Issafe Ugd en

Download as pdf or txt
Download as pdf or txt
You are on page 1of 180

OpenText™ EnCase™ SAFE

User Guide

The SAFE (Secure Authentication for Enterprise) is used in


conjunction with desktop and web-based clients to enable
investigations across the network. The SAFE server administers
access rights, provides for secure data transmission, and brokers
communications between endpoints and clients across your
network. The SAFE is required for network-based collection,
analysis, and investigation and is a central component for users
of OpenText security, forensic, and information assurance
products.

ISSAFE230400-UGD-EN-1
OpenText™ EnCase™ SAFE
User Guide
ISSAFE230400-UGD-EN-1
Rev.: 2023-Nov-15
This documentation has been created for OpenText™ EnCase™ SAFE 23.4.
It is also valid for subsequent software releases unless OpenText has made newer documentation available with the product,
on an OpenText website, or by any other means.

Open Text Corporation

275 Frank Tompa Drive, Waterloo, Ontario, Canada, N2L 0A1

Tel: +1-519-888-7111
Toll Free Canada/USA: 1-800-499-6544 International: +800-4996-5440
Fax: +1-519-888-0677
Support: https://support.opentext.com
For more information, visit https://www.opentext.com

Copyright © 2023 Open Text.


One or more patents may cover this product(s). For more information, please visit https://www.opentext.com/patents.

Disclaimer

No Warranties and Limitation of Liability

Every effort has been made to ensure the accuracy of the features and techniques presented in this publication. However,
Open Text Corporation and its affiliates accept no responsibility and offer no warranty whether expressed or implied, for the
accuracy of this publication.
Table of Contents
1 SAFE Introduction ..................................................................... 7
1.1 The SAFE server .............................................................................. 7
1.2 Interacting with the SAFE .................................................................. 8
1.3 SAFE configuration and management ................................................ 9
1.4 Product licensing ............................................................................... 9
1.5 System requirements ...................................................................... 10

2 Installing the SAFE .................................................................. 11


2.1 Installation overview ........................................................................ 11
2.1.1 CodeMeter ..................................................................................... 11
2.2 Installing the SAFE in virtual environments ....................................... 12
2.3 Installing the SAFE .......................................................................... 12
2.3.1 RSA SecurID configuration .............................................................. 23
2.3.2 Running the SAFE under a non-local service account ........................ 24
2.3.3 VMware support .............................................................................. 25
2.3.4 Upgrading the SAFE ....................................................................... 25
2.3.4.1 Performing a SAFE quick update ..................................................... 25
2.3.4.2 Migrating data from SAFE versions a.01 through a.11 ....................... 26
2.3.5 SAFE text logging ........................................................................... 27
2.3.6 EnCase Agent Management logging ................................................ 29
2.3.7 Advanced SAFE installation command line options ........................... 30
2.3.8 Preparing a hardware independent SAFE ......................................... 31
2.3.8.1 Certificate requirements ................................................................... 31
2.3.9 Installing a hardware independent SAFE .......................................... 32
2.4 Installing the SAFE Configuration Tool ............................................. 34
2.5 SAFE mirroring ............................................................................... 35
2.5.1 Creating a mirror set ........................................................................ 35
2.6 SAFE configuration ......................................................................... 37

3 Configuring the SAFE ............................................................. 39


3.1 Logging onto SAFE configuration via the web ................................... 39
3.2 Logging onto SAFE configuration via Endpoint Investigator ................ 42
3.3 Logout ............................................................................................ 46
3.4 Setting up the network tree .............................................................. 46
3.4.1 Setting up the network tree with EnCase Endpoint Investigator .......... 50
3.4.2 Export and import targets using EnCase Endpoint Investigator ........... 52
3.5 Setting up roles ............................................................................... 53
3.5.1 Setting up roles using EnCase Endpoint Investigator ......................... 58
3.6 Setting up user accounts and permissions ........................................ 63
3.6.1 Setting up user accounts using EnCase Endpoint Investigator ........... 73
3.7 Accessing event logs ....................................................................... 90

