
EnCase Trouble Shooting

One thing that tends to bite folks in the backside when dealing with EnCase is a desktop firewall. If you are trying to communicate with a servlet running on a target machine, first check that the port is listening. The default listening port for the EnCase servlet is TCP 4445, assuming you have not changed it to some other port. To change the listening port, use the -l switch on install.

An easy way to check is to simply telnet to the port.

Example: "telnet targetIP 4445"

If you get a connection, this (probably) means that the servlet is listening. If you do not, there is a chance that the system is running the Windows firewall or whatever similar product you use in your enterprise. The vast majority of the time this is the culprit when the EnCase Examiner fails to communicate with the servlet.

To check if your local system has the servlet running simply type:

C:\> net start

This lists the services that are running on your Windows box; look for the service named "enstart", unless of course it has been renamed in your corporate environment.

This may seem simple, but by and large the desktop firewall tends to be overlooked by rookie forensic examiners, causing them much grief.
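As an added example (not code from the original post or from Guidance Software), the two checks above can be scripted so the verdict is unambiguous: a TCP connect that is refused means nothing is listening on that port, while one that times out with no answer is the classic signature of a desktop firewall silently dropping the packet. The port 4445 comes from the post; the host names, the sample "net start" output and the "enstart" service name lookup are assumptions or constructed samples.

```python
"""Scripted version of the EnCase servlet connectivity checks from the post:
a telnet-style TCP probe of the servlet port and a lookup of the service name
in `net start` output. Added example, not part of the original post."""
import socket
import subprocess
import sys

ENCASE_DEFAULT_PORT = 4445  # default servlet port from the post (changeable with -l)


def probe_port(host, port=ENCASE_DEFAULT_PORT, timeout=3.0):
    """Return 'open', 'refused', 'filtered' or 'unreachable' for host:port.

    'refused'  -> the host answered with a TCP RST: nothing listens there.
    'filtered' -> no answer before the timeout: typical of a desktop firewall
                  dropping the connection attempt, which is what the post
                  says is the usual culprit.
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"
    except socket.timeout:
        return "filtered"
    except ConnectionRefusedError:
        return "refused"
    except OSError:
        # No route / host down: not a firewall verdict, report it separately.
        return "unreachable"
    finally:
        s.close()


def parse_net_start(output):
    """Parse the text printed by `net start` into a list of service names.
    Service names are indented; the header and footer lines are not."""
    return [line.strip() for line in output.splitlines()
            if line.startswith(" ") and line.strip()]


def service_listed(output, name="enstart"):
    """Case-insensitive check for a service name in `net start` output."""
    return name.lower() in (n.lower() for n in parse_net_start(output))


def demo_local_probe():
    """Self-contained demonstration of the two probe outcomes that can be
    produced offline: open a listener on an ephemeral loopback port, probe it
    (expect 'open'), close it, probe again (expect 'refused')."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    port = listener.getsockname()[1]
    while_open = probe_port("127.0.0.1", port)
    listener.close()
    after_close = probe_port("127.0.0.1", port)
    return while_open, after_close


# Constructed sample of `net start` output (not captured from a real host).
SAMPLE_NET_START = """These Windows services are started:

   DHCP Client
   enstart
   Windows Firewall/Internet Connection Sharing (ICS)

The command completed successfully.
"""

if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"  # assumed target
    print(f"{target}:{ENCASE_DEFAULT_PORT} -> {probe_port(target)}")
    print("local demo (open, refused):", demo_local_probe())
    if sys.platform == "win32":
        out = subprocess.run(["net", "start"], capture_output=True, text=True).stdout
        print("enstart listed:", service_listed(out))
    else:
        print("enstart in sample output:", service_listed(SAMPLE_NET_START))
```

Run it with the target IP as the first argument. A "filtered" result against a host you know is up points at the firewall rather than at the servlet; a "refused" result means the servlet is not listening on that port at all (check whether it was installed with a different -l port, or whether the service is running).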

Frank said,

    February 24, 2008 @ 3:14 pm

    Hi Dave,

    Is it true to say that EnCase is running as a root kit on a workstation?
    Is it true that the process “enstart.exe” may be hidden or renamed in the net start services list?
    This forensic software runs underneath the OS?
    EnCase is not OS-dependent?
    Other rootkits installed on the same workstation will be detectable instantly?

    Thanks for your answers.

    Frank

    Dave Lewis said,

    February 25, 2008 @ 2:14 pm

    @Frank

    Hi Frank, I’ll try to answer your questions in order.

    I wouldn’t characterize EnCase as a rootkit per se as it doesn’t permit you to manipulate data or alter the target machine in any fashion. It provides write-blocked read-only access in order to maintain forensically sound methods.

    Enstart.exe is the default name for the servlet portion of the EnCase Enterprise which gets installed on the target machine. As with any service yes, it can be renamed and/or hidden.

    EnCase is limited to the operating systems that it can in fact analyze. However, there aren’t any consumer grade operating systems that are immune that I’m aware of. It will work with Windows, *nix (incl Mac) et cetera.

    EnCase can perform either a logical or physical disc capture.

    Now rootkits are in fact detectable. But I should say that this is an investigative tool as opposed to a proactive defense. So, I’m not sure if you are searching for an antivirus type capability. In the past I have managed to ferret out evidence pertaining to Adore, NTIllusion, Vanquish, FU Rootkit and Hacker Defender to name a few.

    I hope this helps.

    cheers,
    Dave

    Frank said,

    February 25, 2008 @ 10:41 pm

    Hi Dave,

    Thanks for your answers and they all sound good and right to me.
    I got those questions in my mind after reading an article in a magazine called “The Hacker Quarterly 2600” (volume 24, # 4). The article is “Forensics Fear” (page 51) and it talks about software that “looks and feels” like EnCase. The author said the software can change files, but your answers tell me he was completely wrong on this point.

    Thanks again for your answers.

    Frank
