Abstract image of a woman sitting on books and studying on a laptop

Ecase direct servlet acess v1

Damir Delija, profile picture
Damir Delija

The document discusses EnCase Direct Network Preview, which allows an examiner to access and examine data on a powered-on computer remotely. It involves generating encryption key pairs, creating a direct servlet file using the public key, deploying the servlet on the target computer, and then connecting from the examiner's EnCase interface by providing the IP address and port. This enables viewing and analyzing the contents of drives, removable media, and memory on the live remote system without needing authentication files or passphrases if disks are encrypted.

Education
1 of 21
Downloaded 39 times
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
EnCase Direct Network Preview EnCase v7.06 and higher
Direct Network Preview • Direct Network Preview and Acquisition process was introduced in EnCase 7.06 as an option for powered on computers • It allows the examiner to view the target computer through the EnCase for Windows interface and conduct an examination just as if working from an image. • Direct Network Preview allows access of data on a target computer system while it is powered on, including • the contents of hard drives connected externally or internally, • removable media, • electronic memory. • If there is disk encryption on the target system the mounted volumes may be imaged without having to obtain the authentication files or passphrase(s).
Direct Network Preview EnCase Examiner Target machines with direct servlet
Preparation of the Examiner’s Computer • A small command-line program must be run on the target computer to enable a connection from the examiner’s computer an servlet. • Servlet contains an authentication key and authenticate access from the Encase computer system that created the servlet
Steps • Generation encryption key pairs • two files public and private keys are generate • Creating direct servelet with encryption keys • Deploying servlets • as service or • for one go as application • Accesing remote machine • Optional removing servlets
Generate Encryption Key – 1 step • Generate Encryption Key – tools dropdown entry
Generate Encryption Key - 2 step • Generation of the keypair
Generate Encryption Key – 3 step • Provide user name and password for keypair • traditionaly user is Examiner • Don’t forget username and password
Generate Encryption Key – 4 step • Save public key • it is <username>.PublicKey
Creation of the Direct Servlet • Creation of the Direct Servlet requires encryption keys • In communication • servlet takes public key, • private key is used by EnCase • Each OS needs different servlet code • for some OS there can be more than one servlet file
Creation of the Direct Servlet – step 1 • tools dropdown entry -> Create Direct Servlet
Creation of the Direct Servlet – step 2 • Choose encryption key • It is essential that public keyfile is in default position in filesystem so EnCase can use it • Keypair is defined by username used during key pair creation, • username passoword will decrypt key files
Creation of the Direct Servlet – step 3 • Choose for wich platform you like to have servlets • Choose in which folder to store servlets
Creation of the Direct Servlet – step 4 • Pressing on Finish will create servlets • Windows platform • „G:casesDirectNWPriviewServlets” folder
Windows servlets • 32 i 64bit version of servlets • can be in two forms • enstart.exe standalone program • better for running from USB • setup.msi as instaler • as a service on target machine
Configure the Target Computer System • One servlet can be installed on many target machines • you can talk only with one servlet in one moment • Start the servlet • you have to be local administrator • from usb media - enstart.exe or • install service setup.exe • option -h option for help • record IP adress and chek if servlet is running and accessible • For conecting from EnCase workstation • password, IP address, TCP port info is needed
Conneting to servlet – step 1 • Best to open new case for each direct servlet access • In case select • Add Evidence -> Add Network Preview -> Add Direct Network Preview
Choose encryption key - step 2
Connect to the servlet – step 3 • IP address or machine name with TCP port is needed machine: COMPUTER19, port: 4445
Choose devices to access on the remote machine • It is same as other „add device” wizard menu
Do forensics • It is on live remote machine • At the end do not forget to stop/remove servlet from target machine

More Related Content

PDF
Usage aspects techniques for enterprise forensics data analytics tools
Damir Delija
 
PDF
Datafoucs 2014 on line digital forensic investigations damir delija 2
Damir Delija
 
PDF
EnCase Enterprise Basic File Collection
Damir Delija
 
PDF
Ocr and EnCase
Damir Delija
 
PDF
LTEC 2013 - EnCase v7.08.01 presentation
Damir Delija
 
PDF
CNIT 121: 6 Discovering the Scope of the Incident & 7 Live Data Collection
Sam Bowne
 
PDF
CNIT 152: 1 Real-World Incidents
Sam Bowne
 
PDF
CNIT 152: 9 Network Evidence
Sam Bowne
 
Usage aspects techniques for enterprise forensics data analytics tools
Damir Delija
 