ISSAFE230400-UGD-EN-1 User Guide iii


Table of Contents

3.7.1 Access event logs with EnCase Endpoint Investigator ....................... 94


3.7.2 Printing or exporting event logs with EnCase Endpoint Investigator .... 97
3.8 Configuring the Network Plugin Repository ....................................... 99
3.8.1 Configuring the Network Plugin Repository with EnCase Endpoint
Investigator ................................................................................... 102
3.9 Generating encryption keys ........................................................... 106
3.9.1 Generating encryption keys using the SAFE web application ........... 106
3.9.2 Generating encryption keys using EnCase Endpoint Investigator ..... 107
3.10 Backing up the SAFE .................................................................... 108
3.11 SAFE configuration package .......................................................... 109
3.11.1 Creating a SAFE configuration package ......................................... 109
3.11.2 Installing a SAFE using a SAFE configuration package .................... 110
3.12 Configuring and managing a SAFE mirror set ................................. 111
3.12.1 Viewing the mirror set .................................................................... 111
3.12.2 Adding a SAFE to a mirror set ........................................................ 111
3.12.3 Removing a secondary SAFE from a mirror set ............................... 113
3.12.4 Promoting a secondary SAFE to primary SAFE ............................... 114
3.13 Configuring SAFE settings for desktop clients ................................. 116
3.14 Configure the SAFE and agents for off-net collection ....................... 118
3.14.1 Agent check-in configuration and management ............................... 120
3.15 Configuring EnCase Agent Management ........................................ 123

4 Deploying and managing agents ......................................... 125


4.1 Port configuration .......................................................................... 125
4.2 Variables ...................................................................................... 126
4.3 Deploying agents .......................................................................... 126
4.4 Automatically deploying agents ...................................................... 127
4.4.1 Modifying control scripts for automatic deployment of agents ........... 128
4.4.1.1 Deployment.wsf ............................................................................ 128
4.4.1.2 Additional control scripts ................................................................ 128
4.4.1.3 Testing control scripts .................................................................... 129
4.5 Deploying Windows agents ............................................................ 129
4.5.1 Running Windows agents as a service or as a process .................... 131
4.5.1.1 Running Windows agents as a service ........................................... 132
4.5.1.2 Running Windows agents as a process .......................................... 133
4.5.2 Deploying Windows agents with Active Directory ............................. 134
4.5.3 Deploying Windows agents using a domain push ............................ 134
4.5.4 Deploying Windows agents using PsTools ...................................... 135
4.5.4.1 Using PsTools to deploy agents to a single machine ....................... 135
4.5.4.2 Using PsTools to deploy agents to multiple machines ...................... 135
4.5.5 Creating a text file of nodes ........................................................... 136
4.5.6 Deploying Windows agents using IPC$ and PsExec ........................ 137

iv OpenText™ EnCase™ SAFE ISSAFE230400-UGD-EN-1


Table of Contents

4.5.6.1 Creating IPC$ connections ............................................................ 137


4.5.6.2 Copying the agent using xcopy ...................................................... 138
4.5.6.3 Executing the agent using psexec .................................................. 139
4.5.7 Deploying Windows agents using removable media and psexec ...... 140
4.5.8 Running agents on Windows IoT Core for ARM .............................. 140
4.6 Deploying *NIX agents .................................................................. 141
4.6.1 Deploying *NIX agents using removable media ............................... 142
4.6.2 Deploying *NIX agents using SSH and SCP ................................... 143
4.6.3 Deploying *NIX agents using telnet and FTP ................................... 144
4.7 Deploying Linux agents ................................................................. 144
4.7.1 Deploying the Linux agent as a process .......................................... 145
4.7.2 Deploy the Linux agent using the RPM package .............................. 146
4.7.3 Enabling the Linux agent for check-in ............................................. 147
4.7.4 Deploying the Linux agent with SysV .............................................. 148
4.7.5 Deploying the Linux agent with systemd ......................................... 150
4.7.6 Deploying the Linux agent with Upstart ........................................... 151
4.8 Deploying Solaris agents ............................................................... 152
4.8.1 Solaris agent files .......................................................................... 152
4.8.2 Solaris version .............................................................................. 152
4.8.3 Check before deploying Solaris agents ........................................... 153
4.8.4 Installing the Solaris 11 agent ........................................................ 153
4.8.5 Deploying Solaris agent as a process ............................................. 154
4.8.6 Deploying in Solaris using inittab .................................................... 155
4.9 Deploying AIX agents .................................................................... 156
4.10 Deploying macOS agents .............................................................. 156
4.10.1 SAFE version compatibility ............................................................ 157
4.10.2 Adding macOS agents to the allow list during deployment ............... 157
4.10.3 Deploying agents on macOS versions 10.12 and later ..................... 158
4.10.3.1 Agent installation with installer.zip .................................................. 158
4.10.3.2 Agent installation with installer.sh ................................................... 158
4.10.3.3 Removing the agent with terminal or SSH ....................................... 159
4.10.3.4 Verifying macOS agent deployment ................................................ 159
4.10.4 Configuring the macOS agent to work with check-in functionality ...... 159
4.10.5 Enabling full disk access for macOS agents .................................... 160
4.10.6 macOS troubleshooting ................................................................. 160
4.10.6.1 Older macOS agents fail to upgrade ............................................... 161
4.11 McAfee ePolicy Orchestrator (ePO) integration ............................... 161
4.11.1 Checking In the ePO agent package .............................................. 161
4.11.2 Installing the optional agent extension ............................................ 162
4.11.3 Creating an agent deployment task ................................................ 162
4.12 Verifying agent deployment ............................................................ 163
4.12.1 Verifying agent deployment with net start command ........................ 164

