Tuesday, November 30, 2010

An easier way for Full Disk Encryption Boot CD

Easily the most popular entry on this blog is the one on how to create a boot CD that can read a hard drive encrypted with Pointsec or FDE. Let me take a minute to remind you how that was done.

First, we install PE Builder on a working machine.
Then we grab the Pointsec filter driver and put it into the plugin folder.
Next we have to stop some Pointsec services on a machine that is running Pointsec and working. From there we can grab a copy of a file called prot_2k.sys and put it into one of the plugin folders. Now you're ready to build your CD. To use it, you boot the non-working machine from the hard drive rather than from the CD, and press CTRL+F10 at the Pointsec logon screen to redirect into your boot disk. Congratulations: you've created a CD that works with just that one version of Pointsec, because the driver you copied is tied to it.

Thank goodness the bad old days are behind us. Several versions ago, Check Point released the Dynamic Mount Utility (DMU), and now the process of making a boot CD couldn't be (much) easier. DMU is included with the installation media in the form of a zip file. The zip file contains two folders. So all you need to do is install Bart PE Builder and copy those two folders into its plugin directory. Point Bart at your Windows XP disc and create your ISO. That's it. Best of all, your new boot CD works with any version of Pointsec or FDE (at the time of this writing), so you don't have to keep a separate CD for each version of the software floating around your organization.
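Copying two folders is not much of a procedure, but the part that actually bites people is staging them in the wrong place or ending up with a plugin folder Bart does not recognize. Here is a small script, added for this post and not part of Check Point's or Bart's tooling, that unpacks the DMU zip into the PE Builder plugin directory and checks the result before you build the ISO. It assumes what the post says (the zip has exactly two top-level folders), that PE Builder's plugin directory is `plugin` under its install folder, and that a BartPE plugin folder is recognized by the `.inf` file it contains; the folder and file names inside `build_sample_zip` are made up for the self-test and are not the real DMU contents.

```python
"""Stage the DMU BartPE plugin folders into a PE Builder tree and sanity-check them.

Added example, not code from the original post or from Check Point.
Assumptions: the DMU zip ships exactly two top-level folders, PE Builder
keeps plugins under <pebuilder>/plugin, and a BartPE plugin folder needs a
.inf descriptor. Names in build_sample_zip() are constructed, not real.
"""
import tempfile
import zipfile
from pathlib import Path

PLUGIN_SUBDIR = "plugin"  # assumption: PE Builder's plugin directory name


def top_level_dirs(zf):
    """Names of the top-level folders inside an open ZipFile."""
    names = set()
    for info in zf.infolist():
        parts = info.filename.replace("\\", "/").split("/")
        if len(parts) > 1:
            names.add(parts[0])
    return sorted(names)


def stage_dmu_plugin(dmu_zip, pebuilder_dir):
    """Extract the DMU folders into <pebuilder>/plugin; return the folder names.

    Raises if PE Builder is not where we think it is, if the zip does not have
    the two-folder layout the post describes, or if an entry would escape the
    plugin directory (a defensive check on archives of unknown origin).
    """
    plugin_dir = Path(pebuilder_dir) / PLUGIN_SUBDIR
    if not plugin_dir.is_dir():
        raise FileNotFoundError(
            f"no '{PLUGIN_SUBDIR}' directory under {pebuilder_dir}; is PE Builder installed there?")
    with zipfile.ZipFile(dmu_zip) as zf:
        for info in zf.infolist():
            p = Path(info.filename.replace("\\", "/"))
            if p.is_absolute() or ".." in p.parts:
                raise ValueError(f"unsafe path in zip: {info.filename}")
        folders = top_level_dirs(zf)
        if len(folders) != 2:
            raise ValueError(f"expected 2 top-level folders in the DMU zip, found {folders}")
        zf.extractall(plugin_dir)
    return folders


def check_plugin_layout(pebuilder_dir, folders):
    """Map each staged folder to its .inf files; an empty list means Bart will ignore it."""
    plugin_dir = Path(pebuilder_dir) / PLUGIN_SUBDIR
    layout = {}
    for name in folders:
        folder = plugin_dir / name
        layout[name] = sorted(f.name for f in folder.glob("*.inf")) if folder.is_dir() else []
    return layout


def build_sample_zip(path):
    """Constructed stand-in for the DMU zip, used only by the demo/self-test."""
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr("dmu_driver/dmu_driver.inf", "[Version]\nSignature=\"$Windows NT$\"\n")
        zf.writestr("dmu_driver/dmu.sys", b"")
        zf.writestr("dmu_tool/dmu_tool.inf", "[Version]\n")
        zf.writestr("dmu_tool/files/dmu.exe", b"")
    return path


def demo(workdir=None):
    """Run the whole flow against a fake PE Builder tree; return the checked layout."""
    if workdir is None:
        with tempfile.TemporaryDirectory() as tmp:
            return demo(tmp)
    workdir = Path(workdir)
    pebuilder = workdir / "pebuilder"
    (pebuilder / PLUGIN_SUBDIR).mkdir(parents=True, exist_ok=True)
    dmu_zip = build_sample_zip(workdir / "dmu.zip")
    folders = stage_dmu_plugin(dmu_zip, pebuilder)
    return check_plugin_layout(pebuilder, folders)


if __name__ == "__main__":
    # For real use: stage_dmu_plugin(r"C:\path\to\dmu.zip", r"C:\pebuilder3110a")
    # then check_plugin_layout(...) and look for folders with no .inf.
    print(demo())
```

Against a real install you would call `stage_dmu_plugin` with the zip from the Check Point media and your PE Builder folder, then refuse to build the ISO if `check_plugin_layout` reports a folder with no `.inf`.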

Booting the CD also got quite a bit easier. Remember I said that you used to boot from the hard drive when you wanted to use the CD? Counterintuitive, right? Now you boot from the CD. When Bart comes up you can open the file management utility, but you'll notice that you can't read the C drive; you just know that it is there. But if you click on Go and look in Programs, you'll find a new program for reading the Check Point encrypted drive. Run that program and authenticate with valid credentials. Now close that application and go back to the file management utility. Voila! You can now read the contents of the drive. Note that nothing here bypasses the encryption: without a valid Pointsec/FDE account the disk stays unreadable, so the CD is a recovery tool, not a way around the product.

Here is a video of me making a boot CD using this method. I also wanted to make a video of me using it in the Bart environment, but alas the Bart disc doesn't have drivers that can see the virtual hard drive in my virtual machine. Anyone know what plugin to add? I'm using VirtualBox here, if that helps.

Anonymous said...

Great information. Do you know if this will work with Windows 7?

Black Fist said...

Yes. It works even if the encrypted OS is Windows 7.

Anonymous said...

Where are you? I miss your blog posts. I'm looking at deploying check point and came to check out your latest posts. You were doing an awesome job, I look forward to more security tips from you!

Maarten said...

Do you have any instructions on getting this to work with a Microsoft WinPE 3.x pre-boot environment? I still have no clue why the good people of Pointsec decided to support an "enthusiast" tool such as BartPE and leave out Microsoft's tool, which is used in so many other corporations.

Black Fist said...

@Maarten I couldn't agree with you more. The best I've been able to get is "Yeah you can probably make it work, but we have no idea how." Unfortunately this is not my area of expertise so I don't know how to engineer a driver for Windows PE.

Anonymous said...

Hi Black Fist

At the moment I have an HP EliteBook with the Windows Vista Business OS. The OS won't load into Windows, and it has Check Point Endpoint Protection installed. I have admin/service access to get through, but my task is to get the data off the HDD, and everything on it is encrypted. Do you have a solution to this?

Thanks in advance