Recovering Check Point Endpoint FDE Encrypted Hard Drives

We have been involved in recovering files from several hard drive’s encrypted using the Endpoint Full Disk Encryption product by Check Point. This is a strong encryption product that is turning up on more and more systems.

We are proficient at recovering the data from such systems and the following is a case study about a recent recovery we completed.

We received a HGST (HTS725050A7E635) 500GB 2.5 inch drive which had come out of a Lenovo ThinkPad laptop. The hard drive was completely encrypted using Check Point Software’s Endpoint Full Disk Encryption (FDE), and would not boot.

FDE securely encrypts all the data on a hard drive, including the operating system making the hard drive’s data extremely secure. For further information, read Check Point’s PDF about FDE here: https://www.checkpoint.com/downloads/product-related/datasheets/ds-endpoint-full-disk-encryption.pdf

Our examination showed that the hard drive powered up successfully but had additional protection layer in the form of a BIOS lock. Once this was bypassed we used Ubuntu to clone the hard drive which completed without error. We now had an exact clone of the encrypted hard drive. The next step was to decrypt it. A force decrypt operation was tried which resulted in 0% progress, even when left to run overnight.
The Endpoint Dynamic Mount Utility was used to attempt to access the data. This resulted in an error where no partitions could be found. When the .rec file was tried the whole system crashed.
We then tried to use the Dynamic Mount Utility (DMU) again using BartPE, a Pre-Boot application with the Endpoint Plugin introduced, this again resulted in the same annoying crash.
We then obtained the recovery media on a USB stick which requires an admin username and password to execute a decryption. This information allowed us to decrypt the data on the hard drive to a second hard disk.

Other Hard Disk Encryption Programs

Checkpoint’s FDE is not the only hard drive encryption program on the market, other popular products include Symantec Endpoint, Sophos Safeguard, McAfee Complete Data Protection and Dell’s Data Protection / Encryption. Both Microsoft and Apple also have their own products, namely File Vault and Bitlocker. An interesting article that explores the fundamentals of full disk encryption and compares the various products available can be found on the SearchSecurity web site at http://searchsecurity.techtarget.com/feature/The-fundamentals-of-FDE-Comparing-the-top-full-disk-encryption-products.

If you are having problems recovering the data from a hard drive encrypted with Check Point FDE or similar, please contact us, we should be able to rescue your data.

checkpoint, encryption, HDD

jack stockdale

16:43 11 Jul 22

Fantastic service; plenty of communication, quick turnaround and perfect end result. A very smooth, pleasant and personable experience, that achieved the exact results I was after. Would absolutely recommend

Stewart Whitworth

12:42 28 Jun 22

Whilst Data Clinic were not able to retrieve the data from 1 of the 3 drives I sent to them - they were very easy to work with, accomodated my requests allowing for a very flexible recovery process (I dropped off the drives in person and provided an obscure drive type for the recovered data which they were perfectly happy with). When I asked why the last drive was unrecoverable, they explained with lots of detail, and of course I was not charged for said drive.I've learnt my lesson and hopefully won't ever need a recovery service again, but if I do I know who to go to!

Salutation
First Name *
Last Name *
Phone *
Email *
Device Type *
Description *
GDPR Opt-in *


User Type *