ISSAFE230400-UGD-EN-1 User Guide v


Table of Contents

4.12.2 Verifying agent deployment with netstat command .......................... 164


4.12.3 Verifying agent deployment using telnet .......................................... 164
4.12.4 Verifying AIX agent deployment ..................................................... 165
4.13 Stopping and removing agents ....................................................... 165
4.13.1 Stopping an agent using PsTools ................................................... 166
4.13.2 Removing check-in functionality ..................................................... 166
4.13.2.1 Removing the check-in agent from a Windows computer ................. 166
4.13.2.2 Removing the check-in agent from a Linux computer ....................... 166
4.13.3 Removing the Windows agent ........................................................ 167
4.13.3.1 Removing the agent using an automated procedure ........................ 167
4.13.3.2 Removing the agent manually ........................................................ 167
4.13.4 Removing the agent from Linux or macOS ...................................... 168
4.13.4.1 Determine how the agent is installed .............................................. 168
4.13.4.2 If the agent is running as a process, stop the process ...................... 169
4.13.4.3 If the Agent is running as a service, stop the service ........................ 169
4.13.4.4 Delete the agent and configuration files .......................................... 169
4.13.5 Removing the AIX package ............................................................ 170

5 Troubleshooting .................................................................... 171


5.1 Resolving installation errors ........................................................... 171
5.2 Checking the SAFE status ............................................................. 173
5.3 Stopping or starting the SAFE ........................................................ 173
5.4 Performing a service diagnostic ..................................................... 174
5.5 Checking the agent status ............................................................. 174
5.6 Checking the desktop client status ................................................. 175
5.6.1 Licensing errors ............................................................................ 175
5.6.2 Errors logging on to the SAFE ........................................................ 175
5.6.3 Desktop client errors connecting to a node ...................................... 177
5.7 Viewing and exporting event log files .............................................. 177
5.7.1 Logon events ................................................................................ 177
5.7.2 System events .............................................................................. 178
5.7.3 Role events .................................................................................. 178
5.7.4 Administration events .................................................................... 178
5.7.5 Active Directory authentication events ............................................ 179
5.7.6 Job events .................................................................................... 179

vi OpenText™ EnCase™ SAFE ISSAFE230400-UGD-EN-1


Chapter 1
SAFE Introduction

The SAFE (Secure Authentication for Enterprise) is a central component for users of
OpenText EnCase security, forensic, and information assurance products. The SAFE
enables network-based collection, analysis, and investigation via desktop and web-
based clients. The SAFE server administers access rights, provides for secure data
transmission, and brokers communications between endpoints across your network
and EnCase products. Multiple SAFE servers can be installed within an organization
based on factors such as geography, network topology, network speed, redundancy,
and type of endpoint.

This user guide is written for SAFE administrators responsible for the following
tasks:

• Installing and configuring the SAFE server


• Configuring and managing user accounts, roles, and permissions for OpenText
products that use the SAFE
• Deploying agents
• Troubleshooting network, SAFE, and agent issues
• Configuring EnCase desktop applications and web clients to work with the SAFE

For information about OpenText products that use the SAFE, see the user or
administrative guide for the corresponding product from OpenText My Support
(https://support.opentext.com).