Datafoucs 2014 on line digital forensic investigations damir delija 2
Damir Delija
 
EnCase Enterprise Basic File Collection
Damir Delija
 
Ocr and EnCase
Damir Delija
 
LTEC 2013 - EnCase v7.08.01 presentation
Damir Delija
 
CNIT 121: 6 Discovering the Scope of the Incident & 7 Live Data Collection
Sam Bowne
 
CNIT 152: 1 Real-World Incidents
Sam Bowne
 
CNIT 152: 9 Network Evidence
Sam Bowne
 

What's hot (20)

PDF
CNIT 121: 11 Analysis Methodology
Sam Bowne
 
PDF
CNIT 152: 9 Network Evidence
Sam Bowne
 
PDF
CNIT 152 12. Investigating Windows Systems (Part 3)
Sam Bowne
 
PDF
CNIT 121: 12 Investigating Windows Systems (Part 3)
Sam Bowne
 
PDF
CNIT 152: 10 Enterprise Services
Sam Bowne
 
PDF
CNIT 152: 6. Scope & 7. Live Data Collection
Sam Bowne
 
PDF
CNIT 121: 9 Network Evidence
Sam Bowne
 
PDF
CNIT 152: 1 Real-World Incidents
Sam Bowne
 
PDF
CNIT 121: 4 Getting the Investigation Started on the Right Foot & 5 Initial D...
Sam Bowne
 
PDF
CNIT 121: 12 Investigating Windows Systems (Part 1 of 3)
Sam Bowne
 
PDF
CNIT 121: 3 Pre-Incident Preparation
Sam Bowne
 
PDF
CNIT 152: 3 Pre-Incident Preparation
Sam Bowne
 
PDF
CNIT 121: 13 Investigating Mac OS X Systems
Sam Bowne
 
PDF
CNIT 121: 2 IR Management Handbook
Sam Bowne
 
PDF
CNIT 152: 12b Windows Registry
Sam Bowne
 
PDF
CNIT 152: 4 Starting the Investigation & 5 Leads
Sam Bowne
 
PDF
CNIT 121: Computer Forensics Ch 1
Sam Bowne
 
PPTX
Practical Malware Analysis: Ch 2 Malware Analysis in Virtual Machines & 3: Ba...
Sam Bowne
 
PDF
CNIT 152: 6 Scoping & 7 Live Data Collection
Sam Bowne
 
PDF
CNIT 121: 12 Investigating Windows Systems (Part 2 of 3)
Sam Bowne
 
CNIT 121: 11 Analysis Methodology
Sam Bowne
 
CNIT 152: 9 Network Evidence
Sam Bowne
 
CNIT 152 12. Investigating Windows Systems (Part 3)
Sam Bowne
 
CNIT 121: 12 Investigating Windows Systems (Part 3)
Sam Bowne
 
CNIT 152: 10 Enterprise Services
Sam Bowne
 
CNIT 152: 6. Scope & 7. Live Data Collection
Sam Bowne
 
CNIT 121: 9 Network Evidence
Sam Bowne
 
CNIT 152: 1 Real-World Incidents
Sam Bowne
 
CNIT 121: 4 Getting the Investigation Started on the Right Foot & 5 Initial D...
Sam Bowne
 
CNIT 121: 12 Investigating Windows Systems (Part 1 of 3)
Sam Bowne
 
CNIT 121: 3 Pre-Incident Preparation
Sam Bowne
 
CNIT 152: 3 Pre-Incident Preparation
Sam Bowne
 
CNIT 121: 13 Investigating Mac OS X Systems
Sam Bowne
 
CNIT 121: 2 IR Management Handbook
Sam Bowne
 
CNIT 152: 12b Windows Registry
Sam Bowne
 
CNIT 152: 4 Starting the Investigation & 5 Leads
Sam Bowne
 
CNIT 121: Computer Forensics Ch 1
Sam Bowne
 
Practical Malware Analysis: Ch 2 Malware Analysis in Virtual Machines & 3: Ba...
Sam Bowne
 
CNIT 152: 6 Scoping & 7 Live Data Collection
Sam Bowne
 
CNIT 121: 12 Investigating Windows Systems (Part 2 of 3)
Sam Bowne
 
Ad

Similar to Ecase direct servlet acess v1 (20)

PPTX
Securing a Windows Infrastructure using Windows Server 2012 & Windows 8 Built...
Microsoft TechNet - Belgium and Luxembourg
 
