New Features
Snapshot to DB Module Set
This script takes snapshots of nodes across a network and stores the snapshots in a SQL
database. It also reads from the database to create reports on the snapshots taken. It allows for
minimal maintenance on the database so that you can control the amount of data stored.
Three EnScripts work with the database to perform their tasks:
Initialize Database.EnScript
Snapshot to DB.EnScript
Snapshot DB Reports.EnScript
Lotus Notes Local Database Encryption
EnCase can now decrypt a local Lotus Notes user mailbox (NSF file suffix). The local mailbox is a
replica of the corresponding encrypted mailbox on the Domino server.
EnCase Examiner Support for Microsoft Vista
EnCase Examiner now supports the Windows Vista operating system.
EnCase must run as an administrator to access the local Vista computer.
64-Bit EnCase Servlet
EnCase now includes a servlet for the 64‐bit versions of Windows XP, 2003, and Vista operating
systems.
If the servlet is not installed as a service, you must run it using Run as Administrator.
EnCase Forensic Version 6.11 User's Guide
Send to HBGary Responder EnScript
This EnScript passes a memory object gathered by EnCase to HBGary's Responder software.
The EnScript drops the physical evidence device information, byte for byte, into a flat file and
sends it to Responder.
CHAPTER 3
Installing EnCase Forensic
In This Chapter
The EnCase Installer
Installing Security Keys
Troubleshooting Security Keys
Obtaining Updates
Configuring Your EnCase Application
Sharing Configuration Files
Vista Examiner Support
Running a 32-bit Application on a 64-bit Platform
The EnCase Installer
The EnCase installer copies the program and its drivers to the end user's computer or client and
initializes drivers and services with the operating system.
The investigator can select where to install the EnCase Examiner. The default is the Program
Files folder. If a selected directory exists, the installer overwrites any existing program files, logs,
and drivers.
Minimum Requirements
For best performance, examination computers should be configured with at least the following
hardware and software:
An EnCase security key (also known as a dongle)
Certificates for all purchased modules (known as certs)
A current version of EnCase Examiner
Pentium IV 1.4 GHz or faster processor
One GB of RAM
Windows 2000, XP Professional, or 2003 Server
55 MB of free hard drive space
The program also supports the 64‐bit version of Windows.
Note: Intel Itanium processors are not supported.
Note: FastBloc SE supports only the USB interface with the 64-bit version.
Installing the Examiner
If you are using Local Processing, install the program by inserting the CD into a player and
waiting for autostart. Do this for each client. If you are using Terminal Services, install the program
using the Add/Remove programs wizard on the application server.
Once installation begins, a wizard displays:
Note: C:\Program Files\EnCase6 is the default install path.
1. Enter an installation path or accept the default and click Next.
2. Read and agree with the EnCase License Agreement and click Next.
3. Click Next.
4. Select Reboot Later or Reboot Now and click Finish.
Installed Files
During installation, the program copies itself and a collection of associated files to the target
directory.
The installer places a startup icon on the desktop. In addition, a number of folders and files are
installed in the target folder during installation.
Certs Folder
EnCase.pcert
Config Folder
AppDescriptors.ini
FileSignatures.ini
FileTypes.ini
Filters.ini
Keywords.ini
Profiles.ini
TextStyles.ini
Storage Folder
CaseReport.ini
Compromise Assessment Module.ini
DifferentialReport.ini
SweepEnterpriseWEbReport.ini
Forensic EnScript Component Folder
Case Processor.EnScript
File Mounter.EnScript
Index Case.EnScript
Scan Local Machine.EnScript
Webmail Parser.EnScript