Refer to the product release notes for specific compatibility details, supported
operating systems, and additional information on third party software.

1.1 The SAFE server


A SAFE server enables OpenText EnCase products to securely access endpoints and
servers on an organization’s network. The SAFE server administers access rights,
enables secure data transmission, manages jobs sent to endpoints, and gathers
information about the endpoint on a network.

Multiple SAFE servers can be installed within an organization.

The SAFE provides these core functions:

• User authentication – Multiple user authentication methods are supported,


including Microsoft Active Directory, smart card, RSA SecurID, or PKI. The
SAFE can be used to generate PKI keys for users. See “Generating encryption
keys” on page 106.

ISSAFE230400-UGD-EN-1 User Guide 7


Chapter 1 SAFE Introduction

• Encrypted communication – The SAFE uses 128-bit and 256-bit AES encrypted
data streams to protect inter-component and SAFE-endpoint communication.
• Role-based access controls – The SAFE server uses role-based permissions to
control access and ensure policy enforcement as well as role-based permissions
to control investigative functions, such as acquisitions and image viewing. User-
based permissions apply to administrative functions, such as the ability to add
other users and modify the network. The SAFE administrator can view all rights
for each user, their assigned roles, and all network devices the user can access.
See “Setting up roles” on page 53 and “Setting up user accounts and
permissions” on page 63.
• Logging – Logs are generated for transactions conducted on a particular SAFE
server. These logs can be used to establish an initial chain of custody by
indicating the date and time that a certain network device was previewed or
acquired. The logging also provides security auditing to allow the administrators
of a SAFE server to easily determine how particular investigators have used the
system. See “Accessing event logs” on page 90.
• Job queuing and endpoint queries – EnCase Agent Management, a component
of the SAFE, queues jobs for endpoints and permits administrators to view the
status of endpoints on the network.

1.2 Interacting with the SAFE


Most EnCase products interact regularly with the SAFE. Depending on the EnCase
application, users may interact with the SAFE via a desktop client, a web client, or
both. In general, the desktop application requires the user to log on directly to the
SAFE in order to interact with data sources. Web applications generally handle
SAFE interaction on behalf of the user.

• EnCase Endpoint Investigator users interact with the SAFE via web or desktop
clients.
• EnCase Information Assurance and EnCase Endpoint Security users primarily
use a web client to interact with the SAFE.

For EnCase Endpoint Investigator users, the desktop client is installed on a user’s
primary workstation. It uses a secure virtual connection to communicate with target
machines across the network. The number of concurrent connections determines the
number of machines that can be analyzed simultaneously.

When paired with a SAFE, the desktop client enables you to:

• Add and list the SAFE nodes available on the network


• Provide sign-in access to the SAFE for those nodes
• Add and list network devices connected to each of the SAFE nodes

The desktop investigative client uses the agent installed on a specific node to
remotely discover, preview, and acquire data.

8 OpenText™ EnCase™ SAFE ISSAFE230400-UGD-EN-1


1.3. SAFE configuration and management

See “Configuring SAFE settings for desktop clients” on page 116 to configure the
desktop client to perform investigations across the network and to enable access to
the SAFE.

A valid license is required to use the OpenText EnCase products. Physical security
keys, electronic licenses, License Manager, and CodeMeter licenses can be used for
product licensing. For more information about product licensing, see “Product
licensing” on page 9.

For web-based EnCase application users, SAFE access is usually configured by the
SAFE administrator using EnCase Endpoint Investigator or via a standard web
browser.

1.3 SAFE configuration and management


To configure and manage the SAFE, use either of the following applications:

• EnCase Endpoint Investigator

• SAFE configuration via a standard web browser

If your user account is enabled with administrative access to the SAFE, you can
perform numerous administrative tasks either via EnCase Endpoint Investigator or a
standard web browser. The web-based SAFE management module is a component
of the SAFE. It can perform all administrative functions found in EnCase Endpoint
Investigator.

Note: The SAFE Configuration Tool desktop application, which performs


administrative functions, has been deprecated. While the SAFE 23.2 installer
includes the SAFE Configuration Tool, it will no longer include it in future
releases.

