Thread: Using FDE Mount utility

This question is answered. Helpful answers available: 1. Correct answers available: 1.


Replies: 17 - Pages: 2 - Last Post: Nov 16, 2010 5:30 PM by: TreyWatts
Guest
Using FDE Mount utility
Posted: Dec 3, 2009 11:22 PM

I've been reading the posts re: unlocking an encrypted drive to get access to files by using the FDE Mount Utility. How do I go about getting and using it?

I have an encrypted drive that I've attempted to decrypt using an ISO, but I am getting the STOP PSmain error 0x5001287 after decrypting 32%.

Thanks in advance!

J. Santiago

Chris Watkins

Posts: 157
Registered: 3/5/09
Re: Using FDE Mount utility
Posted: Dec 4, 2009 12:43 AM   in response to: Guest
Helpful

Hi,

You can get the DMU utility from the EndpointSecurity R72 Clients CD.

Then on there go to the folder -

FullDiskEncryption\1_Pointsec for PC\Tools\Dynamic Mount utility

You can then use it natively within Windows on a client which isn't running FDE, with the affected disk as a slaved device, or by integrating it into a BartPE boot disk, which will work on the client affected by booting straight off that.

You'll find the documentation for the DMU utility in the Docs folder under FDE with some more details.

Hope that helps

Guest
Re: Using FDE Mount utility
Posted: Dec 4, 2009 8:02 PM   in response to: Chris Watkins

Thanks! I was able to get the utility from our product owners!

Worked like a charm!

Thanks, again!

Mark Abraham

Posts: 7
Registered: 3/28/08
Re: Using FDE Mount utility
Posted: May 6, 2010 7:54 PM   in response to: Chris Watkins
 

Are there instructions on installing the dynamic mount utility into a Windows PE environment?

We are building a forensic toolkit based on Vista PE and need to be able to use the dynamic mount utility to gain access to encrypted drives, preferably in read-only mode. Thanks - Mark

Guest
Re: Using FDE Mount utility
Posted: May 9, 2010 1:54 PM   in response to: Mark Abraham

Mark,

Please see the attached manual.

======================
http://il.linkedin.com/in/alexturovsky

Mark Abraham

Posts: 7
Registered: 3/28/08
Re: Using FDE Mount utility
Posted: May 11, 2010 5:27 PM   in response to: Guest
 

Alex, I am having trouble finding the attached manual. I am very interested now! Thanks - Mark

Guest
Re: Using FDE Mount utility
Posted: May 12, 2010 7:43 AM   in response to: Mark Abraham

Mark,

Please see the attached manual again.
*I think it gets deleted automatically after a few days.

Mark Abraham

Posts: 7
Registered: 3/28/08
Re: Using FDE Mount utility
Posted: May 13, 2010 6:55 PM   in response to: Guest
 

Thanks for that, I don't see any guidance for installing in Windows PE though... According to the Checkpoint Engineer who called, it is currently not possible to use the DMU from Windows PE, only Bart's PE is currently working and even that is unsupported... oh well. One more case lost to technology....

Guest
Re: Using FDE Mount utility
Posted: May 13, 2010 8:17 PM   in response to: Guest

How To Use the Dynamic Mount Utility

Sometimes you need to access information on the hard disk of a Full Disk Encryption-protected machine and do not want to access this information by performing a recovery, for example, if you need to access a disk for forensic reasons or because a failure of the operating system makes it impossible to retrieve data on a disk. In such cases you can use Full Disk Encryption’s Dynamic Mount Utility.
The Dynamic Mount Utility, which is hardware independent, can be used instead of FDE’s Alternative Boot Menu, which is not hardware independent. With the Dynamic Mount Utility, you can also access hard disks connected via USB.
The utility can be used instead of FDE’s slaving functionality.
The Dynamic Mount Utility can be run without FDE.
You can run the Dynamic Mount Utility on a BartPE CD or on a Windows installation.
The Dynamic Mount Utility is supported on Pointsec PC versions 6.2.0 and later and on all versions of Full Disk Encryption.

Preparing a BartPE CD
To run the dynamic mount utility on a BartPE CD, you need to prepare the Bart ISO image with the FDE dynamic mount plugin.
1. Install PE Builder, which can be downloaded from: http://www.nu2.nu/pebuilder/
2. Copy the folders: FDE_Dynamic_Volume and FDE_Filter to the Plugin folder under the BartPE Creator.
3. Start PE Builder and click the Plugin button and select Install for both Checkpoint FDE - Dynamic mount utility and Check Point FDE - Encryption filter driver.
4. Click Build to build the CD.
5. You are now ready to use the CD on a FDE-encrypted hard disk, see the instructions in “Using the Dynamic Mount Utility” on page 6.

Installing the Dynamic Mount Utility in Windows
You can also use the Dynamic Mount Utility on a normal Windows installation as long as FDE is not installed there.
To install the Dynamic Mount Utility, you should use FDE’s dynamic mount standalone MSI installer: Check Point - Full Disk Encryption Dynamic Mount Utility.msi. Execute the installer as an Administrator, and follow the instructions in the dialog. When you have installed the application, you will be asked to reboot; and, upon next startup, you can start the tool from the Start menu, see “Using the Dynamic Mount Utility” on page 6.


Using the Dynamic Mount Utility

You can now use the Dynamic Mount Utility to read and write to an encrypted FDE disk. The Dynamic Mount Utility itself does not alter anything on the accessed hard disk, but the accessed hard disk is not in read-only mode; so you can alter data on it.

The encrypted disk can be connected via USB or it can be an internally ‘installed’ disk. Note that when you connect a hard disk via USB, you should always turn your computer off before disconnecting the USB-connected hard disk to prevent any risk of corrupting data.
1. Start the utility from the Start menu: ‘Full Disk Encryption Dynamic Mount Utility’ or execute x:\<program files>\checkpoint\fde_dyn_disk.exe
2. The utility displays a list of all connected hard drives. Select the disk on which FDE is installed and that you want to mount:
Figure 1-1
If mounting the selected hard drive fails (unlocking it fails), you can try to mount the hard drive by clicking Browse and browsing to the relevant recovery file and then selecting the corresponding drive in the list.
3. Once you have selected the disk, you will be asked to authenticate to that disk:
Figure 1-2
Note that the Set Max Failed Logons Before Reboot system setting also applies to the authentication to the Dynamic Mount Utility. If you exceed the number of logons specified in this setting, you must reboot before you can again try to ‘unlock’ the hard disk.

Restrictions
The Dynamic Mount Utility is supported on Pointsec PC versions 6.2.0 and later and on all versions of Full Disk Encryption.

Permissions
The user account running the Dynamic Mount Utility requires recovery and uninstall permissions. The utility is typically used only by system administrators.

Remote Help
Remote Help is available when authenticating to the hard disk, but Remote Help is not available when authenticating to a recovery file.


Windows Integrated Logon
When using the Dynamic Mount Utility on a machine where Windows Integrated Logon (WIL) is active, you must authenticate with a user account and its credentials.

Benjamin Adducc...

Posts: 6
Registered: 8/12/09
Re: Using FDE Mount utility
Posted: May 24, 2010 7:43 PM   in response to: Guest
 

It is nice to see that this is now documented; however, the current DMU v1.3 installation included does not support Windows 7 x64 installations. When using BartPE, you start the DMU utility and select the encrypted drive. It then prompts you to supply the admin credentials to access the drive, as described in the above post. If the hard drive contains the x64 install, you receive an error, “Failed to Initialize.” Checkpoint developed a new prot_2k.sys on 15 May 2010 which was included with the recent release, located in .\FullDiskEncryption\Resource Kit\PROT_2K.SYS \. In the DMU installation, .\FDE\Tools\Dynamic Mount Utility\ FDE - Dynamic Mount Utility.zip --> .\FDE_Filter\Files, the prot_2k.sys is an older version from July 2009. The following step needs to be added in order to support the x64 drives:

Preparing a BartPE CD
To run the dynamic mount utility on a BartPE CD, you need to prepare the Bart ISO image with the FDE dynamic mount plugin.
1. Install PE Builder, which can be downloaded from: http://www.nu2.nu/pebuilder/
2. Copy the folders: FDE_Dynamic_Volume and FDE_Filter to the Plugin folder under the BartPE Creator.
3. Replace {PE Builder}\plugin\FDE_Filter\Files\prot_2k.sys (dated July 2009) with .\FullDiskEncryption\Resource Kit\PROT_2K.SYS \prot_2k.sys (dated 15 May 2010) from the CD.
4. Start PE Builder and click the Plugin button and select Install for both Checkpoint FDE - Dynamic mount utility and Check Point FDE - Encryption filter driver
5. Click Build to build the CD.
6. You are now ready to use the CD on a FDE-encrypted hard disk, see the instructions in “Using the Dynamic Mount Utility” on page 6.
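
The driver swap in step 3 of the post above, as an added example that is not part of the original post or of Check Point's tooling: it checks that both plugin folders are in place, records SHA-256 hashes of the old and new prot_2k.sys, refuses a replacement that is not the later-dated file, and keeps a backup. The function names, the `.bak` backup name and the use of file modification time to tell the July 2009 driver from the 15 May 2010 one are assumptions.

```python
import hashlib
import shutil
from pathlib import Path

REQUIRED_PLUGINS = ("FDE_Dynamic_Volume", "FDE_Filter")  # folder names from the post


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large files are not loaded into memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def stage_driver(plugin_root: Path, new_driver: Path) -> dict:
    """Replace plugin/FDE_Filter/Files/prot_2k.sys and return an audit record."""
    missing = [p for p in REQUIRED_PLUGINS if not (plugin_root / p).is_dir()]
    if missing:
        raise FileNotFoundError(f"plugin folders not copied yet: {missing}")
    target = plugin_root / "FDE_Filter" / "Files" / "prot_2k.sys"
    if not target.is_file():
        raise FileNotFoundError(f"driver to replace not found: {target}")
    record = {"old_sha256": sha256_of(target), "new_sha256": sha256_of(new_driver)}
    if record["old_sha256"] == record["new_sha256"]:
        record["status"] = "already-current"
        return record
    # Assumption: file dates distinguish versions; refuse anything not newer.
    if new_driver.stat().st_mtime <= target.stat().st_mtime:
        record["status"] = "refused-not-newer"
        return record
    backup = target.with_name(target.name + ".bak")  # hypothetical backup name
    shutil.copy2(target, backup)
    shutil.copy2(new_driver, target)  # copy2 preserves the file date
    if sha256_of(target) != record["new_sha256"]:
        shutil.copy2(backup, target)
        raise IOError("copy verification failed; original driver restored")
    record["status"] = "replaced"
    record["backup"] = str(backup)
    return record


if __name__ == "__main__":
    import sys
    print(stage_driver(Path(sys.argv[1]), Path(sys.argv[2])))
```

Run it with the PE Builder plugin folder and the path to the newer driver as arguments, and keep the printed hashes with the build notes for the boot CD.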

Benjamin Adducc...

Posts: 6
Registered: 8/12/09
Re: Using FDE Mount utility
Posted: May 24, 2010 7:46 PM   in response to: Guest
 

Alex-
Is it possible for Checkpoint to ALSO replace the prot_2k.sys file in the DMU application when they release an update? Thanks...

Marshall Grover

Posts: 27
Registered: 11/13/09
Re: Using FDE Mount utility
Posted: Jun 1, 2010 3:24 PM   in response to: Mark Abraham
 

What I have done to deal with encrypted drives forensically is:

I already have a VMware drive with the forensic tools installed.

1) Create a DD image of the suspect drive using FTK Imager.
2) Use liveview 0.7b to create a VMware disk of the DD image.
3) Change the suspect drive to IDE 0,1. Add the VMware drive with the forensic tools to the VMware machine as the first hard drive, IDE 0,0.
4) Boot the VMware machine and you should get the 2 Pointsec authentication prompts.

Once you have put in the passwords you should be able to do the investigation normally.

I had to do this to get around the limits of the DMU. It crashes the OS about 1/3 of the time when booting. 1/3 of the time it crashes the OS when it detects the drive I plugged in via USB or SATA.

Guest
Re: Using FDE Mount utility
Posted: Jun 7, 2010 3:12 PM   in response to: Benjamin Adducc...

Benjamin,

Please submit an SR with the link to this forum. Via an SR we will move this forward to R&D.

tim jones

Posts: 1
Registered: 6/11/10
Re: Using FDE Mount utility
Posted: Jun 11, 2010 7:00 AM   in response to: Benjamin Adducc...
 

I can't seem to find this updated prot_2k.sys via the download center. Any chance you could attach it here?

Thanks.

Guest
Re: Using FDE Mount utility
Posted: Sep 16, 2010 8:30 AM   in response to: tim jones

Just download the new FDE 7.4 HFA3 1618, it has the new driver as well.
https://supportcenter.checkpoint.com/supportcenter/portal/user/anon/page/default.psml/media-type/html?action=portlets.DCFileAction&eventSubmit_doGetdcdetails=&fileid=11136

======================
http://il.linkedin.com/in/alexturovsky
