2. Direct Network Preview
• The Direct Network Preview and Acquisition process was introduced in EnCase
7.06 as an option for powered-on computers
• It allows the examiner to view the target computer through the EnCase for
Windows interface and conduct an examination just as if working from an
image.
• Direct Network Preview allows access to data on a target computer system
while it is powered on, including
  • the contents of hard drives connected externally or internally,
  • removable media,
  • electronic memory.
• If there is disk encryption on the target system, the mounted volumes may
be imaged without having to obtain the authentication files or
passphrase(s).
4. Preparation of the Examiner’s Computer
• A small command-line program, a servlet, must be run on the target computer
to enable a connection from the examiner’s computer.
• The servlet contains an authentication key and authenticates access from
the EnCase computer system that created the servlet
5. Steps
• Generating encryption key pairs
  • two files, the public and private keys, are generated
• Creating the direct servlet with the encryption keys
• Deploying the servlets
  • as a service or
  • as an application, for a single run
• Accessing the remote machine
• Optionally removing the servlets
10. Creation of the Direct Servlet
• Creation of the Direct Servlet requires encryption keys
• In communication
  • the servlet takes the public key,
  • the private key is used by EnCase
• Each OS needs different servlet code
  • for some OSes there can be more than one servlet file
11. Creation of the Direct Servlet – step 1
• Tools dropdown entry -> Create Direct Servlet
12. Creation of the Direct Servlet – step 2
• Choose the encryption key
• It is essential that the public key file is in its default location in the filesystem so EnCase can use it
• The key pair is identified by the username used during key pair creation
• The password for that username will decrypt the key files
13. Creation of the Direct Servlet – step 3
• Choose the platforms for which you would like to have servlets
• Choose the folder in which to store the servlets
14. Creation of the Direct Servlet – step 4
• Pressing Finish will create the servlets
• Windows platform
• "G:casesDirectNWPriviewServlets" folder
15. Windows servlets
• 32- and 64-bit versions of the servlets
• can be in two forms
  • enstart.exe, a standalone program
    • better for running from USB
  • setup.msi, as an installer
    • as a service on the target machine
16. Configure the Target Computer System
• One servlet can be installed on many target machines
  • you can communicate with only one servlet at a time
• Start the servlet
  • you have to be a local administrator
  • from USB media - enstart.exe or
  • install the service with setup.exe
  • the -h option shows help
• Record the IP address and check that the servlet is running and accessible
• For connecting from the EnCase workstation
  • the password, IP address and TCP port are needed
17. Connecting to the servlet – step 1
• It is best to open a new case for each direct servlet access
• In the case, select
• Add Evidence -> Add Network Preview -> Add Direct Network Preview