Recovering Check Point Endpoint FDE Encrypted Hard Drives

We have been involved in recovering files from several hard drive’s encrypted using the Endpoint Full Disk Encryption product by Check Point. This is a strong encryption product that is turning up on more and more systems.

We are proficient at recovering the data from such systems and the following is a case study about a recent recovery we completed.

We received a HGST (HTS725050A7E635) 500GB 2.5 inch drive which had come out of a Lenovo ThinkPad laptop. The hard drive was completely encrypted using Check Point Software’s Endpoint Full Disk Encryption (FDE), and would not boot.

FDE securely encrypts all the data on a hard drive, including the operating system making the hard drive’s data extremely secure. For further information, read Check Point’s PDF about FDE here: https://www.checkpoint.com/downloads/product-related/datasheets/ds-endpoint-full-disk-encryption.pdf

Our examination showed that the hard drive powered up successfully but had additional protection layer in the form of a BIOS lock. Once this was bypassed we used Ubuntu to clone the hard drive which completed without error. We now had an exact clone of the encrypted hard drive. The next step was to decrypt it. A force decrypt operation was tried which resulted in 0% progress, even when left to run overnight.
The Endpoint Dynamic Mount Utility was used to attempt to access the data. This resulted in an error where no partitions could be found. When the .rec file was tried the whole system crashed.
We then tried to use the Dynamic Mount Utility (DMU) again using BartPE, a Pre-Boot application with the Endpoint Plugin introduced, this again resulted in the same annoying crash.
We then obtained the recovery media on a USB stick which requires an admin username and password to execute a decryption. This information allowed us to decrypt the data on the hard drive to a second hard disk.

Other Hard Disk Encryption Programs

Checkpoint’s FDE is not the only hard drive encryption program on the market, other popular products include Symantec Endpoint, Sophos Safeguard, McAfee Complete Data Protection and Dell’s Data Protection / Encryption. Both Microsoft and Apple also have their own products, namely File Vault and Bitlocker. An interesting article that explores the fundamentals of full disk encryption and compares the various products available can be found on the SearchSecurity web site at http://searchsecurity.techtarget.com/feature/The-fundamentals-of-FDE-Comparing-the-top-full-disk-encryption-products.

If you are having problems recovering the data from a hard drive encrypted with Check Point FDE or similar, please contact us, we should be able to rescue your data.

checkpoint, encryption, HDD

Rona McAvoy

07:42 10 Aug 20

Chris and the team were absolutely amazing. So impressed that they managed to recover my data hassle free, kept me in the loop and even sent a file to show what was recovered before proceeding. They were very professional yet so friendly and personal. Amazing job guys can't rate you all enough :) and THANK YOU for getting all my important photos and memories back for me.

Simon Lanzon

16:31 04 Aug 20

The service they offer was second to non!!! Simply excellent, keeping you updated of the progress all the way through. I would highly recommend Chris at Data Clinic for his professionalism and customer care. The price was over half what other companies charge. Pick up, scan, results and delivery back all at one price!!! Buy with confidence they are great

Frank Ojimba

08:33 09 Jul 20

Title
First Name
Last Name
Primary Phone*
Primary Email
Device Type*
Problem
GDPR opt in