PDF
Philly Tech Fest Upgrade To Windows Server 2008 R2
Springhouse Education and Consulting Services
 
PPTX
Windows 7 For Itpro
Eduardo Castro
 
PPTX
01 overview-servlets-and-environment-setup
dhrubo kayal
 
PDF
Hacking intranet websites
shehab najjar
 
PDF
Microsoft Forefront - Unified Access Gateway 2010 Datasheet
Microsoft Private Cloud
 
PPSX
Bo sa nova enterprise_pres_8
home
 
PPTX
JAVA
rithika858339
 
PPT
presentation
Peter Oswald
 
PDF
Microsoft Windows Nt
isma ishak
 
PDF
Encase V7 Presented by Guidance Software august 2011
CTIN
 
PPTX
Configuring and Implementing DirectAccess with Windows Server 2012
Microsoft TechNet - Belgium and Luxembourg
 
PPT
Windows 7 Seminar - Acend Corporate Learning
Acend Corporate Learning
 
PDF
Implementing High Availability Caching with Memcached
Gear6
 
DOC
Unit5 servlets
Praveen Yadav
 
PDF
"Intrusion Techniques (Open Source Tools)" por Ewerson Guimarães por
SegInfo
 
PPT
Web servers – features, installation and configuration
webhostingguy
 
PPTX
Systems Administration
Mark John Lado, MIT
 
PPTX
Remote forensics fsec2016 delija draft
Damir Delija
 
PDF
Dssh @ Confidence, Prague 2010
Juraj Bednar
 
Securing a Windows Infrastructure using Windows Server 2012 & Windows 8 Built...
Microsoft TechNet - Belgium and Luxembourg
 
Philly Tech Fest Upgrade To Windows Server 2008 R2
Springhouse Education and Consulting Services
 
Windows 7 For Itpro
Eduardo Castro
 
01 overview-servlets-and-environment-setup
dhrubo kayal
 
Hacking intranet websites
shehab najjar
 
Microsoft Forefront - Unified Access Gateway 2010 Datasheet
Microsoft Private Cloud
 
Bo sa nova enterprise_pres_8
home
 
JAVA
rithika858339
 
presentation
Peter Oswald
 
Microsoft Windows Nt
isma ishak
 
Encase V7 Presented by Guidance Software august 2011
CTIN
 
Configuring and Implementing DirectAccess with Windows Server 2012
Microsoft TechNet - Belgium and Luxembourg
 
Windows 7 Seminar - Acend Corporate Learning
Acend Corporate Learning
 
Implementing High Availability Caching with Memcached
Gear6
 
Unit5 servlets
Praveen Yadav
 
"Intrusion Techniques (Open Source Tools)" por Ewerson Guimarães por
SegInfo
 
Web servers – features, installation and configuration
webhostingguy
 
Systems Administration
Mark John Lado, MIT
 
Remote forensics fsec2016 delija draft
Damir Delija
 
Dssh @ Confidence, Prague 2010
Juraj Bednar
 
Ad

More from Damir Delija (20)

PDF
6414 preparation and planning of the development of a proficiency test in the...
Damir Delija
 
PDF
6528 opensource intelligence as the new introduction in the graduate cybersec...
Damir Delija
 
PDF
Uvođenje novih sadržaja u nastavu digitalne forenzike i kibernetičke sigurnos...
Damir Delija
 
PPTX
Cis 2016 moč forenzičikih alata 1.1
Damir Delija
 
PPTX
Draft current state of digital forensic and data science
Damir Delija
 
PDF
Why i hate digital forensics - draft
Damir Delija
 
DOCX
Concepts and Methodology in Mobile Devices Digital Forensics Education and Tr...
Damir Delija
 
PPTX
Deep Web and Digital Investigations
Damir Delija
 
PDF
Olaf extension td3 inisg2 2
Damir Delija
 
PDF
Moguće tehnike pristupa forenzckim podacima 09.2013
Damir Delija
 
PPT
Cis 2013 digitalna forenzika osvrt
Damir Delija
 
PPT
Ibm aix wlm idea
Damir Delija
 
PDF
Aix workload manager
Damir Delija
 
PDF
2013 obrada digitalnih dokaza
Damir Delija
 
PDF
Tip zlocina digitalni dokazi
Damir Delija
 
PDF
Sigurnost i upravljanje distribuiranim sustavima
Damir Delija
 
PDF
Improving data confidentiality in personal computer environment using on line...
Damir Delija
 
PDF
Communication network simulation on the unix system trough use of the remote ...
Damir Delija
 
