EnCase direct servlet access v1

Post on 11-Jan-2017


EnCase Direct Network Preview

EnCase v7.06 and higher

Direct Network Preview

• The Direct Network Preview and Acquisition process was introduced in EnCase 7.06 as an option for powered-on computers

• It allows the examiner to view the target computer through the EnCase for Windows interface and conduct an examination just as if working from an image.

• Direct Network Preview allows access to data on a target computer system while it is powered on, including:
  • the contents of hard drives connected internally or externally,
  • removable media,
  • electronic memory.

• If there is disk encryption on the target system, the mounted volumes may be imaged without having to obtain the authentication files or passphrase(s).

Direct Network Preview

[Diagram] EnCase Examiner -> Target machines with direct servlet

Preparation of the Examiner’s Computer

• A small command-line program, the servlet, must be run on the target computer to enable a connection from the examiner’s computer.

• The servlet contains an authentication key and authenticates access from the EnCase computer system that created the servlet.

Steps

• Generate an encryption key pair
  • two files are generated: the public key and the private key

• Create the direct servlet with the encryption keys

• Deploy the servlets
  • as a service, or
  • for a one-off run, as an application

• Access the remote machine

• Optionally, remove the servlets

Generate Encryption Key – step 1

• Generate Encryption Key – Tools dropdown entry

Generate Encryption Key – step 2

• Generation of the keypair

Generate Encryption Key – step 3

• Provide a user name and password for the key pair
  • traditionally the user name is Examiner

• Do not forget the user name and password

Generate Encryption Key – step 4

• Save the public key
  • the file is named <username>.PublicKey

Creation of the Direct Servlet

• Creation of the Direct Servlet requires the encryption keys
  • in communication, the servlet takes the public key,
  • the private key is used by EnCase

• Each OS needs different servlet code
  • for some OSes there can be more than one servlet file

Creation of the Direct Servlet – step 1

• Tools dropdown entry -> Create Direct Servlet

Creation of the Direct Servlet – step 2

• Choose the encryption key
  • it is essential that the public key file is in the default location in the filesystem so that EnCase can use it

• The key pair is identified by the user name used during key pair creation
  • the user name and password will decrypt the key files

Creation of the Direct Servlet – step 3

• Choose the platforms for which you would like to have servlets

• Choose the folder in which to store the servlets

Creation of the Direct Servlet – step 4

• Pressing Finish will create the servlets
  • Windows platform: „G:\cases\DirectNWPriview\Servlets” folder

Windows servlets

• 32- and 64-bit versions of the servlets

• They come in two forms
  • enstart.exe, a standalone program
    • better for running from USB
  • setup.msi, an installer
    • installs as a service on the target machine

Configure the Target Computer System

• One servlet can be installed on many target machines
  • you can talk with only one servlet at a time

• Start the servlet
  • you have to be a local administrator
  • from USB media: enstart.exe, or
  • install the service: setup.exe
    • the -h option prints help

• Record the IP address and check that the servlet is running and accessible

• For connecting from the EnCase workstation
  • password, IP address and TCP port are needed

Connecting to the servlet – step 1

• It is best to open a new case for each direct servlet access

• In the case, select
  • Add Evidence -> Add Network Preview -> Add Direct Network Preview

Choose encryption key – step 2

Connect to the servlet – step 3

• IP address or machine name together with the TCP port is needed
  • machine: COMPUTER19,
  • port: 4445

Choose devices to access on the remote machine

• It is the same as the other „add device” wizard menus

Do forensics

• It is done on the live remote machine

• At the end, do not forget to stop/remove the servlet from the target machine
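A target-side check covering two points from the slides: "check that the servlet is running and accessible" before connecting, and "do not forget to stop/remove the servlet" at the end. This is an added PowerShell example, not a tool shipped with EnCase; it assumes TCP port 4445 as shown on the slides, that the standalone servlet process is named enstart (from enstart.exe), and that it runs as local administrator so that process paths are visible.

```powershell
# Added example (not from the slides or EnCase). Reports whether anything is listening
# on the servlet port, which executable owns it, and the IPv4 addresses the examiner
# needs. Run it before connecting (expect IsServlet = True) and again after removal
# (expect Listening = False). Port and process name are assumptions taken from the slides.
param(
    [int]$Port = 4445,             # port shown on the "Connect to the servlet" slide
    [string]$ProcessName = 'enstart'  # assumed: process name of the standalone enstart.exe
)

function Get-ServletStatus {
    param([int]$Port, [string]$ProcessName)

    # First listening socket on the servlet port, if any
    $listener = Get-NetTCPConnection -LocalPort $Port -State Listen -ErrorAction SilentlyContinue |
        Select-Object -First 1

    # Owning process; needs administrator rights to see the path of a service process
    $proc = if ($listener) { Get-Process -Id $listener.OwningProcess -ErrorAction SilentlyContinue }

    # Non-loopback, non-APIPA IPv4 addresses the examiner workstation could connect to
    $addresses = Get-NetIPAddress -AddressFamily IPv4 |
        Where-Object { $_.IPAddress -notlike '127.*' -and $_.IPAddress -notlike '169.254.*' } |
        Select-Object -ExpandProperty IPAddress

    [pscustomobject]@{
        Listening   = [bool]$listener
        Port        = $Port
        Process     = if ($proc) { $proc.ProcessName } else { $null }
        Path        = if ($proc) { $proc.Path } else { $null }
        IsServlet   = [bool]($proc -and $proc.ProcessName -ieq $ProcessName)
        IPAddresses = $addresses
    }
}

$status = Get-ServletStatus -Port $Port -ProcessName $ProcessName
$status | Format-List

# Something else holding the port would make the EnCase connection fail silently
if ($status.Listening -and -not $status.IsServlet) {
    Write-Warning "Port $Port is in use by '$($status.Process)', not the servlet."
}
```

From the examiner workstation, `Test-NetConnection COMPUTER19 -Port 4445` confirms that the port recorded here is reachable across the network before opening the case.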