One thing that tends to bite folks in the backside when dealing with EnCase is a desktop firewall. If you are trying to communicate with a servlet running on a target machine, first check that the port is actually listening. The default listening port for the EnCase servlet is TCP 4445, assuming you have not changed it to some other port. To change the listening port, use the -l switch on install.
An easy way to check is to simply telnet to the port.
Example: “telnet targetIP 4445”.
If you get a connection, this (possibly) means that the servlet is listening. If you do not, there is a good chance that the system is running the Windows firewall or whatever similar product you use in your enterprise. The vast majority of the time this is the culprit behind failed communication between the EnCase Examiner and the servlet.
To check if your local system has the servlet running simply type:
C:\> net start
This lists the services that are running on your Windows box; look for the service named “enstart”. Unless, of course, it has been renamed in your corporate environment.
This may seem simple, but by and large the desktop firewall tends to be overlooked by rookie forensic examiners, causing them much grief.
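A bare telnet only tells you “connected” or “not connected”. The added script below (my own example, not part of the original post or an EnCase tool) makes one TCP connection to the servlet port and separates a refused connection (host reachable, nothing listening) from a silent timeout (the classic desktop-firewall symptom); the explanation strings and the loopback “servlet” stand-in are constructed for the demo.

```python
import errno
import socket

ENCASE_SERVLET_PORT = 4445  # vendor default; changed with the -l switch at install

# Constructed explanations: what each TCP-level outcome usually means for the servlet.
MEANING = {
    "open": "connection accepted: something is listening, probably the servlet "
            "(confirm with 'net start' on the target)",
    "refused": "host answered with a reset: reachable, but nothing listens on "
               "this port (servlet stopped, or installed with another -l port)",
    "filtered": "no answer before the timeout: a desktop firewall is most "
                "likely dropping the traffic, the usual culprit",
    "unreachable": "no route to host: a network problem, not a servlet problem",
    "unresolved": "hostname did not resolve: check the name or use the IP",
}


def probe_servlet_port(host, port=ENCASE_SERVLET_PORT, timeout=3.0):
    """Attempt one TCP connection and classify the outcome.

    Unlike a bare 'telnet host 4445', this separates 'refused' (port closed)
    from 'filtered' (silently dropped), which point at different fixes.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "refused"
    except socket.gaierror:
        return "unresolved"
    except socket.timeout:  # alias of TimeoutError on Python 3.10+
        return "filtered"
    except OSError as exc:
        if exc.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
            return "unreachable"
        return "filtered"


def diagnose(host, port=ENCASE_SERVLET_PORT, timeout=3.0):
    """Return a one-line verdict for the examiner."""
    state = probe_servlet_port(host, port, timeout)
    return f"{host}:{port} {state} - {MEANING[state]}"


def start_loopback_listener():
    """Constructed stand-in for a listening servlet on an ephemeral port (demo only)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv, srv.getsockname()[1]


if __name__ == "__main__":
    import sys
    print(diagnose(sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"))
```

Run it as `python probe.py targetIP` from the examiner workstation; a “filtered” result is your cue to look at the firewall on the target before anything else.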
Hi Dave,
Is it true to say that EnCase is running as a root kit on a workstation?
Is it true that the process “enstart.exe” may be hidden or renamed in the net start services list?
This forensic software runs underneath the OS?
EnCase is not OS-dependent?
Other rootkits installed on the same workstation will be detectable instantly?
Thanks for your answers.
Frank
@Frank
Hi Frank, I’ll try to answer your questions in order.
I wouldn’t characterize EnCase as a rootkit per se as it doesn’t permit you to manipulate data or alter the target machine in any fashion. It provides write-blocked read-only access in order to maintain forensically sound methods.
Enstart.exe is the default name for the servlet portion of EnCase Enterprise which gets installed on the target machine. As with any service, yes, it can be renamed and/or hidden.
EnCase is limited to the operating systems that it can in fact analyze. However, there aren’t any consumer-grade operating systems that are immune that I’m aware of. It will work with Windows, *nix (incl. Mac), et cetera.
EnCase can perform either a logical or physical disc capture.
Now rootkits are in fact detectable. But I should say that this is an investigative tool as opposed to a proactive defense. So, I’m not sure if you are searching for an antivirus type capability. In the past I have managed to ferret out evidence pertaining to Adore, NTIllusion, Vanquish, FU Rootkit and Hacker Defender to name a few.
I hope this helps.
cheers,
Dave
Hi Dave,
Thanks for your answers; they all sound good and right to me.
I got those questions in my mind after reading an article in a magazine called “The Hacker Quarterly 2600” (volume 24, #4). The article is “Forensics Fear” (page 51) and it talks about a piece of software that “looks and feels” like EnCase. The author said the software can change files, but your answers tell me he was completely wrong on this point.
Thanks again for your answers.
Frank
Hi,
I’m not familiar at all with Encase and would like to know a little more.
How does Encase make time zone adjustments? I’ve been working on a case where the forensic expert says there was a software issue and an incorrect adjustment for British Summer Time was made, moving the time 1 hour back instead of 1 hour forward. Does anyone know of this bug, or was it likely to be user error?
If Encase makes an adjustment, does it do it on a file-by-file basis or for the whole drive that is being copied?
Why would you use port 4445? Why not something that nothing else uses, or rarely uses? I’m just finding out that it conflicts with other well-known/used software. Seems silly to pick a port that is already heavily used.
@NI Did you read the post? Silly that the vendor has a default port? They’ve been using that for years. I’m confused, what exactly makes it silly?
Silly would be leaving a comment on a web site from a corporate network connection and hoping to be anonymous. 😉
Cannot install Guidance Software Encase Servlet 7.13.00.11 on Windows 10, 1709 (Fall Creators). After running Setup.EXE it stops right away. Installing on Windows 10 1703 (Creators) has no issue. Has anyone run into this problem, and if so, what is the fix?
Thank you