channels that control the IT group. The cost to construct a boot CD is far less than the loss of information. And this, my friend, is a business decision.

Anonymous said...

Giantkiller, I never thought of it that way. Thank you for straightening me out. I am sure you are right.

Black Fist said...

@anonymous
I don't know of a way to decrypt a disk without booting it. If I were you I would try to boot the DD image somehow and then use the normal recovery process to decrypt it. I think that VMWare can use a raw disk image, and I bet there has to be something else out there if VMWare can't do it.

I would try booting the encrypted drive up just to see if your Virtual Machine is having any problems with the raw image. Then shutdown. Create your recovery disk and boot the VM using that. Decrypt the encrypted image. Now analyze it offline.

Worst case scenario...you should be able to write your dd image onto a physical hard drive and boot that in a computer. This sounds pretty interesting. If you want to bounce some more ideas around, hit me up at kevin()blackfistsecurity.com

Anonymous said...

Hi,

I have a PC with Pointsec encryption. The OS is working fine but the user forgot the login password.
I tried to reset the password with BartPE. The ERD Commander plugin was available but I found Locksmith is disabled. Somebody told me it is because of Pointsec, so I added the Pointsec plugin to BartPE, but I still face the same problem.
Do you have any clue?

Fluff533 said...

I'm looking for some assistance with the creation of the Boot Disk. I've tried creating it twice now and still cannot see my c: drive. I'm able to authenticate at PBA and bring up the alternative boot menu and boot from my Bart PE CD and I have my network drivers working great, but only see Ramdisk (B:) and BartPE (X:). Am I missing a step? The notebook in question is a Lenovo T61 widescreen. Thanks.

Anonymous said...

I am also having the same problems as GiantKiller. I can boot up with BartPE, however I cannot see the HDD. I am using Pointsec 6.3 and a Toshiba Portege M700.
Do you guys think the problem is with the SATA controller?

R said...

@GiantKiller,
I was having the same issue as you were. I downloaded the SATA controller drivers from Intel, added them to pebuilder\drivers\scsiadapters,
ran infcachebuild, and built a new boot CD.
It works a treat. I can see the local drive and copy files to a network share.
Give it a try.
Hope this helps!!!!

Giantkiller said...

It sounds like the drivers for the hard drive bus are missing, as they were for me. XP recognizes only so many devices, and/or the generic drivers will not work. Make sure the proper IDE or SATA drivers are installed in Bart PE and that the syntax is correct. Sometimes you might have them incorporated into Bart PE but the naming convention is wrong.

Giantkiller said...

The correct Sata Driver is a must. You mentioned 6.3. Ensure you have the correct version of the Pointsec plugin. They both (Pointsec of the hard drive & Pointsec of the BartPE boot CD) must be the same. It is very possible to corrupt the hard drive if you fail to do so.

Mark said...

Hello,

I am one of the people that hasn't backed up a few projects to the network yet, whilst getting a Windows system error early in the morning at work.

(Pointsec asks for the Windows CD to recover Windows after I fill in the Username/Password Pointsec fields)

I am wondering the following:
The pointsec HDD works with a SATA interface.

What if I reinstall Windows on another disk (hdd2), install Pointsec on that environment and use the same username and password for the Pointsec encryption.

Will I see the disk (hdd1) again?

Or is this a totally wrong assumption?

Black Fist said...

@Mark
It sounds like you want to try taking your unreadable drive, putting it into a working machine that has Pointsec installed, and reading the data that way. Yes, it will work, as long as you have valid credentials for the unreadable drive.
Here are some instructions

AS said...

Question to R:

Could you post detailed steps for creating WinPE with SATA drivers and infcachebuild? I created WinPE with PointSec but can't see the HDD and I just saw your comment about the HDD being SATA and needing driver. I've been researching but cannot find good instruction. If you could help me out, I'd really appreciate it! Thank you!!!

Giantkiller said...

The steps to create a WINPE (BARTPE) as well as how to place drivers and install them are posted at the BART site listed at the top of the web page. The specific drivers such as (IDE,SATA) are available from the MFG of the laptop.

Anderson Vilas said...

I do not have the sys file .
Can we guarantee that taking another laptop with Pointsec and putting the old HD from the crashed laptop in as a slave to the new laptop, also with Pointsec installed, would let me restore the lost data?
I mean a new laptop with my login for Windows and Pointsec, and after that, trying to access the slave lost disk? Maybe this would automatically ask for a secondary authentication and get the data even without the recovery file or the .sys file used to create the boot disk, right?

Anderson

Giantkiller said...

If you have pointsec on your working laptop, then you have the "sys" file. Read the top segment of the blog very carefully. If you build the Boot CD you do not need to boot from another hard drive. Use the CD to pull your files.

Andrew said...

Hi,
What an interesting find here, just a quick run through, my company laptop decided to BSOD upon XP bootup, we are using pointsec 6.3.1 HFA2 and the tech support guy is insisting there is no way to recover data. I know I can access the preboot menu okay my only problem is the recovery file is on the laptop itself.

I have been issued with another laptop (spare) with the same version of Pointsec installed. Am I right to assume that if I can get the prot_2k.sys file from the working laptop and somehow convince the central IT guys to give me the plugin from the install CD, I should be able to build a bootable CD to read off the data without the recovery file?

Black Fist said...

@andrew
I guess that depends on why the data is unrecoverable. If there is a problem with the drive where the sectors have gone bad for some reason then your IT staff may be right.

Having said that, then yes. You should be able to follow these instructions and read the contents of the drive if you can satisfy a few "ifs."
"IF" number one, your new laptop needs to be running the same version of Pointsec as the old laptop if you're going to use the prot_2k.sys file from your new computer.
"IF" you know a valid password for the pre-boot environment on your old computer.

For future reference, I would highly recommend that you make backups of your files and especially make a copy of the recovery file and keep it somewhere else. I am really surprised to hear that your IT people are deploying this and not keeping copies of the recovery file. They will suffer much pain if they continue with this practice. It's only a matter of time before someone's laptop fails and it's a person with enough clout in the company to make life hard on them.

BM said...

Worked like a charm, thank you! The only quirk was convincing the helpdesk team to supply the Pointsec Resource Kit, but more than that, they supplied the complete ISO!
Kudos for this article, and also for the Ctrl+F10 tip!
Thanks!

B. Pittman said...

I have gone through the instructions of creating a Bart boot CD and logging in. But after logging into Bart it's not recognizing the encrypted hard drive. Any suggestions?

Thank you
Brian

BM said...

Brian, have you gone through the Pointsec regular login screen? Only after that you should boot from the CD.

Giantkiller said...

Assuming you have followed the process correctly in making the CD, then you do not have the drivers installed on the CD. Part of creating the Boot CD is integrating the drivers for the hardware into it.

Anonymous said...

Hi, I followed all the instructions, created a BartPE disk with no errors at all and have the necessary prot_2k.sys, then booted the disk; after a few minutes BSOD... prot_2k.sys. What would be the problem?

Giantkiller said...

You do not have the proper drivers loaded into the build - these would be the critical ones - IDE or SATA, networking and/or video. Get those correct drivers blended into the build deck to make the boot CD. The steps to do this are on the Bart website.

Anonymous said...

hi,

I already created a boot disk recovery using the tools in Pointsec, but there are 2 partitions, C and D, and it only shows the C drive, and then I decrypt the C drive. So how should I decrypt the D drive? Please advise. Thanks

Anonymous said...

@GiantKiller, Thanks, I'll try to add some additional drivers, but what I've observed is that the BartPE I created is working perfectly on a machine that has no Pointsec, but when tried on a machine with Pointsec, that's the error... prot_2k.sys. Thanks

Giantkiller said...

You must satisfy Pointsec security in the boot process as detailed on the blog. The prot_2k.sys file only comes into play with Pointsec and only with the version of Pointsec it was designed for. If it was not loaded properly or was the wrong version, it would not work.
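Two comments above (the "IF number one" about matching Pointsec versions, and this one about prot_2k.sys being version-specific) come down to the same practical check before burning a CD: is the prot_2k.sys you dropped into the BartPE build the same version as the one on a machine running the Pointsec release you need to recover? The following PowerShell snippet is an added example, not part of the original post or of Check Point's resource kit. Both paths are assumptions: the location of the driver inside the BartPE plugin tree and the location of the installed driver on the reference machine vary by build layout and Pointsec version, so adjust them before running.

```powershell
# Added example (not from the post or from Check Point): compare the
# prot_2k.sys that the BartPE build will carry against the copy installed on
# a machine running the Pointsec version you intend to recover from.
# Both default paths below are assumptions; change them to match your setup.
function Compare-ProtDriverVersion {
    param(
        [Parameter(Mandatory)] [string] $BuildDriverPath,     # prot_2k.sys inside the BartPE plugin folder (assumed location)
        [Parameter(Mandatory)] [string] $InstalledDriverPath  # prot_2k.sys on the reference machine (assumed location)
    )

    foreach ($p in @($BuildDriverPath, $InstalledDriverPath)) {
        if (-not (Test-Path -LiteralPath $p)) { throw "Driver not found: $p" }
    }

    # FileVersion comes from the PE version resource; the hash catches a
    # same-version but different-build (or 32-bit vs 64-bit) file.
    $build     = (Get-Item -LiteralPath $BuildDriverPath).VersionInfo
    $installed = (Get-Item -LiteralPath $InstalledDriverPath).VersionInfo
    $buildHash     = (Get-FileHash -LiteralPath $BuildDriverPath     -Algorithm SHA256).Hash
    $installedHash = (Get-FileHash -LiteralPath $InstalledDriverPath -Algorithm SHA256).Hash

    [pscustomobject]@{
        BuildVersion     = $build.FileVersion
        InstalledVersion = $installed.FileVersion
        SameVersion      = ($build.FileVersion -eq $installed.FileVersion)
        SameFile         = ($buildHash -eq $installedHash)
    }
}

# Usage: paths are placeholders for your own build tree and reference machine.
$result = Compare-ProtDriverVersion `
    -BuildDriverPath     'C:\pebuilder\plugin\pointsec\files\prot_2k.sys' `
    -InstalledDriverPath "$env:SystemRoot\System32\drivers\prot_2k.sys"

if (-not $result.SameVersion) {
    Write-Warning ("prot_2k.sys version mismatch: build has {0}, reference machine has {1}. " +
                   "Rebuild the CD with the driver from a machine running the same Pointsec version." `
                   -f $result.BuildVersion, $result.InstalledVersion)
} elseif (-not $result.SameFile) {
    Write-Warning "Same version string but different file contents; check that you copied the right (32-bit vs 64-bit) driver."
} else {
    Write-Output "prot_2k.sys matches the reference machine ($($result.InstalledVersion))."
}
```

Run it on the machine you took the driver from, or on any machine with the same Pointsec build installed, before burning the CD. A version mismatch is the simplest explanation for the "BSOD on prot_2k.sys" reports in this thread that persist even after the hardware drivers have been sorted out.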

Anonymous said...

In regard to decrypting bit for bit image files taken from a PointSec encrypted drive, you may wish to look at: http://blogs.sans.org/computer-forensics/2009/09/11/decrypting-a-pointsec-encrypted-drive-using-live-view-vmware-and-helix/.

While complex, convoluted, and way too painful, this process will yield a forensically sound image of an entire decrypted drive with all metadata intact for the drive, not just the unlocked partition(s).

If all you need to do is access/recover the data without regard to Chain of Custody, then mounting the drive r/w using BartPE or slaving or any other method will be fine.

jmb

Lee said...

Would anyone please be able to send me the plugin

Our install is on a network share and no-one seems to know who put it there and didn't copy the resource kit folder.

Phoned Pointsec, who aren't very helpful; the guy said he has never heard of a resource kit or BartPE :|

email address: leewilson74@hotmail.co.uk


great walk through by the way

Benjamin Adducchio said...

So the DMU piece built in to BartPE is beautiful and works great except on Windows 7 64-bit. Attempted use on two different hardware platforms with no success. Works on XP fine (R71, R72 and R73), not tested on Vista. Wondering if you ran into this problem or have any insight. Thanks and awesome site.

Anonymous said...

We've used this successfully with Windows XP. We are testing R73 on 64bit Windows 7 and haven't had the same luck. Using the wow64 version of prot_2k.sys the CD boots OK, but we get an error when we try to select the encrypted volume. Anyone have better luck? Thanks in advance.

Daniel said...

Black Fist, thank you for your work. I have followed your instructions on downloading bart pe. I can not find the resource kit. Can you please be more specific. Thank you.

Daniel said...

Can anyone provide me with a Point Sec Resource Kit 6.3.x. Thank you.

Anonymous said...

Talked w/ Checkpoint support and they indicated the DMU version currently available doesn't work w/ 64-bit Windows 7. New version is tentatively scheduled for the middle of Q1 2010.

Anonymous said...

Running Pointsec 6.3.1 HFA7 and followed the instructions to build a BartPE disk.

I'm just testing and the test system is actually booting fine. Once I hit Ctrl-F10 and log into preboot and select boot from PE, the system boots directly to Windows.

i.e. the system does not boot to Bart's.

Is HFA7 supported?

Black Fist said...

@anonymous from Jan 11:
Does your BartPE disk work on a machine that is not encrypted? The only reason I can think of that it wouldn't boot to the disk is if there was something wrong with the disk and the disk is not bootable. In that case it would fall back to booting the hard drive.

Roman said...

@ Daniel, you can contact me, I have the plugin for 6.3.1.

Roman said...

@ Daniel, you can contact me, I have the working plugin for 6.3.1

greetings

Giddyup said...

@roman. Any chance I can get a copy of that resource kit?

John said...

Guys, I know it is a long shot but is anyone able to provide me with a version of the Resource Kit (pointsec.zip) for version 4.3? My Windows XP has corrupted and it wants DLLs after authenticating in PointSec. Incidentally, does the Ctrl+F10 work with earlier versions of PointSec? I do not get a CD boot option after PointSec authentication with Ctrl+F10. Any suggestions? jT

Jason said...

I have followed your instructions to a T and nothing is happening after pressing Ctrl + F10 on the Pre-Boot Environment screen. It just goes ahead and loads the OS. We do have WIL enabled on both the console and laptop. It does the same thing even if I try temporarily disabling WIL in the customization section.

We are using version 6.3.1.1270.

What am I doing wrong?!!!

Laurent said...

I'm pretty f****d here.

Got Pointsec v7 installed on a stupid Dell Latitude E6500 laptop and I ran into some problems booting WinXP.

HDD is fine, I'm sure of that. I just need to modify my boot.ini because a custom HAL that was installed caused a BSOD with SP3 just installed. Even fail-safe doesn't work.

But here's the thing. I reach the Pointsec login, do Ctrl-F10, I enter my Pointsec credentials and after that I just get 3 choices of alt device:
1. Floppy
2. Fixed Disk
3. PE custom disk

This Dell has the HDD/DVD SATA embedded and nothing seems to be detected (no USB nor CD-ROM) as an alternate device. Tried a BIOS update (booting Hiren's from CD directly) and played with all the SATA/USB settings to no avail.

OK, then I had the idea to boot the Pointsec HDD on another PC (HP desktop) so I would get more alternate devices.

Bingo, put my 2.5" SATA HDD in my HP desktop, let the HDD reach PointSec, Ctrl-F10, log in, and voilà, I have CD-ROM, USB, etc. devices.

Then I boot Hiren's mini-WinXP from CD, but when I click my C & D partitions from the PointSec HDD, I get "THIS DRIVE ISN'T FORMATED, WOULD YOU LIKE TO FORMAT IT NOW?"

Gosh, I almost got it :(

My thought is that Pointsec detects and only allows access to data on the PC it was installed on, right, even with the right credentials on another PC?

Any idea?

If only I could get a CD-ROM booting after Windows XP has started (like at the F8 fail-safe menu).

Will try to get the .rec from my HQ server tomorrow, if not I'm f***k right?

Giantkiller said...

The boot CD has to have the drivers for the hardware the disk is in as well as the Pointsec driver. If either is missing it will not work because the boot CD will not see it.

Pink Floyd said...

Hi,
I have a situation here where the laptop that had the encryption on it died. The HDD is OK. When I plug it into another system to get the files off it, I'm running into trouble. I have booted off the HDD and put in my login info, pressed Ctrl and F10, and then when the logon goes through I see: POINTSEC ... starting Alternative Boot Menu... But it just sits at that screen. Any idea how to move on from here? Any help would be very much appreciated.