Assistance with EnCase Servlet Deployment

bntrotter
(@bntrotter)
Member

First bit of information. I am the IT Security/Forensic Analyst for my enterprise; not the network/software deployment analyst.

My company wants the EnCase Servlet deployed over the enterprise for data collections. The parameters that need to be met are:

1. An admin service account assigned to enterprise machines
2. Assign the EnCase service a customized service name (not the default enstart64)
3. Have EnCase service run on the admin service account (prevent end user from stopping the EnCase service).

Discussed the needed parameters with the IT division over software deployments. They wished to use SCCM deployment of the MSI Installer. When a test deployment was performed, the service name stayed at the enstart64 default, and the service account wasn't assigned to the EnCase service.

What commands/processes would be needed to meet these parameters?

Wouldn't the EXE installer be a better fit?

Seems like I am fighting with my Network division's desire to keep things basic.

Posted : 22/02/2017 2:31 am
chrisvaughanuk
(@chrisvaughanuk)
New Member

Your best bet is Guidance. They're really helpful and obviously know the product, and the various versions of it, better than anyone else.

You will find some administrative manuals online such as these-

http://download.guidancesoftware.com/fYEavbLPmdZvCBIMvRaAQFW/V21CyK9yhxn0VEJbiC6xB7bq+lezFnh9MK/qoi32GgVz47/EilM= [Version 7]

http://download.guidancesoftware.com/YD30MjDMK96KeVWa0tiLuQmmQyt6JVCCR7iaE4YNh3e7FrK8lShT2A== [Version 6]

The version 6 manual says to use the '-n' option with setup.exe/.msi to change the service name-

-n <name> Sets the name of the servlet binary and the service name; the default is enstart.exe for the binary and enstart for the Windows Service Name.

If you consult Guidance, they'll be best placed to advise you on administration of your version - or at least could assist with manuals. There has been a lot of crossover in previous versions and perhaps there still is.

I'm pretty rusty with Enterprise/Cyber as I've not used it for a while. I can tell you, however, that we used to run the EnCase/Safe server with a service account whilst the Servlet was deployed as part of the gold build and would have had sufficient privileges to ensure that a non-admin user could not terminate it. By the way, the version 6 manual also mentions that you could hide the Servlet (x32 systems) from Task Manager but perhaps this has changed?

FYI from the version 7 manual-

Servlets
A servlet is a process or service with administrative privileges that runs on one or more target machines accessed through the SAFE. The servlet accepts commands from EnCase via the SAFE and has access to the target machines at the bit level. EnCase requests are signed by the SAFE server and verified by the network device. The servlet is signed by the SAFE server private key and contains the SAFE server public key.

Posted : 22/02/2017 10:40 am
jpickens
(@jpickens)
Active Member

Just to make sure I read this correctly, you just want to deploy the servlet to run as local service and not a domain service account, correct?

I'd highly advise anyone to never deploy with the agent running as anything but local unless you have very good reason for it.

Unless you're pushing the servlet out to a non-Windows box, it's very simple to run via SCCM, EPO, or command line install like PSExec. The user guide (like mentioned above) has all that detailed.

Also go into the C:\Programs Files\SAFE folder and there should be deployment scripts pre-made for you that you can edit and use with Perl or batch file. Just make sure you have proper rights to the endpoint when you push.

(edit) to rename the service you need to double check your flags in your deployment script as well.

Finally, you can have the SAFE do this for you when you need, but you must run the SAFE as a service account vs. local so it has the permission. Read through Sweep Enterprise and there is an option to push the safe there, as well as an enscript (depending on your version of EnCase).

Posted : 22/02/2017 7:15 pm
bntrotter
(@bntrotter)
Member

For clarification, my parameters for the Servlet deployment are:

1. Assign a service account with administrator privileges to the target machines
2. Rename the service - I do not want company personnel to be able to identify the service
3. Have the service account run the EnCase service to prevent end users from stopping the service.

Initially, I am wanting the EnCase servlet deployed to 10 machines for testing. My enterprise's network/software deployment group (not in my local office) wants to use the MSI installer over SCCM deployment.

If I am reading the EnCase documentation correctly, the MSI file runs only at default level for Win7/10 machines.

In the experience of others, which installer was used? And what is the method of deployment of choice?

Posted : 22/02/2017 10:55 pm
pbobby
(@pbobby)
Active Member

#1 will be handled by your deployment method.

#2 Do not use enstart64.exe; recommend setup.exe or setup.msi

Setup.exe -n CustomProcessName -l (recommend changing port also, but it requires your SAFE have been built with that port).

The MSI equivalent
msiexec.exe /i setup.msi /quiet ENSTCMDLINE="-n -l "

Remove the <>

#3 will be handled by your deployment method.

Posted : 24/02/2017 12:27 am
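
An added example, not part of any poster's reply or of the EnCase documentation: a PowerShell check for the two symptoms reported in the first post (service name left at the enstart64 default, logon account not applied) that can be run against the test machines after a deployment. `CustomProcessName`, the expected account and the sample service records are constructed placeholders.

```powershell
# Added example. Placeholders (assumptions): 'CustomProcessName', the expected
# logon account, and the constructed sample records at the bottom.
function Test-ServletDeployment {
    param(
        [Parameter(Mandatory)] [string] $Computer,
        [Parameter(Mandatory)] [AllowEmptyCollection()] [object[]] $Services,
        [string] $ExpectedName    = 'CustomProcessName',
        [string] $DefaultName     = 'enstart64',
        [string] $ExpectedAccount = 'LocalSystem'
    )
    $findings = @()
    $custom  = @($Services | Where-Object { $_.Name -eq $ExpectedName })
    $default = @($Services | Where-Object { $_.Name -eq $DefaultName })

    if ($default.Count -gt 0) {
        $findings += "default service name '$DefaultName' is still installed"
    }
    if ($custom.Count -eq 0) {
        $findings += "service '$ExpectedName' not found"
    } else {
        $svc = $custom[0]
        if ($svc.StartName -ne $ExpectedAccount) {
            $findings += "runs as '$($svc.StartName)', expected '$ExpectedAccount'"
        }
        if ($svc.State -ne 'Running')  { $findings += "state is $($svc.State)" }
        if ($svc.StartMode -ne 'Auto') { $findings += "start mode is $($svc.StartMode)" }
    }
    [pscustomobject]@{
        Computer  = $Computer
        Compliant = ($findings.Count -eq 0)
        Findings  = $findings -join '; '
    }
}

# Constructed sample data shaped like Win32_Service records.
$sample = @{
    'TEST-PC01' = @([pscustomobject]@{ Name='CustomProcessName'; StartName='LocalSystem'; State='Running'; StartMode='Auto' })
    'TEST-PC02' = @([pscustomobject]@{ Name='enstart64'; StartName='LocalSystem'; State='Running'; StartMode='Auto' })
}
$sample.GetEnumerator() | ForEach-Object {
    Test-ServletDeployment -Computer $_.Key -Services $_.Value
} | Format-Table -AutoSize

# Live use: replace the sample with, per machine,
#   Get-CimInstance -ClassName Win32_Service -ComputerName $name
```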