PDF
Mehanizmi razmjene poruka ostvareni preko RPCa
Damir Delija
 
PDF
Tip zlocina digitalni dokazi
Damir Delija
 
6414 preparation and planning of the development of a proficiency test in the...
Damir Delija
 
6528 opensource intelligence as the new introduction in the graduate cybersec...
Damir Delija
 
Uvođenje novih sadržaja u nastavu digitalne forenzike i kibernetičke sigurnos...
Damir Delija
 
Cis 2016 moč forenzičikih alata 1.1
Damir Delija
 
Draft current state of digital forensic and data science
Damir Delija
 
Why i hate digital forensics - draft
Damir Delija
 
Concepts and Methodology in Mobile Devices Digital Forensics Education and Tr...
Damir Delija
 
Deep Web and Digital Investigations
Damir Delija
 
Olaf extension td3 inisg2 2
Damir Delija
 
Moguće tehnike pristupa forenzckim podacima 09.2013
Damir Delija
 
Cis 2013 digitalna forenzika osvrt
Damir Delija
 
Ibm aix wlm idea
Damir Delija
 
Aix workload manager
Damir Delija
 
2013 obrada digitalnih dokaza
Damir Delija
 
Tip zlocina digitalni dokazi
Damir Delija
 
Sigurnost i upravljanje distribuiranim sustavima
Damir Delija
 
Improving data confidentiality in personal computer environment using on line...
Damir Delija
 
Communication network simulation on the unix system trough use of the remote ...
Damir Delija
 
Mehanizmi razmjene poruka ostvareni preko RPCa
Damir Delija
 
Tip zlocina digitalni dokazi
Damir Delija
 

Recently uploaded (20)

DOC
Soft-furnishing-By-Architect-A.F.M.Mohiuddin-Akhand.doc
ArchitectAFMMohiuddi
 
PDF
Trump Administration's workforce development strategy
Mebane Rash
 
PDF
Hazard Identification & Risk Assessment .pdf
estagiarioprotegesms
 
PPTX
Onco Emergencies - Spinal cord compression Superior vena cava syndrome Febr...
Medpopz
 
PDF
Empowerment Technology for Senior High School Guide
solthereseamericandr
 
PDF
AI-driven educational solutions for real-life interventions in the Philippine...
EleniIlkou
 
PPTX
Share_Module_2_Power_conflict_and_negotiation.pptx
Lavanyaj33
 
PPTX
B.Sc. DS Unit 2 Software Engineering.pptx
Dr. Pallawi Bulakh
 
PDF
Environmental Education MCQ BD2EE - Share Source.pdf
Dr Raja Mohammed T
 
PDF
BP 704 T. NOVEL DRUG DELIVERY SYSTEMS (UNIT 2).pdf
CMEmpire
 
PDF
ChatGPT for Dummies - Pam Baker Ccesa007.pdf
Demetrio Ccesa Rayme
 
PDF
Complications of Minimal Access-Surgery.pdf
Laparoscopy Hospital
 
PDF
IGGE1 Understanding the Self1234567891011
rhea22labucay
 
PPTX
Introduction to pro and eukaryotes and differences.pptx
AvaniKarumathil
 
PDF
Paper A Mock Exam 9_ Attempt review.pdf.
SameeraNaveed2
 
PDF
1.3 FINAL REVISED K-10 PE and Health CG 2023 Grades 4-10 (1).pdf
JohnJerryDalawampu
 
PDF
My India Quiz Book_20210205121199924.pdf
AtandraDey2
 
PDF
Weekly quiz Compilation Jan -July 25.pdf
Nitin Suresh
 
PDF
FOISHS ANNUAL IMPLEMENTATION PLAN 2025.pdf
EllenJoyCaniya2
 
PDF
advance database management system book.pdf
hinamannan364
 
Soft-furnishing-By-Architect-A.F.M.Mohiuddin-Akhand.doc
ArchitectAFMMohiuddi
 
Trump Administration's workforce development strategy
Mebane Rash
 
Hazard Identification & Risk Assessment .pdf
estagiarioprotegesms
 
Onco Emergencies - Spinal cord compression Superior vena cava syndrome Febr...
Medpopz
 
Empowerment Technology for Senior High School Guide
solthereseamericandr
 
AI-driven educational solutions for real-life interventions in the Philippine...
EleniIlkou
 
