One thing that tends to bite folks in the backside when dealing with EnCase is a desktop firewall. If you are trying to communicate with a servlet running on a target machine check that the port is listening. The default listening port for the EnCase servlet is TCP 4445. That is assuming you have not changed it to some other port. To change the listening port use the -l switch on install.
An easy way to check is to simply telnet to the port.
Example: “telnet targetIP 4445“.
If you get a connection this will (possibly) mean that the servlet is listening. If you do not, there is a chance that they system is running the windows firewall or whatever similar product you might be using in your enterprise. The vast majority of the time this is the culprit with failed communication from the EnCase Examiner and the servlet.
To check if your local system has the servlet running simply type:
C:\net start
This will list the services that are running on your windows box and look for the service named “enstart”. Unless of course it has been renamed in your corporate environment.
This may seem simple but, by and large the desktop firewall tends to be overlooked by rookie forensic examiners causing them much grief.
[tags]EnCase, Forensics[/tags]