
Guidance Software SAFE

USER GUIDE
Version a.05
Copyright 2017 Guidance Software, Inc. All rights reserved.

EnCase, EnScript, Tableau, FastBloc, Guidance Software and EnCE are registered trademarks or trademarks owned by
Guidance Software in the United States and other jurisdictions and may not be used without prior written permission. All other
marks and brands may be claimed as the property of their respective owners. Products and corporate names appearing in this
work may or may not be registered trademarks or copyrights of their respective companies, and are used only for identification
or explanation into the owners' benefit, without intent to infringe. Any use and duplication of this work is subject to the terms of
the license agreement between you and Guidance Software, Inc. Except as stated in the license agreement or as otherwise
permitted under Sections 107 or 108 of the 1976 United States Copyright Act, no part of this work may be reproduced, stored in a
retrieval system or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning or
otherwise. Product manuals and documentation are specific to the software versions for which they are written. For previous or
outdated versions of this work, please contact Guidance Software, Inc. at http://www.guidancesoftware.com. Information
contained in this work is furnished for informational use only, and is subject to change at any time without notice.

OpenStreetMap contributors. The Open Street data is available under the Open Database License. The cartography is licensed
under the Creative Commons Attribution-ShareAlike 2.0 license (CC BY-SA). Please refer to this page for more information:
https://www.openstreetmap.org/copyright.
CONTENTS

Preface 11
About this Book 11

CHAPTER 1 Overview 13
SAFE and License Manager Overview 15
The SAFE Server 15
The License Manager 16
The Desktop Client 16
System Requirements 17

CHAPTER 2 Installing the SAFE and License Manager 19
Preparing to Install the SAFE and License Manager 21
Guidance Software SAFE and License Manager Installation Overview 22
Installing the Guidance Software SAFE and License Manager 23
Installing the SAFE 25
Activating the Software License for the SAFE 32
Running the SAFE under a Non-Local Service Account 38
VMware Support 39

Performing a Quick Update of the SAFE 39
Installing License Manager 40
Activating a License for License Manager 40
Installing License Manager 42

CHAPTER 3 Configuring the SAFE 49


Generating Encryption Keys 51
Changing the Keys Folder Location 54
Validating the SAFE Configuration 54
Configuring SAFE Settings for Desktop Clients 54
Logging On to the SAFE 56
Setting up the Network Tree 59
Configuring the SAFE 60
Integration with Active Directory 61
SAFE Account Types 62
Configuring Active Directory Groups 62
Securing a Keymaster Account 62
Securing Regular User SAFE Accounts 64
SAFE Configuration Package 64
Creating a SAFE Configuration Package 65
Installing a SAFE using a SAFE Configuration Package 66
Backing Up the SAFE 66
Enabling Enhanced Agent Functionality 68

CHAPTER 4 Using the SAFE Configuration Tool 71


Overview 72
Logging On to the SAFE 72
Logoff 76
Setting up the Network Tree 77
Setting up Roles 78
Setting up User Accounts 83
Accessing Event Logs 86

Network Plugin Repository 89
Generate Encryption Keys 92

CHAPTER 5 Managing SAFE User Accounts and Roles 97


Overview 99
Setting up User Accounts 100
Setting up Roles 104
Assigning User Permissions and Roles 110
SAFE User Management Role 112
Ability to Lock Require Case Information Setting 113
Resetting a User Password 114
Integration with Active Directory 115
SAFE Account Types 116
Configuring Active Directory Groups 116
Securing a Keymaster Account 116
Securing Regular User SAFE Accounts 118
Managing Encryption Keys 118
Encryption Keys Tab Functions 118
Opening the Encryption Keys Tab 118
Creating Encryption Keys 119
Changing Passwords 120
Deleting Encryption Keys 121

CHAPTER 6 Configuring License Manager 123


Configuring Desktop Clients to use License Manager 125
Copying License and License Manager Public Key Files 126
Verifying License Manager Connectivity 127

CHAPTER 7 Deploying and Managing Agents 129


Overview 131
Port Configuration 131

Variables 132
Deploying Agents 132
Automatically Deploying Agents 133
Modifying Control Scripts for Automatic Deployment of Agents 134
Deploying Check In Agents 136
Deploying Windows Agents 136
Running Windows Agents as a Service or as a Process 139
Deploying Windows Agents with Active Directory 141
Deploying Windows Agents Using a Domain Push 141
Deploying Windows Agents Using PsTools 142
Creating a Text File of Nodes 143
Deploying Windows Agents Using IPC$ and PsExec 145
Deploying Windows Agents Using Removable Media and PsExec 147
Copying *NIX Agents 148
Copying *NIX Agents Using Removable Media 149
Copying *NIX Agents Using SSH and SCP 149
Copying *NIX Agents Using Telnet and FTP 150
Deploying Linux Agents 150
Running a Linux Agent as a Process 151
Deploying the Linux Agent Using inittab 151
Deploying the Linux Agent using inetd 152
Deploying Solaris Agents 153
Solaris Agent Files 153
Solaris Version 153
Identifying the Solaris Kernel 153
Before Deploying Solaris Agents 154
Installing the Solaris 11 Agent 154
Installing the Tar Package 154
Running a Solaris Agent as a Process 155
Deploying in Solaris Using inittab 155
Deploying AIX Agents 156
Deploying OS X Agents 157
Deploying Agents on OS X 10.6 and Newer Versions 158

Deploying Agents on OS X 10.4/5 158
Deploying Agents on OS X 10.3 or Older 160
Running in OS X Using xinetd 161
Running in OS X Using launchd 162
Configuring the OS X Agent to Work with Check In Functionality 164
Using Code-Signed Mac Agents 165
HP-UX VxFS and Agent Support 166
Supported Hardware 166
Supported Operating Systems 166
Additional Resources 166
Installing the HP-UX Agent 166
Running the HP-UX Agent 167
McAfee ePolicy Orchestrator (ePO) Integration 167
Checking In the ePO Agent Package 168
Installing the Optional Guidance Software Agent Extension 168
Creating an Agent Deployment Task 168
Verifying Agent Deployment 170
Verifying Agent Deployment with Net Start Command 170
Verifying Agent Deployment with Netstat Command 170
Verifying Agent Deployment Using Telnet 171
Verifying AIX Agent Deployment 171
Stopping and Removing Agents 172
Stopping an Agent Using PsTools 172
Removing Check In Functionality 172
Removing the Agent in Windows 173
Removing the Agent from Linux or OS X 175
Removing the Solaris Package 176
Removing the AIX Package 177
Stopping the SAFE 177

CHAPTER 8 Troubleshooting 179


Troubleshooting the SAFE 181

Checking the SAFE Status 181
Checking the Agent Status 182
Checking the Desktop Client Status 182
Viewing and Exporting Event Log Files 184
Logon Events 184
System Events 184
Role Events 185
Administration Events 185
Windows Authentication Events 186
Job Events 186
Accessing Event Logs 186
Printing or Exporting Event Logs 189
Troubleshooting License Manager 191

CHAPTER 9 Support 193


Overview 195
Find Support Online 195
Access the Customer Community 196
View Customer Forums 197
Browse the Knowledge Base 197
Log and Track Issues 197
Register your Product 197
Register your Account 197
Contact Guidance Software 198
Contact Sales 198
Contact Customer Service 198
Contact Technical Support 199
Chat with a Technical Services Engineer 200
Contact EnCase eDiscovery Review Technical Support 200

Glossary 201

Index 209

PREFACE
About this Book
This book is written for Guidance Software SAFE (Secure Authentication for Enterprise) and
License Manager users responsible for a variety of installation and configuration tasks,
including:

- Installation and configuration of the SAFE
- Management of user accounts for all Guidance Software products
- Deployment of agents to nodes
- Troubleshooting network, SAFE, agent, and other issues
- Installation and configuration of the License Manager, a software license server used to
  manage and serve licenses to most Guidance Software products
- Configuring investigator desktop and web clients to work with the SAFE and License Manager

For information about installation and use of Guidance Software products, see the user guide
for the corresponding product.

Refer to the release notes for specific compatibility details, especially with regard to supported
versions of operating systems and third party software.
12 Guidance Software SAFE User Guide Version a.05
CHAPTER 1
OVERVIEW

SAFE and License Manager Overview 15

The SAFE Server 15

The License Manager 16

The Desktop Client 16

System Requirements 17
CHAPTER 1 Overview 15

SAFE and License Manager Overview


The Guidance Software SAFE (Secure Authentication for Enterprise) is a central component for
users of Guidance Software products. The SAFE is used in conjunction with desktop and web-based
clients and enables investigations across the network. The SAFE server administers access
rights, provides for secure data transmission, and brokers communications between the network
and authorized users of Guidance Software products. The SAFE is required for network-based
collection, analysis, and investigation. The Guidance Software SAFE is compatible with all
Guidance Software products that collect and analyze information across the network.

The License Manager is a separate component from the Guidance Software SAFE. It is used
with most Guidance Software products when customers own multiple product licenses. The
License Manager permits administrators to manage and serve licenses to authorized users of
Guidance Software investigative applications. Guidance Software products require valid
licenses to enable all features. Software licenses can be associated with an investigator
workstation in a number of ways: physical security key (dongle), a software license attached to
a specific workstation, or served from the License Manager as needed by investigators. The
License Manager is not used with EnForce Risk Manager, and optionally may be used with
EnCase Forensic.

The SAFE Server


The Guidance Software SAFE (Secure Authentication For Enterprise) server administers access
rights, provides for secure data transmission, and brokers communications between the
network and Guidance Software users.

See Installing the SAFE and License Manager for information on how to install and configure
the SAFE.

The SAFE provides these core functions:

- Authentication is implemented using public key cryptography. Investigators are
  authenticated with the Guidance Software desktop client PKI private key and the SAFE server
  PKI public key (on the investigator workstation), and with the Examiner PKI public key and
  the SAFE server PKI private key (on the SAFE server). The SAFE communicates with Guidance
  Software desktop clients and target nodes using 128-bit AES encrypted data streams to
  protect inter-component communication. See Generating Encryption Keys.
- The SAFE server uses role-based permissions to control access and ensure proper
  enforcement of policies. Role-based permissions control investigative functions, such as
  acquisitions and image viewing. User-based permissions apply to administrative functions,
  such as the ability to add other users and modify the network. The SAFE administrator can
  view all rights for each user, their assigned roles, and all network devices the user can
  access. See Managing SAFE User Accounts and Roles.
- Logs are generated for many transactions conducted by a specific user on a particular SAFE
  server. These logs can be used to establish an initial chain of custody by indicating the
  date and time that a certain network device was previewed or acquired. The logging also
  provides security auditing to allow the administrators of each SAFE server to easily
  determine if a particular investigator has misused the system. See Viewing and Exporting
  Event Log Files.

The License Manager


The License Manager acts as a software license repository and server. The License Manager
(previously referred to as "NAS") provides license management services for most Guidance
Software products. In addition to being delivered by License Manager, licenses can also be
delivered by physical security key (dongle) or as a software license tied directly to the
workstation. The License Manager is a standalone application that can be installed at the same
time as the SAFE or independently depending on your preference.

See The Guidance Software SAFE and License Manager Combined Installer for information on
how to install and configure your License Manager.

The Desktop Client


The Guidance Software desktop client is installed on your primary workstation. It uses a secure
virtual connection to communicate with the target machines across the network. The number
of concurrent connections controls the number of machines that can be analyzed
simultaneously.

When paired with a SAFE, the desktop client enables you to:

- Add and list the SAFE nodes available on the network
- Provide logon access to the SAFE for those nodes
- Add and list network devices connected to each of the SAFE nodes

The desktop client uses agents installed on a specific node to remotely discover, preview, and
acquire data.

See Configuring SAFE Settings for Desktop Clients to configure the desktop client to perform
investigations across the network and to enable access to the Guidance Software SAFE.

A valid license from Guidance Software is required to use the Desktop Client. License Manager
can be used to simplify license distribution and management. See Configuring Desktop Clients
to Use License Manager to configure the Desktop Client for use with License Manager.

System Requirements
Guidance Software SAFE and License Manager have the same software and hardware
requirements.

System Requirements

Class: Desktop or server class hardware (64-bit)

Operating System:
  - Windows 7
  - Windows 8.1
  - Windows 2008 (64-bit)
  - Windows 2008 R2 (64-bit)
  - Windows Server 2012 64-bit Enterprise
  - Windows Server 2012 R2 64-bit Enterprise

Processor (CPU):
  - Intel Dual-Core (e.g., Intel Core 2 Duo)
  - AMD Phenom

Memory (RAM): 2 GB or more

Hard Drive Capacity:
  - 2 GB free space on system volume required for installation
  - 40 GB minimum storage required

Hard Drive Speed: 5,400 RPM or faster (7,200 RPM or faster preferred)

Network Configuration: Gigabit Ethernet (GbE)

SAFE licensing can be provided via electronic or physical license key (dongle). License
Manager can only be licensed electronically.

License Manager can be installed on a virtual machine.

VMware: Support is provided for running the desktop client and License Manager on VMware and
Boot Camp as follows. VMware is only supported with electronic licensing.
  - VMware Workstation 6.5
  - VMware Workstation 7.0
  - VMware Server 1.1 (GSX)
  - VMware vSphere 4.0 ESXi
  - VMware vSphere 5.5 ESXi
  - Boot Camp v2.0
  - Boot Camp v3.0
CHAPTER 2
INSTALLING THE SAFE AND LICENSE
MANAGER

Preparing to Install the SAFE and License Manager 21

Guidance Software SAFE and License Manager Installation Overview 22

Installing the Guidance Software SAFE and License Manager 23

Installing the SAFE 25

Installing License Manager 40



Preparing to Install the SAFE and License Manager


Check the current Release Notes for your product to determine the compatible version
number of the Guidance Software SAFE.

The Guidance Software SAFE and License Manager can be installed on the same dedicated
machine as long as a different port is used by each service. Each component requires a
separate license.

Use the Guidance SAFE combined installer to install both components in one process. The
installation procedure is similar for Guidance Software SAFE and License Manager. Because
settings are different for each application, you should follow the corresponding instructions for
each application.

EnCase Forensic only users do not need to install the SAFE. They can use the stand-alone
EnCase License Manager installer to manage and distribute software licenses for investigators.

PRE-INSTALLATION CHECKLIST
Before you begin installing the Guidance Software SAFE and License Manager, confirm the
following:

- You have a registered customer account at
  https://www.guidancesoftware.com/support/product-registration.
- You have the latest combined Guidance SAFE installer package.
- You have local admin rights to the destination computer.
- You have contacted Guidance Software Customer Service at (626) 229-9191, M-F 7:00 AM
  to 5:00 PM PST to request the following emails, which contain necessary links for
  activating and setting up your software:
  - New Order: Guidance Software Electronic Software Delivery for Your Order
  - SAFE: Guidance Software SAFE Setup Web Process
  - License Manager: Guidance Software License Manager Web Process
- You have a keymaster encryption key set generated from within your Guidance Software
  investigative application. See Generating Encryption Keys.
- Determine if you want the Guidance Software SAFE and License Manager installed on the
  same machine. Installation on the same machine requires the use of two ports. If the
  SAFE and License Manager are installed on different machines, the same port can be
  used. Guidance Software recommends installing both applications on one machine.
- Host-based firewall is off or set to allow TCP connections to the SAFE and License
  Manager processes.
  - For the Guidance Software SAFE, the default value for the TCP port is 4445.
  - For the License Manager, the default value for the TCP port is 4446.
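To catch the port rule above before running either installer, the following Python check is an added example (not Guidance Software code): it validates a planned layout of SAFE and License Manager hosts and ports against the checklist and emits the matching host-firewall rule for each entry. The (host, component, port) plan format, the host names and the firewall rule names are assumptions made for this example.

```python
"""Pre-installation port check for a planned SAFE / License Manager layout.

Added example, not Guidance Software code. It applies the checklist rules:
two components on the same machine need two different TCP ports (installer
defaults: SAFE 4445, License Manager 4446), components on different machines
may reuse a port, and the host firewall must allow inbound TCP to each port.
The plan format (host, component, port) is an assumption of this example.
"""
from collections import defaultdict

DEFAULT_PORTS = {"SAFE": 4445, "License Manager": 4446}


def check_port_plan(plan):
    """Return a list of errors for `plan`, a list of (host, component, port).

    An empty list means the layout satisfies the checklist rules.
    """
    errors = []
    listeners = defaultdict(list)  # (host, port) -> components listening there
    for host, component, port in plan:
        if component not in DEFAULT_PORTS:
            errors.append(f"{host}: unknown component {component!r}")
        elif not 1 <= port <= 65535:
            errors.append(f"{host}: {component} port {port} is out of range")
        else:
            listeners[(host.lower(), port)].append(component)
    for (host, port), components in sorted(listeners.items()):
        if len(components) > 1:
            errors.append(
                f"{host}: TCP port {port} is shared by {' and '.join(components)}; "
                "each service on the same machine needs its own port")
    return errors


def non_default_ports(plan):
    """Return (host, component, port, default) for entries that changed the
    installer default, so the matching client and firewall settings are not
    forgotten."""
    return [(host, comp, port, DEFAULT_PORTS[comp])
            for host, comp, port in plan
            if comp in DEFAULT_PORTS and port != DEFAULT_PORTS[comp]]


def firewall_rules(plan):
    """Map each host to the Windows Firewall commands that open its ports.

    Uses the standard `netsh advfirewall firewall add rule` syntax; the rule
    names are chosen for this example.
    """
    rules = defaultdict(list)
    for host, component, port in plan:
        name = f"Guidance {component} TCP {port}"
        rules[host].append(
            f'netsh advfirewall firewall add rule name="{name}" '
            f"dir=in action=allow protocol=TCP localport={port}")
    return dict(rules)


if __name__ == "__main__":
    # Constructed plans: a valid split layout and a conflicting co-located one.
    split = [("safe01.example.local", "SAFE", 4445),
             ("lm01.example.local", "License Manager", 4445)]
    colocated = [("safe01.example.local", "SAFE", 4445),
                 ("safe01.example.local", "License Manager", 4445)]
    for label, plan in (("split", split), ("colocated", colocated)):
        print(label, check_port_plan(plan) or "OK")
        for host, cmds in firewall_rules(plan).items():
            for cmd in cmds:
                print(f"  {host}: {cmd}")
```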

Guidance Software SAFE and License Manager Installation Overview
Guidance Software SAFE
The following steps must be completed to set up the SAFE server and desktop client machines:

- Install the latest version of the Guidance Software desktop client. See the user guide that
  corresponds with your Guidance Software product.
- Generate the keymaster encryption key and any user keys and save them in the correct
  location. See Generating Encryption Keys.
- Install the SAFE. Installing the SAFE includes:
  - Run the SAFE installer.
  - If needed, configure the check in agent options.
  - Create the .machine machine token.
  - Use the SAFE setup link in the SAFE: Guidance Software SAFE Setup Web Process email
    received from Guidance Software to submit the keymaster public key and machine token.
  - Retrieve the .setup file from Guidance Software.
  - Complete the installation process.
  - Activate your SAFE software license after you have completed the installation process.
    See Activating the Software License for the SAFE.
- Validate the SAFE configuration. See Validating the SAFE Configuration.
- Configure the Guidance Software desktop client machines. See Configuring SAFE Settings
  for Desktop Clients.
- Log on to the SAFE. See Logging On to the SAFE.
- Set up the network tree. See Setting Up the Network Tree.
- Set up roles and associate the network tree with the role as needed. See Setting Up Roles.
- Set up users and associate roles with users as needed. See Setting Up User Accounts.

License Manager
The Guidance Software License Manager can be used across Guidance Software products.
License Manager is an application that stores and distributes Guidance Software licenses to
one or more users, eliminating the need for physical security keys. Whereas physical security
keys each have their own licenses, License Manager licenses are pooled and are available to
anyone with the License Manager option enabled on their desktop client.

Follow these steps to set up the License Manager and desktop client machines:

- Install the latest version of the Guidance Software desktop client. See the user guide that
  corresponds with your Guidance Software product.
- Generate an encryption key or use an existing key and save it in the correct location.
- If you have an electronic license for the License Manager, activate it before you install
  License Manager. See Activating a License for License Manager in Installing License
  Manager on page 40. If you have a security key (dongle) for your License Manager, have it
  ready to use during installation.
- Install the License Manager. Installing the License Manager includes:
  - Run the License Manager installer.
  - Create the .machine machine token.
  - Use the License Manager setup link in the License Manager: Guidance Software License
    Manager Web Process email received from Guidance Software to submit the public key
    and machine token.
  - Retrieve the .setup file from Guidance Software.
  - Complete the installation process.
- Configure the Guidance Software desktop client machines. See Configuring Desktop
  Clients to Use License Manager.

The desktop client can be configured to query the Guidance Software License Manager for a
license when the Use License Manager option is enabled on the client machine. If no license is
found, the product opens in Acquisition mode. With the Use License Manager option enabled,
the Guidance Software workstation does not use the physical security key. All licensing is
authorized through the Guidance Software License Manager.

Installing the Guidance Software SAFE and License Manager

Use the combined Guidance SAFE installer to install the Guidance Software SAFE and License
Manager in one workflow. The combined installer permits you to install one component or
both components depending on your preference.

To install the Guidance Software SAFE, the License Manager, or both components:

1. Double click the Guidance SAFE installation file to open it.
2. The SAFE and License Manager Setup dialog displays an end user license agreement.
3. Check the checkbox to accept the end user license agreement and click Install.
4. The Guidance SAFE Setup Wizard Welcome dialog displays. Click Next.
5. The product installation selection dialog displays. Select the component or components
   you want to install. Click Next.
   Note: If you are running both the SAFE and License Manager on the same machine,
   Guidance Software recommends choosing the Both option.
6. The SAFE and License Manager Setup prepares the files required to install the product or
   products selected.
7. The SAFE and License Manager Setup wizard dialog displays. Click Finish.
8. The Setup Successful dialog displays. Click Close.
9. The installers for the components you selected begin automatically.

For installation instructions for the Guidance Software SAFE, see Installing the SAFE.

For installation instructions for the License Manager, see Installing License Manager.

Installing the SAFE


The Guidance Software SAFE installer is a component of the SAFE and License Manager
installer. When you run the combined SAFE and License Manager installer, you can choose to
install the Guidance Software SAFE. When you run and complete setup of the combined
SAFE and License Manager installer, the Guidance SAFE setup begins automatically.

Follow the instructions below to install the Guidance Software SAFE on a computer on your
network. Setting up the SAFE for the first time involves both software installation and
obtaining a SAFE Setup file from Guidance Software. Once you complete the SAFE installation,
you must activate a license for the SAFE. Complete the following SAFE installation procedure,
then see Activating the Software License for the SAFE to activate your SAFE.

Note: If you are upgrading your existing SAFE, refer to the Guidance Software SAFE
Upgrade Instructions section found in the current release notes for your
Guidance Software product.

Note: If you are updating the SAFE and have already followed the upgrade
procedure described above, the Quick Update option is available. See Performing a
Quick Update of the SAFE on page 39.

To install the SAFE:

1. Open the combined SAFE and License Manager installer. If you have selected
   Guidance Software SAFE, its installer begins after you have made your selections.
2. The Install Path dialog displays. Accept the default installation path or change it according
   to your needs.
   Note: The default installation path for a new installation is C:\Program
   Files\GuidanceSoftware\SAFE. If you are upgrading your SAFE, your
   existing path displays.
3. Click Next. The End User License dialog displays.
4. Check the I agree and accept checkbox to accept the end user license agreement.
5. Click Next. The SAFE Private Key dialog displays.
   - Create a new key creates a new set of SAFE encryption keys. This is typically used
     when installing a SAFE for the first time, in an environment using only one SAFE.
   - Import existing private key allows you to select an existing private key for use with the
     agents. This is typically used when multiple SAFEs are used in the enterprise
     environment and matching agents are desired for each SAFE. Accept the suggested path for
     the SAFE.PrivateKey or browse to another location. Enter the password associated
     with this private key.
   - Use key from existing location updates your current SAFE after you have opted not
     to use the quick update feature.
   - Read key from SAFE backup token enables you to use a key from your backup file. To
     install the same SAFE on a new computer, you must have a backup copy of your SAFE
     folder, including the SAFE Backup.spvk and the keymaster.PrivateKey files.
     You must also know the keymaster password.
   - Uninstall and remove the SAFE removes the SAFE from the computer.
   - Read from Backup lets you restore the SAFE settings from the .sbk backup file. This
     file is generated when the keymaster performs a manual backup of the SAFE
     configuration.
   - Use Port to specify the port the SAFE uses to communicate across the network.
     Guidance Software strongly recommends keeping the 4445 default value.

   Note: The Guidance Software SAFE cannot share the port with another application,
   such as License Manager. The installer for each application preselects a unique
   default port. If you change the default, be sure the port is unique to each application
   and not shared with any other application.

6. When you finish, click Next. The Check In Information dialog displays. This dialog has two
   sections: Check In Options and Volatile Artifacts Storage. Check In Options enables you
   to configure agents that check in from nodes, such as laptops, that are not connected
   continuously to the network. This functionality is available in certain modules (such as Sweep
   Enterprise). By default, check in functionality is off. Volatile Artifacts Storage is a feature
   used by Guidance Software products, such as EnCase Endpoint Security, that take automatic
   snapshots.

   Entering information in this dialog is optional. If you do not plan to use the check in or
   volatile artifacts storage functionality, keep the default settings. You can reconfigure
   these and other SAFE options by running the installer later.

   - Check In Options include the following:
     In the IPs or Machine names box, identify the SAFE by the fully-qualified domain
     machine name or IP address and port number that the node machines will use to locate
     it across the network. There can be more than one machine name or IP address
     for the SAFE machine, depending on the setup of the network.
     Interval (seconds) is the interval between check in attempts, in seconds.
     Tries (without connection) is the number of times the check in agent should try to
     connect after an unsuccessful attempt. Enter -1 to specify an unlimited number.
     SAFE Denies is the number of times the check in agent should attempt to connect
     when an attempt is successful but the SAFE does not have a task. Enter -1 to specify
     an unlimited number.
     Examiner Connections is the number of successful connections the check in agent
     should make with the desktop clients before it stops connecting to the SAFE. For
     example, if you accept the default, after three desktop clients have connected to the
     node, the check in agent no longer attempts to contact the SAFE.
     Reset Time (Hours) is the time of day that the connection process will start over.
     Time Window (Minutes) is the number of minutes used to connect. Connections
     are attempted randomly within this window, allowing time for multiple machines to
     spread out the connections to the SAFE.
   - Volatile Artifacts Storage Settings include the following:
     Click the Enabled checkbox to enable automatic snapshot settings when manually
     deploying agents. This feature will only function if your Guidance Software application
     supports automatic snapshot functionality.
     Interval (Minutes) is the interval between snapshots, in minutes.
     Number of snapshots to retain is the maximum number of snapshots stored.

7. When you finish, click Next. The Options dialog displays.
   - Enter a SAFE name.
   - Guidance Software suggests naming the SAFE to reflect the location of the SAFE within
     the organization or by number (if there are multiple SAFEs).
   - If you are upgrading your SAFE, do not change the existing name. If you must change
     the existing name, you will need to submit your machine token and the
     keymaster.PublicKey to Guidance Software again.
   - Enter a Service Name. This can be the same name as the SAFE.
   - Select Enable Event Logging to turn on Windows event logging. This logs SAFE events
     to the Windows Event Log.
     Logged events include logons, logoffs, user creation, user modification, etc.
     Log messages are written into the non-encrypted Windows Event Log.
     You can only enable event logging during the installation process.
     SAFE events are always logged internally in an encrypted, proprietary format.
     This setting only affects the Windows Event Log.

8. Click Next. The Generate SAFE Token dialog displays.

o Enter or navigate to the local path where the SAFE .machine token file should be
saved.

9. Click Next. A message displays, informing you to click Finish on the following screen after
you have successfully submitted the keymaster.PublicKey and machine token files to
Guidance Software and received a <SAFEname>.Setup file back.
10. Click Next to save the SAFEToken. A message displays stating that you must first obtain
the <SAFEname>.Setup file before you can finish the installation process.
CHAPTER 2 Installing the SAFE and License Manager 31

11. To obtain the SAFE.Setup file, locate the SAFEsetup email from GuidanceSoftware, and
click on the "Safe Setup File Uploads" link to open the Guidance Software SAFESetup File
Uploads webpage. Submit the <SAFEname>.machine file, keymaster.PublicKey file,
and Security Key(Dongle ID or Electronic License Number)on this web form.
12. Guidance Software will send you an email containing a SAFEsetup link to download the
SAFE.setup file from Guidance Software after a few minutes. Download the file, save it
in the SAFEfolder (default location: <root>\Program
Files\GuidanceSoftware\SAFE), and return to the installer.
13. Click OK. The Complete Installation dialog displays.

o Make sure the Guidance Software desktop investigative application is not running.
o Enter the certificate path for the SAFE.Setup file.
o A keymaster account is built in, and automatically created during SAFEinstallation.
This account cannot be modified.
To either disassociate the keymaster account from the Windows account, or asso-
ciate the keymaster account with another Windows account, you must run the SAFE
installer again.

o To use Active Directory integration for a keymaster, you must configure it during the
installation of the SAFE.
Select Windows Authentication to use Windows authentication.
Under Domain Trustee, click the browse button to select a user or group.

In the dialog that pops up, enter the required information for the user or group.
When done, click OK.

o If you need to update your CodeMeter security key driver(s), check the appropriate
box.
o If you have a security key (dongle), make sure it is removed.
o Do not insert the security key until after you click Finish; otherwise, the drivers do not
install correctly.

14. Click Finish. The SAFE Setup Complete dialog displays.


15. Click Yes to create a copy of the public key certificate for distribution.
16. After selecting the location for the public key, a confirmation dialog displays.
17. Click OK to complete the installation. A SAFE installation popup displays if your install-
ation has been successful.
18. If you have one, insert your security key and wait for it to be recognized by Windows.
19. Click OK to close the popup.

Your SAFE is now running and is ready to be activated. See Activating the Software License for the
SAFE.

Activating the Software License for the SAFE


The Guidance Software SAFE requires an active CodeMeter license. Before you begin activation
of the software license for the SAFE, you must complete the installation procedure for the
Guidance Software SAFE. See Installing the SAFE on page 25. If you have completed installation
of the SAFE, it should be running on your machine and listening on its port for connections.
As part of the software licensing process, the installer imported an empty CodeMeter license
container that will hold your active license.

To activate the software license for the SAFE:

1. Launch the CodeMeter Control Center. From the Windows desktop, click the Windows
Start button. Find and select the CodeMeter Control Center application or search for it in
the search bar. The CodeMeter Control Center panel displays.

2. The License box shows an empty license container entry for electronic licenses or a phys-
ical security key (dongle) entry.
3. Select the license you want to activate and click the Activate License button.
4. The CmFAS Assistant dialog displays. Click Next.

5. Select the Create license request radio button, and click Next.

6. The CmFAS Assistant displays a filename and path for the license request. Make note of
the filename location and click Commit.

7. The dialog indicates that the license request file has been successfully created. Click Fin-
ish.
8. Locate the [license-container-number].WibuCmRaC file and go to
https://www.guidancesoftware.com/support/safe-key-activation. Enter your email
address, the license key from your New Order email and upload the .RaC file.
9. Guidance Software will send you a [license-container-number].WibuCmRaU file.
When you receive the file, drag it to the CodeMeter Control Center License field to activ-
ate your SAFE.

To view the status of the SAFElicense:

1. Launch the CodeMeter Control Center. From the Windows desktop, click the Windows
Start button. Find and select the CodeMeter Control Center application or search for it in
the search bar. The CodeMeter Control Center panel displays.

2. Confirm the license is activated by clicking on the corresponding license. The Status indic-
ates the license has been activated.
3. Click WebAdmin to open the CodeMeter WebAdmin tool. Click on Content >Licenses to
view the license in a web browser.

Running the SAFE under a Non-Local Service Account


With certain restrictions, you can run the SAFE under a custom service account.

When the SAFE is installed, the service is configured to use the Microsoft Windows Local
System account. The SAFE also acts as an agent, and agents must have local administrative
access. In the Windows Administration Tools Service Control Manager, in the Log On tab, you
can change the account the SAFE service uses. This works as long as this account has local
administrative access.

If you change it to an account that has limited rights, then you cannot Snapshot or Preview
the machine where the SAFE is running. If this is not a problem for you, then you can use an
account that does not have administrative rights. The SAFE must be able to write to the file
system to create user files and logs, and open sockets and ports for network communications.

Due to the number of possible configurations, Guidance Software cannot guarantee that all of
them will work. Guidance recommends that the SAFE run as Local System. If you change
that, Guidance encourages you to thoroughly test the functionality of the SAFE in your
environment.
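The procedure above is carried out in the Service Control Manager GUI. The following PowerShell script is an added example, not part of the Guidance Software guide, that performs the same change and checks the two prerequisites the section names: local administrative access (needed only for Snapshot and Preview of the SAFE host itself) and write access for user files and logs. It assumes, since the guide does not say, that the Windows service is registered as "SAFE" (the installer's default SAFE name), that the SAFE writes its user files and logs under its installation folder, and that Get-LocalGroupMember is available (Windows Server 2016 / Windows 10 or later). The account name and paths are placeholders.

```powershell
# Added example, not from the Guidance Software guide: move the SAFE service to a
# custom account and check the prerequisites this section lists.
# Assumptions (not stated in the guide): the service is registered as "SAFE", the
# SAFE writes user files and logs under its install folder, and
# Get-LocalGroupMember exists on this host. Account and paths are placeholders.

$ServiceName = 'SAFE'                                                 # assumed service name
$Account     = 'CORP\svc-safe'                                        # placeholder domain account
$InstallDir  = Join-Path $env:ProgramFiles 'Guidance Software\SAFE'   # assumed default install path
$Secure      = Read-Host -Prompt "Password for $Account" -AsSecureString
$Plain       = [System.Net.NetworkCredential]::new('', $Secure).Password

# 1. Local Administrators membership decides whether Snapshot/Preview of the SAFE
#    host itself keeps working; a limited account loses only that capability.
$admins = Get-LocalGroupMember -Group 'Administrators' | ForEach-Object Name
if ($admins -contains $Account) {
    Write-Host "$Account is a local administrator; Snapshot/Preview of this host stays available."
} else {
    Write-Warning "$Account is not a local administrator; Snapshot/Preview of this host will not work."
}

# 2. Grant the account Modify on the install folder so it can create user files and logs.
$acl  = Get-Acl -Path $InstallDir
$rule = [System.Security.AccessControl.FileSystemAccessRule]::new(
    $Account, 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $InstallDir -AclObject $acl

# 3. Change the logon account. Win32_Service.Change is used because Set-Service has
#    no -Credential parameter in Windows PowerShell 5.1. Unlike services.msc, this
#    does not grant the "Log on as a service" right; assign it via Local Security
#    Policy or GPO first, or the service fails to start with error 1069.
$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$ServiceName'"
$ret = Invoke-CimMethod -InputObject $svc -MethodName Change -Arguments @{
    StartName     = $Account
    StartPassword = $Plain
}
if ($ret.ReturnValue -ne 0) { throw "Win32_Service.Change returned $($ret.ReturnValue)" }

# 4. Restart and confirm the service is up before testing SAFE functionality.
Restart-Service -Name $ServiceName
Get-Service -Name $ServiceName | Select-Object Name, Status, StartType
```

Run it in an elevated session on the SAFE host. Because the guide says it cannot predict every configuration, follow the change with a real Snapshot, Preview and log-in cycle rather than relying on the service status alone.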

VMware Support
Support is provided for running secondary SAFEs on VMware and Boot Camp as follows.
VMware is only supported with electronic licensing.

l VMware Workstation 6.5
l VMware Workstation 7.0
l VMware Server 1.1 (GSX)
l VMware vSphere 4.0 ESXi
l VMware vSphere 5.5 ESXi
l Boot Camp v2.0
l Boot Camp v3.0

Performing a Quick Update of the SAFE


The Quick Update feature of the SAFE installer package allows you to quickly update your
SAFE. If you have previously installed Guidance Software SAFE version a.01 or later, you should
also have a version of License Manager installed, and you can perform a quick update
according to the directions below. If you are upgrading from an earlier version (EnCase
SAFE 7m12 or earlier), follow the upgrade instructions in the Release Notes for your product.

Guidance Software recommends you follow an upgrade procedure appropriate for the suite of
Guidance Software applications you have. Contact Guidance Software customer services if you
have questions about the upgrade path to follow.

Note: If the SAFE has a name other than "SAFE" you can still use the quick update
feature, but you must run the SAFE installer from the command line and explicitly
identify the SAFE name using the following command:
<installer-filename>.exe -update "SAFEName"

To perform a quick update:

1. Double click the installation file.


2. If you have installed a SAFE with the name "SAFE", a dialog displays asking if you want to
perform a quick update.
o Click Yes to perform a quick update.
o Click No to launch the SAFE Installer instead of performing a quick update.

3. When the process finishes, a dialog displays indicating whether the update completed or
failed.

Installing License Manager


License Manager is a standalone server application released concurrently with the Guidance
Software SAFE. With versions prior to SAFE a.01, license management functions were
integrated into the SAFE. With the current release of Guidance Software SAFE, License
Manager is a separate application.

Activation and setup of License Manager for new customers involves both software installation
and obtaining a License Manager Setup file from Guidance Software. Existing customers with a
SAFE with NAS (the built-in license management module) should install the new License
Manager but do not need to get a new setup file from Guidance Software if they install License
Manager on the same machine and follow the upgrade procedure in the release notes for their
product.

Activating a License for License Manager


License Manager must have a valid license to serve licenses. License Manager can be activated
with either a security key (dongle) or an electronic license. If you have a security key (dongle) with
a license for your License Manager, you have what you need to use the product. If you have an
electronic license for your License Manager, you must activate it according to the directions
below.

To activate License Manager with a security key:

Plug in the security key after installation of License Manager is complete.

To activate License Manager for use with an electronic license:

1. On the EnCase Home page, click the down arrow in the upper right corner, then click
Activate Electronic License in the dropdown menu.

2. The Activate Electronic License dialog displays.

3. Enter the license key number you obtained via email from Guidance Software and your
email address in the boxes provided.
4. Click Next. A second Activate Electronic License dialog displays.

5. Return to your MyAccount email and click the Submit your file link.
6. In the web page that displays, browse to the location of the License Request file, then
click Submit.

7. Wait to receive an email response from Guidance Software. In the License Activation por-
tion of the email, click the link to save your License Activation file, then copy this file into
the same folder as the License Request file.
8. Click Next. A third Activate Electronic License dialog displays.

9. Click Finish to complete the activation process.

Installing License Manager


To install License Manager:

1. Open the LicenseManager installer.


2. The Install Path dialog displays. Accept the default installation path or change it according
to your needs.
o The default installation path for a new installation is C:\Program Files\EnCase LM. If
you are upgrading License Manager from a SAFE prior to SAFE a.01

3. Click Next. The End User License dialog displays.


4. Check the I agree and accept checkbox to accept the End User License Agreement.
5. Click Next. The SAFE Private Key dialog displays.

o Create a new key creates a new pair of encryption keys.


o Import existing private key allows you to select an existing private key. Accept the sug-
gested path for the LicenseManager.PrivateKey or browse to another location.
Enter the password associated with this private key.
o Use key from existing installation updates your current license to the latest version if
you have opted not to use the quick update feature when first running the installer.
o Read key from License Manager backup token allows you to read from a License Man-
ager backup file.
o Uninstall and remove the License Manager removes the License Manager from the
computer.
o Use Port to specify the port on which the License Manager authentication occurs. The
default value of the port is 4446.

Note: The License Manager cannot share its port with another application, such as
the Guidance Software SAFE.
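A quick way to confirm the port is actually free before you commit to it in the installer, as an added example that is not part of the guide: list what is listening on the candidate port and which process and service own it. 4446 is the License Manager default and 4445 is the SAFE default named in this guide; any other port is a local choice.

```powershell
# Added example, not from the Guidance Software guide: report whether the License
# Manager port (default 4446) or the SAFE port (default 4445) is already owned by
# another listener on this host, and by which process and service.
function Get-ListeningPortOwner {
    param([Parameter(Mandatory)][int[]]$Port)
    foreach ($p in $Port) {
        $conns = @(Get-NetTCPConnection -State Listen -LocalPort $p -ErrorAction SilentlyContinue)
        if ($conns.Count -eq 0) {
            [pscustomobject]@{ Port = $p; InUse = $false; Process = $null; Service = $null }
            continue
        }
        foreach ($c in $conns) {
            $proc  = Get-Process -Id $c.OwningProcess -ErrorAction SilentlyContinue
            $label = if ($proc) { "$($proc.ProcessName) (PID $($c.OwningProcess))" } else { "PID $($c.OwningProcess)" }
            # A Windows service owning the PID tells you whether it is the SAFE or LM itself
            $svc   = Get-CimInstance -ClassName Win32_Service -Filter "ProcessId=$($c.OwningProcess)" |
                     Select-Object -First 1 -ExpandProperty Name
            [pscustomobject]@{ Port = $p; InUse = $true; Process = $label; Service = $svc }
        }
    }
}

$report = Get-ListeningPortOwner -Port 4445, 4446
$report | Format-Table -AutoSize
if ($report | Where-Object { $_.Port -eq 4446 -and $_.InUse }) {
    Write-Warning 'Port 4446 is taken; give License Manager a different port in the installer.'
}
```

Run it on the machine that will host License Manager. A SAFE installed on the same host shows up under the Service column, which is exactly the sharing the note above rules out.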

6. When you finish, click Next. The Check In Information dialog displays. Settings on this dia-
log are not used by the License Manager.

7. Click Next. The Options dialog displays.



o Enter a License Manager name in the ServiceName text box. This name must be
unique and cannot share the name with an existing SAFE.
Guidance Software suggests a name to indicate the application is functioning as a
License Manager.
If you are upgrading your License Manager, do not change the existing name. If you
must change the existing name, you will need to submit your machine token and the
<keyname>.PublicKey to Guidance Software again.

o Select a licensing option for LicenseManager:


Use Dongle uses a physical security key to authorize License Manager for use.
Use Electronic License uses an electronic license to authorize License Manager for
use.

o Select Enable Event Logging to turn on Windows event logging. The event logger
provides license information and details on when users use Guidance Software applic-
ation licenses.

8. Click Next. The Generate License Manager Token dialog displays.

o Enter or navigate to the local path where the <LicenseManagerName>.machine
token file should be saved.

9. Click Next. A License Manager machine token is generated.


10. The Machine Token Exported dialog displays, and states that you will submit the
<LicenseManagerName>.Machine file on the following page and click Finish to com-
plete the License Manager installation. You receive the <LicenseMan-
agerName>.Setup file upon submission of the machine token and
<keyname>.PublicKey files to Guidance Software Customer Service.
11. Click OK. The Complete Installation dialog displays.

o Make sure the Guidance Software application is not running.


o Enter the certificate path to the License Manager that was just created.
o If you need to update your CodeMeter or HASP drivers, check the appropriate box.
If the Reinstall CodeMeter Drivers checkbox is gray, it indicates the installed
CodeMeter drivers are current.

o If you have a security key (dongle), confirm that it is removed.


Do not insert the security key until after you click Finish; otherwise, the drivers do
not install correctly.

12. In the setup email you received from Guidance Software, click the link to open the License
Manager certificate request page.
13. Fill out the form, browsing to both the <keyname>.PublicKey and the <LicenseMan-
agerName>.machine files.
14. When you submit the form, Guidance Software Customer Service sends you a link to
download your <LicenseManagerName>.setup file.

15. Download and save the .setup file to the folder where you are installing the License
Manager.
16. Once the .setup file is in the License Manager installation folder, return to the installer,
adjust the path if necessary, and click Finish. The License Manager Setup Complete dia-
log displays.
17. Click Yes to create a copy of the public key certificate for distribution.
18. After selecting the location for the public key, a confirmation dialog displays.
19. Click OK to complete the installation. A License Manager installation popup displays if
your installation has been successful.
20. If you have a security key, insert it. When the security key is recognized by Windows, click
OK to close the popup.
CHAPTER 3
CONFIGURING THE SAFE

Generating Encryption Keys 51
Validating the SAFE Configuration 54
Configuring SAFE Settings for Desktop Clients 54
Logging On to the SAFE 56
Setting up the Network Tree 59
Configuring the SAFE 60
Integration with Active Directory 61
SAFE Configuration Package 64
Backing Up the SAFE 66
Enabling Enhanced Agent Functionality 68

Generating Encryption Keys


Guidance Software SAFE authentication is based on public and private key encryption. Public
keys are distributed widely and can be used to encrypt data. Private keys are held only by a
single user and are used to decrypt files encrypted with the corresponding public key.

To install a SAFE server, you must generate a keymaster public/private key pair for use as the
master key to the SAFE. Investigators who are added as users must also generate a key pair
before they can be given user accounts and permissions.

License Manager requires a key during setup, which can be generated during the setup
process.

GENERATING A KEYMASTER ENCRYPTION KEY PAIR


1. Launch the desktop application.
2. Click Tools >Generate Encryption Key from the menu bar. The Generate Encryption Key
dialog displays.

3. Click Next. The second Generate Encryption Key dialog displays, showing the progress of
generating the key.

4. After the key is generated, the Password dialog displays.

o In the Name field, enter keymaster.


o Enter and confirm a password. The Password Quality bar turns green when you enter a
password with sufficient complexity.

5. Click Finish to complete the key generation process. The Copy Public Key File dialog dis-
plays.

6. Accept the default location, or browse to another location where you want to save the
keys, then click Save.
7. The keymaster public and private keys are saved to the specified location.
8. Send the keymaster.PublicKey and [SAFEname].machine files to Guidance Software
using the SAFE setup link email to obtain the [SAFEname].Setup file and complete the
setup process. For information on generating the [SAFEname].machine token and
sending both files to Guidance Software, see Installing the SAFE.

GENERATING A USER ENCRYPTION KEY PAIR


Follow the same steps followed when creating a keymaster encryption key pair.

l Enter the specific username. Guidance Software recommends using the user's real name,
as it makes administration more manageable.
l Keep the user's password in a secure location. You must provide it when you log on to
the SAFE, and when you set up the SAFE network and define users. No one except the key-
master can log on to the SAFE until the keymaster sets up users. If you lose the pass-
word, you must perform the installation again.

Changing the Keys Folder Location


You may want to store public and private keys in a location other than the default
\EnCase\Keys in the installation folder (typically in your Documents and Settings or
Documents folder).

To change the location of the public and private keys:

1. Copy all keys to the new folder location.


2. When selecting the user for the SAFE, right click User and choose Change Root Path.
3. Browse to the new folder containing your public and private keys, then click OK.

Validating the SAFE Configuration


Once the SAFE installation is complete, you can validate the SAFE configuration.

1. Open a command prompt on the SAFE machine and change directories to the folder
where your SAFE is installed.
2. Enter the command safe diag and press Enter.

The details of your SAFE display, including your dongle ID, its expiration date, your SAFE
Certificate expiration date, the number of connections, and the number of License Manager
licenses (if included in your SAFE Certificate).

Configuring SAFE Settings for Desktop Clients


Before logging on to the SAFE for the first time, review the default configuration options for the
workstations that will log on to the SAFE.

1. Launch the Guidance Software desktop application.


2. Click Tools >Options and click the Endpoint Investigator tab.

o Private Key Caching is the length of time the desktop client keeps the private key password
in memory. This allows you to log in and out of the SAFE without having to re-enter
passwords for the specified time period.
Closing the Guidance Software product clears the cache, so you need to enter your
password again when you open the application.
The value is set in minutes.
A value of 0 denotes no caching.
A value of -1 allows for infinite key caching, which keeps the password in process
memory for as long as the application runs; prefer a finite value on shared workstations.
The value is set to 60 by default.

o Auto Reconnect Attempts is the number of times the desktop client tries to reconnect
to an agent node, if the connection between the two is lost, before giving an error
message. If you change the default setting:
A connection must be established before a device can be added to a case.
A connection must be maintained throughout a preview or acquisition. Otherwise,
the machine being added, previewed, or acquired is unavailable.

o Auto Reconnect Intervals is the time, in seconds, that the desktop client waits
between each reconnect attempt if the connection is lost to the agent node.

3. When you finish, click OK.


4. Copy the [SAFEname].safe file from the SAFE machine to each of the machines that
will access the SAFE. The default location of the [SAFEname].safe file and all user keys
is \EnCase\Keys in the installation folder (typically in your Documents and Settings or
Documents folder). You can also save to a network share drive, if desired. See Changing
the Keys Folder Location for details.

Logging On to the SAFE


To log on to your SAFE, you must have a valid license and have the SAFE and desktop client
installed correctly. If you do not have a correct Guidance Software product flagged on your
security key or License Manager license, the logon option does not display.

To perform initial administration functions, log on as the keymaster. You can create additional
administrator accounts for later use, but it is the keymaster account that has full access.

1. Select Endpoint Investigation >Logon in the menu bar.


o If you do not have a correct Guidance Software product flagged on your security key or
License Manager license, the logon option does not display.
o If no users display, right click Users and change the root path to point to the current
encryption key location for users and keymaster.

2. Select the desired user and enter the password for that user. Click Next.
o If no SAFEs display, right click SAFEs and change the root path to point to the location
for the desired SAFE.

3. Double click the SAFE for which you want to set the options. The SAFE editing dialog dis-
plays.

o Machine Name is the machine name or IP address of the SAFE machine.


o The Port selector enables you to change ports from the default 4445.

o If the SAFE resides outside your firewall, select Remote SAFE.


Remote SAFE determines if communications with the node are routed through the
SAFE, so the SAFE stands between the client and the node.
When using a remote SAFE, select the Inbound Port that should be used when com-
municating with the remote SAFE.

o Select Enable Nagle if you have a slow or bad connection and have problems updating
the agent. The Nagle algorithm improves the efficiency of TCP/IP networks, although it
increases latency. This selection applies to all connections to nodes through this con-
nection to the SAFE.
o Window Size refers to TCP window size for buffer control, and also applies to all con-
nections to nodes through this connection to the SAFE.
o Attempt Direct Connection options determine what kind of connection is made to the
specified SAFE.
Select None when the target system cannot establish a direct connection with a client. All
traffic is routed through the SAFE server, which increases transfer times but gives the
investigator the ability to obtain data that would otherwise be unreachable.
Enable Client to Node (Local) when the client (desktop application) and the node
(agent) reside on the same network, and the SAFE resides on a different network.
This allows data to transfer directly from the node to the client, after the client suc-
cessfully authenticates through the SAFE. Note that the client uses the IP address
that the node believes it has, rather than the IP address the SAFE has for the node. In
this configuration, design the network so that all the company's employees are located
on the corporate desktop network, and employ routing and Network Address
Translation (NAT).
Client to Node (SAFE) enables Network Address Translation (NAT), where a private
IP address is mapped to a public IP address. Typically, the SAFE and node reside on
the same subnet, and the client on another. This allows data to transfer directly from
the node to the client, after the client successfully authenticates through the SAFE.
The client also uses the IP address that the SAFE believes the node has, rather than
the IP address the node reports it has to allow a direct connection between the client
and node machine. This option is enabled by default.
Node to Client is similar to the Client to Node (SAFE), except that the node
attempts the direct connection to the client. Use this option when you want direct
data transfer between the node and the client, and where NAT or a firewall prohibits
the node from sending data directly to the local IP or default port of the client. Once
you check this option, the client return address configuration box and port selector
become available to enter the NAT IP address and custom port.

o Priority raises or lowers an agent's resource usage for the thread that controls the con-
nection conducting a preview, acquisition, or sweep. Note that this does not affect the
agent process itself. This feature is useful for investigating machines when the exam-
ination is very sensitive, or with production servers constantly running CPU-intensive
processes.

4. Click Finish to log on to the SAFE.

Setting up the Network Tree


The network tree is the organization of machines that have agents deployed on them. You can
organize it by physical location, company department, IP address ranges, or operating
systems.

Setting up the network tree involves creating a tree structure that contains information about
each of these machines. Investigators access this tree when looking for a machine to
investigate. Because of its importance, it is wise to develop a tree that scales according to the
anticipated growth of your organization.

Before you set up your network tree, compile a list of the IP addresses or machine names of all
nodes where agents have been or will be deployed.

1. Open the desktop application and log into the SAFE.


2. Navigate to View >Network.
3. Create parent folders: right click Network in the Tree pane, then select New Folder.
4. Position and name the folder.
5. Right click a parent folder and click New to add machines or IP ranges to child folders. The
New Machine dialog displays.

o Machine Name can be an IP address, host name, IP range expressed in CIDR notation,
or DNS name. IPv4 and IPv6 formats are supported.
o Comment helps distinguish machines and ranges when viewing the network tree.
o Select Default if you used the default port number. Otherwise, manually select another
port number.
o To manually enter an IP range with start and stop IP addresses, click the IP Range
checkbox and specify the start and stop IP addresses. IPv4 and IPv6 formats are
supported.

6. Click OK.
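Before typing entries into the New Machine dialog, it pays to validate the node list you compiled in the forms the dialog accepts (single address, CIDR range, start/stop range, or host/DNS name, IPv4 or IPv6) and to catch ranges that overlap, so the same machines do not end up under two folders. The script below is an added example, not part of the guide; the node list in it is constructed for illustration, and DNS names are classified but not resolved, since resolution happens when the SAFE contacts the agent.

```powershell
# Added example, not from the Guidance Software guide: classify a node list into the
# entry kinds the New Machine dialog accepts, normalise CIDR ranges, and flag overlaps.
# The sample list below is constructed for illustration.

function ConvertTo-AddressInt([System.Net.IPAddress]$Ip) {
    $bytes = $Ip.GetAddressBytes()
    [array]::Reverse($bytes)                      # BigInteger is little-endian
    [bigint]::new([byte[]]($bytes + 0))           # trailing 0 keeps the value positive
}

function ConvertFrom-AddressInt([bigint]$Value, [int]$Bits) {
    $src = $Value.ToByteArray()                   # little-endian, may carry a sign byte
    $out = [byte[]]::new($Bits / 8)
    [array]::Copy($src, 0, $out, 0, [Math]::Min($src.Length, $out.Length))
    [array]::Reverse($out)
    [System.Net.IPAddress]::new($out)
}

function Resolve-NodeEntry {
    param([Parameter(Mandatory)][string]$Entry)
    $ip = $null; $ip2 = $null
    $r = [ordered]@{ Entry = $Entry; Kind = $null; Family = $null; Start = $null; End = $null
                     StartAddress = $null; EndAddress = $null; Hosts = $null }

    if ([System.Net.IPAddress]::TryParse($Entry, [ref]$ip)) {
        $r.Kind = 'Address'; $r.Family = $ip.AddressFamily
        $r.Start = ConvertTo-AddressInt $ip; $r.End = $r.Start
    }
    elseif ($Entry -match '^(?<net>[^/]+)/(?<len>\d{1,3})$' -and
            [System.Net.IPAddress]::TryParse($Matches.net, [ref]$ip)) {
        $bits = if ($ip.AddressFamily -eq 'InterNetwork') { 32 } else { 128 }
        $len  = [int]$Matches.len
        if ($len -gt $bits) { throw "Prefix /$len is too long for $Entry" }
        $size = [bigint]::Pow(2, $bits - $len)
        $net  = [bigint]::Divide((ConvertTo-AddressInt $ip), $size) * $size   # clear host bits
        $r.Kind = 'CIDR'; $r.Family = $ip.AddressFamily
        $r.Start = $net; $r.End = $net + $size - 1
    }
    elseif ($Entry -match '^(?<a>\S+?)\s*-\s*(?<b>\S+)$' -and
            [System.Net.IPAddress]::TryParse($Matches.a, [ref]$ip) -and
            [System.Net.IPAddress]::TryParse($Matches.b, [ref]$ip2)) {
        if ($ip.AddressFamily -ne $ip2.AddressFamily) { throw "Mixed IPv4/IPv6 range: $Entry" }
        $a = ConvertTo-AddressInt $ip; $b = ConvertTo-AddressInt $ip2
        if ($a -gt $b) { throw "Range start is after range end: $Entry" }
        $r.Kind = 'Range'; $r.Family = $ip.AddressFamily
        $r.Start = $a; $r.End = $b
    }
    elseif ($Entry -match '^[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?(\.[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?)*$') {
        if ($Entry -match '^[\d.]+$') { throw "Looks like a malformed IP address: $Entry" }
        $r.Kind = 'HostName'                      # resolved by the SAFE later, not here
    }
    else { throw "Unrecognised node entry: $Entry" }

    if ($null -ne $r.Start) {
        $bits = if ($r.Family -eq 'InterNetwork') { 32 } else { 128 }
        $r.Hosts        = $r.End - $r.Start + 1
        $r.StartAddress = (ConvertFrom-AddressInt $r.Start $bits).IPAddressToString
        $r.EndAddress   = (ConvertFrom-AddressInt $r.End   $bits).IPAddressToString
    }
    [pscustomobject]$r
}

function Find-NodeOverlap {
    param([Parameter(Mandatory)][object[]]$Nodes)
    $ranged = @($Nodes | Where-Object { $null -ne $_.Start })
    for ($i = 0; $i -lt $ranged.Count; $i++) {
        for ($j = $i + 1; $j -lt $ranged.Count; $j++) {
            $x = $ranged[$i]; $y = $ranged[$j]
            if ($x.Family -eq $y.Family -and $x.Start -le $y.End -and $y.Start -le $x.End) {
                [pscustomobject]@{ First = $x.Entry; Second = $y.Entry }
            }
        }
    }
}

# Constructed sample list with one deliberate overlap and one unnormalised CIDR.
$nodeList = @(
    '10.20.30.40'                  # single IPv4 address
    '10.20.0.0/16'                 # IPv4 CIDR; contains the address above (overlap)
    '172.16.9.77/24'               # host bits set; reported as 172.16.9.0 - 172.16.9.255
    '192.168.5.10-192.168.5.60'    # explicit start/stop range
    '2001:db8:1::/48'              # IPv6 CIDR
    'fileserver01.corp.example'    # host name
)
$nodes = $nodeList | ForEach-Object { Resolve-NodeEntry $_ }
$nodes | Select-Object Entry, Kind, Family, StartAddress, EndAddress, Hosts | Format-Table -AutoSize
Find-NodeOverlap $nodes | Format-Table -AutoSize
```

Each overlap pair it reports is a decision to make before building the tree: either drop the narrower entry or move it under the folder that holds the wider range.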

Configuring the SAFE


SAFE options can be configured by the keymaster, using the SAFE Configuration page.

To access SAFE configuration options:

1. Logon to a SAFE as the keymaster.


2. From the Endpoint Investigation menu, select SAFE Configuration. The SAFE Con-
figuration page displays.

Integration with Active Directory


Guidance Software SAFE supports Active Directory integration. This option secures SAFE user
accounts by allowing SAFE administrators to associate a SAFE account with a Windows domain
account (user or group) from Active Directory. If a Windows user running a Guidance Software
product is associated with a SAFE account, or is a member of a Windows domain group
associated with a SAFE account, access to the SAFE is granted. Otherwise, access is denied.

This option implements the following Windows built-in account management features:

l Password strength and expiration policies are enforced at the Windows domain level.
l Windows user accounts can be disabled upon employment termination.
l Users can be included or excluded from Windows groups using standard Windows man-
agement tools.

Guidance Software recommends Active Directory integration in favor of using the Additional
Password function; however, the latter is still supported by Guidance Software SAFE for
backward compatibility.

SAFE Account Types


The SAFE maintains two types of user accounts:

l Regular user accounts perform collection work, select data to be collected and the
machines from which to acquire evidence.
l The keymaster account manages permissions for regular users, but is unable to perform
collections.

Guidance Software recommends that keymaster and regular users have different associations
with Active Directory accounts.

Configuring Active Directory Groups


This section provides a sample configuration of Active Directory that can be used with SAFE
accounts. Here, two Windows Domain groups are created:

l SAFE Users: Includes Windows users who run Guidance Software products.
l SAFE Administrators: Includes all Windows users who are allowed to log on to a SAFE as
keymaster users and configure SAFE network, roles, and permissions. This group can
include users as well as other groups, such as built-in administrators and domain admin-
istrators.
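The two groups described here, created and checked from PowerShell, as an added example that is not part of the Guidance Software guide. It needs the ActiveDirectory module (RSAT) and rights to create groups; the OU path, the 'jdoe', 'asmith' and 'safe-ops' accounts are placeholders. It also applies the recommendation above about keeping keymaster and regular-user associations separate by flagging any account that lands in both groups.

```powershell
# Added example, not from the Guidance Software guide: create the SAFE Users and
# SAFE Administrators domain groups and verify membership as Windows evaluates it.
# Requires the ActiveDirectory module. OU path and account names are placeholders.
Import-Module ActiveDirectory

$OuPath = 'OU=Security Groups,DC=corp,DC=example'        # placeholder OU

foreach ($name in 'SAFE Users', 'SAFE Administrators') {
    if (-not (Get-ADGroup -Filter "Name -eq '$name'")) {
        # SamAccountName defaults to the name, so -Identity 'SAFE Users' works below
        New-ADGroup -Name $name -GroupScope Global -GroupCategory Security `
                    -Path $OuPath -Description "Guidance Software SAFE: $name"
    }
}

# Investigators who run the desktop client (placeholder accounts)
Add-ADGroupMember -Identity 'SAFE Users' -Members 'jdoe', 'asmith'

# Accounts allowed to log on as keymaster; nesting Domain Admins is the
# arrangement this section describes
Add-ADGroupMember -Identity 'SAFE Administrators' -Members 'safe-ops', 'Domain Admins'

# Who reaches keymaster once nested groups are expanded?
Get-ADGroupMember -Identity 'SAFE Administrators' -Recursive |
    Select-Object SamAccountName, objectClass

function Test-SafeTrustee {
    # True when the user is a direct or nested member of the group. The
    # LDAP_MATCHING_RULE_IN_CHAIN filter walks nested groups on the domain controller.
    param([Parameter(Mandatory)][string]$SamAccountName,
          [Parameter(Mandatory)][string]$Group)
    $groupDn = (Get-ADGroup -Identity $Group).DistinguishedName
    $hit = Get-ADUser -LDAPFilter "(&(sAMAccountName=$SamAccountName)(memberOf:1.2.840.113556.1.4.1941:=$groupDn))"
    [bool]$hit
}

# The guide recommends separate associations for keymaster and regular users:
# flag any account that ends up in both groups.
$users  = @(Get-ADGroupMember -Identity 'SAFE Users' -Recursive | ForEach-Object SamAccountName)
$admins = @(Get-ADGroupMember -Identity 'SAFE Administrators' -Recursive | ForEach-Object SamAccountName)
$both   = $users | Where-Object { $admins -contains $_ }
if ($both) { Write-Warning "In both SAFE groups: $($both -join ', ')" }

Test-SafeTrustee -SamAccountName 'jdoe' -Group 'SAFE Administrators'
```

Whether the SAFE honours nested group membership for its trustee check is not stated in this guide, so after installation confirm keymaster access with an account that is only a nested member (here, a Domain Admin) before relying on that arrangement.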

Securing a Keymaster Account


A keymaster account is a built-in account created during SAFE installation. It cannot be
modified. Therefore, to use Active Directory Integration for a keymaster, you must configure it
during SAFE installation.

You can specify security for the keymaster account while installing a SAFE. When the dialog
below displays, select Windows Authentication to associate a keymaster account with a SAFE
administrators Windows group. This ensures that only members of that group can log on to
the SAFE as keymaster.

See Installing the SAFE on page25.



o Select Windows Authentication to use Windows Authentication.


o Click the Domain Trustee browse button. The Select User or Group dialog displays.

o Enter the required information for the user or group.


o When you finish, click OK.

Note: To either disassociate the keymaster account from the Windows account, or
associate the keymaster with another Windows account, you must run the SAFE
Installer again.

Securing Regular User SAFE Accounts


Use the EnCase user interface to create regular user accounts. To provide a way of associating
a SAFE user with an Active Directory user or group (in Windows terminology, a trustee), the
New/Modify User dialog includes an option to add a Windows trustee. This input control
invokes a standard Windows dialog to choose either a user or a group.

The following screenshot demonstrates how to associate a SAFE user account with a
previously created SAFE Users Windows group:

SAFE Configuration Package


You can create a file to transfer the configuration of one SAFE to another. This is useful for
establishing disaster recovery plans.

l The SAFE uses the same private key and works with all the agents used by the previous
implementations of the SAFE.
l A SAFE keymaster is the only user who can create this package.
l Machine specific information (specifically, SAFE setup) is not replicated.

PREREQUISITES
Installation of the SAFE must be done with the SAFE configuration file (using the .sdt
extension), the keymaster key file, and the keymaster password.

SAFE CONFIGURATION ITEMS


SAFE configuration items include:

l Users
l Config
l Keymaster public
l Network tree
l Role tree
l SAFE Backup Key
l Licenses
l Certs
l Deployment scripts

Creating a SAFE Configuration Package


To create a SAFE configuration package:

1. Logon to a SAFE as the keymaster.


2. From the Endpoint Investigation menu, select SAFE Configuration. The SAFE Con-
figuration page displays.

3. Select SAFE Configuration Package under the Backup menu to open the File Save dialog.
4. Choose the location where you want the SAFE Configuration package file to be saved.

Installing a SAFE using a SAFE Configuration Package


To install a SAFE using a SAFE Configuration Package:

1. Initiate the SAFE Installation process. The SAFE Private Key dialog appears, as shown
below.

2. Select Install using existing SAFE Configuration Package.

3. Select a SAFE Transfer File in the SAFE Transfer File file path box.
4. Select a keymaster private key file in the Keymaster Private Key path box.
5. Enter your keymaster password in the Password text box.
6. Click Next to complete the installation.

Backing Up the SAFE


1. Log on to the SAFE as the keymaster.
2. From the Endpoint Investigation menu, select SAFE Configuration. The SAFE
Configuration page displays.

3. To create a local backup of the SAFE, click Backup and select a location from the browse
dialog.
4. To set up automatic backups of the SAFE, click Auto Backup. The Backup Configuration
dialog displays:

o Select the number of backup files to maintain.


o Select the time the backup should occur.
o Select the days you want to back up.
o When you finish, click OK.

Enabling Enhanced Agent Functionality


EnCase Endpoint Investigator and EnCase eDiscovery users can deploy and use the Enhanced
Agent for remote data acquisition. EnForce users can deploy and use the Enhanced Agent to
perform asynchronous collection and processing. To access this functionality, you must enable
it in the SAFE and assign the functionality to a role.

To enable the Enhanced Agent and assign it to a role:

1. Log into the Guidance Software SAFE as keymaster.


2. Navigate to the Network Plugin Repository (SAFE Configuration > Network Plugin
Repository).

3. Click New in the Table pane to add a new plugin. The Enhanced Agent Plugin dialog
displays.
4. Select the EnCase Enhanced Agent cab file from the current installation location or
browse to another location. The enhanced agent plugin information fields populate.
5. Select disk space quota, memory quota, timeout, and redistributable deployment
option, or accept the default settings. Click Next.
o Select Disk Space Quota (%) to allocate disk space as a percentage of total disk space
available, or enter zero (0) to activate Disk Space Quota (MB) and select disk space
available to the enhanced agent by MB.


o Select Memory Quota (%) to allocate memory space as a percentage of total memory
available, or enter zero (0) to activate Memory Allocation Quota (MB) and select
memory allocation available to the enhanced agent by MB.
o Select Timeout (hours) to indicate how many hours a job will sit on the target machine.
If the job is not finished or if the results have not been retrieved, the job is deleted from
the target.
o Check the Deploy Redistributables checkbox to deploy required C++ runtime libraries
to the target.

6. Click Next. The Network dialog displays.


7. Add agent machines or IP ranges to be allowed to run the Enhanced Agents (a green plus
sign displays over the machines). Click Finish.

8. Go to SAFE Configuration > Roles. Select the role you want to add Enhanced Agent
functionality to and click Edit. The Edit role window displays. Click the Enhanced Agent
Plugins tab. Select the Enhanced Agent plugin and click Allow.

9. Log off the keymaster user account.


CHAPTER 4
USING THE SAFE CONFIGURATION TOOL

Overview 72

Logging On to the SAFE 72

Logoff 76

Setting up the Network Tree 77

Setting up Roles 78

Setting up User Accounts 83

Accessing Event Logs 86

Network Plugin Repository 89

Generate Encryption Keys 92



Overview
The Guidance Software SAFE Configuration Tool is an application that ships with the SAFE. The
SAFE Configuration Tool is a lightweight tool that can be used to configure the
Guidance Software SAFE. The Guidance Software SAFE Configuration Tool has most of the
same SAFE configuration features found in full Guidance Software desktop investigative
applications. Use the SAFE Configuration Tool to:

l define and manage your network topology for use by the Guidance Software SAFE
l create, define, and manage roles
l create, define, and manage user accounts
l manage and view events and logs
l manage network plugins
l generate encryption keys

Full details about configuring the SAFE can be found in the Guidance Software SAFE User
Guide, which is part of online help for the product or available by PDF.

Logging On to the SAFE


To perform primary administration functions, log on as the keymaster. You can create
additional administrator accounts for later use, but it is the keymaster account that has the full
access needed to configure the SAFE.

When you first open the Guidance Software SAFE Configuration Tool, the home page displays
a single Logon option until you log on to the SAFE.

To log on to the SAFE:

1. Select Option > Enterprise > Logon from the menu bar, or click Logon from the home
page.
o If no users display, right click Users and change the root path to point to the current
encryption key location for users and keymaster.

2. Select the desired user and enter the password for that user. Click Next.
o If no SAFEs display, right click SAFEs and change the root path to point to the location
for the desired SAFE.

3. Double click the SAFE for which you want to set the options. The SAFE options dialog
displays.

o Machine Name is the machine name or IP address of the SAFE machine.

o The Port selector enables you to change ports from the default 4445.
o If the SAFE resides outside your firewall, select Remote SAFE.
Remote SAFE determines if communications with the node are routed through the
SAFE, so the SAFE stands between the client and the node.
When using a remote SAFE, select the Inbound Port that should be used when
communicating with the remote SAFE.

o Select Enable Nagle if you have a slow or bad connection and have problems updating
the agent. The Nagle algorithm improves the efficiency of TCP/IP networks, although it
increases latency. This selection applies to all connections to nodes through this
connection to the SAFE.
o Window Size refers to the TCP window size for buffer control, and also applies to all
connections to nodes through this connection to the SAFE.
o Attempt Direct Connection options determine what kind of connection is made to the
specified SAFE.
Select None when the target system cannot establish a connection with a client. All
traffic is redirected through the SAFE server, which increases communication times. It
also provides the investigator the ability to obtain data otherwise not available.
Enable Client to Node (Local) when the client (desktop application) and the node
(agent) reside on the same network, and the SAFE resides on a different network.
This allows data to transfer directly from the node to the client, after the client
successfully authenticates through the SAFE. Note that the client uses the IP address
that the node believes it has, rather than the IP address the SAFE has for the node. In
this configuration, design the network so that all the company's employees are
located on the corporate desktop network, and employ routing and Network Address
Translation (NAT).
Client to Node (SAFE) enables Network Address Translation (NAT), where a private
IP address is mapped to a public IP address. Typically, the SAFE and node reside on
the same subnet, and the client on another. This allows data to transfer directly from
the node to the client, after the client successfully authenticates through the SAFE.
The client also uses the IP address that the SAFE believes the node has, rather than
the IP address the node reports it has, to allow a direct connection between the client
and node machine. This option is enabled by default.
Node to Client is similar to Client to Node (SAFE), except that the node
attempts the direct connection to the client. Use this option when you want direct
data transfer between the node and the client, and where NAT or a firewall prohibits
the node from sending data directly to the local IP or default port of the client. Once
you check this option, the client return address configuration box and port selector
become available to enter the NAT IP address and custom port.

o Priority raises or lowers an agent's resource usage for the thread that controls the
connection conducting a preview, acquisition, or sweep. Note that this does not affect the
agent process itself. This feature is useful for investigating machines when the
examination is very sensitive, or with production servers constantly running CPU-intensive
processes.

4. Click Finish to log on to the SAFE.

When you are successfully logged on to the SAFE, all SAFE Configuration Tool options display
on the home page.

Logoff
To log off the current SAFE:

1. Select Option > Enterprise > Logoff from the menu bar or click Logoff from the home
page.
2. A dialog displays the SAFE name and role, and asks you to confirm logoff now. Click Yes.

Setting up the Network Tree


The network tree is the organization of machines that have agents deployed on them. You can
organize it by physical location, company department, IP address ranges, or operating
systems.

Setting up the network tree involves creating a tree structure that contains information about
each of these machines. Investigators access this tree when looking for a machine to
investigate. Because of its importance, it is wise to develop a tree that scales according to the
anticipated growth of your organization.

Before you set up your network tree, compile a list of the IP addresses or machine names of all
nodes where agents have been or will be deployed.

1. Open the Guidance Software SAFE Configuration Tool and log into the SAFE.
2. Select Option > Enterprise > Network from the menu bar or click Network from the
home page. The Network pane displays.
3. Create parent folders in the Tree-Table view: click Select View > Tree-Table.
4. Right click Network in the Tree pane, then select New Folder.
5. Position and name the folder.
6. Right click a parent folder and click New to add machines or IP ranges to child
folders. The New Machine dialog displays.

o Machine Name can be an IP address, host name, or DNS name. IPv4 and IPv6 formats
are supported.
o Comment helps distinguish machines and ranges when viewing the network tree.
o Select Default if you used the default port number. Otherwise, manually select another
port number.
o To manually enter an IP range with start and stop IP addresses, click the IP Range
checkbox and specify the start and stop IP addresses. IPv4 and IPv6 formats are
supported.

7. Click OK.

Setting up Roles
Setting up and assigning roles must be done before a user can perform any task.

1. Select Option > Enterprise > Roles from the menu bar, or click Roles from the home
page. The Roles pane displays.
2. Select New from the Roles pane menu bar. The Role dialog displays.

o Enter the name of the role.


o Enter optional comments.
o Assign the minimum number of connections allocated to each role so that the total
number of connections allowed by the SAFE is distributed appropriately.
Any connections not allocated fall into a pool with a first come, first served policy.
Each child role has only the number of connections allocated to the parent.
If the number of connections allocated to the child roles exceeds that of the parent
role, all connections in the parent role fall into the pool.
Pools of parent roles can be accessed by child roles.
Any allocations of the child role can be taken by the parent role.

o You can see the current number of connections for each role in the Table view.

3. Click Next. The Permission dialog displays.

4. Click New to select permissions to add to the new role. The New Permission dialog
displays.

o Acquire Image gives the investigator the ability to acquire network devices while
assigned to this role. If this permission is not given, the user can only preview network
devices associated with the role.
o View Pictures activates pictures displayed in the Doc tab in the View pane.
o Browse File Structure displays the file structure in the Tree pane. A user with this
permission can also expand and contract folders within the file structure.
o View File Contents gives the user the ability to see file content in the View pane. If this
is the only permission given, the View pane is the only active pane.
o Copy Files gives the user the ability to copy folders from the Tree pane and copy/unerase
files from the Table and View panes. It also enables the user to use external viewers.
o Keyword Search allows the user to conduct only a keyword search or index a case.
Results are not displayed if this is the only permission selected. The search button is the
only active button.
o Allow Script File Access allows use of EnScript programs while previewing network
devices.
o Snapshot Information allows the snapshot function to access the dynamic data.
o Allow Registry Value Access allows the snapshot function to access registry values.
o Allow Registry List Access allows the snapshot function to access registry lists.
o Edit Registry allows EnScript programs to edit the target registry (available only if your
SAFE is enabled for remediation). To check if your SAFE is remediation-enabled,
navigate to the Guidance Software SAFE directory and run the command safe -diag
from the Windows command line.
o Terminate Process allows EnScript programs to terminate a process on a target
machine (available only if your SAFE is enabled for remediation). To check if your SAFE
is remediation-enabled, navigate to the Guidance Software SAFE directory and run the
command safe -diag from the Windows command line.
o Run Process allows EnScript programs to run a process on a target machine (available
only if your SAFE is enabled for remediation). To check if your SAFE is remediation-
enabled, navigate to the Guidance Software SAFE directory and run the command
safe -diag from the Windows command line.
o Edit Files allows EnScript programs to edit files on a target machine (available only if
your SAFE is enabled for remediation). To check if your SAFE is remediation-enabled,
navigate to the Guidance Software SAFE directory and run the command safe -diag
from the Windows command line.
o Read Memory grants the user access to physical and process memory on any
computer accessible to that role. Administrators should be aware that users in this role
potentially have access to security information such as passwords and other
credentials on the computer they are examining, to the same extent they would have if
logged on as a local administrator. Allowing a user read memory access to any
computer containing secure information, such as the SAFE or network servers, should
be done with caution.
o Deploy Agents enables users assigned this role to deploy agents automatically from
the SAFE. Using configurable control scripts, the SAFE automatically installs agents on
targets that do not have agents currently installed. For automatic deployment, the
SAFE user must have this permission, control scripts must be configured, and the
Deploy Agents checkbox must be selected when processing devices from a SAFE
network preview or during a Sweep Enterprise job.
o Undeploy Agents enables users assigned this role to remove all Guidance Software
agents from the target machine.
o Snapshot Scanner enables the user to create targets from IP ranges in EnCase
Endpoint Security and EnCase eDiscovery.

5. Open the Time Frame tab to further control the permissions by time.

6. Click Next. The Network dialog displays a selection of machines to access.


o Machines (or nodes) are always in one of three states: Included, Excluded, or Neutral.
o Machines can have different states for different roles.
o When you add a machine, it is by default in a Neutral state, neither specifically included
nor excluded.
o Select a machine to enable the change state buttons.
o Add Selected Items sets the selected machines to the Included state.
o Subtract Select Items sets the selected machines to the Excluded state.
o Clear Selected items returns the selected machines to the Neutral state.
o Permissions are inherited:
The state of a parent machine propagates down through the tree to its children.
If you exclude a parent folder but leave an individual machine within that folder in
Neutral state, the machine is excluded.
A parent role must have a machine included before you can create a child node.

o A machine must be Included for an investigator to preview it. Subsequent nodes that
refer to the same machine are Included for access if they are left in a Neutral state.
o If a network range is left Neutral for security purposes, no machine in this range can be
accessed unless explicitly set to be included in the network tree.
o If you have conflicting states for the same machine within the same role, then access is
denied. For example, if you allow access for 192.168.2.100, but deny access to the
range 192.168.2.1-192.168.2.200 within the same role, then access to that node will be
denied.
o If a permissions conflict arises, denying access takes precedence over granting access.

7. Click Next. The Enhanced Agent Plugins dialog displays available plugins.

o Select a plugin, and click Allow or Deny to control access to the plugin from the role.

8. Click Finish to save all changes and create the role.
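As an added illustration of the Included, Excluded and Neutral rules listed under step 6 (this is example code written for this guide, not part of the SAFE product or its Configuration Tool), the following Python models one role's network tree and resolves access for a target address the way those bullets describe: a folder's state propagates down to its Neutral children, a machine must end up Included before an investigator can preview it, and any conflict, such as the 192.168.2.100 host sitting inside the excluded 192.168.2.1-192.168.2.200 range, resolves to deny. The `Entry` class, the folder and host names in `sample_tree()`, and the function names are constructed for this example and do not correspond to anything in the SAFE.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

INCLUDED, EXCLUDED, NEUTRAL = "Included", "Excluded", "Neutral"


@dataclass
class Entry:
    """One node of a role's network tree: a folder, a single machine, or an IP range.

    Hypothetical model for this example; the SAFE's own tree format is not exposed here.
    """
    name: str
    state: str = NEUTRAL
    # Inclusive (start, stop) address pair; a single machine repeats its address.
    # Folders carry no addresses; they only group entries and pass their state down.
    ip_range: Optional[Tuple[str, str]] = None
    children: List["Entry"] = field(default_factory=list)

    def covers(self, ip) -> bool:
        if self.ip_range is None:
            return False
        start, stop = (ipaddress.ip_address(a) for a in self.ip_range)
        # IPv4 and IPv6 addresses are not comparable; a v4 range never covers a v6 host.
        return start.version == ip.version and start <= ip <= stop


def effective_states(entry: Entry, ip, inherited: str = NEUTRAL) -> List[str]:
    """Return the effective state of every tree entry whose range covers ip.

    State propagates down the tree: a Neutral entry takes the state of its nearest
    non-Neutral ancestor, so a Neutral machine inside an Excluded folder is Excluded.
    """
    state = entry.state if entry.state != NEUTRAL else inherited
    states = [state] if entry.covers(ip) else []
    for child in entry.children:
        states.extend(effective_states(child, ip, state))
    return states


def access_allowed(root: Entry, target: str) -> bool:
    """Decide whether the role may preview target under the guide's resolution rules."""
    states = effective_states(root, ipaddress.ip_address(target))
    if EXCLUDED in states:       # conflicting states for one machine resolve to deny
        return False
    return INCLUDED in states    # Neutral only, or absent from the tree: no access


def sample_tree() -> Entry:
    """Constructed sample tree (not taken from the guide) exercising each rule."""
    return Entry("Network", children=[
        Entry("HQ", children=[
            # Explicit allow for one host and an explicit deny for the range around it:
            # the guide's conflict example, which must resolve to denied.
            Entry("finance-ws", INCLUDED, ("192.168.2.100", "192.168.2.100")),
            Entry("hq-range", EXCLUDED, ("192.168.2.1", "192.168.2.200")),
        ]),
        # Excluded folder: its Neutral child inherits the exclusion.
        Entry("Lab", EXCLUDED, children=[
            Entry("lab-01", NEUTRAL, ("10.0.0.5", "10.0.0.5")),
        ]),
        # Included folder: a Neutral range beneath it is reachable.
        Entry("Prod", INCLUDED, children=[
            Entry("prod-range", NEUTRAL, ("10.1.0.0", "10.1.0.255")),
        ]),
    ])


if __name__ == "__main__":
    tree = sample_tree()
    for host in ("192.168.2.100", "10.0.0.5", "10.1.0.7", "172.16.0.1"):
        verdict = "allowed" if access_allowed(tree, host) else "denied"
        print(f"{host:15} -> {verdict}")
```

Running the script prints the verdict for each constructed host. An administrator planning a role can reuse `access_allowed()` to check which machines a draft tree actually exposes before entering the states in the Network dialog; the deny-wins rule means an Included host is silently unreachable whenever any enclosing range or folder is Excluded.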

Setting up User Accounts


Use the Guidance Software SAFE Configuration Tool to create keymaster and other user
accounts.

To add a Guidance Software SAFE user:

1. Select Option > Enterprise > Enterprise Users from the menu bar, or click Enterprise
Users from the home page. The Enterprise Users pane displays.
2. Select New from the Enterprise Users pane menu bar. The Enterprise User dialog
displays.

o Enter any optional comment.


o Enter or browse to the location of the user's public key file.
o Select None if no additional security is required.
o Select Windows Authentication to use Windows Authentication. The Domain Trustee
field displays.
Click the Domain Trustee browse button. The Select User or Group dialog displays.

Enter the required information for the user or group.


When you finish, click OK.

o Select Additional password if you want to use a password not tied to the encryption
key password created by the user.
This additional password is created when the user first logs on.
This password does not use password strength enforcement.
The administrator cannot view the additional password, but can reset or disable it.

3. Click Next. The Permission/Role dialog displays.


4. Assign default administrative permissions to the user.

Select the permissions to add to the new user.


o Create Users lets the user create other users.
o Create Roles lets the user create and define roles.
o Edit Network Layout lets the user edit the network in the Network tab (for example
adding, moving, and removing nodes and folders and scanning selected nodes).
o View Logs lets the user view the logs of child users and roles.
o Remote Logon determines whether a user can remotely log on to a SAFE Server.
Remote is defined as the user's location being outside the corporate network
infrastructure with a publicly accessible IP address.
o Allow Remote Logon enables manual authentication of remote logons for a particular
SAFE Server by establishing an outbound connection. A user with this permission must
be logged on locally to allow a remote connection.
o View All Logs allows a user to read the SAFE logs. A user logged on to the SAFE with
this permission can view the logs as the keymaster sees them. For the View All Logs
permission to work, you must also set the View Logs permission. When these two
permissions are active, you cannot have any other permissions set.
o The lower pane gives a quick representation of the permissions and the time frame
values.
o To edit the Start, Expires, Days, or Hours fields, right click the permission name in the
table and select Edit.
o Set the desired values in the Time Frame tab, then click OK.

5. All users must be assigned a role before they are able to perform any tasks. To add a role
to the user, in the Permission/Role tab right click the permission name, then click New.
See Setting up Roles on page 78 to create a new role.

6. Choose the role for this user.


7. The default permissions are for every day, and at every hour. Select the Time Frame tab
to change the values.

8. To finish, click OK.

For more information on setting up keymaster and other user accounts, see the Guidance
Software SAFE User Guide.

Accessing Event Logs


You can use the Guidance Software SAFE Configuration Tool to view and export log files for
logon, system, role, administration, windows authentication, and job status events. Your user
account must have SAFE access with View Logs (for user and child logs) or View All Logs (for all
logs the keymaster can view) permission to read event logs.

1. Select Option > Enterprise > Events from the menu bar or click Events from the home
page. The Events pane displays.
2. Select Read Logs from the Events pane menu bar. The Read Logs dialog displays.

The Event Types tab shows event folders and the individual event names contained in
the selected folder.

The Users tab filters event logs by user. When expanded, the left pane shows all users,
while the right pane shows the children of the left pane selection.

The Roles tab filters event logs according to a user's SAFE identification role. The left
pane shows established access rights, while the right pane shows the peers of the item
selected in the left pane.

The Time Frame tab filters an event activity by time. The Start Date and Stop Date
selections are independent of each other. If Any Time is selected in one, a specific date
and time can be selected in the other.

3. Click OK to return to the main window.

Logs in the selected folder display in the right pane.



Network Plugin Repository


Guidance Software product users can use the Network Plugin Repository to deploy and use
the Enhanced Agent for remote data acquisition and asynchronous collection and processing.
To access this functionality, you must enable it in the SAFE and assign the functionality to a
role.

To enable the Enhanced Agent and assign it to a role:

1. Log into the Guidance Software SAFE as keymaster.


2. Select Option > Enterprise > Network Plugin Repository from the menu bar, or click
Network Plugin Repository from the home page. The Network Plugin Repository pane
displays.

3. Select New from the Roles pane menu bar to add a new plugin. The Enhanced Agent
Plugin dialog displays.
4. Select the EnCase Enhanced Agent cab file from the current installation location or
browse to another location. Click Next. The Enhanced Agent Plugin dialog displays.

5. Select disk space quota, memory allocation, timeout, and redistributable deployment
options, or accept the default settings. Click Next.
o Select Disk Space Quota (Percent) to allocate disk space as a percentage of total disk
space available, or enter zero (0) to activate Disk Space Quota (MB) and select disk
space available to the enhanced agent by MB.
o Select Memory Quota (Percent) to allocate memory space as a percentage of total
memory available, or enter zero (0) to activate Memory Quota (MB) and select
memory allocation available to the enhanced agent by MB.
o Select Timeout (hours) to indicate how many hours a job will sit on the target machine.
If the job is not finished or if the results have not been retrieved, the job is deleted from
the target.
o Check the Deploy Redistributables checkbox to deploy required C++ runtime libraries
to the target.

6. The Network dialog displays. Add agent machines or IP ranges to be allowed to run the
Enhanced Agents (a green plus sign displays over the machines).

7. Click Finish.
8. Select Option > Enterprise > Roles from the menu bar, or click Roles from the home
page. Select the role you want to add Enhanced Agent functionality to and click Edit.
The Edit role window displays. Click the Enhanced Agent Plugins tab. Select the
Enhanced Agent plugin and click Allow.

9. Click OK. Log off the keymaster user account.

Generate Encryption Keys


Guidance Software SAFE authentication is based on public and private key encryption. Public
keys are distributed widely and can be used to encrypt data. Private keys are held only by a
single user and are used to decrypt files encrypted with the corresponding public key.

To install a SAFE server, you must generate a keymaster public/private key pair for use as the
master key to the SAFE. Investigators who are added as users must also generate a key pair
before they can be given user accounts and permissions.

License Manager requires a key during setup, which can be generated during the setup
process.

GENERATING A KEYMASTER ENCRYPTION KEY PAIR


1. Select Option > Enterprise > Encryption Key from the menu bar. The Encryption Keys
pane displays on the right. Click New from the menu bar to add a keymaster key.
The Generate Encryption Key dialog displays.

2. Click Next. The second Generate Encryption Key dialog displays, showing the progress of
generating the key.

3. After the key is generated, the Password dialog displays.

o In the Name field, enter keymaster.


o Enter and confirm a password. The Password Quality bar turns green when you enter a
password with sufficient complexity.

4. Click Finish to complete the key generation process. The Copy Public Key File dialog
displays.

5. Accept the default location, or browse to another location where you want to save the
keys, then click Save.
6. The keymaster public and private keys are saved to the specified location.
7. Send the keymaster.PublicKey and [SAFEname].machine files to Guidance Software
using the SAFE setup link email to generate the [SAFEname].machine token and
complete the setup process. For information on generating the [SAFEname].machine
token and sending both files to Guidance Software, see Installing the SAFE.

GENERATING A USER ENCRYPTION KEY PAIR


Follow the same steps used when creating a keymaster encryption key pair. When logged
into the SAFE as keymaster, a Generate Encryption Key link is also available on the home page.

l Enter the specific username. Guidance Software recommends using the user's real name,
as it makes administration more manageable.
l Keep the user's password in a secure location. You must provide it when you log on to
the SAFE, and when you set up the SAFE network and define users. No one except the
keymaster can log on to the SAFE until the keymaster sets up users. If you lose the
password, you must perform the installation again.

CHAPTER 5
MANAGING SAFE USER ACCOUNTS AND
ROLES

Overview 99

Setting up User Accounts 100

Setting up Roles 104

Assigning User Permissions and Roles 110

SAFE User Management Role 112

Ability to Lock Require Case Information Setting 113

Resetting a User Password 114

Integration with Active Directory 115

Managing Encryption Keys 118



Overview
Once you have installed and configured the SAFE and desktop clients, you need to set up user
accounts, roles, and permissions.

User accounts must be created for every user. This entails creating encryption key pairs for
each user account. Users create them on their investigator machines and provide the
username.PublicKey file to the keymaster. The keymaster then adds them as users to the
SAFE.

A role is a grouping of connections, permissions, and access rights to certain machines in the
network tree. Roles are created with various permissions, then assigned to users when their
accounts are set up. You may assign multiple roles to a user; a user then chooses the desired
role when starting a new case. Users can create roles containing only the permissions for which
they have access.

Roles can be nested within a hierarchical folder structure, with child roles inheriting the
attributes of the parent roles.

Permissions are rules determining whether or not a user can perform specific functions. Two
kinds of permissions control the ability of users to perform certain actions or view certain
elements:

l Role-based permissions control access and ensure proper enforcement of policies. These
permissions control investigative functions such as acquisitions and image viewing.
l User-based permissions apply to administrative functions, such as the ability to add
other users and modify the network.

SPECIAL ADMINISTRATIVE USER ACCOUNTS


There are two special administrative user accounts that always need to be created: the
keymaster role and the SAFE administrator role.

The keymaster is the super administrator for a SAFE server. The primary duties of the
keymaster are:

l Creating initial roles.


l Creating initial user accounts.
l Creating the initial network tree.

The keymaster account is unique in several ways:



l The keymaster can delegate responsibilities to another user.


l One keymaster account can be used for multiple SAFE servers.
l After installation, the keymaster is the only person who can log on to the SAFE server
until other user accounts are created.
l The keymaster account is restricted from performing any previews or acquisitions
through the SAFE.
l The keymaster account acts solely as an administrator; it cannot perform any actual
work.

Because of the power that the keymaster has over the system, Guidance Software
recommends the keymaster not be a regular user of the SAFE server. Instead, the keymaster
account should be held by a person within the company who meets the following criteria:

l C-level (CEO, CFO, CIO, CTO, COO, CISO, CSO) or senior executive.
l Not likely to leave the company.
l Has corporate liability.

If the keymaster password is lost or the keymaster keys become corrupted, there is no way to
recover a lost password or keypair. Please maintain backup copies of the keymaster keypair
and take steps to ensure the keymaster password is not irretrievably lost. If the keymaster
keypair requires replacement, please see the Guidance Software Support Portal
knowledgebase article on replacing the keymaster key.

The SAFE administrator, created by the keymaster, is in charge of the daily administration of
the SAFE server, and should report to the keymaster. This account usually performs these
tasks:

l Maintaining user accounts.


l Maintaining roles.
l Maintaining the network tree.
l Maintaining the SAFE events.
l Updating the SAFE as new versions become available.

Setting up User Accounts


1. Launch the Guidance Software application.
2. From the View menu, select Users. The Users tab displays.
3. Click New. The User dialog displays.

o Enter any optional comment.


o Enter or browse to the location of the user's public key file.
o Select None if no additional security is required.
o Select Windows Authentication to use Windows Authentication.
o Click the Domain Trustee browse button. The Select User or Group dialog displays.

Enter the required information for the user or group.


When you finish, click OK.

o Select Additional password if you want to use a password not tied to the encryption
key password created by the user.
This additional password is created when the user first logs on.
This password does not use password strength enforcement.
The administrator cannot view the additional password, but can reset or disable it.
102 Guidance Software SAFE User Guide Version a.05

4. Click Next.
5. On the Permission/Role tab, assign default administrative permissions to the user.

Select the permissions to add to the new user.

o Create Users lets the user create other users.
o Create Roles lets the user create and define roles.
o Edit Network Layout lets the user edit the network in the Network tab (for example
adding, moving, and removing nodes and folders and scanning selected nodes).
o View Logs lets the user view the logs of child users and roles.
o Remote Logon determines whether a user can remotely log on to a SAFE Server.
Remote is defined as the user's location being outside the corporate network
infrastructure with a publicly accessible IP address.
o Allow Remote Logon enables manual authentication of remote logons for a particular
SAFE Server by establishing an outbound connection. A user with this permission must
be logged on locally to allow a remote connection.
o View All Logs allows a user to read the SAFE logs. A user logged on to the SAFE with
this permission can view the logs as the keymaster sees them. For the View All Logs
permission to work, you must also set the View Logs permission. When these two
permissions are active, you cannot have any other permissions set.
o The lower pane gives a quick representation of the permissions and the time frame
values.

o To edit the Start, Expires, Days, or Hours fields, right click the permission name in the
table and select Edit.
o Set the desired values in the Time Frame tab, then click OK.

6. All users must be assigned a role before they are able to perform any tasks. To add a role
to the user, in the Permission/Role tab right click the permission name, then click New.
See Setting Up Roles to create a new role.

7. Choose the role for this user.

8. The default permissions are for every day, and at every hour. Select the Time Frame tab
to change the values.

9. To finish, click OK.

Setting up Roles
Setting up and assigning roles must be done before a user can perform any task.

1. From the View menu, select Roles. The Roles tab displays.
2. Right click the desired parent role in the Tree pane and click New. The Role dialog
displays.

o Enter the name of the role.
o Enter optional comments.
o Assign the minimum number of connections allocated to each role so that the total
number of connections allowed by the SAFE is distributed appropriately.
Any connections not allocated fall into a pool with a first come, first served policy.
Each child role has only the number of connections allocated to the parent.
If the number of connections allocated to the children roles exceeds that of the
parent role, all connections in the parent role fall into the pool.
Pools of parent roles can be accessed by children roles.
Any allocations of the child role can be taken by the parent role.

o You can see the current number of connections for each role in the Table view.

3. Click Next. The Permission dialog displays.

4. Click New to select permissions to add to the new role. The New Permission dialog
displays.

o Acquire Image gives the investigator the ability to acquire network devices while
assigned to this role. If this permission is not given, the user can only preview network
devices associated with the role.
o View Pictures activates pictures displayed in the Doc tab in the View pane.
o Browse File Structure displays the file structure in the Tree pane. A user with this
permission can also expand and contract folders within the file structure.
o View File Contents gives the user the ability to see file content in the View pane. If this
is the only permission given, the View pane is the only active pane.
o Copy Files gives the user the ability to copy folders from the Tree pane and
copy/unerase files from the Table and View panes. It also enables the user to use
external viewers.
o Keyword Search allows the user to conduct only a keyword search or index a case.
Results are not displayed if this is the only permission selected. The search button is the
only active button.
o Allow Script File Access allows use of EnScript programs while previewing network
devices.
o Snapshot Information allows the snapshot function to access the dynamic data.
o Allow Registry Value Access allows the snapshot function to access registry values.
o Allow Registry List Access allows the snapshot function to access registry lists.
o Edit Registry allows EnScript programs to edit the target registry (available only if your
SAFE is enabled for remediation). To check if your SAFE is remediation-enabled,
navigate to the Guidance Software SAFE directory and run the command safe -diag
from the Windows command line.
o Terminate Process allows EnScript programs to terminate a process on a target
machine (available only if your SAFE is enabled for remediation). To check if your SAFE
is remediation-enabled, navigate to the Guidance Software SAFE directory and run the
command safe -diag from the Windows command line.
o Run Process allows EnScript programs to run a process on a target machine (available
only if your SAFE is enabled for remediation). To check if your SAFE is
remediation-enabled, navigate to the Guidance Software SAFE directory and run the
command safe -diag from the Windows command line.
o Edit Files allows EnScript programs to edit files on a target machine (available only if
your SAFE is enabled for remediation). To check if your SAFE is remediation-enabled,
navigate to the Guidance Software SAFE directory and run the command safe -diag
from the Windows command line.
o Read Memory grants the user access to physical and process memory on any
computer accessible to that role. Administrators should be aware that users in this role
potentially have access to security information such as passwords and other
credentials on the computer they are examining, to the same extent they would have if
logged on as a local administrator. Allowing a user read memory access to any
computer containing secure information, such as the SAFE or network servers, should be
done with caution.
o Deploy Agents enables users assigned this role to deploy agents automatically from
the SAFE. Using configurable control scripts, the SAFE automatically installs agents on
targets that do not have agents currently installed. For automatic deployment, the
SAFE user must have this permission, control scripts must be configured, and the
Deploy Agent checkbox must be selected when processing devices from a SAFE
network preview or during a Sweep Enterprise job.
o Snapshot Scanner enables the user to create targets from IP ranges in EnCase
Endpoint Security and EnCase eDiscovery.

5. Open the Time Frame tab to further control the permissions by time.

6. Click Next. The Network dialog displays a selection of machines to access.

o Machines (or nodes) are always in one of three states: Included, Excluded, or Neutral.
o Machines can have different states for different roles.
o When you add a machine, it is by default in a Neutral state, neither specifically included
nor excluded.
o Select a machine to enable the change state buttons.
o Add Selected Items sets the selected machines to the Included state.
o Subtract Selected Items sets the selected machines to the Excluded state.
o Clear Selected Items returns the selected machines to the Neutral state.
o Permissions are inherited:
The state of a parent machine propagates down through the tree to its children.
If you exclude a parent folder but leave an individual machine within that folder in
Neutral state, the machine is excluded.
A parent role must have a machine included before you can create a child node.

o A machine must be Included for an investigator to preview it. Subsequent nodes that
refer to the same machine are Included for access if they are left in a Neutral state.
o If a network range is left Neutral for security purposes, no machine in this range can be
accessed unless explicitly set to be included in the network tree.
o If you have conflicting states for the same machine within the same role, then access is
denied. For example, if you allow access for 192.168.2.100, but deny access to the
range 192.168.2.1-192.168.2.200 within the same role, then access to that node will be
denied.
o If a permissions conflict arises, denying access takes precedence over granting access.

7. Click Finish to save all changes and create the role.
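The following is an added example, not Guidance Software code, that models the Network dialog rules above: node states, inheritance down the tree, a Neutral-only machine being inaccessible, and deny taking precedence when two nodes (here, the 192.168.2.100 host and the 192.168.2.1-192.168.2.200 range) cover the same machine within one role. The tree layout, node names and addresses are constructed for illustration; where the guide does not say how an explicitly Included child under an Excluded folder resolves, the model applies the documented deny-over-allow rule.

```python
"""Model of a SAFE role's network tree: Included / Excluded / Neutral states,
inheritance from parent folders, and deny-over-allow conflict resolution.
Added example only; the product's real implementation is not public."""
from dataclasses import dataclass, field
from ipaddress import IPv4Address
from typing import List, Optional, Tuple

INCLUDED, EXCLUDED, NEUTRAL = "Included", "Excluded", "Neutral"


@dataclass
class Node:
    """A folder, a single machine, or an IP range in one role's network tree."""
    name: str
    state: str = NEUTRAL
    address: Optional[str] = None        # single machine (constructed field name)
    range_start: Optional[str] = None    # inclusive IP range (constructed field names)
    range_end: Optional[str] = None
    children: List["Node"] = field(default_factory=list)

    def matches(self, ip: str) -> bool:
        """True if this node refers to the machine at ip (folders match nothing)."""
        if self.address is not None:
            return IPv4Address(ip) == IPv4Address(self.address)
        if self.range_start is not None and self.range_end is not None:
            return IPv4Address(self.range_start) <= IPv4Address(ip) <= IPv4Address(self.range_end)
        return False


def combine(inherited: str, own: str) -> str:
    """Effective state of a node given the state inherited from its parent.

    Exclusion anywhere on the path wins (deny takes precedence); otherwise an
    explicit or inherited Included applies; a node left Neutral under a
    Neutral parent stays Neutral.
    """
    if EXCLUDED in (inherited, own):
        return EXCLUDED
    if INCLUDED in (inherited, own):
        return INCLUDED
    return NEUTRAL


def effective_states(node: Node, inherited: str = NEUTRAL) -> List[Tuple[Node, str]]:
    """Walk the tree, propagating each parent's state down to its children."""
    eff = combine(inherited, node.state)
    out = [(node, eff)]
    for child in node.children:
        out.extend(effective_states(child, eff))
    return out


def can_preview(role_tree: Node, ip: str) -> bool:
    """Decide whether a user in this role may preview the machine at ip.

    Every node referring to the machine is consulted. Any Excluded match
    denies access; otherwise at least one Included match is required, because
    a machine that is Neutral everywhere in the tree cannot be accessed.
    """
    states = [eff for node, eff in effective_states(role_tree) if node.matches(ip)]
    if EXCLUDED in states:
        return False
    return INCLUDED in states


def build_sample_tree() -> Node:
    """Constructed sample tree reproducing the conflict described in the guide."""
    lab = Node("Lab", state=EXCLUDED, children=[
        Node("lab-01", address="10.0.5.10"),              # Neutral, inherits Excluded
    ])
    servers = Node("Servers", state=INCLUDED, children=[
        Node("srv-01", address="10.0.9.20"),              # Neutral, inherits Included
        Node("srv-02", address="10.0.9.21", state=EXCLUDED),
    ])
    return Node("Network", children=[
        lab,
        servers,
        Node("ws-100", address="192.168.2.100", state=INCLUDED),
        Node("ws-range", range_start="192.168.2.1", range_end="192.168.2.200",
             state=EXCLUDED),
        Node("ws-250", address="192.168.2.250"),          # Neutral everywhere
    ])


if __name__ == "__main__":
    tree = build_sample_tree()
    for ip in ("192.168.2.100", "192.168.2.50", "192.168.2.250",
               "10.0.5.10", "10.0.9.20", "10.0.9.21"):
        print(f"{ip:15} -> {'allowed' if can_preview(tree, ip) else 'denied'}")
```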



Assigning User Permissions and Roles

You can organize the user accounts in a hierarchical folder structure, so that a child inherits
permissions and roles from the parent.

Users can be moved from one parent to another.

l You must be in Tree-Table mode to change the user hierarchy in the tree pane.
l If a user is moved to another parent, the permissions allowed by the parent carry over.
l Those permissions denied to the parent, but previously allowed to the child, are now
denied to the child.

To assign user permissions:

1. Log on to the SAFE as the keymaster.
2. From the View menu, select Users. The Users tab displays.
3. Right click on a user name and select Edit. The Edit User dialog displays.
4. On the Permission/Role tab you can assign new permissions to an existing role.

o Create Users lets the user create other users.
o Create Roles lets the user create and define roles.
o Edit Network Layout lets the user edit the network in the Network tab (for example
adding, moving, and removing nodes and folders and scanning selected nodes).
o View Logs lets the user view the logs of child users and roles.
o Remote Logon determines whether a user can remotely log on to a SAFE Server.
Remote is defined as the user's location being outside the corporate network
infrastructure with a publicly addressable IP address.
o Allow Remote Logon enables manual authentication of remote logons for a particular
SAFE Server by establishing an outbound connection. A user with this permission must
be logged on locally to allow a remote connection.
o View All Logs allows a user to read the SAFE logs. A user logged on to the SAFE with
this permission can view the logs as the keymaster sees them. For the View All Logs
permission to work, you must also have the View Logs permission. When these two
permissions are active, you cannot have any other permissions set.

5. To add a role to the user, click New in the Permission/Role tab. The New Permission/Role
dialog displays.

6. Choose the new role for this user.

7. The default permissions are for every day and at every hour. Select the Time Frame tab
to change the values.

8. When you finish, click OK.

SAFE User Management Role

A keymaster can grant permission to non-keymaster SAFE users for them to administer user
accounts. This is useful in larger organizations where it can be burdensome for only one
keymaster to administer a large number of accounts.

Note: Any user who has this Administer Users permission cannot have any other
roles; that is, this account can be used to administer users only, not to acquire data
from agent nodes.

To grant a user permission to administer user accounts:

1. Log into the SAFE as keymaster.
2. Click View > Users from the menu bar. The Users tab displays.
3. Right click a username, then click Edit in the dropdown menu. The edit dialog displays.
4. Click the Permission/Role tab.
5. Right click in the tab, then click New in the dropdown menu. The New Permission/Role
dialog displays.
6. In the Permission Type tab, click the checkbox for the Administer Users role.

7. Click OK. Administer Users is added to the list of permissions for the designated user.
8. Click OK to close the Edit dialog.

Ability to Lock Require Case Information Setting

SAFE administrators can require users to specify case information when they create cases by
enabling the Require Case Information setting for users. Saved cases appear with their case
number in the SAFE event log.

With the Require Case Information feature enabled, the user can log into the SAFE only if all
open and active cases contain a case number. If the user has unsaved cases, SAFE login will fail
and an error message displays until all cases are saved.

To activate the Require Case Information feature for a user:

1. Launch the Guidance Software application and log into the SAFE as an administrator.
2. From the View menu, select Users. The Users tab displays.
3. Select a user and click Edit. The User dialog displays.

4. Click the Require Case Information checkbox. Click OK.

A user can check if the Require Case Information setting has been enabled for them by opening
the desktop client and logging into the SAFE. The Require Case Information checkbox appears
on the Global tab of the user's Options dialog.

Resetting a User Password

All users have a password associated with their private key file. This password is required for
logging on to the SAFE.

If users forget their password or lose their private key file, assign a new key pair to a user
account:

1. On the user's machine, create a new encryption key pair. See Generating Encryption
Keys.
Note: The name of the new key must match the username. Either the newly created
public key must match the name in the Name field, or you must manually change the
value in the Name field to match the name of the public key file.

2. Log on to the SAFE using the keymaster account, or another account that has the
permissions to edit users.

3. Click View > Users. The User tab displays.

4. Right click the user name and select Edit. The Edit User dialog displays.

5. Browse to or enter the location of the new public key file, then click OK. Users can now
log on using the newly generated password.

Integration with Active Directory

Guidance Software SAFE supports Active Directory integration. This option secures SAFE user
accounts by allowing SAFE administrators to associate a SAFE account with a Windows domain
account (user or group) from Active Directory. If a Windows user running a Guidance Software
product is associated with a SAFE account, or is a member of a Windows domain group
associated with a SAFE account, access to SAFE is granted. Otherwise, access is denied.

This option implements the following Windows built-in account management features:

l Password strength and expiration policies are enforced at the Windows domain level.
l Windows user accounts can be disabled upon employment termination.
l Users can be included or excluded from Windows groups using standard Windows
management tools.

Guidance Software recommends Active Directory integration in favor of using the Additional
Password function; however, the latter is still supported by Guidance Software SAFE for
backward compatibility.

SAFE Account Types

The SAFE maintains two types of user accounts:

l Regular user accounts perform collection work, select data to be collected and the
machines from which to acquire evidence.
l The keymaster account manages permissions for regular users, but is unable to perform
collections.

Guidance Software recommends that keymaster and regular users have different associations
with Active Directory accounts.

Configuring Active Directory Groups

This section provides a sample configuration of Active Directory that can be used with SAFE
accounts. Here, two Windows Domain groups are created:

l SAFE Users: Includes Windows users who run Guidance Software products.
l SAFE Administrators: Includes all Windows users who are allowed to log on to a SAFE as
keymaster users and configure SAFE network, roles, and permissions. This group can
include users as well as other groups, such as built-in administrators and domain
administrators.

Securing a Keymaster Account

A keymaster account is a built-in account created during SAFE installation. It cannot be
modified. Therefore, to use Active Directory Integration for a keymaster, you must configure it
during SAFE installation.

You can specify security for the keymaster account while installing a SAFE. When the dialog
below displays, select Windows Authentication to associate a keymaster account with a SAFE
administrators Windows group. This ensures that only members of that group can log on to
the SAFE as keymaster.

See Installing the SAFE on page 25.

o Select Windows Authentication to use Windows Authentication.
o Click the Domain Trustee browse button. The Select User or Group dialog displays.

o Enter the required information for the user or group.
o When you finish, click OK.

Note: To either disassociate the keymaster account from the Windows account, or
associate the keymaster with another Windows account, you must run the SAFE
Installer again.

Securing Regular User SAFE Accounts

Use the EnCase user interface to create regular user accounts. To provide a way of associating
a SAFE user with an Active Directory user or group (in Windows terminology, a trustee), the
New/Modify User dialog includes an option to add a Windows trustee. This input control
invokes a standard Windows dialog to choose either a user or a group.

The following screenshot demonstrates how to associate a SAFE user account with a
previously created SAFE Users Windows group:

Managing Encryption Keys

Manage encryption keys in EnCase in the Encryption Keys tab.

Encryption Keys Tab Functions

You can use the Encryption Keys tab to:

l Create encryption keys


l Change encryption key passwords
l Delete encryption keys

Opening the Encryption Keys Tab

To open the Encryption Keys tab, click View > Encryption Keys from the menu bar.

The Encryption Keys tab displays:

Creating Encryption Keys

To create new encryption keys:

1. Select Tools > Generate Encryption Keys from the main menu, or from the Encryption
Keys tab, click New on the Encryption Keys tab toolbar.

2. The Generate Encryption Key dialog displays.

3. Click Next to generate a public/private key pair. The Password dialog displays.

4. Enter a name for the key and a password. Click Finish. EnCase gives you the option of
saving the public key.

Changing Passwords
To change the private key password:

1. Highlight a key, and click Edit. The Edit screen displays with a path to the selected key and
an empty Password field.

2. Enter the existing password for the key and click Next. Enter and confirm the new
password. Click Finish to update the password.

Deleting Encryption Keys

To delete keys, select a key to delete and press the Delete button or right click an encryption
key, and select Delete from the context menu.
CHAPTER 6
CONFIGURING LICENSE MANAGER

Configuring Desktop Clients to use License Manager 125

Copying License and License Manager Public Key Files 126

Verifying License Manager Connectivity 127



Configuring Desktop Clients to use License Manager

This chapter details the steps required to configure the License Manager for use with your
system.

To enable a desktop client to use License Manager:

1. Install License Manager. See Installing License Manager on page 40.
2. Install the Guidance Software product onto all investigator workstations.
3. Copy the [LicenseManagerName].safe file and either the default.nas file or the
individual .nas license file to the desktop workstation installation directory (typically
\EnCase\Keys in your documents and settings or documents folder).
4. If a security key (dongle) is present on the client machine, remove it, and start your
Guidance Software product. Acquisition displays in the title bar.
5. Click Tools > Options, then click the License Manager tab.

6. Select the Use License Manager for licensing option.
7. Enter the License Manager Key Path or browse to its location:
o To use general licensing, browse to the file <default.nas>. By default, this file is
located in the License Manager installation directory under \Program Files\EnCase
LM\NAS\.
o General licensing is the most common scenario.
o Note that the .nas file may reside on a separate machine from your desktop client. If
this is the case, consult with your Guidance Software License Manager administrator for
machine access.
o To create an individual license for a specific user, click Create User Key. Follow the
prompts to create a user key and password. When the process completes, click Finish
to create the license file.

8. Enter the License Manager .SAFE Key Path or browse to the location of the
[LicenseManagerName].safe file. By default, this file is located in the EnCase LM
installation directory, under \Program Files\GuidanceSoftware\EnCase LM\.
9. Enter the License Manager Address. This is the IP address or machine name of the
License Manager authentication server. If you are using a port other than 4446, append
the port number to the address (for example, 192.168.1.34:4446).
10. Click OK and restart your Guidance Software product to access the license files.

Perform this operation for each desktop client.

Note: EnCase Forensic uses the License Manager for licensing purposes only. No
SAFE is needed for EnCase Forensic.

Copying License and License Manager Public Key Files

Use this procedure to put the necessary files on a desktop investigator machine, removable
media, or a network share for distribution to the clients.

To copy the License Manager license and License Manager public key files:

1. In Windows on the License Manager machine, copy the
[LicenseManagerName].SAFE file from the Guidance Software SAFE folder (typically
c:\Program Files\GuidanceSoftware\EnCase LM\).

2. Navigate to the License Manager folder (typically C:\Program Files\EnCase
LM\NAS) and copy either the default.nas file or the individual .nas license file from
the License Manager machine.
3. Copy the .safe file and the .nas file to the Keys folder of the investigator machine
(typically \EnCase\Keys in your documents and settings or documents folder), or to
whatever removable media or network share you require.

Verifying License Manager Connectivity

To verify License Manager is operational, make sure:

l The License Manager is installed, connected to the network, and running.
l The desktop client machine has network connectivity and no firewalls are blocking access
to the required port.
l You implemented the License Manager client correctly, as described in Configuring
Desktop Clients to use License Manager on page 125.
l Your Guidance Software product is not running on the client.
l There is no security key attached to the client machine (unless the client and the License
Manager are on the same machine).

To test client operation and License Manager connectivity:

1. Open the Guidance Software product on the client.
2. Confirm that the title bar indicates that the program is in Acquisition mode.
Note: If your client still displays Acquisition in the title bar, investigate connectivity
between your client and the License Manager. See Troubleshooting License Manager
on page 191 for more information.

3. Click the Help question mark and select About to verify that License Manager is properly
configured on your client machine.
o Program Version contains information about your licenses:
NAS License Used shows the number of licenses currently in use.
NAS License Max shows the number of licenses purchased for your SAFE.
Instance shows the instance number of the client on this machine. If you open
multiple instances of the client on the same machine, each instance has an incremental
number.

o Modules lists modules available for your client. These are enabled with the .cert files.
CHAPTER 7
DEPLOYING AND MANAGING AGENTS

Overview 131

Deploying Agents 132

Automatically Deploying Agents 133

Deploying Check In Agents 136

Deploying Windows Agents 136

Copying *NIX Agents 148

Deploying Linux Agents 150

Deploying Solaris Agents 153

Deploying AIX Agents 156

Deploying OS X Agents 157

HP-UX VxFS and Agent Support 166

McAfee ePolicy Orchestrator (ePO) Integration 167

Verifying Agent Deployment 170

Stopping and Removing Agents 172



Overview
The Guidance Software SAFE uses agents installed on individual machines across the network
as a secure way to communicate with and gather information from these machines. These
agents are verified with the SAFE using private/public key encryption and appear as running
services on the target machines.

Once an agent is deployed on the network machine, or node, it runs as a service with
administrative privileges and provides full access to the machine. After the SAFE server
authenticates and verifies a command from the examiner, the agent executes it on the node
machine.

You can use Check In agents outside your network using an Internet connection. Use the
Sweep Enterprise EnScript program to investigate machines using a Check In agent.

To verify agent deployment, see Verifying Agent Deployment on page170.

To stop or remove agents, see Stopping and Removing Agents on page172.

Port Configuration
By default, the agent service uses port 4445 to listen for commands from the SAFE server.

l You can specify a different port as part of the SAFE installation.
l If the SAFE port number and the device port number do not match, you should specify
the agent port number when configuring the SAFE and adding the machine to the
network tab.
l You can specify non-default port numbers:
o Navigate to Add Evidence > Add Network Preview and click Add Text List at the top of
the Add Network Preview dialog.
o Enter the machine name or IP address in this dialog as [machine name or IP]:
[Port number].
l Guidance Software suggests that machines running on a non-standard port be
individually defined on the Network and Role tabs. By defining the machine on these tabs,
the port information is saved in the network tree, eliminating the need to type it in the
Add Text List dialog each time you connect to the node.
l Verify that the address of the device is specified, either individually or within a range, in
the Network tab.
l You must also define permissions for that machine in the user role.

You must specify the agent port number when connecting. You can install the agent using the
-L switch to specify a different port number. See Deploying Windows Agents on page 136.

Variables
The following variables are used in this chapter to refer to the specifics of your installation.

Variable        Description
<node>          Node machine name
<deploy path>   Path where the agent will be installed. The following locations are used:
                l Linux: /usr/local/encase
                l Solaris: /var/spool/pkg
                l AIX: /opt
                l OS X: /usr/local/encase (if using xinetd) or /Library/Startupitems (if using launchd)
<host path>     Path on the SAFE machine where the agent resides (typically C:\Program Files\EnCase SAFE\Agents)
<agent name>    Name of the agent or package for Solaris and AIX nodes

Each agent has unique command line switches.

Deploying Agents
Deploying agents consists of using enterprise push technology to install the agent on a remote
machine. All enterprise push technologies require an agent running on the target systems to
deploy and execute files.

The steps for deployment and execution depend on the file used and the method by which the
agent is executed.

You can deploy and execute agents in a variety of ways:

l Deploy an agent as a service.
l Deploy the executable file only and execute it when needed.
l Execute an agent via inetd or xinetd.
l Execute an agent via an initialization script.
l Configure the SAFE so it automatically deploys agents when it encounters a target that
does not already have an agent installed. See Automatically Deploying Agents below.

Some operating systems write to the registry or other parts of the system when an executable
is launched. To prevent writing to the file system, execute the agent from other media such as
a DVD, although some operating systems do not support operating the agent from removable
media. See Running Windows Agents as a Service or as a Process on page139.

If you execute an agent from another device, you must manually place the media containing
the agent in the appropriate location prior to executing it. For example, if a DVD containing the
agent is placed into a system's optical DVD drive, you must know the drive letter of that drive
before you can execute the agent remotely.

When deploying agents, these files are used:

l The Agent file contains the code to be executed on each network node. The name of the
agent depends on the operating system.
l The Agent Setup file, used on Windows operating systems only, contains multiple agents
and automatically detects which agent to install when you run the setup file. Its file name
is either setup.exe or setup.msi.
l The Agent Package files, used on Solaris and AIX machines, contain multiple agents for
multiple versions of the operating systems. The file names are GSIservl.tar for Solaris
and encase.agent.rte.bff for AIX.
l The Agent Configuration file, used for the Check-In agent exclusively on *nix machines,
contains the information used to check in what is otherwise contained in the Windows
Registry for Windows machines.

Automatically Deploying Agents

You can configure the SAFE to automatically deploy agents if a target does not already have an
agent installed.

These requirements are needed to automatically deploy agents:

l You must set up the SAFE service to run under a privileged account with access to the
target machine. Generally, this is a domain account with administrative access on the target.
l The SAFE user needs to be assigned a role that is configured with the Deploy Agents
permission.
l A master control script creates the agent on the target machine. See Modifying Control
Scripts for Automatic Deployment of Agents below.
l You must select the Deploy agents option.

Modifying Control Scripts for Automatic Deployment of Agents

Control scripts are text files that can be modified as desired for the automatic deployment of
agents. These sample scripts are not intended to be executed in a production environment
and should be tailored to operate within your own environment, depending on the
deployment strategy that best suits your specific needs.

You can modify control scripts using a basic text editor.

All scripts are stored in the [SAFE installation]\Deployments folder.

Deployment.wsf
The SAFE uses deployment.wsf to deploy agents. Prior to use, rename
DeploymentExample.wsf to Deployment.wsf and modify it as needed using a text editor.

Even though the SAFE only uses this single script to deploy the agent, the Deployment.wsf
script can invoke multiple scripts to create whatever deployment strategy you require. Modify
the GetScript() function to run additional scripts from the deployment.wsf file.

Additional Control Scripts


Several additional sample control scripts are installed in the [SAFE
installation]\Deployments folder. The following control scripts are included to
facilitate the creation of your customized deployment strategy. You can always create
additional control scripts as needed for your specific environment.

l Psexec.wsf
o PsExec is a Sysinternals utility you can download from Microsoft free of charge.
o Within psexec.wsf, search for the "psexecpath=" setting and point it to the location of
the tool.
CHAPTER 7 Deploying and Managing Agents 135

l Wmi.wsf
o This strategy uses the Windows Management Instrumentation infrastructure built into
the Windows operating system.
o No additional script editing is required to use this strategy.
o If WMI is not accessible, this script does not work.

l Ssh.wsf
o This script is used primarily for deployment to UNIX hosts.
o This script automatically determines which UNIX operating system is being used on the
target machine and runs the corresponding installer.
o If using this script, an SSH client utility must be installed on the SAFE machine. PuTTY is
an SSH client utility for Windows you can download for free from http://www.putty.org/.
Plink.exe is a command-line version of the PuTTY utility and is also available for download
at http://www.putty.org/.
o In Ssh.wsf, search for the "sshexec.path=" setting and point it to the SSH client utility.

l Java.wsf
o This script starts java.exe with the following command line:
java.exe -DservletPath="<AgentPath>" -DIPAddress="<IPAddress>" -DMachineName="<MachineName>" -jar "<JarFileName.jar>"
o In Java.wsf, search for fname to specify a user-provided .JAR file that executes the agent
deployment process.
o The .JAR file must be located in the same folder as the Java.wsf file.

Testing Control Scripts


Assuming you have appropriate permissions for a target, you can use the following command
line to test a control script against a target machine:

cscript /NoLogo "<ScriptName.wsf>" /ServletPath:"<Path to Agents>" /IPAddress:"<IPAddress>" /MachineName:"<MachineName>"

l ServletPath is the full local path for the agent's location.
l IPAddress is the address of the target machine for deployment.
l Agents are stored in the <SAFE installation>\Agents\<Operating System>\<Installer or
Agents>\<File> folder.

If the command line successfully installs an agent on a target machine configured according to
your parameters, then automatic deployment from the SAFE works as well.

Deploying Check In Agents


Check In agents are used in organizations with mobile users not connected continuously to
the network.

To define Check In agent parameters and define the computers where you want to use this
feature, see the sections of this chapter that correspond with the operating system of the
target machine.

If you have an existing infrastructure and have performed a quick update instead of a full
update, you can still use the Check In agent by modifying the existing agents. To do this,
specify the parameters and machines with the Sweep Enterprise EnScript program or, in the
case of Unix/Linux-based machines, copy an extra file to the machine.

The Check In parameter is an option for installed agents only. You can alter the installing script
to install Check In functionality.

Use the Sweep Enterprise EnScript program to investigate machines using the Check In agent.
You cannot specify the automatic deployment of agents and the use of Check In agents at the
same time.

The procedure for removing the Check In agent depends on whether the agent resides on a
Unix or Windows system.

Deploying Windows Agents


The Windows agent name is enstart.exe. All Windows agent files are incorporated into a
single executable, setup.exe. The agent setup file for the Windows XP and 2000 operating
systems is setup.msi. This file deploys the agent using Active Directory.

The Windows agent includes a snapshot kernel driver integral to the agent, and it is used when
providing snapshot data. This file is named enstart.sys. It is automatically dropped into
%windir%\system32\ when installing using setup.exe. If enstart.exe is manually
deployed or running as a process, then this driver file is not included and memory acquisitions
and snapshots are not possible.

The following options are used with enstart.exe:

Option      Description
-l <port>   Specifies the port where the agent listens.
-diag       Returns the following diagnostic codes:
              0  Status OK
              1  No Node Certificate
              2  No Security Key
              4  No Serv (a problem exists with the service)
              8  No Port (unable to bind to port; port already in use)
-run        Runs the server in the console.
-c          Starts the server in the console (32-bit agents only).
-h          Displays a help message.

The following options are used with setup.exe and setup.msi:

Option     Description
-drop      Drops this agent to the local directory.
-p <path>  Sets the path for installing the agent binaries. The default is
           %systemroot%\system32.
-n <name>  Sets the name of the agent binary and the service name. The default is enstart.exe
           for the binary and enstart for the Windows service name.
-r         Removes the service, the registry entry, and the binary. This does not remove the
           directory where the binary resides.
-s         Starts the agent in stealth mode, hiding it from the Task Manager (32-bit agents
           only).
-l <port>  Specifies the port where the agent listens.
-h         Displays a help message.
-c         Adds the automatic snapshot interval and backlog values to the agent. These values
           are set in the SAFE installer. With setup.msi, use this command line:
           Msiexec.exe /I setup.msi /quiet ENSTCMDLINE=-c

You can use several methods to deploy agents to Windows machines:

l Active Directory
l Domain Push
l PsTools
l IPC$ and PsExec
l Removable Media and PsExec

The method you use depends on your network configuration and user account/password
policy.

Running Windows Agents as a Service or as a Process


When deploying agents on Windows machines you must determine whether to run the agent
as a service or as a process.

l When running as a service the agent runs every time the network node is restarted. This
method requires making registry entries to the system.
l Running as a process runs the agent once. If the node is restarted, it no longer runs the
agent. Running the agent as a process does not allow memory acquisitions or snapshots.

Running Windows Agents as a Service


Installing the agent to run as a service requires the setup.exe file. This file identifies the
version of the operating system and installs the correct agent.

Before deploying agents to remote nodes as a service:

l Configure the following settings with the Windows administrative tools:
o Enable these Windows services:
Remote Procedure Call (RPC)
DCOM Server Process Launcher
WMI Performance Adapter
o Windows Firewall: either disable the Windows Firewall service or add a rule that allows
inbound connections on the port the agent listens on. On Vista, disable the Windows
Firewall service and also add the inbound rule for the agent's port.
o Make the Local Security Policy consistent between the remote node and the deploying
machine: in Administrative Tools > Local Security Policy > Local Policies > Security
Options, set Network access: Sharing and security model for local accounts to Classic
(local users authenticate as themselves). With the Guest only model, a local
administrator account connecting over the network is mapped to Guest and cannot
install the agent.

l Verify you have a SAFE installed and running on your network.

To run your agent as a service:

1. Copy setup.exe or setup.msi from C:\Program Files\EnCase SAFE onto the node using any
of the push technologies described in this chapter.

2. From the command line, execute one of the following commands:


o For the executable agent, execute setup.exe -<options>.
o For the msi agent, execute msiexec.exe /i setup.msi /quiet ENSTCMDLINE=
"<options>".
ENSTCMDLINE is case sensitive.
See additional notes on using the msi agent in this section.

The setup file automatically determines the operating system version and installs the correct
agent.

To use the msi agent:

1. If you run the msiexec /i command on a machine that already has the msi package and the
agent installed, it uninstalls the msi package but leaves the agent in place. Running it
again reinstalls the msi package, again without affecting the agent.
Note: To remove the msi package, you must use the /x switch with msiexec.

2. To uninstall both the agent and the msi package using the msi, the only way is to create a
batch file and execute it on the remote system in the directory where setup.msi is located.
Here is an example of the batch file required:

@echo off
REM Uninstall the msi package (using the /x switch)
Msiexec.exe /x setup.msi /quiet
REM Reinstall the msi package, passing the agent setup file -r so that it
REM uninstalls the agent (msiexec property values take double quotes)
Msiexec.exe /I setup.msi /quiet ENSTCMDLINE="-r"
REM Uninstall the msi package again
Msiexec.exe /x setup.msi /quiet

If you have a problem feeding the command line options to the msi, you can edit the
msi:

1. Set a Property with a name of ENSTCMDLINE.


2. Set a Value of the command line options, such as -nABCDE_INFOSEC_Svc -c.
Note: If you edit the msi database using tools such as Orca, and set the above
property in the msi, you do not need to send the command line to the remote system.

Running Windows Agents as a Process


Running agents as a process does not allow memory acquisitions or snapshots.

Ensure that you have a SAFE installed and running on your network.

To run an agent as a process:

1. Copy the enstart.exe file from C:\Program Files\EnCase SAFE\Agents onto the node
using any push technology. If the node is a 64-bit machine, copy enstart64.exe.
2. From the command line, execute enstart[64].exe -run -<options>.

Deploying Windows Agents with Active Directory


To deploy agents using Microsoft Active Directory:

l Identify target systems and users. Make an inventory of the platforms in use and determine
whether all target systems are members of the Active Directory domain.
l Create a central distribution point. Select a central location from which you want to deploy
or initiate agent installation. The target systems must be able to reach this location.
l Place setup.exe or setup.msi, generated during SAFE installation, in the central location.
l Create a push script. This is a custom script that installs the agent from the central
distribution point onto the target system and runs when a user logs in. In this guide the
push script is named enpush.bat.
l Deploy the push script:
o Place the push script in the location containing the agents, and a copy on the Active
Directory domain controller under %systemroot%\sysvol\domain\scripts so that it runs
at logon.
o Configure the domain so the script executes each time a user logs on: add the script to
the Domain Users Properties box under the Profile tab.
o When a user logs on to a target system, a dialog opens showing enpush.bat running.

Deploying Windows Agents Using a Domain Push


If you do not use Active Directory, you can push the agents using your domain.

Verify that you created a push script as described in Deploying Windows Agents with Active
Directory above.

1. Deploy the push script to a central location on the domain controller.


2. Using User Manager, add a user or group profile pointing to the location of your push
script.
3. Specify in the user's profile that the agent is installed via the push script when the user
authenticates.

Deploying Windows Agents Using PsTools


The PsExec tool in the PsTools Suite can be used to manually deploy the agent from a
Windows examiner to a Windows NT-based target machine, saving deployment time when
copying files to and deleting from the remote machine and starting and stopping services
throughout the deployment process.

The PsTools suite is available at the Microsoft TechNet Internet site at


https://technet.microsoft.com/en-us/sysinternals/pstools.aspx.

Using PsTools to Deploy Agents to a Single Machine


Prerequisites for deploying the agent with PsTools:

l The IP address of the node where you are installing the agent.
l An administrative account and password for the node.
l The absolute path to the agent.

1. Open a command shell on your examiner machine.
2. Execute this command: psexec \\<targetIP> -u <administrative_account> -p <password>
-s -c <absolute_path_to_agent>. The -c switch copies the agent to the remote system
before running it, and -s runs it under the SYSTEM account.

Note: If you omit the -p option, PsExec prompts for the password. When you supply -p, the
administrative password is displayed in plain text on screen and remains in the shell's
command history.

PsExec may print an error even though it completes with an exit code of zero. Running net
start on the remote machine verifies that enstart is running.
Note: PsExec versions earlier than 2.1 transmit the password across the network in plain
text, where it can be captured with a packet sniffer; later versions encrypt the session
with the remote service. Use a current version, and where possible run PsExec from an
account that is already an administrator on the target so that -u and -p are not needed.

Using PsTools to Deploy Agents to Multiple Machines


To deploy to multiple machines using PsTools, prepare a text file including the IP addresses of
all of the nodes where you want to deploy the agent.

Also required:

l An administrative account and password to the node.


l The absolute path to the agent.

1. Open a command shell on your examiner machine.
2. Execute this command: psexec @e:\deploy\export.txt -u <administrative_account>
-p <password> -s -c <absolute_path_to_agent>. The @file form runs the command on every
host listed in the file, one per line.

If you omit the -p option, PsExec prompts for the password. With -p, the administrative
password is displayed in plain text on screen and stays in the shell's command history, so
do not use it where others you do not want to share the password with can see the screen
or read the history.

Note: PsExec versions earlier than 2.1 transmit the password across the network in plain
text, where it can be captured with a packet sniffer; use a current version.

PsExec may print several errors yet complete each node with an exit code of zero. Running
net start on any of the remote machines verifies that enstart is running there.

Creating a Text File of Nodes


When creating the list of nodes where you want to deploy the agent, you can add all nodes to
the network tree, then export the list of machines to a text file. You can then use this text file to
quickly input the list of nodes.

1. Create all the nodes in the Network tab.


2. From the Add Evidence dropdown menu, select Add Network Preview. The Add Net-
work Preview dialog displays.
3. Select the folder containing the nodes to add. To create a partial list of nodes, blue check
the nodes you want to include.
4. Click the hamburger menu on the far right of the Add Network Preview dialog and select
Save As. The Save As dialog displays.

o Select Only Checked Rows to include only the machines you have blue checked in the
current view.
o Set the Stop row to the maximum number of rows for EnCase to include in the export file.
To include all machines in the view, set this equal to the last row number. You must assign
this value even if you are exporting only checked rows.
o Select the Name field only from the list of available fields.
o Keep the Output Format default of Tab Delimited.
o Specify the export path and filename.

5. When you finish, click OK to export the list.

6. In the output file, remove the line numbers and column header fields before PsExec can use
the file; PsExec expects one host name per line and nothing else. You can remove the
information by any method you like. Two suggested methods are:
o Drag and drop the exported file into a blank Excel spreadsheet. Excel automatically formats
the data into two columns. Delete the first column (the row numbers) and the first row
(the header). Alternatively, copy and paste the list of machines starting on row 2 into a
text editor such as Notepad. If the machine names contain any leading spaces, remove them
with a find and replace in Excel or Notepad: set the find value to a space character and
replace it with nothing.
o Use a text editor capable of selecting columns (such as Notepad++) to highlight and delete
the unnecessary information.

Deploying Windows Agents Using IPC$ and PSExec


To use IPC$ in conjunction with PsExec when deploying agents, you first map an IPC$
connection to each target.

You only need to map an IPC$ connection explicitly when the account used to log on to the
examiner machine is not a member of the local Administrators group on the target system(s)
or of the Domain Admins group; otherwise PsExec and xcopy use your current credentials. The
ability to map an IPC$ connection can be disabled on the target system or denied through
network permissions. In every case you must have administrator credentials on the target to
deploy agents.

Creating IPC$ Connections


To create IPC$ connections to multiple specific nodes, you must first create a text file
containing the name of each node, one per line.

If you are creating multiple IPC$ connections (to specific nodes or to all nodes on a subnet),
every node machine must have one common username and password.

1. Open a command shell on the examiner machine.
2. Execute one of these commands:
o For a single node: net use \\<node name>\ipc$ /u:<username> <password>
o For multiple, specific nodes: for /f %1 in (<node list>) do net use \\%1\ipc$
/u:%1\<username> <password>
o For all nodes on a subnet: for /L %1 in (1,1,254) do net use \\<A.B.C>.%1\ipc$
/u:<username> <password>

Parameter    Description
<node list>  Text file containing the list of node names. The default name is export.txt.
<node name>  Name of the node with the IPC$ connection.
<A.B.C>      First three octets of the IP address subnet where you want to deploy (for
             example, 10.0.0).
<username>   Common username on all systems where you want to deploy. In the multiple-node
             form, %1\<username> qualifies the account with the node name, so the local
             account of that name on each node is used.
<password>   Common password on all systems where you want to deploy. If you want to be
             prompted for the password, use an asterisk (*).

3. If prompted, enter the password for the node and press Enter.
4. Confirm the IPC$connection by executing the command net use.

After IPC$ is connected, you can deploy by copying the agent to the nodes.

Copying the Agent Using XCOPY


After you map an IPC$ connection, do the following to copy the agent to your nodes:

1. Open a command shell on your examiner machine.
2. Execute one of these commands:
o To copy to a single node: xcopy /v <agent> \\<node name>\c$
o To copy to multiple specific nodes: for /f %1 in (<node list>) do xcopy /v /y <agent>
\\%1\c$
o To copy to an entire subnet: for /L %1 in (1,1,254) do xcopy /v /y <agent>
\\<A.B.C>.%1\c$

Parameter    Description
<agent>      Name of the agent: usually setup.exe for running as a service, and enstart.exe
             for running as a process.
<node name>  Name of the node for the IPC$ connection.
<node list>  Text file containing the list of node names. The default is export.txt.
<A.B.C>      The first three octets of the IP address subnet where you want to deploy (for
             example, 10.0.0).

After copying the agent to the node, you must execute the agent. See Executing the
Agent using PsExec below.

Executing the Agent using PsExec


To execute the agent using PsExec, you need the following:

l An IPC$ connection established with the node.
l The agent copied to the node.
l To execute the agent on multiple specific nodes, a text file containing the name of each
node.

1. Open a command shell on your examiner machine.
2. Execute one of these commands:
o To execute an agent on a single node: psexec \\<node name> -s <agent> <agent options>
o To execute an agent on multiple specific nodes: for /f %1 in (<node list>) do psexec \\%1
-s <agent> <agent options>
o To execute the agent on every node of a subnet: for /L %1 in (1,1,254) do psexec
\\<A.B.C>.%1 -s <agent> <agent options>

Parameter        Description
<node list>      Text file containing the list of node names. The default name is export.txt.
<node name>      Name of the node with the IPC$ connection.
<A.B.C>          First three octets of the IP address subnet where you want to deploy (for
                 example, 10.0.0).
<agent>          Name of the agent as it exists on the node: usually setup.exe for running as
                 a service, and enstart.exe for running as a process. PsExec resolves the
                 program path on the remote system, so give the path where xcopy placed the
                 file (for example, C:\setup.exe).
<agent options>  Any agent options you want to use.

Running net start on the remote machine verifies that enstart is running.

Deploying Windows Agents Using Removable Media and PsExec

To deploy an agent without copying it to a node, use removable media together with PsExec.

1. Copy your agent to removable media. The agent is typically enstart.exe. Do not use
setup.exe, as it creates a copy of itself on the node machine.
2. Insert the removable media into the node machine.
3. Open a command shell on your examiner machine.
4. Execute the command psexec \\<node name> -s <agent path> -r.

Parameter     Description
<node name>   Name of the node with the IPC$ connection.
<agent path>  Location and path of the agent on the removable media as seen from the node,
              usually enstart.exe for running as a process, or setup.exe for running as a
              service.

Running net start on the remote machine verifies that enstart is running.

Copying *NIX Agents


Because of the number of different Unix distributions, there is no setup file. Instead, Guidance
Software provides the agent binary for you to install as your distribution permits.

The following command line options are used with all *nix agents:

Option     Description
-d         Runs as a daemon.
-i         Uses stdin/stdout (for inetd or xinetd).
-p <path>  Specifies the agent directory. Used for auto-updating. Do not use when running from
           read-only media. Do not include the agent file itself in the -p value; instead,
           provide the directory where it resides.
-h         Displays a help message.
-l <port>  Specifies the port where the agent listens.

You can copy the agent to the nodes using one of the following:

l Removable media. See Copying *NIX Agents Using Removable Media on the facing page.
l SSH and SCP. See Copying *NIX Agents Using SSH and SCP on the facing page.
l Telnet and FTP. See Copying *NIX Agents Using Telnet and FTP on page 150.

Copying *NIX Agents Using Removable Media


Deploying your agent using removable media offers an extra layer of security because neither
the credentials nor the agent binary cross the network.

To copy the agent using removable media, verify the following:

l Your removable media has enough storage space for the agent and any additional agent
configuration files. Many of the agents do not fit on a floppy disk.
l You have physical access to the machine where you want to deploy the agent.
l You know the specific instructions for mounting the removable media on your distribution.

1. Insert the media into your SAFE computer or another computer that contains the agent and
agent configuration files.
2. Copy the agent and the agent configuration file to the removable media. The agent and
agent configuration file are usually located at C:\Program Files\EnCase SAFE\Agents on
your SAFE.
3. Remove the media and insert it into the machine where you want to copy the agent.
4. Mount the device using the instructions in your operating system documentation.

For example, this command mounts a PC-formatted floppy on a Solaris system: mount -F pcfs
/dev/diskette /floppy. (On Linux the equivalent is mount -t vfat /dev/fd0 followed by a mount
point such as /mnt/floppy.)

Note: If you are using Solaris and the mount command generates an error, you may need to run
volcheck before the mount command.

5. Create a destination folder using the command mkdir -p <deploy path>.
6. Copy the agent using the command cp <mount point>/<agent name> <deploy path>.

If you want to use the check-in feature, follow these steps:

1. Copy the agent configuration file using the command cp <mount point>/nixcheckin
<deploy path>.
2. Rename the nixcheckin file so that it sits beside the agent as a hidden file: mv <deploy
path>/nixcheckin <deploy path>/.<agent name>.
3. Make the agent executable with chmod 700 <deploy path>/<agent name>. The mode applies
to the agent binary, not to the directory.

Copying *NIX Agents Using SSH and SCP


Secure Shell (SSH) and Secure Copy (SCP) are recommended over other methods because they
authenticate the node and encrypt both the credentials and the agent in transit. The commands
below use the ssh2 and scp2 client names; with OpenSSH they are ssh and scp.

From a machine containing the agent or installation package:

1. Establish a connection: execute the command ssh2 root@<node>.
2. Enter the password for the root account.
3. Create a destination folder using the command mkdir -p <deploy path>.
4. If you are copying to a location that is not yet mounted (such as a network share), mount
it now.
5. Copy the agent using the command scp2 <host path>\<agent name> root@<node>:<deploy
path>.
6. Enter the password for the root account. The transfer starts.

If you want to use the check in feature:

1. Copy the agent configuration file using the command scp2 <host path>\nixcheckin
root@<node>:<deploy path>.
2. Enter the password for the root account. The transfer starts.
3. In the SSH session, rename the nixcheckin file using the command mv <deploy
path>/nixcheckin <deploy path>/.<agent name>.
4. Make the agent executable using the command chmod 700 <deploy path>/<agent name>.

Copying *NIX Agents Using Telnet and FTP


If your node machine does not have Secure Shell (SSH) or Secure Copy (SCP) installed, you can
Telnet into the machine and transfer the agent with the File Transfer Protocol (FTP). Both
protocols send the credentials and the agent binary in clear text and give no protection
against an on-path attacker altering the file in transit, so compare the copied file against
the original before running it.

1. Connect to your node using the command ftp <node>.
2. Enter your username and password.
3. Enter bin to set the file transfer mode to binary.
4. Transfer the file using the command put <host path>/<agent name> <deploy
path>/<agent name>.
5. If you want to use the check in feature, transfer the agent configuration file using the
command put <host path>/nixcheckin <deploy path>/.<agent name>.
Note: This command transfers the nixcheckin file and stores it under the same name as your
agent, preceded by a dot.
6. Enter quit to exit FTP.
7. In your Telnet session on the node, make the agent executable using the command chmod
700 <deploy path>/<agent name>.
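The steps that follow the copy are the same for all three methods above (create the deploy path, place the nixcheckin file beside the agent as .<agent name>, set the agent to mode 700), and the -p option table earlier in this chapter adds two rules (pass the directory, not the agent file; skip -p on read-only media). The shell script below carries those steps out and checks the result. It is an added example, not code shipped with the SAFE; the function names stage_nix_agent, verify_nix_agent and agent_start_cmd are this example's own, and the agent and nixcheckin files it works on are constructed in a temporary directory.

```shell
#!/bin/sh
# Added example (not from the SAFE guide): stage a *nix agent as the
# "Copying *NIX Agents" procedures describe, verify it, and print a start
# line that follows the -p rules. Names below are this example's own.

# stage_nix_agent SRC_DIR AGENT_NAME DEPLOY_PATH [checkin]
#   Copies the agent (and, with "checkin", the nixcheckin configuration file
#   renamed to .<agent name>) into DEPLOY_PATH and sets the agent to mode 700.
stage_nix_agent() {
    src=$1 agent=$2 dest=$3 mode=${4:-}
    if [ ! -f "$src/$agent" ]; then
        echo "stage_nix_agent: agent $src/$agent not found" >&2
        return 1
    fi
    if [ "$mode" = checkin ] && [ ! -f "$src/nixcheckin" ]; then
        echo "stage_nix_agent: check-in requested but $src/nixcheckin is missing" >&2
        return 1
    fi
    mkdir -p "$dest" || return 1
    cp "$src/$agent" "$dest/$agent" || return 1
    # The check-in file must sit beside the agent, named .<agent name>.
    if [ "$mode" = checkin ]; then
        cp "$src/nixcheckin" "$dest/.$agent" || return 1
    fi
    # Mode 700 goes on the agent binary itself, not on the directory.
    chmod 700 "$dest/$agent"
}

# verify_nix_agent DEPLOY_PATH AGENT_NAME [checkin]
#   Confirms the agent is present with mode 700 and, with "checkin", that the
#   hidden configuration file exists. Reports each problem and returns 1.
verify_nix_agent() {
    dest=$1 agent=$2 mode=${3:-} rc=0
    f=$dest/$agent
    [ -f "$f" ] || { echo "missing $f" >&2; rc=1; }
    # find -perm 700 (no leading '-') is an exact mode match in POSIX find.
    [ -n "$(find "$f" -prune -perm 700 2>/dev/null)" ] \
        || { echo "$f is not mode 700" >&2; rc=1; }
    if [ "$mode" = checkin ]; then
        [ -f "$dest/.$agent" ] || { echo "missing check-in file $dest/.$agent" >&2; rc=1; }
    fi
    return $rc
}

# agent_start_cmd DEPLOY_PATH AGENT_NAME [PORT]
#   Prints the daemon start line: -p gets the directory, never the agent
#   file, and is left out when the directory is read-only (auto-update
#   cannot write there).
agent_start_cmd() {
    dest=$1 agent=$2 port=${3:-}
    cmd="$dest/$agent -d"
    if [ -w "$dest" ]; then
        cmd="$cmd -p $dest"
    fi
    [ -n "$port" ] && cmd="$cmd -l $port"
    echo "$cmd"
}

# Demo on constructed files: a fake agent and nixcheckin in a temporary
# "media" directory, staged into a temporary deploy path (both deleted after).
demo_dir=$(mktemp -d)
mkdir "$demo_dir/media"
printf '#!/bin/sh\necho fake agent\n' > "$demo_dir/media/enlinuxpc"
printf 'constructed check-in configuration\n' > "$demo_dir/media/nixcheckin"
stage_nix_agent "$demo_dir/media" enlinuxpc "$demo_dir/opt/encase" checkin \
    && verify_nix_agent "$demo_dir/opt/encase" enlinuxpc checkin \
    && agent_start_cmd "$demo_dir/opt/encase" enlinuxpc 4445
rm -rf "$demo_dir"
```

Run it on the node after the copy with the real source directory (the mount point, or the directory scp/ftp wrote to) and the real deploy path; verify_nix_agent is also a quick check to run on a node that was staged by hand.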

Deploying Linux Agents


The Linux agent is typically named enlinuxpc. The agent supports Linux systems that meet or
exceed these criteria:

l The kernel is version 2.6.4 or later.
l It uses the Process File System (procfs).

When using AutoUpdate with Linux agents, you must start the agent with the -p option set to
the directory the agent runs from (the autoupdate path).

To deploy a Linux agent:

1. Copy the agent using removable media, SSH and SCP, or Telnet and FTP.
2. Determine how you want to deploy the Linux agent. Available methods include:
o Running the agent as a process.
o Deploying using xinetd.
o Deploying using inittab.
o Deploying using inetd.

Verify the agent is connected using one of the methods discussed in Verifying Agent
Deployment on page170.

Running a Linux Agent as a Process


When running the agent as a process, the agent does not run after the node machine is
restarted.

To run the agent as a process:

1. Copy the agent to the node using removable media, SSH and SCP, or Telnet and FTP.
2. Insert this text before the STARTX command: LOAD <agent name>.

Deploying the Linux Agent Using inittab


You can deploy the Linux agent with an init script that is started at the desired run level
(in Linux this is run level three). This example is for SUSE 9.3.

1. Establish an SSH session: ssh2 root@<node>.
2. Create a script called <agent name> in the /etc/init.d directory.
3. Using a text editor such as vi, insert this text into the file, then save and close it:

#!/bin/sh
# This script starts and stops the <agent name> agent.
# PIDs of running agents: strip leading spaces, keep the first field of ps -e.
pid=`/usr/bin/ps -e | /usr/bin/grep enlinuxpc | /usr/bin/sed -e 's/^ *//' -e 's/ .*//'`
case "$1" in
'start')
    # -d runs as a daemon; -p takes the agent's directory, not the agent file
    <path to agent directory and agent file name> -d -p <path to agent directory>
    ;;
'stop')
    if [ "${pid}" != "" ]
    then
        /usr/bin/kill ${pid}
    fi
    ;;
*)
    echo "usage: /etc/init.d/enlinuxpc {start|stop}"
    exit 1
    ;;
esac
exit 0

A symbolic link must be placed in the desired run level directory to call the script. The best
run level to use in Linux is three. Set this as:

cd /etc/init.d/rc3.d
ln -s /etc/init.d/enlinuxpc S94enlinuxpc

Confirm the agent is running. See Verifying Agent Deployment on page 170.

Deploying the Linux Agent using inetd


To deploy the Linux agent from inetd:

1. Confirm that inetd is running: execute the command ps -ef | grep inetd | grep -v grep.

Output similar to this confirms that inetd is running:

root 423 1 0 18:44:57 ? 0:00 /usr/sbin/inetd -s

2. Add a line to /etc/inetd.conf that refers to your agent, for example:
<agent name> stream tcp6 wait root <deploy path>/<agent name> <agent name> -i -p <deploy path>
The fields are service name, socket type, protocol, wait/nowait, user, server path, and the
server's argument list (beginning with its own name). The -i option makes the agent use
stdin/stdout, which is how inetd hands it the connection.
3. Make an entry in the /etc/services file for the port the agent will listen on, using the
same service name, then send inetd a SIGHUP (kill -HUP <inetd pid>) so it re-reads its
configuration:

<agent name> 4445/tcp # EnCase Agent

4. Confirm the agent is running. See Verifying Agent Deployment on page 170.
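Steps 2 and 3 above, as an added shell example that is not part of the SAFE guide: it writes the inetd.conf and services entries in the form the guide shows, but first refuses a port that another service already owns and a service name that is already registered, which are the two mistakes that silently leave the agent unreachable. The function names are this example's own, the files it edits are passed in as parameters so it can be exercised on temporary copies rather than the live /etc files, and port 4445 with the tcp6/wait fields follows the guide's sample entry.

```shell
#!/bin/sh
# Added example (not from the SAFE guide): register a *nix agent with inetd
# with the checks an operator wants before editing inetd.conf and services.
# File paths are parameters so the functions can run against copies.

# service_using_port PORT SERVICES_FILE
#   Prints the name of the service already assigned PORT/tcp, if any.
service_using_port() {
    awk -v want="$1/tcp" '$1 !~ /^#/ && NF >= 2 && $2 == want { print $1; exit }' "$2"
}

# register_inetd_agent AGENT_NAME DEPLOY_PATH PORT INETD_CONF SERVICES
#   Appends the inetd.conf entry (agent run with -i, -p set to its directory)
#   and the services entry. Refuses to reuse a port or a service name.
register_inetd_agent() {
    agent=$1 deploy=$2 port=$3 conf=$4 services=$5
    case $port in
        ''|*[!0-9]*) echo "port must be numeric: $port" >&2; return 1 ;;
    esac
    if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
        echo "port out of range: $port" >&2; return 1
    fi
    owner=$(service_using_port "$port" "$services")
    if [ -n "$owner" ] && [ "$owner" != "$agent" ]; then
        echo "port $port/tcp is already assigned to $owner in $services" >&2
        return 1
    fi
    if grep -q "^$agent[[:space:]]" "$conf" 2>/dev/null; then
        echo "$agent is already registered in $conf" >&2
        return 1
    fi
    if [ ! -x "$deploy/$agent" ]; then
        echo "$deploy/$agent is not executable; stage the agent first" >&2
        return 1
    fi
    # Fields: service  socket  proto  wait/nowait  user  server-path  argv...
    printf '%s\tstream\ttcp6\twait\troot\t%s/%s\t%s -i -p %s\n' \
        "$agent" "$deploy" "$agent" "$agent" "$deploy" >> "$conf" || return 1
    if [ -z "$owner" ]; then
        printf '%s\t\t%s/tcp\t# EnCase Agent\n' "$agent" "$port" >> "$services" || return 1
    fi
    # inetd re-reads its configuration on SIGHUP; that step is left to the
    # operator on the live system:  kill -HUP <inetd pid>
    echo "registered $agent on $port/tcp in $conf and $services"
}

# inetd_line_for AGENT_NAME INETD_CONF
#   Prints the registered inetd.conf line, for checking the result.
inetd_line_for() {
    grep "^$1[[:space:]]" "$2"
}

# Demo on constructed copies (not the live files): a services file that
# already assigns 22/tcp, an empty inetd.conf, and a staged fake agent.
d=$(mktemp -d)
printf 'ssh\t22/tcp\n' > "$d/services"
: > "$d/inetd.conf"
mkdir -p "$d/opt/encase" && : > "$d/opt/encase/enlinuxpc" && chmod 700 "$d/opt/encase/enlinuxpc"
register_inetd_agent enlinuxpc "$d/opt/encase" 4445 "$d/inetd.conf" "$d/services"
inetd_line_for enlinuxpc "$d/inetd.conf"
register_inetd_agent enlinuxpc "$d/opt/encase" 22 "$d/inetd.conf" "$d/services" \
    || echo "second registration refused, as intended"
rm -rf "$d"
```

On a real node, pass /etc/inetd.conf and /etc/services as the last two arguments, then signal inetd and run the verification described in Verifying Agent Deployment.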

Deploying Solaris Agents

Solaris Agent Files


All Solaris agent executables except Solaris 11 are incorporated into a single package, called
GSIservl.tar, which you install with the pkgadd utility. Individual agent files are located on
the SAFE machine in C:\Program Files\EnCase SAFE\Agents. The Solaris 11 agent is
distributed as an executable only, as no driver is needed.

The Solaris 8, 9, and 10 agent differs from the Linux agent in that it has separate files for
each version and kernel, and it requires special drivers to function properly. The typical agent
name is ensolsparc<version number> or ensolsparc<version number>64.

Solaris Version
To deploy the correct agent, you must identify the version of Solaris you are using. After
logging in to Solaris, note the information in the login banner. The version is the number
immediately after the decimal point in the SunOS release. For example:

Solaris 11: Oracle Corporation SunOS 5.11 11.0 September 2012

You can also get the release with the command uname -r, which prints, for example, 5.9 on
Solaris 9 (uname -a adds the host name, kernel patch level and architecture). The kernel's
boot banner shows the same information in this form:

SunOS Release 5.9 Version Generic_112233-07 64-bit

Identifying the Solaris Kernel

If you are deploying an agent on a version prior to Solaris 11, you must identify the kernel in
order to deploy the correct agent. Solaris 11 only supports the 64-bit kernel, so the kernel does
not need to be identified before agent deployment on Solaris 11.

Execute the command isainfo -b to display the number of bits in the address space of the
native instruction set (32 or 64). The installed agent must correspond to the bit width of the
kernel; the 64 suffix in the agent name denotes the 64-bit agent.

Before Deploying Solaris Agents


1. Before deploying Solaris agents, check the following:
o Identify attributes of the target systems, such as DNS names, IP addresses, and the
operating systems.
o Verify that the machine the agent is deployed from has network connectivity to all target
systems.
o Guidance Software recommends you install an SSH client with file transfer capabilities.
o Guidance Software recommends you run SSHD on the target systems.

Note: Solaris agents function only on SPARC architecture. Intel architecture is not
supported.

2. You must also determine properties for the node where you want to install the agent.
o Solaris version
o Kernel version

3. Copy your agent to the Solaris node using removable media, SSH and SCP, or Telnet and
FTP.
4. Install the tar package.
5. Determine how you want to deploy the Solaris agent. Available methods include:
o Running the agent as a process
o Deploying using inittab

Verify the agent is connected using one of the methods discussed in Verifying Agent
Deployment on page170.

Installing the Solaris 11 Agent


You must be logged in as root to install the Solaris 11 agent.

Solaris 11 does not require a tar package for installation. It is a standalone executable. Copy
the agent to the Solaris node using removable media, SSH and SCP, or Telnet and FTP.

Installing the Tar Package


You must be logged in as root to install the tar package.

To install the tar package:

1. Change the directory to the location of the agent with the command cd
/var/spool/pkg.
2. Decompress the tar package with the command tar xvf GSIservl.tar.
3. Install the package with pkgadd GSIservl . A prompt displays asking if you want to
install the driver for Solaris.
4. Press y to install the Solaris driver. A prompt displays asking if you want to install the
agent for Solaris.
5. Press y to install the Solaris agent. A prompt displays asking where you would like to
install the agent.
6. Press Enter to accept the default location. Or you can enter a different location and press
Enter. A message displays stating that the package contains scripts that will be executed
with super user permissions during the installation process.
7. Press y to complete the installation.

Running a Solaris Agent as a Process


When running the Solaris agent as a process, the agent does not run after the node machine is
restarted.

To run the agent as a process:

1. Copy the agent to the node using removable media, SSH and SCP, or Telnet and FTP.
2. Insert the following before the STARTX command: LOAD <agent name>.

Deploying in Solaris Using inittab


Another way to deploy a Solaris agent is to write a script and have it executed by inittab at the
desired run level. In Solaris, the desired run level is two.

1. Establish an SSH session: execute ssh2 root@<node>
2. Create a script called <agent name> in the /etc/init.d directory.
3. Using a text editor such as vi, insert this text into the file:

#!/bin/sh
# This script automatically starts and stops the ensolsparc864 agent
pid=`/usr/bin/ps -e | /usr/bin/grep <agent name> | /usr/bin/sed -e 's/^ *//' -e 's/ .*//'`
case $1 in
'start')
    <deploy path>/<agent name> -d -p <deploy path>
    ;;
'stop')
    if [ "${pid}" != "" ]
    then
        /usr/bin/kill ${pid}
    fi
    ;;
*)
    echo "usage: /etc/init.d/<agent name> {start|stop}" ;;
esac
4. Save the file.
5. To set permissions properly, execute:
chmod 744 /etc/init.d/<agent name>
chgrp sys /etc/init.d/<agent name>
6. You must place a symbolic link in the desired run level to call the script. The best run level
to use in Solaris is run level two. To set this run level, execute:
cd /etc/rc2.d
ln -s /etc/init.d/<agent name> S96<agent name>
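As an added example that is not part of the Guidance Software guide, the steps above (write the script, set its permissions, create the run-level 2 link) as one function, followed by a check that the result matches what the guide expects. The agent name and deploy path are parameters; the ROOT prefix is an assumption so the function can be exercised in a scratch directory instead of /etc (pass "" on a real node).

```shell
#!/bin/sh
# Added example, not from the Guidance Software guide: perform the
# "Deploying in Solaris Using inittab" steps as one function.
# Arguments: ROOT AGENT_NAME DEPLOY_PATH ("" as ROOT targets the real /etc).
install_solaris_initscript() {
  root=$1; agent=$2; deploy=$3
  initd="$root/etc/init.d"; rc2d="$root/etc/rc2.d"
  mkdir -p "$initd" "$rc2d"

  # Step 3: the guide's start/stop script with the agent name and deploy
  # path filled in. The quoted heredoc keeps $1, ${pid} and the backticks
  # literal for the Solaris Bourne shell that will run the script.
  sed -e "s|@AGENT@|$agent|g" -e "s|@DEPLOY@|$deploy|g" > "$initd/$agent" <<'EOF'
#!/bin/sh
# This script automatically starts and stops the @AGENT@ agent
pid=`/usr/bin/ps -e | /usr/bin/grep @AGENT@ | /usr/bin/sed -e 's/^ *//' -e 's/ .*//'`
case $1 in
'start')
    @DEPLOY@/@AGENT@ -d -p @DEPLOY@
    ;;
'stop')
    if [ "${pid}" != "" ]
    then
        /usr/bin/kill ${pid}
    fi
    ;;
*)
    echo "usage: /etc/init.d/@AGENT@ {start|stop}" ;;
esac
EOF

  # Step 5: owner may execute, group and others may only read.
  # chgrp sys only succeeds as root, so it is skipped for an unprivileged run.
  chmod 744 "$initd/$agent"
  if [ "$(id -u)" = 0 ]; then chgrp sys "$initd/$agent"; fi

  # Step 6: run-level 2 start link. -f makes re-running the function harmless.
  ln -sf "$initd/$agent" "$rc2d/S96$agent"
}

# Verify the pieces the guide expects: an executable script and an rc2.d
# symlink pointing at it. Prints "ok" when everything is in place.
verify_solaris_initscript() {
  root=$1; agent=$2
  script="$root/etc/init.d/$agent"; link="$root/etc/rc2.d/S96$agent"
  [ -x "$script" ] && [ -L "$link" ] && [ "$(readlink "$link")" = "$script" ] \
    && grep -q '^esac$' "$script" && echo ok
}

# Stand-alone demo against a scratch prefix (constructed, not a real node).
DEMO_ROOT=$(mktemp -d)
install_solaris_initscript "$DEMO_ROOT" ensolsparc864 /usr/local/encase
verify_solaris_initscript "$DEMO_ROOT" ensolsparc864
rm -rf "$DEMO_ROOT"
```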

To confirm the agent is running, see Verifying Agent Deployment on page170.

Deploying AIX Agents


AIX agents are similar to Solaris agents. AIX uses 32-bit and 64-bit versions of the agent along with
drivers unique to the version of AIX you are using. A typical agent name is enaix<version
number> and enaix<version number>64. All AIX agent files are incorporated into a single
package, called encase.agent.rte.bff, which can be installed using the installp utility.

Before deploying AIX agents:

1. Identify attributes of the target systems, such as DNS names, IP addresses and operating
systems.

2. Verify the machine the agent is deployed from has network connectivity to all target systems.
3. An SSH client with file transfer capabilities is recommended.
4. Guidance Software recommends running SSHD on the target systems.
5. Deploy the agent to the AIX node using removable media, SSH and SCP, or Telnet and
FTP.
6. Install the AIX agent package:
o You must be logged in as root in order to install the package.
o Install the package with the command installp -a -d /opt encase.agent.rte. Do not enter the .bff file extension when entering this command.
o The installer determines the correct agent to install and outputs information regarding the install.
o The installation finishes with the output encase.agent.rte 5.4.0.0 USR APPLY
SUCCESS.

Verify the agent is connected using one of the methods discussed in Verifying Agent
Deployment on page170.

Deploying OS X Agents
OS X uses two agents. The enosx agent is for PPC Macintosh computers. The enosxintel
agent is for Intel based Macintosh computers. Select the appropriate agent according to the
hardware you are using.

Note: If you have OS X 10.5 or higher and are upgrading from EnCase version 7.05
or older, you must install agents using the installer. SAFE-initiated update of
Macintosh agents is not sufficient for all the latest OS X agent functionality.

To change the default name of the OSX agent from EnStart, you need to update the name in
two locations:

l In /Library/LaunchDaemons/com.GSI.Servlet.plist, modify the full path in the first string in the ProgramArguments section to reference the new name.
l Update the enosxintel.SafePublicKey file in the agent's directory to reference the new name.

The installation method to use depends on your version of OS X. Check the table below and
refer to the following sections in this chapter for details.

OS X Version    Intel                                                                      PPC
10.6 and newer  Use the installer.pkg.                                                     N/A
10.4/5          Use the installer.pkg on Intel and create launchd configuration scripts.   Use the DMG on PPC and create launchd configuration scripts.
10.3 or older   Use the installer.pkg file and create xinetd configuration scripts.        Use the .dmg file and create xinetd configuration scripts.

Deploying Agents on OS X 10.6 and Newer Versions


Using the installer.pkg
Double-click the installer. Enter information, such as username and password, as prompted.

To confirm the agent is running, see Verifying Agent Deployment on page170.

Deploying Agents on OS X 10.4/5


Using the installer.pkg and Creating launchd Configuration Scripts
This section covers deploying OS X agents to a computer running OS X 10.5 on Intel hardware.
If you have a different version, see the table in Deploying OS X Agents on the previous page.

Note: The following deployment scripts are provided as examples only. You should
modify them to reflect the actual agent you are using. You can modify the scripts or
write your own as appropriate for your environment and requirements.

1. Run the installer as described in the Deploying OS X Agents section.


2. Create a folder named "EnCase" in the /Library/StartupItems directory.
3. Give the EnCase folder the appropriate permissions by executing the command:
chmod 755 /Library/StartupItems/EnCase
4. Create two executable files within the /Library/StartupItems/EnCase folder with these commands:
touch /Library/StartupItems/EnCase/StartupParameters.plist
touch /Library/StartupItems/EnCase/EnCase

5. Set the permissions of the EnCase file:


chmod 755 /Library/StartupItems/EnCase/EnCase
6. Using a text editor such as vi, insert this text into the EnCase file:

#!/bin/sh
. /etc/rc.common
StartService ()
{
    ConsoleMessage "Starting EnCase Agent"
    /usr/local/encase/enosxintel -d -p /usr/local/encase
}
StopService ()
{
    ConsoleMessage "Stopping EnCase Agent"
    pid=`/bin/ps -ax | /usr/bin/grep enosxintel | /usr/bin/grep -v grep | /usr/bin/sed -e 's/^ *//' -e 's/ .*//'`
    /bin/kill ${pid}
}
RestartService ()
{
    ConsoleMessage "Restarting EnCase Agent"
    pid=`/bin/ps -ax | /usr/bin/grep enosxintel | /usr/bin/grep -v grep | /usr/bin/sed -e 's/^ *//' -e 's/ .*//'`
    /bin/kill ${pid}
    /usr/local/encase/enosxintel -d -p /usr/local/encase
}
RunService "$1"
7. Save and close the file.
8. Insert this text into the StartupParameters.plist file:

{
Description = "EnCase Forensic Agent";
Provides = ("EnCase");
OrderPreference = "Last";
Messages =
{
start = "Starting EnCase Agent";
stop = "Shutting down EnCase Agent";
};
}
9. Restart the computer, or execute the process directly, passing the start option.

To confirm the agent is running, see Verifying Agent Deployment on page170.



Deploying Agents on OS X 10.3 or Older


Using the .dmg file and Creating xinetd Configuration Scripts
This section covers deploying OS X agents to computers running OS X 10.2 or 10.3. If you have a
different version, see the table in Deploying OS X Agents on page157.

Note: Agents installed using this method may require firewall permission at the user
level to function.

This example uses the PPC Macintosh enosx agent. If you are using an Intel-based Macintosh
computer, use enosxintel instead of enosx.

Note: The following deployment scripts are provided as examples only. You should
modify them to reflect the actual agent you are using. You can modify the scripts or
write your own as appropriate for your environment and requirements.

1. Establish an SSH session with ssh2 root@<node>.


2. Verify xinetd is running using the command:
ps aux | grep xinetd | grep -v grep

If you receive similar output, xinetd is running and you can proceed with this command:
root 1270 0.0 0.1 2048 828 ? S Sep09 0:00 xinetd -stayalive -pidfile /var/run/xinetd.pid

3. Create a configuration file called enosx in the /etc/xinetd.d directory.


4. Using a text editor such as vi, insert this text into the file:

#default: on
# description: EnCase agent for Mac OS X 10.2-10.3
service enosx
{
disable = no
socket_type = stream
protocol = tcp
port = 4445
type = UNLISTED
wait = yes
user = root
server = /usr/local/encase/enosx
server_args = -i -p /usr/local/encase
}
5. Save and close the file.
6. Using a text editor such as vi, open the configuration file /etc/services.

7. Comment out the existing entries for the port you are using, one for UDP and one for
TCP:
upnotifyp 4445/udp # UPNOTIFYP

upnotifyp 4445/tcp # UPNOTIFYP

8. Create new entries for the port you are using. Here are two examples:
enosx 4445/udp # EnCase

enosx 4445/tcp # EnCase

9. Save and close the /etc/services file.


10. Start the new service: issue the command /sbin/services enosx start. The agent
starts.

To confirm the agent is running, see Verifying Agent Deployment on page170.

Running in OS X Using xinetd


This section covers deploying the OS X agent to a 10.2 or 10.3 operating system. If you have a
10.4 or newer system, Guidance Software recommends you use the launchd method.

This example uses the PPC Mac agent enosx. If you are using an Intel-based Mac, use
enosxintel instead.

1. Establish an SSH session with ssh2 root@<node>.


2. Verify xinetd is running using this command:
ps aux | grep xinetd | grep -v grep

3. If you receive similar output, xinetd is running and you can proceed:
root 1270 0.0 0.1 2048 828 ? S Sep09 0:00 xinetd -stayalive -pidfile /var/run/xinetd.pid

4. Create a configuration file called enosx in the /etc/xinetd.d directory.


5. Using a text editor such as vi, insert this text into the file:

#default: on
# description: EnCase agent for Mac OS X 10.2-10.3
service enosx
{
disable = no
socket_type = stream
protocol = tcp
port = 4445
type = UNLISTED
wait = yes
user = root
server = /usr/local/encase/enosx
server_args = -i -p /usr/local/encase
}
6. Save and close the file.
7. Using a text editor such as vi, open the configuration file /etc/services.
8. Comment out the existing entries for the port you are using, one for UDP and one for
TCP:
upnotifyp 4445/udp # UPNOTIFYP

upnotifyp 4445/tcp # UPNOTIFYP

9. Create new entries for the port you are using. Here are two examples:
enosx 4445/udp # EnCase

enosx 4445/tcp # EnCase

10. Save and close the /etc/services file.


11. Start the new service: issue the command /sbin/services enosx start. The agent
starts.

To confirm the agent is running, see Verifying Agent Deployment on page170.

Running in OS X Using launchd


This section covers deploying the OS X agent to a 10.4 or newer operating system. If you have
a 10.2 or 10.3 system, Guidance Software recommends you use the xinetd method.

This example uses the PPC Mac agent enosx. If you are using an Intel-based Mac, use
enosxintel instead.

1. Create a folder named EnCase in the /Library/StartupItems directory.


2. Give the EnCase folder appropriate permissions by executing the command:

chmod 755 /Library/StartupItems/EnCase

3. Create two executable files in the /Library/StartupItems/EnCase folder using the commands:
touch /Library/StartupItems/EnCase/StartupParameters.plist

touch /Library/StartupItems/EnCase/EnCase

4. Set the permissions of the EnCase file:


chmod 755 /Library/StartupItems/EnCase/EnCase

5. Using a text editor such as vi, insert this text into the EnCase file:

#!/bin/sh
. /etc/rc.common
StartService ()
{
    ConsoleMessage "Starting EnCase Agent"
    /usr/local/encase/enosx -d -p /usr/local/encase
}
StopService ()
{
    ConsoleMessage "Stopping EnCase Agent"
    pid=`/bin/ps -ax | /usr/bin/grep enosx | /usr/bin/grep -v grep | /usr/bin/sed -e 's/^ *//' -e 's/ .*//'`
    /bin/kill ${pid}
}
RestartService ()
{
    ConsoleMessage "Restarting EnCase Agent"
    pid=`/bin/ps -ax | /usr/bin/grep enosx | /usr/bin/grep -v grep | /usr/bin/sed -e 's/^ *//' -e 's/ .*//'`
    /bin/kill ${pid}
    /usr/local/encase/enosx -d -p /usr/local/encase
}
RunService "$1"
6. Save and close the file.
7. Insert this text into the StartupParameters.plist file:

{
Description = "EnCase Forensic Agent";
Provides = ("EnCase");
OrderPreference = "Last";
Messages =
{
start = "Starting EnCase Agent";
stop = "Shutting down EnCase Agent";
};
}
8. Restart the machine, or execute the process directly, passing the start, stop, or restart option.

To confirm the agent is running, see Verifying Agent Deployment on page170.

Configuring the OS X Agent to Work with Check In Functionality
To configure the OS X agent to work with check in functionality:

1. When installing your SAFE, in the Check In Information dialog, specify the IP address and
port of the SAFE.
2. From the SAFE installation directory, copy the nixcheckin file to the target machine's
agent folder (where you installed the agent).

3. Rename the nixcheckin file to .enosxintel (note the dot before the name).
4. Start or restart the agent.

Using Code-Signed Mac Agents


EnCase code-signs Macintosh agents. To use this feature, you must reinstall both the agent
and the driver. This requires uninstalling the old driver and agent and installing the new
installer.pkg, which includes the new agent and drivers.

Formerly, when using Macintosh agents, OS X displayed a confirmation dialog. With code-
signed agents, this message does not display.

As a result of this and other Macintosh agent changes, you need to install agents using the
installer. SAFE-initiated update of Macintosh agents is not sufficient.

Note: Agents may require firewall permission at the user level to function.

HP-UX VxFS and Agent Support


EnCase can snapshot, preview, and acquire a machine using an agent running on an HP-UX
system.

This includes the capability to parse the Veritas File System (VxFS) on HP-UX machines. All
traditional agent capabilities, such as hashing and searching, are included as well.

Supported Hardware
HP 9000 server family with HP PA-8900 processors

Supported Operating Systems


l HP-UX 11.0
l HP-UX 11.1x
l HP-UX 11.2x

Additional Resources
l Installing HP-UX Applications: http://docs.hp.com/en/5990-8144/ch07s01.html#babjhibf
l swinstall(1M): http://docs.hp.com/en/B3921-60631/swinstall.1M.html

Installing the HP-UX Agent


The HP installer installs the HP-UX agent using the GSIservl.depot file.

Note: You cannot install the HP-UX agent if another agent is running or present on
the system. If you receive an installation error, remove the existing agent from the
system before trying to install again.

To install the HP-UX agent:

1. Place the GSIservl.depot file in any directory on your HP-UX machine. You can find
this file in the base EnCase installation directory.
2. At a command prompt, enter swinstall -s /<location>/GSIservl.depot.
3. Press Enter. The swinstall installation instructions display.
4. Press Enter. The installation screen displays and begins searching for installation files.
5. When it displays in the list, select GSIservl by highlighting the green box and pressing
the spacebar.

Note: Be sure to select the top level file. If you accidentally drill down and only
select to install a part of the package, the agent will not work.

6. To mark the file for installation, navigate to the Actions menu and select Mark for Install.
o Use Tab to move up to the menu bar.
o Use the arrow keys to move back and forth.
o Use the Enter key to pull down a menu item or select a menu item.
o Use the spacebar to select an item in the list.

Note: You cannot install a file without first marking it for installation. If you receive
an error message, go back and perform the steps to mark the file for installation.

7. Press Enter. The file now displays as Partial in the Marked? column.
8. To install the file, navigate to the Actions menu and select Install.
9. Press Enter. The installation analysis dialog displays.
10. When analysis is complete, click OK. The installation screen displays.
11. Click Done when installation is complete.
12. Navigate to the File menu and click Exit.

Running the HP-UX Agent


Once you install the HP-UX agent, you must run it. After the agent is running, EnCase can
connect to HP-UX machines and perform its usual functions.

By default, the HP-UX agent is placed in the /opt/encase directory.

To run the HP-UX agent:

1. Navigate to the /opt/encase directory.


2. Enter ./enhpux -d in the command line to start the agent.
o -d starts the agent as a daemon.
o -h displays help instructions and other switches.

Note: After a system reboot, you must restart the agent manually; however, a
system administrator can create a shell script that restarts the agent when the system
reboots.

McAfee ePolicy Orchestrator (ePO) Integration


McAfee ePolicy Orchestrator administrators can use ePO to deploy EnCase agents to ePO-
managed nodes. Once installed, the EnCase agent communicates this information to the ePO
agent:

l Installation status
l Language of the machine
l Version of the EnCase agent ePO plugin
l Whether the agent is running
l Directory where the agent is installed
l Version of the installed agent

Checking In the ePO Agent Package


The EnCase SAFE installer creates a folder named ePO in the root of the EnCase SAFE folder.
The installer adds two files: S_EESERV7000.zip and GuidanceServletExtension.zip to
this ePO folder. Record these locations to assist in checking in the agent package.

To check in the agent package:

1. Log on to McAfee ePO as administrator.


2. From the dropdown menu, select Software.
3. Select Master Repository. The Packages in Master Repository table displays.
4. Click the Check in Package button. The Check In Package dialog displays.
5. Select Product or Update (.ZIP).
6. Browse to the location of the S_EESERV7000.zip file and click Next. The Package
Options tab displays package information.
7. Click Save to finish placing the package in ePO.

Installing the Optional Guidance Software Agent Extension


Instead of displaying S_EESERV7000 in the McAfee Machine Info tab, you have the option to
install a Guidance Software extension package.

1. On the ePO home page, open the dropdown menu, mouse over Software, and click
Extensions.
2. In the lower left corner of the screen, click Install Extension.
3. The Install Extension dialog displays.
4. Click Browse and navigate to the GuidanceServletExtension.zip file. This file is
part of the SAFE installation process, and is stored in the EnCase SAFE\ePO folder.
5. Click Open. The Install Extension window displays details about the extension package.
6. Click OK. The Configuration window shows the Guidance extension installed successfully.

Creating an Agent Deployment Task


You must create a client deployment task to deploy agents in ePO.

1. On the ePO home page, click Menu > Policy > Client Task Catalog.
Note: You can drag the Client Task Catalog option and drop it into the top
navigation bar for easier access.

2. The Client Task Catalog displays. From the Client Task Types list in the left pane, select
Product Deployment.
3. At the top of the window, click New Task.
4. For the task type, select Product Deployment.
5. Enter information in the appropriate fields:
o Task Name: Enter a task name of your choice.
o Enter a Description (optional).
o For Target Platforms, select Windows.

6. In Products and Components, open the product dropdown menu and select EnCaseServlet <version>.
o Action: Select Install.
o Language: Select Neutral.

7. In the command line text box, provide the setup arguments needed to copy setup.exe.
Use the arguments listed below to tell ePO where to find the agent and what agent
options to use when deploying it.

a. Enter -f "<UNC path to the agent setup.exe file>": This must be available to the target via a network share. Guidance Software recommends you create a
\\share visible to network targets (nodes) to contain the agent. Copy the current
setup.exe from the root directory of the SAFE to this share, and specify the share
path in the cmd switches when you check in the agent.
b. When you update the SAFE, make sure to copy the new agent to the \\share
described above.
c. Enter -u <username> .
d. Enter -d <domain>.
e. Enter -t <password>.
f. Enter -o "<setup options>".
Note: -o "<setup options>" must be in quotes for it to be passed to the
agent setup program. For more information on setup.exe options, see the table in
Deploying Windows Agents on page136.

g. Enter -v <agent version>. Use this option to notify previously installed agents
that an update is needed. It does not matter what specific version number you enter.
When a deployment task executes, ePO checks the client registry for this version
number. If the number in the deployment task is greater than what exists on the client, then the agent is deployed to the node.

A complete example might look like this (note that the -o argument is not required and
includes optional agent options, which must be in quotes):
-f \\192.168.2.1\share\setup.exe -u john.doe -d mydomain.com -t password -o "-n custom_agent_name -l 9999" -v 7001

8. Click Save. You can now create a client task assignment to deploy the agent via individual
client task operations or via agent wakeup calls.
Note: Any authentication errors are shown in the log file
C:\Windows\Temp\ServletSetupError.Log on the agent machine.

Verifying Agent Deployment


After pushing agents to the machines, check that they are running and communicating with
the SAFE and Examiner.

Use these methods to verify agents are running properly:

l Verifying Agent Deployment with Net Start Command below


l Verifying Agent Deployment with Netstat Command below
l Verifying Agent Deployment Using Telnet on the facing page
l Verifying AIX Agent Deployment on the facing page

You can also verify agent deployment using Sweep Enterprise.

Verifying Agent Deployment with Net Start Command


To use the Net Start command method, you must have command line access to the node you
want to examine.

1. Open a command shell on the target machine.


2. At the command prompt, type NET START and press Enter.

If the process with the default name, enstart or enstart64, is not running, confirm that you have not
renamed the process to something else, or try reinstalling the agent on the node.

Verifying Agent Deployment with Netstat Command


To use the Netstat command method, you must have command line access to your client and
SAFE.

1. Open a command shell on the client machine.


2. At the command prompt, type NETSTAT -NA | findstr 4445 and press Enter.
3. Confirm the machine is listening on the port number where your SAFE is configured. The
default port number is 4445.

Repeat steps 1-3 on your SAFE machine to verify it is also listening on the same port.

Verifying Agent Deployment Using Telnet


This test requires command shell access from both the SAFE and client machines. You must
turn on the Telnet feature in Windows, since this feature is off by default.

1. Open a command shell on the client machine.


2. At the command prompt, type TELNET <IP> <port> and press Enter.
o The IP can be an IP address, host name, or DNS name of the SAFE.
o The port number is the port number the SAFE is listening on, typically 4445.
o If you see an error message, the SAFE is not listening on that port.

A successful Telnet connection to the SAFE or agent results in a momentary pause with
no feedback in the Telnet window. Press Enter a few times for output to display.

Repeat these steps on your SAFE machine. This confirms your SAFE can connect to the client.

Verifying AIX Agent Deployment


You must be logged in as root in order to install the package.

To check the AIX agent:

1. Execute the command lslpp -l | grep encase.


o The output is in the format <package name> <version> <status> <comment>.
For example: encase.agent.rte 5.4.0.0 COMMITTED encase AIX agent

2. Compare the status output to the information below to determine if the agent is operating as expected.
o APPLIED: The specified fileset is installed on the system. The APPLIED state means the fileset can be rejected with the installp command and the previous level of the fileset restored. This state is only valid for Version 4 fileset updates and 3.2 migrated filesets.
o APPLYING: An attempt was made to apply the specified fileset, but it did not complete successfully, and no cleanup was performed.
o BROKEN: The specified fileset or fileset update is broken and should be reinstalled before being used.
o COMMITTED: The specified fileset is installed on the system. This means that a commitment was made to this level of the software. A committed fileset update cannot be rejected, but a committed fileset base level and its updates (regardless of state) can be removed or reinstalled with the installp command.
o COMMITTING: An attempt was made to commit the specified fileset, but it did not complete successfully, and no cleanup was performed.
o REJECTING: An attempt was made to reject the specified fileset, but it did not complete successfully, and no cleanup was performed.

Stopping and Removing Agents


In some circumstances you may want to stop or remove an agent from a node. There are
several ways to do this, depending on the operating system of the node.

Stopping an Agent Using PsTools


To stop the agent on a node machine using PsKill:

1. Open a command shell on the examiner computer.


2. Execute the command pskill \\<node name> <agent name> with these parameters:

Parameter      Description
<node name>    The name of the node machine.
<agent name>   The name of the agent, usually setup.exe for running as a service, and enstart.exe for running as a process.

Removing Check In Functionality


The method you use to remove check in functionality depends on the operating system of the
node.

Removing the Check In Agent from a Windows Computer


You must have command line access on the machine and you must have a copy of the agent
to redeploy.

To remove the check in functionality on a Windows machine:

l Open a command prompt on the machine. Remove the agent using the command
setup -r.

Removing the Check In Agent from a Linux Computer


Removing the check in functionality from Linux-based machines differs from that of Windows machines,
because Linux machines do not have a registry. Removing the functionality does not require
removing and reinstalling the agent.

l From a command shell using either Telnet or SSH, delete the check in configuration file
using the command rm .<agent name>.

After you delete the check in configuration file, the agent resumes typical operation.

Removing the Agent in Windows


There are two ways to remove the agent from a Windows machine:

l An automated procedure using a CD at each node.


l A manual procedure you run in command mode at each node.

Removing the Agent using an Automated Procedure


Before you start, make sure you have the following:

l You need access to each node machine.


l Each machine must have a removable media device, such as a floppy drive or CD-ROM
drive.
l You need the setup.exe file from your SAFE.

To remove the agent using an automated procedure:

1. Copy setup.exe from your SAFE to the removable media. The file is typically located at
C:\Program Files\EnCase SAFE.
2. Insert the media into the machine where you want to remove the agent. Open a com-
mand window on the machine.
3. Execute the command setup.exe -r.

No output is returned. This stops the enstart service, deletes enstart.exe and
enstart_.sys (regardless of how they were named during installation), and removes registry
entries relating to the agent.

Removing the Agent Manually


To manually remove an agent from a machine, you must have access to the node.

1. Open a command window from the node machine.


2. Execute the command net stop <agent name>.
3. Delete <agent name>.exe and <agent name>_.sys. The files can be located in the
following locations, which vary according to the operating system.

Operating System Location


XP / 2003 C:\Windows\System32

NT 4.0 / Windows 2000 C:\WINNT\System32

4. Remove the following registry keys using regedit.exe for Windows XP/2003 machines
or regedt32.exe for all other machines:
o HKEY_LOCAL_MACHINE\SYSTEM\
CurrentControlSet\Enum\Root\LEGACY_ENSTART
o HKEY_LOCAL_MACHINE\SYSTEM\
ControlSet001\Services\enstart
o HKEY_LOCAL_MACHINE\SYSTEM\
ControlSet001\Enum\Root\LEGACY_ENSTART
o HKEY_LOCAL_MACHINE\SYSTEM\
ControlSet002\Services\enstart
o HKEY_LOCAL_MACHINE\SYSTEM\
ControlSet002\Enum\Root\LEGACY_ENSTART

Remove C:\WINDOWS\System32\enstart.exe from the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup key.

Note: To delete ~LEGACY_ENSTART keys, you must first change permission to Full Control for Everyone using the appropriate registry editor listed above.

Note: All the keys listed in step 4 may not exist on all machines.

5. Using the appropriate registry editor for your machine, search for and delete any remain-
ing values and keys that have enstart in the name.

Removing the Agent from Linux or OS X


Unlike Windows, Linux does not provide an automatic method of removing agents. Follow
these procedures to manually remove the agent.

Determine How the Agent is Installed


This procedure uses default paths and agent names. If you changed the agent name, port, or
location of the agent, make the appropriate changes when following these steps.

To perform these commands you must be logged in as root or use su.

1. Make sure the agent is not currently being accessed by EnCase Examiner.
2. Determine if the agent is running as a process. Execute the command:
netstat -an | grep 4445

If your results are similar to the output in this example, the agent is running as a process:
tcp 0 0 0.0.0.0:4445 0.0.0.0:* LISTEN

3. Determine the agent's process ID (PID). Execute the command:


ps aux | grep <agent name> | grep -v grep

If your results are similar to the output in this example, the agent is running as a process:
root 2360 0.0 0.1 1400 552 ? S Jun17 0:07
/usr/local/encase/enlinuxpc -d -p /usr/local/encase

Note: 2360 is the PID on the machine used in this example. The PID on your
machine will differ.

4. If the output to the previous command returns nothing, the agent is probably running
using inetd or xinetd. Determine if the agent is running using xinetd: look in the
/etc/xinetd.d directory for a configuration file typically named enlinuxpc for Linux
or enosx for OS X. If you find the file, the agent is running using xinetd.
5. If you are using Linux, determine if the agent is running using inetd: view the contents of
the /etc/inetd.conf file. If you find an uncommented line referring to the agent as in
this example, the agent is running using inetd:
enlinuxpc stream tcp6 wait root /usr/local/encase/enlinuxpc enlinuxpc -i -p /usr/local/encase

6. If you are using OS X 10.4 or newer, determine if the agent is launching during startup:
look for a folder called EnCase in the /Library/StartupItems folder.

If the Agent is Running as a Process, Stop the Process


Determine if the agent is running as a process. If so, you must kill the process.

1. To kill the process, you must be logged on as root.
2. Kill the process for the agent: use the command kill -9 <PID number>. The Process
ID (PID) is the PID for your agent, as determined in step 3 above.

If the Agent is Running as a Service, Stop the Service


If the agent is running using xinetd or inetd, you must stop the service.

1. To stop the service, you must be logged on as root.
2. Stop the service by running the command:
/sbin/service <agent name> stop

Delete the Agent and Configuration Files


To delete the agent you must be logged on as root.

1. Delete the agent: execute the command rm -R /usr/local/encase.
2. If the agent is running using xinetd, delete the configuration file: execute
rm /etc/xinetd.d/<agent name>
3. If you are using OS X 10.4 or newer and the agent is running from launchd, remove the
directory containing the startup files: execute
rm -R /Library/StartupItems/EnCase

4. If the agent is running using inetd, open /etc/inetd.conf using a text editor such as
vi. Locate and delete (or comment out) the entries referring to your agent. Save and close
the configuration file. Some examples are:

enosx stream tcp6 wait root /usr/local/encase/enosx
enlinuxpc -i -p /usr/local/encase

5. If the agent is running using inetd or xinetd, open /etc/services and comment out
or delete the line referring to your agent.
6. Save and close the file.
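The checks in the procedure above (listening port, agent process, xinetd file, inetd.conf entry, StartupItems folder), collected into one script as an added example that is not part of this guide. It assumes the default names and paths used in the procedure (enlinuxpc, port 4445, /etc/xinetd.d, /etc/inetd.conf, /Library/StartupItems) and exercises them against constructed sample output, so it can be run without touching a live host.

```shell
#!/bin/sh
# Added example, not part of the Guidance Software guide: classify how an EnCase agent
# was installed on a Linux or OS X host, using the same checks as the manual procedure
# (listening port, running process, xinetd file, inetd.conf entry, StartupItems).
# Each check reads its input from a file or stdin so it can be run against captured
# output as well as the live system; the sample data below is constructed.

AGENT_PORT=4445          # default agent port from the guide
AGENT_NAME=enlinuxpc     # enlinuxpc on Linux, enosx on OS X (change if you renamed it)

# Step 2: is something listening on the agent port? Reads `netstat -an` output on
# stdin; handles both "0.0.0.0:4445" (Linux) and "*.4445" (OS X) address formats.
agent_port_state() {
  if grep -Eq "[.:]${AGENT_PORT}[[:space:]].*LISTEN"; then
    echo listening
  else
    echo not-listening
  fi
}

# Step 3: PID of the agent process. Reads `ps aux` output on stdin and drops the
# grep that would otherwise match itself, as the guide's command does.
agent_pid() {
  grep "$AGENT_NAME" | grep -v grep | awk 'NR == 1 { print $2 }'
}

# Step 4: xinetd configuration file present? $1 = xinetd.d directory.
xinetd_configured() {
  [ -f "$1/$AGENT_NAME" ]
}

# Step 5: uncommented inetd.conf entry for the agent? $1 = path to inetd.conf.
# Entries commented out with a leading # are ignored, as the guide describes.
inetd_configured() {
  [ -f "$1" ] && grep -Eq "^[[:space:]]*${AGENT_NAME}[[:space:]]" "$1"
}

# Step 6: OS X startup item present? $1 = StartupItems directory.
startupitem_configured() {
  [ -d "$1/EnCase" ]
}

# Combine the checks into one line, e.g. "process:2360 xinetd", or "none".
# $1 netstat output file, $2 ps output file, $3 xinetd.d dir, $4 inetd.conf,
# $5 StartupItems dir.
classify_agent() {
  result=""
  pid=$(agent_pid < "$2")
  [ -n "$pid" ] && result="process:$pid"
  xinetd_configured "$3" && result="$result xinetd"
  inetd_configured "$4" && result="$result inetd"
  startupitem_configured "$5" && result="$result startupitem"
  [ -z "$result" ] && result="none"
  printf '%s\n' "$result" | sed 's/^ //'
}

# Write constructed sample inputs (modelled on the guide's example output) into
# directory $1, so the checks can be exercised without touching a real host.
write_samples() {
  mkdir -p "$1/xinetd.d" "$1/StartupItems"
  printf 'Proto Recv-Q Send-Q Local Address Foreign Address State\n' > "$1/netstat"
  printf 'tcp 0 0 0.0.0.0:4445 0.0.0.0:* LISTEN\n' >> "$1/netstat"
  printf 'USER PID CPU MEM VSZ RSS TTY STAT START TIME COMMAND\n' > "$1/ps"
  printf 'root 2360 0.0 0.1 1400 552 ? S Jun17 0:07 %s\n' \
    '/usr/local/encase/enlinuxpc -d -p /usr/local/encase' >> "$1/ps"
  printf 'root 2401 0.0 0.0 1200 400 pts/0 S+ 10:00 0:00 grep enlinuxpc\n' >> "$1/ps"
  # inetd.conf with the agent entry commented out: must NOT count as inetd-managed
  printf '#enlinuxpc stream tcp6 wait root /usr/local/encase/enlinuxpc %s\n' \
    'enlinuxpc -i -p /usr/local/encase' > "$1/inetd.conf"
}

# Classify the live host (run as root, as the guide requires): `sh thisfile --live`.
live_classify() {
  tmp=$(mktemp -d)
  netstat -an > "$tmp/netstat" 2>/dev/null || true
  ps aux > "$tmp/ps"
  classify_agent "$tmp/netstat" "$tmp/ps" /etc/xinetd.d /etc/inetd.conf /Library/StartupItems
  rm -rf "$tmp"
}

if [ "${1:-}" = "--live" ]; then
  live_classify
fi
```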

Removing the Solaris Package


To remove the tar package, you must be logged in as root.

1. Kill the agent process with the command pkill ensolspar.
2. Remove the package with the command pkgrm GSIservl.
3. Remove the directory containing the agent using the command rm -R /usr/local/encase.

Removing the AIX Package


To remove the AIX agent package, you must be logged in as root.

1. Remove the AIX package with the command installp -u encase.agent.rte.

Note: Do not type the bff file extension when entering the command.
o The installer determines the correct agent to remove and outputs information regarding
the removal.
o The removal process finishes with the message:

encase.agent.rte 5.4.0.0 USR DEINSTALL SUCCESS

2. Remove the EnCase directory and any remnants with the command:
rm -R /usr/local/encase

Stopping the SAFE


To stop a SAFE:

1. Open a command shell on your SAFE machine.
2. Enter the command net stop safe and press Enter.

To manually start the SAFE again, use the command net start safe and press Enter.
CHAPTER 8
TROUBLESHOOTING

Troubleshooting the SAFE 181

Checking the SAFE Status 181

Checking the Agent Status 182

Checking the Desktop Client Status 182

Viewing and Exporting Event Log Files 184

Troubleshooting License Manager 191



Troubleshooting the SAFE


Troubleshooting problems can be divided into three areas:

l Check the SAFE status for logon or target connection problems.
l Check the agent status if you are having problems connecting to a computer running an
agent.
l Check the desktop client status if both the SAFE and agents are working, but you are still
experiencing problems.

You must check each component because an error may appear as if the cause is one
component, when the actual source of the problem is in a different component. Follow the
troubleshooting steps in the next topics to solve common problems.

Checking the SAFE Status


The SAFE program must be running and listening for a client to log on, or connect to the
computers running an agent.

Look for safe.exe in the Windows Task Manager to see if the SAFE service is running.

To check if the SAFE is listening for the clients, run netstat -na from the command line. This
screen shows that the SAFE service is listening on port 4445. If you specified a different port
number during the installation of the SAFE, then you should see that port number.

If the SAFE is not started or listening, you can start the SAFE using the command net start
safe from the Windows command line.

You can also try stopping and restarting the SAFE to refresh the service. To stop the SAFE, use
net stop safe from the Windows command line.

Checking the Agent Status


If you are unable to connect to a computer running an agent and your troubleshooting
determines that the SAFE is operating correctly, check the status of the agent.

First, ensure that the problem is not related to network connectivity:

l Can the client computer ping the computer hosting the agent?
l Can the client ping the SAFE computer?
l Can the SAFE ping the computer hosting the agent?
l Have you disabled or added an exception for any firewalls?

For further agent troubleshooting steps, see the corresponding Guidance Software product
user guide for details.

Checking the Desktop Client Status


If the SAFE and agents are operating correctly, check the desktop client status.

SECURITY KEY OR LICENSE ERRORS


You can check the security key simply by looking at the title bar of your desktop client.

If Acquisition displays in the window title bar, the program has lost contact with your security
key.

There are several possible causes:


Cause: The security key was removed from the computer.
Action: Replace the security key.

Cause: The wrong security key is inserted into the computer.
Action: Replace the security key with your License Manager security key.

Cause: The USB port is damaged, or the security key driver is not installed.
Action: Try a different USB port, or install the appropriate security key drivers for your USB port.

Cause: The security key is damaged.
Action: Order a replacement from Guidance Software Customer Service.

Cause: License Manager has not allocated a license to the desktop client.
Action: Check that you can connect to the License Manager server and that there are enough
License Manager licenses for you to use. See Verifying License Manager Connectivity on page 127
to check for the number of licenses.

DESKTOP CLIENT ERRORS LOGGING ON TO THE SAFE


There are two error messages you can receive when logging on to the SAFE:

Error Message: Connection closed
Solution: This is usually caused when the security key is not inserted into the SAFE.
To correct this:
1. Insert the security key into the SAFE.
2. Stop the SAFE with the command net stop safe
3. Restart the SAFE with the command net start safe

Error Message: Invalid Command 58 or Node is not a SAFE
Solution: This is usually caused by the agent being deployed on the SAFE machine. This prevents
the SAFE from listening on the port because the agent (or possibly another process) is using
that port. To correct this, uninstall the agent from the SAFE.

Viewing and Exporting Event Log Files


You can view and export log files for logon, system, role, administration, Windows
authentication, and job status events. The log IDs and event messages are listed below.

Logon Events
ID Event Message
20556 The command is not permitted
19276 Invalid key
20044 Invalid username
20309 User logged on
18005 User logged off

System Events
ID Event Message
17996 Invalid logon packet format
17484 Invalid SAFE
21587 SAFE start
21331 SAFE stop
18003 SAFE startup failed
21071 Orphaned user

Role Events
ID Event Message
20035 Connected
17220 Disconnected
17987 Connect failed
21843 Save user failed
21314 Start sweep
17730 Stop sweep
17747 Search
17729 Acquire
21061 EnScript
19541 User Defined Message
17988 Agent Deployment Failed
22340 Agent Deployment Successful

Administration Events
ID Event Message
17237 User Created
17493 User Deleted
19797 User Modified
17234 Role Created
17490 Role Deleted
19780 Role Modified

Windows Authentication Events
ID Event Message
21335 Windows Authentication Succeeded
18007 Windows Authentication Failed

Job Events
ID Event Message
21322 Start Remote Job

Accessing Event Logs


You must have SAFE access with View Logs (for user and child logs) or View All Logs (for all logs
the keymaster can view) permission to read event logs.

1. Click View > Events. The Events tab displays.
2. In the Table tab, click Read Logs.
3. The Read Logs dialog displays.

The Event Types tab shows event folders and the individual event names contained in
the selected folder.

The Users tab filters event logs by user. When expanded, the left pane shows all users,
while the right pane shows the children of the left pane selection.

The Roles tab filters event logs according to a user's SAFE identification role. The left
pane shows established access rights, while the right pane shows the peers of the item
selected in the left pane.

The Read Logs Time Frame tab filters an event activity by time. The Start Date and Stop
Date selections are independent of each other. If Any Time is selected in one, a specific
date and time can be selected in the other.

4. Click OK to return to the main window.

Logs in the selected folder display in the right pane.

Printing or Exporting Event Logs


After obtaining the event logs for Users, Roles, and Time Frame, you can print a simple text file
by doing the following.

1. After using the Read Logs dialog to make selections, click OK to return to the main window.
Select desired records in the Table pane if you do not want to print all of the information.
2. Click the down arrow in the right corner of the Table tab, then click Save As in the drop-down
menu.

3. The Save As dialog displays.

o Select which fields to print or export.
o Select which row numbers to start and stop with. The default is the entire range of rows.
If specific rows are selected, you can also choose whether to print or export Only Checked
Rows and whether to Show Folders.
o Specify the output Format (Tab delimited, RTF, web page, XML, or Review).
o Designate a location for the saved file.
o Select Open file if you want the file to open after saving.

4. When done, click OK.
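A defender-side use of the exported logs, as an added example that is not part of this guide: review a Tab delimited export for repeated failed logons using the event IDs from the tables above. The column layout (Time, ID, User, Message) and the sample rows are constructed assumptions for this example; match the columns to the fields you selected in the Save As dialog.

```shell
#!/bin/sh
# Added example, not part of the Guidance Software guide: review a tab-delimited SAFE
# event log export (Save As > Format: Tab delimited) for repeated failed logons.
# The column layout assumed here (Time, ID, User, Message) is an assumption for this
# example; compare it with the fields you chose in the Save As dialog.

# Event IDs from the guide's Logon and Windows Authentication tables that mean a logon
# attempt failed: Invalid key, Invalid username, Windows Authentication Failed.
FAILED_LOGON_IDS="19276 20044 18007"

# Map a logon or Windows authentication event ID to the message listed in the guide.
safe_event_message() {
  case "$1" in
    20556) echo "The command is not permitted" ;;
    19276) echo "Invalid key" ;;
    20044) echo "Invalid username" ;;
    20309) echo "User logged on" ;;
    18005) echo "User logged off" ;;
    21335) echo "Windows Authentication Succeeded" ;;
    18007) echo "Windows Authentication Failed" ;;
    *)     echo "Unknown event $1" ;;
  esac
}

# Write a constructed sample export to the file named in $1 (header row first).
write_sample_export() {
  {
    printf 'Time\tID\tUser\tMessage\n'
    printf '2017-03-01 09:00:01\t20309\talice\tUser logged on\n'
    printf '2017-03-01 09:01:10\t20044\tbob\tInvalid username\n'
    printf '2017-03-01 09:01:12\t20044\tbob\tInvalid username\n'
    printf '2017-03-01 09:01:15\t19276\tbob\tInvalid key\n'
    printf '2017-03-01 09:01:20\t20044\tbob\tInvalid username\n'
    printf '2017-03-01 09:05:00\t18007\tcarol\tWindows Authentication Failed\n'
    printf '2017-03-01 09:05:30\t21335\tcarol\tWindows Authentication Succeeded\n'
    printf '2017-03-01 17:00:00\t18005\talice\tUser logged off\n'
  } > "$1"
}

# Count failed logon events per user in export $1, skipping the header row.
# Output: one "user<TAB>count" line per user with at least one failure, sorted by user.
failed_logons_per_user() {
  awk -F'\t' -v ids="$FAILED_LOGON_IDS" '
    BEGIN { n = split(ids, a, " "); for (i = 1; i <= n; i++) bad[a[i]] = 1 }
    NR > 1 && ($2 in bad) { fails[$3]++ }
    END { for (u in fails) printf "%s\t%d\n", u, fails[u] }
  ' "$1" | sort
}

# Users whose failed logon count in export $1 meets threshold $2, one per line.
users_over_threshold() {
  failed_logons_per_user "$1" | awk -F'\t' -v thr="$2" '$2 >= thr { print $1 }'
}

# List the failing events for one user ($2) in export $1, with the guide's message
# looked up by ID so the export's own Message column can be cross-checked.
show_user_failures() {
  awk -F'\t' -v u="$2" 'NR > 1 && $3 == u { print $1 "\t" $2 }' "$1" |
  while IFS="$(printf '\t')" read -r when id; do
    case " $FAILED_LOGON_IDS " in
      *" $id "*) printf '%s\t%s\t%s\n' "$when" "$id" "$(safe_event_message "$id")" ;;
    esac
  done
}
```

With the sample export, users_over_threshold with a threshold of 3 reports bob, whose four failures in ten seconds are the pattern worth investigating.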

Troubleshooting License Manager


If a client is unable to obtain licensing from License Manager, check:

l EnCaseLM status in Windows Task Manager.
l Connection to the License Manager (via telnet or ping).
l Correct number of licenses detected: see Verifying License Manager Connectivity on page 127.
l Location and name of the [LicenseManagerName].SAFE and default.nas files when you have
multiple License Managers and SAFEs.
CHAPTER 9
SUPPORT

Overview 195

Find Support Online 195

Contact Guidance Software 198

Contact EnCase eDiscovery Review Technical Support 200



Overview
Guidance Software is committed to providing our customers with the best user experience
possible. There are a variety of ways for you to get the help you need, when you need it.

This section provides information on our various support resources.

l Technical Support
l Customer Service
l Sales

Find Support Online


Guidance Software provides an array of resources to help you find answers to your questions
online.

To access online support, navigate to www.guidancesoftware.com and click Support.

SALES
Links under Sales enable you to:

l Contact sales by phone or form submission
l Request a demo
l Call a sales representative
l Request a quote
l Locate your nearest reseller

TECHNICAL SUPPORT
Links under Technical Support enable you to:

l Find contact hours, phone numbers, and hours of availability
l Browse FAQs
l Call a technical support agent
l Register your product to receive future downloads
l Access customer community forums
l Join the customer community where you can:
o Access forums
o Read knowledge base articles
o Log and track issues
o Chat with a representative
o Download documentation
o Download products

l Register your account

CUSTOMER SERVICE
Links under Customer Service enable you to:

l Find contact hours, phone numbers, and hours of availability
l Browse FAQs
l Call a technical support agent
l Register your product to receive future downloads
l Receive help immediately in the event of a breach
l Access customer community forums
l Join the customer community where you can:
o Access forums
o Read knowledge base articles
o Log and track issues
o Chat with a representative
o Download documentation
o Download products

l Register your account

Access the Customer Community


The customer community is an online meeting place where you can:

l Register your product
l Access forums
l Read knowledge base articles
l Log and track issues
l Chat with a representative
l Download documentation
l Download products

To access the customer community navigate to www.guidancesoftware.com/community.



View Customer Forums


The Guidance forums provide a rich repository of information:

l EnCase AppCentral offers downloadable user-created applications
l General discussion forums provide information about products and specific issues
l Non-English language forums are also available

In these forums you can learn from community members, ask questions, and share your
expertise with others.

To access the forums navigate to www.guidancesoftware.com/community.

Browse the Knowledge Base


The knowledge base consists of articles on a variety of topics about Guidance Software
products.

The knowledge base is part of the Customer Community and may be accessed by navigating to
www.guidancesoftware.com/community.

Log and Track Issues


You can create a new support case to log issues, track existing cases, or request a new feature
through the customer community at www.guidancesoftware.com/community.

Register your Product


Register your Guidance Software product to receive product updates.

To register your product, navigate to www.guidancesoftware.com/register.

If you have trouble registering your product, contact Customer Service.

If you have trouble downloading updates after registering, contact Technical Support.

Register your Account


Registered owners of Guidance Software products gain access to the forums, knowledge base
articles, and other support resources contained within the Customer Community.

To register your account, navigate to www.guidancesoftware.com and click Support >
Technical Support > Register Product. A registration form displays.

Provide all requested information. This helps us identify you as a registered owner of a
Guidance Software product.

After you complete the registration form, click Register.

After submitting your form, you will receive an email. Once you have verified your email
address, your account will be reviewed and approved within 24 business hours.

Once your registration is approved, you can access the Customer Community by navigating to
www.guidancesoftware.com and clicking Support > Technical Support > Customer Community.

Contact Guidance Software


There are many ways to contact Guidance Software if you want help, more information, or to
provide feedback.

l Contact Sales
l Contact Customer Service
l Contact Technical Support

Contact Sales

BY TELEPHONE:
626-229-9191
888-999-9712

BY ONLINE REQUEST:
Navigate to www.guidancesoftware.com and click Support > Sales to request a demo, speak to
a member of our sales team, or request a quote.

Contact Customer Service

BY TELEPHONE:
626-463-7964 (Monday through Friday, 7 am to 5 pm, Pacific Time)
866-229-9199

BY ONLINE REQUEST:
Navigate to www.guidancesoftware.com and click Support > Customer Service > Contact.

Contact Technical Support


Guidance Software provides telephone technical support 24 hours a day, excluding weekends
and holidays, through the regional support numbers listed below. All technical support
inquiries are automatically routed to either our US or UK office, depending on the time of day.

UNITED STATES:
Phone: +1 (866) 973-6577 or (626) 463-7977
Fax: +1 (626) 229-9199
1055 E. Colorado Blvd.
Pasadena, CA 91106

UNITED KINGDOM:
Phone: +44 (0) 1753-552252, Option 4
Fax: +44 (0) 1753-552232
Thames Central, 5th Floor
Hatfield Road
Slough, Berkshire UK SL1 1QE

EMEA AND APAC:
+800-4843-2623
For customers in the following countries, use your country's local exit code and call:
+800-GUIDANCE (4843-2623). Do not dial US country code 1.

l Australia
l Belgium
l China-North
l China-South
l Denmark
l Finland
l France
l Germany
l Hong Kong
l Italy
l Japan
l Malaysia
l Netherlands
l New Zealand
l Norway
l Poland

l Singapore
l South Korea
l Spain
l Sweden

If you do not know your exit code, refer to http://www.howtocallabroad.com/codes.html. Dial
your country's exit code, then dial 800-4843-2623.

Chat with a Technical Services Engineer


Live chat is available with technical service engineers from 10 pm Sunday to 6 pm Friday, Pacific
Time.

To chat, navigate to www.guidancesoftware.com and click Support > Technical Support >
Customer Community.

On the Customer Community home page, open the left sidebar with the ALT +S keyboard
command, or by clicking the arrow in the left margin.

In the Live Chat area, click Start Chat.

Contact EnCase eDiscovery Review Technical Support
EnCase eDiscovery Review Technical Support representatives are available seven days a week
to assist you with EnCase eDiscovery Review. You can submit questions via telephone, by
email, or from within EnCase eDiscovery Review.

TELEPHONE:
866-973-6577, Option 3
Technical Support business hours are 5 AM-5 PM Pacific Time, Monday through Friday.
Calls after hours are routed to the on-call technician on duty.

EMAIL:
You can also submit Technical Support requests by email to support@encasereview.com.

ONLINE:
Click Support at the top right of the EnCase eDiscovery Review application window. A form
displays enabling you to send a support request, report a problem, or make a suggestion.
Fill in the form fields and click Send Email to close and submit the support request.
GLOSSARY

Acquisition
Acquisition is the process of importing the contents of a device into a data analytics tool in a
forensically sound manner.

Agent
An agent is a process or service with administrative privileges that runs on one or more target
machines accessed through the SAFE. The agent accepts commands from the Guidance Software
product via the SAFE and has access to the target machines at the bit level. Program requests are
signed by the SAFE server and verified by the network device. The agent is signed by the SAFE
server private key and contains the SAFE server public key.

Check In Agent
Use check in agents when your organization must establish an Internet connection outside your
network visibility. To investigate machines using the check in agent, use the Sweep Enterprise or
other EnScript programs. This technology overcomes issues of limited network visibility within
your organization, such as using Network Address Translation (NAT), where private IP addresses
are mapped to a public IP address.

Cluster
A cluster is a collection of sectors on a storage device. Clusters are considered the primary
addressable unit for operating systems. Cluster size varies and is determined by file system
limitations or volume size.

Disk Partition
The area of a physical disk that contains the space of a logical volume. A disk's partition table
contains information about partition scheme, size, and location.

Enhanced Agent
A process or service with administrative privileges that runs on target machines accessed
through the SAFE. The key feature of the enhanced agent is the ability to process scans locally
instead of sending scans to the Guidance Software server for processing.

Entropy Analysis
Algorithmic analysis of files based on similarity. A high entropy value indicates files are similar.
Entropy analysis can help find similar files that may have small differences, such as that found in
polymorphous malware.

File Allocation Table (FAT)
File Allocation Table is a file system that uses a simple table to list all clusters within a volume and
notes the status of each allocation block. Blocks can be allocated, unallocated, or bad.

File Extension
A three or four-letter extension that follows the dot at the end of a file. The file extension is used
by applications to identify files they can use.

File Extent
File system metadata about a file. Common extents include start sector, start byte, number of
bytes, start cluster, and number of clusters used.

File Fragmentation
The state of a file being stored across multiple non-contiguous sectors on a physical storage
medium. File fragmentation is used to maximize the use of available storage space.

File Signature
File signatures are bytes of data generally stored at the beginning of a file. File signature data is
used by an application to identify file types and verify file contents.

File Signature Analysis
Analysis of the signature in a file header to determine more information about that file. Such
analysis can identify files with signature and file extension discrepancies, which might arise where a
user changed a file extension to hide its contents.

File Slack
On a physical storage device, file slack is the area between the end of a logical file and the end of
the cluster. File slack may contain previously deleted file data and can be recovered and
examined using digital forensic tools.

File System
A computing device's file system controls how and where files are stored on a device as well as
the size and location of disk sectors. NTFS is a common file system for Windows machines.

GUID
A Globally Unique Identifier (GUID) is a unique reference number representing a software
object.

Hash Value
A unique numeric value of a file derived from a hash function. In cryptography, two common
hash algorithm functions are SHA-1 and MD5. Identical files have the same hash value.

Hexadecimal
A base 16 numbering system, represented by 16 digits 0-9 and A-F (representing decimal values
11 to 15).

Image
To image a physical storage device is to make a duplicate. A forensically-sound acquisition leaves
the original evidence unmodified and provides one or more ways to verify the duplicate image is
an exact bit-level copy of the original device.

IP Range
A description of consecutive, adjacent IP addresses that includes the starting and ending IP
address, for example 192.168.0.0 - 192.168.0.255. IP range can also be described in CIDR
notation (ex. 192.168.0.0/22).

Keymaster Public Key File
A file generated during the SAFE installation process. It is used by the SAFE Administrator to
logon to the SAFE. This filename is keymaster.publickey.

Logical Image
A logical image of a hard drive captures the in-use data found in a logical volume on a hard drive.
A hard drive may contain multiple logical volumes. Each logical image captures only one logical
volume.

Logical Partition
The portion of a physical storage device defined by a computer operating system and stored in
the administrative section of a physical device known as a partition table.

Logical Volume
The portion of a physical disk established by a file system to act as a discrete container for files.
Logical volumes are contained within disk partitions. In Windows systems, logical volumes are
assigned individual letters.

Machine Token File
A file generated during the SAFE installation process. This file is sent to Guidance Software, in
conjunction with the keymaster public key file to generate the setup completion file. The
machine token file has a .machine file extension and is located at C:\Program Files\Guidance
Software\SAFE.

MD5 Hash Value
A 128-bit value for a file entry, generated by the hash analysis process. Unique files have unique
hash values. Identical files should have identical hash values.

Metadata
Metadata is descriptive information about software objects and can provide important
information to investigators. For example, file metadata is contained in the file's header and
provides information about the file. File system metadata conveys important information about
how and where files are stored on a storage device.

Network Tree
The network tree represents all target nodes on a network available to investigators for
investigation.

New Technology File System (NTFS)
NTFS is a file system commonly found on Microsoft Windows physical drives that uses a database
to document information about files and folders on a volume.

Node
An entry in the network tree that describes a target machine using an IP address, machine name,
or IP range.

NSRL
The National Software Reference Library (NSRL) is a large and comprehensive collection of
commercial software with file metadata and hashes. The NSRL Reference Data Set (RDS) is updated
and published quarterly. Comparing data against the NSRL RDS permits analysts to quickly
exclude known components in standard software distributions from analysis.

Pathways
Introduced in EnCase 8.01, Pathways provide a step by step list to complete a particular
workflow. In EnCase 8.03, the ability to create and distribute custom workflows was added.

Physical Image
A physical image of a hard drive captures the actual data at the bit level, including deleted file
data and file fragments. A physical image captures all logical volumes on a single hard disk.

RAM Slack
RAM slack is the remaining space between the end of a logical file and the rest of that sector.

Role
A role is a set of permissions held in the SAFE that allow or deny access to target machines and
product functionality. Roles are created with various permissions, then assigned to users or user
groups when setting up accounts.

SAFE Backup File
This file is generated during the SAFE setup process. Use it where the SAFE private key file is
deleted, or has been corrupted. The file is located at C:\Program Files\Guidance Software\SAFE.
Its filename is SAFE Backup.spvk.

SAFE Private Key File
This file is generated during the SAFE Setup process. It is used when performing updates to the
SAFE. The file is located at C:\Program Files\Guidance Software\SAFE. Its filename is SAFE Private
Key.spvk.

SAFE Public Key File
This file is generated during the SAFE Setup process. It must be copied to the Keys folder in the
root of the installation directory for each machine. The file has the .SAFE file extension.

Sector
A sector is the smallest area on a piece of media that can be written to or read from.

Setup Completion File
This file is sent to you from Guidance Software to complete the setup process. To complete
installation, copy this file into the location of your SAFE (C:\Program Files\Guidance
Software\SAFE). The file has a .Setup file extension.

SHA-1 Hash Value
A 160-bit value for a file entry, generated by the hash analysis process. Unique files have unique
hash values. Identical files should have identical hash values.

SSD
A Solid-State Drive (SSD) is a silicon microchip-based data storage device as opposed to a
traditional hard disk drive.

Target Machine
A computer on the network with an agent running on it.

Unallocated Clusters
An unallocated cluster is the part of a physical storage device that is not associated with a data
object. When EnCase acquires a physical device, all unallocated clusters are identified and
grouped together to aid investigators with analysis.

Unicode
A computer industry standard for consistently encoding and displaying text. The Unicode
character set is represented by 16 bits of data, and space to map up to 65535 unique characters.

Write Blocker
A write blocker is a physical or software device that prevents any modification to a data storage
device such as a hard drive.


Configuration 54
Stopping an Agent Using
PsTools 172 Verifying Agent Deployment 170

Stopping and Removing Verifying Agent Deployment Using


Agents 172 Telnet 171

Stopping the SAFE 177 Verifying Agent Deployment with


Net Start Command 170
Support 193
Verifying Agent Deployment with
Support Overview 195 Netstat Command 170

Verifying AIX Agent


T Deployment 171

The Desktop Client 16 Verifying License Manager Con-


nectivity 127
Troubleshooting 179
View Customer Forums 197
Troubleshooting License
Manager 191 Viewing and Exporting Event Log
Files 184

VMware Support 39
U

Using Code-Signed Mac


Agents 165

Using PsTools to Deploy Agents to a


Single Machine 142