F-Response and OSX Check Point Endpoint Security

May 04, 2012

We were recently contacted by a potential client looking to test out the features of F-Response Enterprise, specifically with regard to accessing remote Apple OSX machines with Check Point Endpoint Security – Full Disk Encryption 3.3.2.

It appears Check Point Endpoint Security Full Disk Encryption creates a series of secondary raw disk (rdisk) devices on the target computer. Once authentication succeeds, the root filesystem is mounted via one of these non-standard devices. In this case it was a simple matter to add the appropriate device to the custom options for F-Response Enterprise (also covered as the "-a" command line option, more details here).

In the end, F-Response Enterprise was able to provide direct, read-only, forensically sound access to the unencrypted disk on the remote Apple OSX machine with minimal effort.
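One way to work out which device backs the root filesystem on the target, so the matching raw disk node can be supplied as the custom device described above. This is an added example, not part of the original post and not F-Response code; the sample `mount` output and its disk numbering are constructed for illustration and do not show how Check Point actually names its devices.

```shell
#!/bin/sh
# Find the device mounted on "/" in OS X `mount` output and derive the raw
# whole-disk node (/dev/rdiskN) that corresponds to it.

# Constructed sample: root lives on disk2 rather than the physical disk0.
# The numbering is an assumption, not captured from a Check Point system.
SAMPLE_MOUNT='/dev/disk2s2 on / (hfs, local, journaled)
devfs on /dev (devfs, local, nobrowse)
/dev/disk0s1 on /Volumes/EFI (msdos, local, noowners)
map -hosts on /net (autofs, nosuid, automounted, nobrowse)'

# root_device: read `mount` output on stdin, print the /dev/disk* node on "/".
root_device() {
    awk '$2 == "on" && $3 == "/" && $1 ~ /^\/dev\/disk[0-9]+/ { print $1; exit }'
}

# raw_whole_disk: /dev/disk2s2 -> /dev/rdisk2 (drop the slice, use the raw node).
# Prints nothing and returns non-zero for anything that is not /dev/diskN[sM].
raw_whole_disk() {
    raw=$(printf '%s\n' "$1" |
        sed -nE 's#^/dev/disk([0-9]+)(s[0-9]+)*$#/dev/rdisk\1#p')
    [ -n "$raw" ] && printf '%s\n' "$raw"
}

# root_raw_disk: read `mount` output on stdin, print the raw disk behind "/".
root_raw_disk() {
    dev=$(root_device) || return 1
    [ -n "$dev" ] || return 1
    raw_whole_disk "$dev"
}

# On a live system this would be: mount | root_raw_disk
printf '%s\n' "$SAMPLE_MOUNT" | root_raw_disk
```

A result other than the physical boot disk is the cue that the root filesystem sits on one of the secondary devices, and that node is the one to add to the custom options.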

Having issues with your own internal full disk encryption products? Contact us and see if F-Response Enterprise can solve your problem. We'll gladly set up a GoToMeeting demonstration and trial to help you find out!

Thanks and Enjoy!

Warmest Regards,

M. Shannon, Principal

F-Response

May 4, 2012