J. Michael Butler

Decrypting a PointSec Encrypted Drive Using Live View, VMWare, and Helix

September 11, 2009

Doing it the HARD way!

Perhaps you remember my previous blog on EnCase and PointSec, which included my plea for Guidance Software and CheckPoint to work together to create a seamless way to decrypt drives without having to go through 20 or 30 steps to get there. I even wrote, out of desperation, A Case for Decryption of the Original, because it would save time consuming steps and not change the data relevant to an investigation.

Time for an update. As noted in my last blog on decrypting the original, VMWare no longer recognizes a raw disk as a valid disk image. Images have to be converted before VMWare will recognize them.

Here is a new and "improved" method that will result in a COMPLETE decrypted image without changing the original. It is more painful because more steps are involved, but it works. (Today). That being said, I STILL want PointSec, now called "End Point Security," to work with Guidance to create a driver that could be used to directly access the disk image and decrypt it in EnCase. This can't be rocket science, right? Let me add an encrypted image to the case, key in a password, and access the data.

In the meantime, gather your tools. You will need dcfldd for Windows, the Live View application, VMWare Server, and Helix for imaging (you will image twice).

  • Use Helix or your other favorite method to acquire a raw image of the drive to be decrypted. (There is an open source version of Helix you can download for free, or you can purchase Helix Pro in order to have support, if you prefer.) [Watch for my upcoming blog on using dcfldd to acquire a raw image.]
  • Use Live View to convert the raw image to a VMDK file. (You will have to have the correct version of VMWare to read the VMDK. Live View will inform you what version of VMWare you should be running.)
  • Acquire the PointSec recovery file from the administrator. (This whole process assumes that you have the administrator ID and password for an administrative install of PointSec. If you don't have that, you are reduced to a manual brute force attack. Good luck!)
  • Using the PointSec recovery file, create Recovery Media. (Believe it or not, you need a real floppy disk to do this. Can't just create a raw floppy image. Go figure.)
  • Create a raw image of the floppy disk in a file on the Windows hard drive using the following command. (This requires that you have dcfldd installed; it is available from sourceforge.com. If you use Linux, refer to the floppy drive device (if=/dev/fd0 or as appropriate for your system) as the input file instead of the syntax below.)
    dcfldd if=\\.\A: of=filename.img
  • Copy the resulting floppy image to your VMWare server where you intend to decrypt the image.
  • Open VMWare.
  • Select the VM created by Live View, but do NOT start the machine. (Note that you will not have to create a new virtual machine. Live View handles all that. But also note that Live View creates a snapshot and other files as well, which cannot be read directly into EnCase Forensic. That is why we must do the final acquisition with Helix in this process.)
  • Add a floppy drive to the VM configuration and select the image created above as the floppy virtual drive. Make sure it is set to "Connect on Power On" so that the machine will boot to the floppy.
  • Edit the CD-ROM settings and set it to use an ISO image. Point to a copy of the Helix ISO image. (This is for acquiring the decrypted drive later, but will not be used for the decryption step.)
  • Start the Virtual Machine; it will boot to the floppy image.
  • Enter the requested PointSec administrator credentials and start the decrypt process. The VMDK image will be decrypted.
  • Once you have entered the credentials, the program begins decrypting the hard drive image, posting a % complete message as it goes.
  • Once decrypted, reboot the VM.
  • Hit Escape ONE TIME during boot to get the Boot Menu. (If you hit Escape too many times, VMWare will blow by the boot menu, but not to worry, because we have left the floppy image set up as the boot drive. That way the decrypted image will not boot and will, therefore, remain unchanged for maintaining Chain of Custody.)
  • Select CD-ROM from the boot menu to boot to the Helix CD-ROM.
  • Run Helix from the CD.
  • Insert a USB drive with enough spare space to receive the image from the "target" machine. You will mount it later. Helix is able to mount NTFS in read/write mode, so your portable drive can be formatted using NTFS.
  • Once Helix has booted up, use the VMWare toolbar option VM/Removable Devices/USB Devices to select the USB drive for writing the acquired decrypted image.
  • Open a Terminal Session by clicking on the terminal icon in the Helix tool bar.
  • Execute the following command in order to get a root prompt:
    sudo su -
  • Execute the following command in order to determine drive designations: [note that is dash lower case L, not I or 1]
    fdisk -l
  • Once the USB drive has been added to the VM, if it is formatted using NTFS, use the following command to mount the drive (substitute the correct letter for x based on the results of your fdisk -l listing; the mount point /media/sdx1 must exist, so create it first if it does not):
    mount -t ntfs-3g /dev/sdx1 /media/sdx1 -o force
  • Create a directory on the USB drive to receive the image.
  • Change to the directory you just created.
  • Execute the following command in order to record disk parameters for the case:
    fdisk -l > fdisk.txt
  • Use the following command to acquire the image:
    dcfldd if=/dev/sdx of=filename.img conv=noerror,sync hash=md5 hashlog=filename.img.md5
  • Once completed, for the record, run the following command to save the history of commands into a file:
    history > history.txt
  • Then save the mount config, in case anyone asks about that, with:
    mount > mount.txt
  • Now you have a raw, decrypted image that can be read into EnCase and properly acquired for analysis. Using this method, the original disk is untouched, and the only change to the disk image is that it was decrypted. This preserves proper Chain of Custody and avoids contamination of the evidence.
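As an added example (not part of the original post, nor code from Helix or dcfldd), here are the Helix-side acquisition steps above collected into one POSIX shell script, plus a verification step the post does not show: it re-hashes the image written to the USB drive and compares it with the "Total (md5):" line dcfldd records in its hash log. The device name (/dev/sdx), image name and case directory are assumptions; the fdisk/dcfldd functions only run when the script is invoked with a source device and an image path, so the hash-log parsing and verification can be exercised on any file.

```shell
#!/bin/sh
# Added example, not from the original post. Wraps the Helix-side steps
# (record fdisk/mount, acquire with dcfldd, keep the hash log) and then checks
# that the image on the USB drive matches the hash dcfldd computed while reading
# the decrypted disk. With hash=md5 hashlog=FILE and no hashwindow, dcfldd
# writes a line of the form:
#   Total (md5): <32 hex digits>
# That is the line parsed below. Device and file names are assumptions.

# Record disk layout and the mount table for the case file, as the post does.
record_case_metadata() {
    casedir="$1"
    fdisk -l > "$casedir/fdisk.txt" 2>&1
    mount > "$casedir/mount.txt"
}

# Acquire the (now decrypted) disk to a raw image with an MD5 hash log.
# conv=noerror,sync keeps reading past bad sectors and zero-pads them, so
# offsets in the image stay aligned with the source disk.
acquire_image() {
    src="$1"; img="$2"
    dcfldd if="$src" of="$img" conv=noerror,sync hash=md5 hashlog="$img.md5"
}

# Extract the MD5 from a dcfldd hash log. Prints the lowercase hash, or
# prints nothing and returns 1 if no "Total (md5):" line is present.
hashlog_md5() {
    hashlog="$1"
    h=$(sed -n 's/^Total (md5): *\([0-9A-Fa-f]\{32\}\).*/\1/p' "$hashlog" \
        | head -n 1 | tr 'A-F' 'a-f')
    [ -n "$h" ] || return 1
    printf '%s\n' "$h"
}

# Re-hash the written image and compare with the hash logged at read time.
# A mismatch means what landed on the USB drive is not what was read from the
# disk (bad media, interrupted write) and the acquisition must be repeated.
# Returns 0 on match, 1 on mismatch, 2 if the hash log is unusable.
verify_image() {
    img="$1"; hashlog="$2"
    logged=$(hashlog_md5 "$hashlog") || { echo "no MD5 in $hashlog" >&2; return 2; }
    actual=$(md5sum "$img" | cut -d' ' -f1)
    if [ "$logged" = "$actual" ]; then
        printf 'VERIFIED %s md5=%s\n' "$img" "$actual"
        return 0
    fi
    printf 'MISMATCH %s logged=%s actual=%s\n' "$img" "$logged" "$actual" >&2
    return 1
}

# Full sequence, run only when a source device and an image path are given,
# e.g. from the case directory on the mounted USB drive:
#   sh acquire.sh /dev/sdx filename.img
# (Save "history > history.txt" from the interactive shell afterwards, as the
# post does; a script's own shell keeps no history.)
if [ $# -ge 2 ]; then
    record_case_metadata "$(dirname "$2")"
    acquire_image "$1" "$2"
    verify_image "$2" "$2.md5"
fi
```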

          Whew, that was way too painful. In my next blog, I will share a method of "slaving" the target drive so that it can be acquired directly into EnCase with the hard disk left in its original state. Still not as easy as it ought to be, but much easier than the VMWare method. The only caveat is that the "Slave" method will allow us to image the decrypted partition(s), but will not allow decryption of the entire hard drive. So at some point, it may be necessary to use the method in this post, not the "Slave" method.

          J. Michael Butler, GCFA Gold #00056, is an Information Security Consultant employed by a fortune 500 application service provider who processes approximately half of the $5 trillion of residential mortgage debt in the US. He is a certified computer forensics specialist. In addition, he authored the enterprise wide security incident management plan and information security policies for his corporation. He can be reached at jmbutler_1 at hotmail dot com.