Share_Module_2_Power_conflict_and_negotiation.pptx
Lavanyaj33
 
B.Sc. DS Unit 2 Software Engineering.pptx
Dr. Pallawi Bulakh
 
Environmental Education MCQ BD2EE - Share Source.pdf
Dr Raja Mohammed T
 
BP 704 T. NOVEL DRUG DELIVERY SYSTEMS (UNIT 2).pdf
CMEmpire
 
ChatGPT for Dummies - Pam Baker Ccesa007.pdf
Demetrio Ccesa Rayme
 
Complications of Minimal Access-Surgery.pdf
Laparoscopy Hospital
 
IGGE1 Understanding the Self1234567891011
rhea22labucay
 
Introduction to pro and eukaryotes and differences.pptx
AvaniKarumathil
 
Paper A Mock Exam 9_ Attempt review.pdf.
SameeraNaveed2
 
1.3 FINAL REVISED K-10 PE and Health CG 2023 Grades 4-10 (1).pdf
JohnJerryDalawampu
 
My India Quiz Book_20210205121199924.pdf
AtandraDey2
 
Weekly quiz Compilation Jan -July 25.pdf
Nitin Suresh
 
FOISHS ANNUAL IMPLEMENTATION PLAN 2025.pdf
EllenJoyCaniya2
 
advance database management system book.pdf
hinamannan364
 

Ecase direct servlet acess v1

  • 2. Direct Network Preview • Direct Network Preview and Acquisition process was introduced in EnCase 7.06 as an option for powered on computers • It allows the examiner to view the target computer through the EnCase for Windows interface and conduct an examination just as if working from an image. • Direct Network Preview allows access of data on a target computer system while it is powered on, including • the contents of hard drives connected externally or internally, • removable media, • electronic memory. • If there is disk encryption on the target system the mounted volumes may be imaged without having to obtain the authentication files or passphrase(s).
  • 3. Direct Network Preview EnCase Examiner Target machines with direct servlet
  • 4. Preparation of the Examiner’s Computer • A small command-line program must be run on the target computer to enable a connection from the examiner’s computer an servlet. • Servlet contains an authentication key and authenticate access from the Encase computer system that created the servlet
  • 5. Steps • Generation encryption key pairs • two files public and private keys are generate • Creating direct servelet with encryption keys • Deploying servlets • as service or • for one go as application • Accesing remote machine • Optional removing servlets
  • 6. Generate Encryption Key – 1 step • Generate Encryption Key – tools dropdown entry
  • 7. Generate Encryption Key - 2 step • Generation of the keypair
  • 8. Generate Encryption Key – 3 step • Provide user name and password for keypair • traditionaly user is Examiner • Don’t forget username and password
  • 9. Generate Encryption Key – 4 step • Save public key • it is <username>.PublicKey
  • 10. Creation of the Direct Servlet • Creation of the Direct Servlet requires encryption keys • In communication • servlet takes public key, • private key is used by EnCase • Each OS needs different servlet code • for some OS there can be more than one servlet file
  • 11. Creation of the Direct Servlet – step 1 • tools dropdown entry -> Create Direct Servlet
  • 12. Creation of the Direct Servlet – step 2 • Choose encryption key • It is essential that public keyfile is in default position in filesystem so EnCase can use it • Keypair is defined by username used during key pair creation, • username passoword will decrypt key files
  • 13. Creation of the Direct Servlet – step 3 • Choose for wich platform you like to have servlets • Choose in which folder to store servlets
  • 14. Creation of the Direct Servlet – step 4 • Pressing on Finish will create servlets • Windows platform • „G:casesDirectNWPriviewServlets” folder
  • 15. Windows servlets • 32 i 64bit version of servlets • can be in two forms • enstart.exe standalone program • better for running from USB • setup.msi as instaler • as a service on target machine
  • 16. Configure the Target Computer System • One servlet can be installed on many target machines • you can talk only with one servlet in one moment • Start the servlet • you have to be local administrator • from usb media - enstart.exe or • install service setup.exe • option -h option for help • record IP adress and chek if servlet is running and accessible • For conecting from EnCase workstation • password, IP address, TCP port info is needed
  • 17. Conneting to servlet – step 1 • Best to open new case for each direct servlet access • In case select • Add Evidence -> Add Network Preview -> Add Direct Network Preview
  • 19. Connect to the servlet – step 3 • IP address or machine name with TCP port is needed machine: COMPUTER19, port: 4445
  • 20. Choose devices to access on the remote machine • It is same as other „add device” wizard menu
  • 21. Do forensics • It is on live remote machine • At the end do not forget to stop/remove servlet from target machine