160
EnCase Forensic Version 6.11 Userʹs Guide
The Update command updates the Users tree display. When a userʹs private key is added to
the default
C:/Program Files/EnCase6/Keys
folder or any other folder specified by the
current root path, the tree does not immediately display the new user. The new user appears
when the wizard is opened again, or when the User tree is updated.
Use the Change Root Path command to specify a folder that contains the private keys of
users other than the default folder. Specify the root path in the Browse for Folder dialog. The
Users tree contains only those users in the folder specified as the new root path.
Browse for Folder Dialog
Use this dialog to change the root path in the Users tree and the SAFE tree to specify the path to
folders containing keys for users or SAFEs. The default path is
C:/Program
Files/EnCase6/Keys
.
The Users tree is based on the private keys contained in the folder defined by the root path. The
SAFE tree is based on .SAFE files contained in the folder defined by the root path. Both types of
files are in the
C:/Program Files/EnCase6/Keys
folder.
Moving these key files while the trees are displayed requires a refresh to update the trees.
Path displays a tree to navigate to the folder containing the keys.
Case Management
161
SAFE Page of the Logon Wizard
The SAFE page of the Logon wizard determines if SAFE is associated with and used by the
current user.
SAFE contains the SAFEs tree that organizes all the SAFEs that are installed. The user selects
a SAFE to complete the logon.
SAFEs Root Object provides additional functionality through a right‐click menu such as
editing the settings of the SAFE
changing the root directory
logging on to a remote SAFE
additional commands that expand or collapse the SAFEs tree
SAFE Objects provides additional functionality through a right‐click menu such as
editing the settings of the SAFE
changing the root directory
logging on to a remote SAFE
SAFE Right-Click Menu
The SAFE right‐click menu provides additional functionality.
162
EnCase Forensic Version 6.11 Userʹs Guide
Edit opens the Edit SAFE Dialog where SAFE settings are defined and remote logons are
enabled.
Update updates the Users tree display. When a userʹs private key is added to the default
C:/Program Files/EnCase6/Keys
folder or any other folder specified by the current
root path, the tree does not immediately display the new user. The new user appears when
the wizard is opened again, or when the User tree is updated.
Use the Change Root Path command to specify a folder that contains the private keys of
users other than the default folder. Specify the root path in the Browse for Folder dialog. The
Users tree contains only those users in the folder specified as the new root path.
Browse for Folder Dialog
Use this dialog to change the root path used in the Users tree and the SAFE tree to specify the
path to folders containing keys for users or SAFEs. The default path is
C:/Program
Files/EnCase6/Keys
.
The Userʹs tree is based on the private keys contained in the folder defined by the root path. The
SAFE tree is based on .SAFE files contained in the folder defined by the root path. Both types of
files are found in the
C:/Program Files/EnCase6/Keys
folder.
Moving these key files while the trees are displayed requires a refresh to update the trees.
Path displays a tree to navigate to the folder containing the keys.
Case Management
163
Edit SAFE Dialog
The Edit SAFE dialog contains settings that define connections to the SAFE and enable remote
login.
164
EnCase Forensic Version 6.11 Userʹs Guide
Machine Name contains the IP address to the machine or subnet that constitutes the SAFE or
SAFEs accessed using the named SAFE.
Remote SAFE determines if communications with the node will be routed through the SAFE,
so the SAFE stands between the client and the node. Enabling this setting allows you to
provide a value for Inbound Port and to use its value communicating with the remote SAFE.
Inbound Port determines which port is used when communicating with the remote SAFE at
the IP address specified in Machine Name.
Attempt Direct Connection contains settings that determine what kind of connection is
made to the specified SAFE.
None should be enabled when the target system cannot establish a connection with an EE
client. Then all traffic is redirected through the SAFE server. This can increase
communication times; however, it provides the investigator with the ability to obtain data
that is otherwise not available.
Client to Node (Local) should be enabled when the client (Examiner) and the node (servlet)
reside on the same network, and the SAFE resides on a different network. This allows data to
transfer directly from the node to the client, after the client successfully authenticates
through the SAFE. Also the client will use the IP address that the node believes it has, rather
then the IP address the SAFE has for the node. In this configuration, the network should be
designed so that all the company’s employees are located on the Corporate Desktop
Network, and should employ routing/NATing.
Client to Node (SAFE) enables NAT, where a private IP address is mapped to a public IP
address. Typically, the SAFE and node reside on the same subnet, and the client on another.
This allows data to transfer directly from the node to the client, after the client successfully
authenticates through the SAFE. The client also uses the IP address that the SAFE believes
the node has, rather then the IP address the node reports it has to allow a direct connection
between the client and node machine. This option is enabled by default.
Node to Client operates similarly to the Client to Node (SAFE) mode, except that the node
attempts the direct connection to the client. It is used when you desire direct data transfer
between the node and the client, and there is NATing or a firewall prohibiting the node from
sending data directly to the local IP/default port of the client. Once you check this option, the
Client return address configuration box becomes available to enter the NATed IP address
and custom port (e.g., 192.168.4.1:1545). The Client return address box is disabled unless this
option is selected.