Recovering Check Point Endpoint FDE Encrypted Hard Drives

We have been involved in recovering files from several hard drive’s encrypted using the Endpoint Full Disk Encryption product by Check Point. This is a strong encryption product that is turning up on more and more systems.

We are proficient at recovering the data from such systems and the following is a case study about a recent recovery we completed.

We received a HGST (HTS725050A7E635) 500GB 2.5 inch drive which had come out of a Lenovo ThinkPad laptop. The hard drive was completely encrypted using Check Point Software’s Endpoint Full Disk Encryption (FDE), and would not boot.

FDE securely encrypts all the data on a hard drive, including the operating system making the hard drive’s data extremely secure. For further information, read Check Point’s PDF about FDE here: https://www.checkpoint.com/downloads/product-related/datasheets/ds-endpoint-full-disk-encryption.pdf

Our examination showed that the hard drive powered up successfully but had additional protection layer in the form of a BIOS lock. Once this was bypassed we used Ubuntu to clone the hard drive which completed without error. We now had an exact clone of the encrypted hard drive. The next step was to decrypt it. A force decrypt operation was tried which resulted in 0% progress, even when left to run overnight.
The Endpoint Dynamic Mount Utility was used to attempt to access the data. This resulted in an error where no partitions could be found. When the .rec file was tried the whole system crashed.
We then tried to use the Dynamic Mount Utility (DMU) again using BartPE, a Pre-Boot application with the Endpoint Plugin introduced, this again resulted in the same annoying crash.
We then obtained the recovery media on a USB stick which requires an admin username and password to execute a decryption. This information allowed us to decrypt the data on the hard drive to a second hard disk.

Other Hard Disk Encryption Programs

Checkpoint’s FDE is not the only hard drive encryption program on the market, other popular products include Symantec Endpoint, Sophos Safeguard, McAfee Complete Data Protection and Dell’s Data Protection / Encryption. Both Microsoft and Apple also have their own products, namely File Vault and Bitlocker. An interesting article that explores the fundamentals of full disk encryption and compares the various products available can be found on the SearchSecurity web site at http://searchsecurity.techtarget.com/feature/The-fundamentals-of-FDE-Comparing-the-top-full-disk-encryption-products.

If you are having problems recovering the data from a hard drive encrypted with Check Point FDE or similar, please contact us, we should be able to rescue your data.

checkpoint, encryption, HDD

Marc De-Haviland

06:54 13 May 20

Contacted Data clinic with my Hard drive Issue. Chris was FANTASTIC !!! Called me back at 10 pm at night !!!! Explained in detail the ins and outs of hardware issues in an easy to understand manner. Arranged for a courier to pick the hard drive up and get it fixed. Friendly, professional and Informative service. Went above and beyond all expectations. Can’t thank you enough. Great comms throughout.

Ken Sargeant

18:11 07 May 20

I approached two companies for help with a failed drive and data recovery. Data Clinic was the 2nd company to respond, one day later than the first but still quick in response. Helpful, supportive, calm and non 'pushey' response was a big plus for me, especially since it was going to cost some. I dont know the industry standard for speed of service but a couple of days between pre arranged pick up of my failed drive, getting back an email of drive recoverable contents and receiving back to my home a new drive with my information was a great relief and no hassle. Looks like pretty much all of my data was recovered. Being Joe Public I had some worries and questions, they got answered reassuringly. All in, pleased with the service and thank you DC.

Title
First Name
Last Name
Primary Phone*
Primary Email
Device Type*
Description
GDPR opt in