Short info on using direvt servlet in Encase

1. EnCase Direct Network
Preview
EnCase v7.06 and higher

2. Direct Network Preview
• Direct Network Preview and Acquisition process was introduced in EnCase
7.06 as an option for powered on computers
• It allows the examiner to view the target computer through the EnCase for
Windows interface and conduct an examination just as if working from an
image.
• Direct Network Preview allows access of data on a target computer system
while it is powered on, including
• the contents of hard drives connected externally or internally,
• removable media,
• electronic memory.
• If there is disk encryption on the target system the mounted volumes may
be imaged without having to obtain the authentication files or
passphrase(s).

3. Direct Network Preview
EnCase Examiner
Target machines with direct servlet

4. Preparation of the Examiner’s Computer
• A small command-line program must be run on the target computer to
enable a connection from the examiner’s computer an servlet.
• Servlet contains an authentication key and authenticate access from
the Encase computer system that created the servlet

5. Steps
• Generation encryption key pairs
• two files public and private keys are generate
• Creating direct servelet with encryption keys
• Deploying servlets
• as service or
• for one go as application
• Accesing remote machine
• Optional removing servlets

6. Generate Encryption Key – 1 step
• Generate Encryption Key – tools dropdown entry

7. Generate Encryption Key - 2 step
• Generation of the keypair

8. Generate Encryption Key – 3 step
• Provide user name and password for keypair
• traditionaly user is Examiner
• Don’t forget username and password

9. Generate Encryption Key – 4 step
• Save public key
• it is
<username>.PublicKey

10. Creation of the Direct Servlet
• Creation of the Direct Servlet requires encryption keys
• In communication
• servlet takes public key,
• private key is used by EnCase
• Each OS needs different servlet code
• for some OS there can be more than one servlet file

11. Creation of the Direct Servlet – step 1
• tools dropdown entry -> Create Direct Servlet

12. Creation of the Direct Servlet – step 2
• Choose encryption key
• It is essential that public
keyfile is in default position
in filesystem so EnCase can
use it
• Keypair is defined by
username used during key
pair creation,
• username passoword will
decrypt key files

13. Creation of the Direct Servlet – step 3
• Choose for wich
platform you like to
have servlets
• Choose in which
folder to store
servlets

14. Creation of the Direct Servlet – step 4
• Pressing on Finish will create servlets
• Windows platform
• „G:casesDirectNWPriviewServlets” folder

15. Windows servlets
• 32 i 64bit version of servlets
• can be in two forms
• enstart.exe standalone program
• better for running from USB
• setup.msi as instaler
• as a service on target machine

16. Configure the Target Computer System
• One servlet can be installed on many target machines
• you can talk only with one servlet in one moment
• Start the servlet
• you have to be local administrator
• from usb media - enstart.exe or
• install service setup.exe
• option -h option for help
• record IP adress and chek if servlet is running and accessible
• For conecting from EnCase workstation
• password, IP address, TCP port info is needed

17. Conneting to servlet – step 1
• Best to open new case for each
direct servlet access
• In case select
• Add Evidence -> Add Network Preview -> Add Direct Network Preview

18. Choose encryption key - step 2

19. Connect to the servlet – step 3
• IP address or machine name with TCP port is needed
machine: COMPUTER19,
port: 4445

20. Choose devices to access on the remote machine
• It is same as other „add device” wizard menu

21. Do forensics
• It is on live remote machine
• At the end do not forget to stop/remove servlet from target machine