EnCase Forensic allows you to preview and acquire over a network crossover cable, with the length of the crossover cable setting the limit as to how far apart the machines can be. With the EE (EnCase Enterprise) and FIM (Field Intelligence Model) editions of EnCase, the preview and acquisition occurs over the network and can occur over thousands of miles if need be. The only practical limit is the speed of the connection. This method of preview and acquisition cuts travel expenses drastically and enables incident-response time to be cut to near zero levels, if the systems are in place when the incident occurs.
Another distinction between the network cable preview and acquisition and one done with EE or FIM is that with EE and FIM, the target system is live and running its native operating system. As such, the target machine can be examined with or without the user’s knowledge and the live system-state data (volatile data) can be previewed and captured. By capturing the volatile system-state data, examiners can analyze running processes, network connections, logged-in users, and much more. Such data is valuable when examining network intrusions, mounted encrypted volumes (if mounted they can be previewed and acquired intact), cases where malicious code is running, and cases where covert analysis is warranted. The live system-state data is accessed by an optional feature called the Snapshot, which is a sophisticated EnScript located, naturally, in the EnScript section.

HPA and DCO in LinEn

LinEn supports direct access mode if the underlying Linux distribution supports it. If it doesn’t, you won’t see it. Thus, whether HPA or DCO can be seen and acquired by LinEn depends on your Linux distribution.

Remember that what is supported in the way of attached devices (USB, FireWire, SCSI, and so forth) depends completely on the Linux distribution being used. For the best device support, use the most current distributions of Linux, and update them with the most current version of LinEn.
This is not intended to be a tutorial on how to configure, administer, and use EE or FIM. That involves two weeks of training and is beyond the scope of this book. Rather, the intent here is to familiarize you with the function and features so you can understand them well enough to intelligently decide on their applicability in any given situation should the need arise to deploy them.
The major differences between the EE version and the FIM version are in licensing and configuration. The FIM version can be licensed only to law enforcement and military customers. The EE version is, essentially, for everyone else needing EE/FIM features. Additionally, typically the FIM is licensed for only one simultaneous connection, whereas EE starts at three connections and goes up depending on customer need and licensing agreements. The Snapshot feature that captures live system-state data is a separate license and is enabled for all connections when purchased.
To understand the configuration differences, you must first understand how EE is configured and functions. Only then can you appreciate how FIM differs from EE. There are three major components of an EE/FIM system. As shown in Figure 4.42, those components are the examination machine, the servlet node (target machine), and the SAFE.
FIGURE 4.42 Schematic of EnCase Enterprise. Note the three components: the examination machine, the servlet node (target machine), and the SAFE.
[Figure 4.42 labels] Examiner (IP: 128.175.24.251). SAFE, Secure Authentication For EnCase (installed on the SAFE admin’s PC; verifies the examiner’s permissions). Servlet/Node (IP: 128.175.67.3). (1) Request to preview the node located at IP address 10.0.0.2. (4) Node initiates contact with the examiner. (5) 128-bit AES encryption to a random high port on the examiner (unless statically assigned). The two remaining links are labelled: 128-bit AES encryption, destination port 4445.
As the examiner, you have EE on your examination machine. Your target machine (servlet node), however many miles away, must have a servlet installed and running. A servlet is a small piece of code that places the target machine in a server mode listening on the network for a connection. The servlet is thus a server that will communicate with your examination machine, and it must also communicate with yet another machine called a SAFE. SAFE, as explained earlier, stands for Secure Authentication for EnCase. The SAFE is not technically necessary for a network forensic connection, but it is necessary to place a high level of security and supervisory control over the entire process.
The functions of the examination machine and the servlet node (target machine) are self-evident, because they are analogous to the two machines in the network cable acquisition model. What is slightly different, however, is the installation of the servlet. The servlet acts as a secure network connection to the examination machine, after first authenticating through the SAFE. The servlet allows EE to have physical access to the target computer at a level below the operating system. When installed, the servlet listens on port 4445, but you can configure it for other ports when you create and install it.
The servlet can be preinstalled by a variety of methods, or it can be installed when needed. You can be physically present for the installation, or you can deploy the servlet remotely by using one of many remote administration tools or “push technologies,” such as Active Directory. It can be done manually or automated with scripts. To install the servlet on Windows systems, you must have administrator rights. On Linux/Unix, you must have root-level privileges. Guidance Software has published a small manual that deals strictly with deploying servlets. This document is available on its website.
The SAFE, the new piece in the model, is a stand-alone machine that stands between, initially, the examination machine and the servlet node. The SAFE is usually administered by, or at the direction of, a high-level person in the organization, typically at the level of the chief information officer or equivalent.
This SAFE administrator controls what servlet nodes the examiner can access and is dubbed the keymaster. The granularity of control can be very coarse or very fine. The controls can determine the days and times an examiner can access a given node. Further, the controls can determine the level of functions permitted to the examiner. For example, an examiner can be limited to previewing only and not permitted to acquire or copy files.
Each examiner must be added to the list of examiners for each SAFE and is assigned keys for authentication and encryption. Before a node can be accessed by an examiner, the keymaster must log on to the SAFE and add the servlet node to the list of nodes the examiner may access, along with any limitations on that access. Furthermore, all traffic between any devices in the EE system is encrypted using 128-bit AES (Advanced Encryption Standard) encryption. Thus, the SAFE provides supervisory oversight, serves as an authentication gateway, and facilitates the encryption of the network connection.
When an examiner wants to connect to a target machine, the examiner communicates with the SAFE with a request to do so. If the requested connection and access are permitted by the established rules, the SAFE communicates with the target node. The SAFE tells the target node to communicate directly with the examination machine. The servlet node (target machine) then communicates directly with the examination machine, and the session takes place with whatever controls may be in place as directed by the SAFE. This connection is depicted in Figure 4.42.
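The keymaster controls described above (per-examiner node list, permitted days and hours, permitted functions) and the brokered connection flow can be modelled together. The following is an added illustration written for this chapter, not Guidance Software's code; the class and rule names are assumptions, and the key distribution and AES transport that EE performs are left out so only the authorization decision and the order of the exchange are shown.

```python
from dataclasses import dataclass, field
from datetime import datetime
from enum import Enum


class Action(Enum):
    PREVIEW = 1  # examiner may look at the node
    ACQUIRE = 2  # examiner may also acquire/copy from it


@dataclass
class NodeGrant:
    """What the keymaster permits one examiner to do on one servlet node."""
    node: str
    actions: set        # e.g. {Action.PREVIEW} for a preview-only examiner
    days: set           # weekday numbers, 0=Monday .. 6=Sunday
    hours: tuple        # (start, end) local hour, start inclusive, end exclusive


@dataclass
class Safe:
    """Hypothetical model of the SAFE's rule set (not the real SAFE database)."""
    examiners: dict = field(default_factory=dict)  # examiner -> {node: NodeGrant}

    def add_examiner(self, name):
        self.examiners.setdefault(name, {})

    def grant(self, examiner, g):
        if examiner not in self.examiners:
            raise KeyError(f"{examiner} is not a registered examiner")
        self.examiners[examiner][g.node] = g

    def authorize(self, examiner, node, action, when):
        """Return (allowed, reason); anything not explicitly granted is denied."""
        grants = self.examiners.get(examiner)
        if grants is None:
            return False, "unknown examiner"
        g = grants.get(node)
        if g is None:
            return False, "node not granted to examiner"
        if when.weekday() not in g.days:
            return False, "outside permitted days"
        if not (g.hours[0] <= when.hour < g.hours[1]):
            return False, "outside permitted hours"
        if action not in g.actions:
            return False, f"{action.name.lower()} not permitted"
        return True, "ok"


def request_session(safe, examiner, node, action, when, examiner_port):
    """Examiner asks the SAFE; only on approval does the SAFE instruct the node,
    which then connects back to the examiner's port. Returns (session, reason)."""
    allowed, reason = safe.authorize(examiner, node, action, when)
    if not allowed:
        return None, reason
    return (node, examiner, examiner_port, action.name), reason
```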