Wednesday, November 5, 2008

Pointsec for PC: Reading a slave hard drive

One of the popular topics on this blog is how to recover your data from a Pointsec encrypted machine in case something goes wrong. Luckily for us, there are several different techniques that you can use to get your data back. Some of them are more convenient than others and reflect the level of brokenness that your machine is suffering from.

Today I'm going to talk about what you need to do to take an encrypted disk from a machine that has a broken installation of Windows, put it into a working machine running Pointsec, and read the contents of the drive. I will probably call this the broken drive a few times, and I want to make sure that we're clear about what that means. I'm not talking about a drive that has been physically damaged or is no longer functioning. I am talking about a working hard drive with a working Pointsec Pre-Boot Environment but a malfunctioning Windows installation that won't let you get to your files.

Step one: Be prepared. You should prepare your workstations for this ahead of time, in other words before things go bad. There are two permissions that need to be in place for this to work. The most important for this scenario is that the Pointsec installation on the broken machine must allow the hard drive to be slaved. You need to set this BEFORE your users install a rogue driver that blue screens the whole machine.

Open the Pointsec Management Console and edit the local settings. In the Hardware Devices group find the setting labelled "Allow Hard Drive to be slaved" and set it to yes. If this is not done, then this hard drive cannot be a slave in another Pointsec machine. If you didn't do this, and now you have a machine that won't boot properly, then you can stop reading here. You will need to create a recovery disk and decrypt the drive rather than slaving it to a working machine. You could also look at creating a boot disk to recover files.

Step two: Configure your working machine to use a slave hard drive. Open the management console on your working machine and go to the same folder that we were looking at in step one. You will find a setting in here called "Allow a slave hard drive." As you can imagine, if this is set to "no" then you won't be able to connect the broken computer's hard drive to this machine. So set it to yes. I usually leave it at no until I need it because I really don't want my end users running around slaving hard drives.

Step three: Take the broken hard drive and install it in your working machine as a slave to the working hard drive. You need to make sure that the broken hard drive is on the IDE cable as a slave, and you might need to change some jumper pins on the hard drive. That stuff is specific to your hard drive and beyond the scope of this article.

Step four: Boot into the Pre-Boot Environment. If you're not using Windows Integrated Login then it is as simple as turning on the computer. If you are using WIL then you need to hold down both shift keys while the computer is booting. Press them down when you see the words Pointsec for PC appear in the upper left corner. This will take you to a menu where you can disable Windows Integrated Login and continue.

Step five: Authenticate to both drives. You will be presented with a login screen for the primary hard drive. Log in with valid credentials. After you log in you will be presented with the same screen, this time for the second hard drive. Log in with valid credentials for that hard drive.

If everything goes well you should be able to boot into Windows and see the other drive in My Computer. Retrieve your files and back them up somewhere. Then you can just re-image the computer or you can actually try to fix it.


Anonymous said...

I've done this method multiple times. Several times it worked like a charm. Other times, slave HDD doesn't accept the correct PointSec credential at boot-up... After that happens, it seems like the HDD is in worse condition... (e.g. decryption stops with PSMain error) So, I'm afraid to use this method now. Did this ever happen to you?

Black Fist said...

I've never had to resort to using this trick to get at my data. I've only ever done it in a testing environment that I've set up. So I'm afraid I've never seen the problem you're talking about.

Anonymous said...

Thank you, Black Fist.
Also, thank you for your great website!!

Smallfry said...

In the article, you mentioned that the slave drive has to be slave IDE.

Does this method also work for Pointsec encrypted drives connect via USB?

Kris.Erwin said...

Echoing what Smallfry posted, do you know of any way to access the encrypted data on a drive which has been removed from a bad machine and connected to a working machine via a USB adapter?

Much easier connecting drives this way than opening up the machine and connecting them through the IDE or SATA internal interfaces.

Black Fist said...

@smallfry @kris.erwin,
I don't know of a way to use this same technique to read a drive that has been connected to the USB port. I can certainly see why this would be a useful feature.

You might be able to do it if you were to make a bitwise image of the failing hard drive and connect that to a virtual machine as a slave drive. Doing that might prove to be as much work as connecting the failing drive directly to the IDE bus though.
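The bitwise-image route suggested in the reply above starts with a sector-for-sector copy of the failing drive that you can prove is faithful before you try anything with it. The script below is an added example, not code from the original post or from Pointsec: it images a device with dd and refuses to report success unless the copy hashes identically to the source. `/dev/sdX` is a placeholder for the drive pulled from the broken machine; the demo at the bottom substitutes a constructed file so the script runs offline.

```shell
#!/bin/sh
# Added example, not from the original post or from Pointsec: take a
# bit-for-bit image of a drive with dd and verify the copy by SHA-256 before
# handing the image to a virtual machine. /dev/sdX is a placeholder for the
# failing drive; the demo at the bottom uses a constructed file instead.

# hash_file FILE -> prints the SHA-256 hex digest (coreutils or shasum).
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# image_device SRC DEST -> copies SRC to DEST sector by sector and returns 0
# only if the image hashes identically to the source.
# bs=512 matches the sector size, so conv=noerror,sync zero-fills only the
# sectors that actually fail to read instead of padding the whole image out
# to a large block boundary (which would change its size and hash).
image_device() {
    src="$1"
    dest="$2"
    dd if="$src" of="$dest" bs=512 conv=noerror,sync 2>/dev/null || return 1
    src_hash=$(hash_file "$src")
    dest_hash=$(hash_file "$dest")
    [ "$src_hash" = "$dest_hash" ]
}

# make_sample_disk FILE SECTORS -> constructed stand-in for a drive: random
# bytes, a whole number of 512-byte sectors, as a real disk would be.
make_sample_disk() {
    dd if=/dev/urandom of="$1" bs=512 count="$2" 2>/dev/null
}

# Demo: image a constructed 64-sector "drive" (placeholder for /dev/sdX).
workdir=$(mktemp -d)
make_sample_disk "$workdir/sdX" 64
if image_device "$workdir/sdX" "$workdir/sdX.img"; then
    echo "image verified: $(hash_file "$workdir/sdX.img")"
else
    echo "image does not match source; do not trust it" >&2
fi
rm -rf "$workdir"
```

Because the copy is taken with dd rather than by mounting the drive, the original is never written to, so a failed attempt leaves it exactly as it was and you can always image it again. The raw image is still Pointsec ciphertext: a VM given it as a second disk would need Pointsec installed with "Allow a slave hard drive" set, and would still go through the second pre-boot login from step five, and whether Pointsec accepts a slaved virtual disk at all is something the reply only suggests might work. To attach the raw file to a VM, convert it with a tool such as `VBoxManage convertfromraw` or `qemu-img convert -f raw` and add the result as a second disk (these conversion commands are standard tools, not something the post discusses).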