SAFE management and configuration is nearly identical for EnCase Endpoint


Investigator and SAFE configuration via a web browser. This user guide notes
where a configuration or management procedure differs between the two methods.

1.4 Product licensing


The SAFE does not require licensing. To configure licensing for EnCase products,
see the documentation for that product.

The transition in product licensing to CodeMeter license server began with release
21.1. License Manager, the legacy product licensing mechanism for EnCase
products, will be deprecated in a future release. Documentation for License Manager
that was previously found in the SAFE 20.4 User Guide has been removed from the
SAFE 21.1 User Guide and later versions. For information about License Manager,
refer to the SAFE 20.4 User Guide.

ISSAFE230400-UGD-EN-1 User Guide 9


Chapter 1 SAFE Introduction

1.5 System requirements


System software and hardware requirements for the SAFE and SAFE server are
listed in the following table.

The SAFE web server is automatically installed with the SAFE. It includes the
EnCase Agent Management module and SAFE configuration module and requires
additional disk storage, as noted below.

System Requirements
Class Desktop or server class hardware (64-bit)
Operating System • Windows Server 2016
• Windows Server 2019
• Windows Server 2022
Processor (CPU) • Intel® Core i5, i7, i9
• AMD Ryzen or Epyc
Memory (RAM) 16 GB or more
Hard Drive Capacity 3 GB free space on system volume required for installation

40 GB minimum storage required for SAFE application

200 GB minimum storage required for SAFE web server


Network Configuration Gigabit Ethernet (GbE)
VMware Support is provided for running the desktop client on
VMware and Boot Camp as follows. VMware is only
supported with electronic licensing.
• VMware Workstation 6.5
• VMware Workstation 7.0
• VMware Server 1.1 (GSX)
• VMware vSphere 4.0 ESXi
• VMware vSphere 5.5 ESXi
• Boot Camp v2.0
• Boot Camp v3.0

10 OpenText™ EnCase™ SAFE ISSAFE230400-UGD-EN-1


Chapter 2
Installing the SAFE

Check the current Release Notes for your product to determine the compatible
version number of the SAFE.

2.1 Installation overview


Before you begin installing the SAFE, confirm the following:

• You have a registered customer account at OpenText My Support..


• Your OpenText My Support customer account is linked to the product
purchasing account.
• You have the latest SAFE installer, which can be downloaded at OpenText My
Support (https://support.opentext.com).
• You have local administrator rights on the destination computer.
• Host-based firewall is off or set to allow TCP connections to the SAFE processes

– For the SAFE, the default value for the TCP port is 4445.
• If you intend to use SAFE mirroring and are installing one or more secondary
SAFEs, see “Configuring and managing a SAFE mirror set” on page 111 for a list
of prerequisite steps.
• For the SAFE, if you intend to use features that rely on check-in functionality, the
destination computer must have a public-facing IP address.

Note: If you only use EnCase Forensic, you do not need to install the SAFE.

2.1.1 CodeMeter
As of release 21.4, SAFE does not require a CodeMeter license. CodeMeter runtime is
still installed and used by the SAFE for internal application use. While CodeMeter is
not used by SAFE for licensing, it is used for licensing in other EnCase products.
Refer to product-specific documentation for information about CodeMeter licensing.

ISSAFE230400-UGD-EN-1 User Guide 11


Chapter 2 Installing the SAFE

2.2 Installing the SAFE in virtual environments


You can deploy the SAFE entirely within virtual environments.

With a standard installation, the SAFE generates a machine key calculated based, in
part, on the hardware profile of the machine on which it was generated. Because
virtual machines may regularly use different processing resources, it is
recommended that a hardware-independent SAFE be used in virtual environments.

2.3 Installing the SAFE


For a pre-installation checklist and overview of the SAFE installation process, see
“Installation overview” on page 11.

If you want to upgrade an existing SAFE, you can perform a quick update. See
“Upgrading the SAFE” on page 25.

For installation troubleshooting, see “Resolving installation errors” on page 171.

Note: To perform an advanced SAFE installation using command line options,


see “Advanced SAFE installation command line options” on page 30.

To install a SAFE:

1. Download and run the SAFE installation wizard from OpenText My Support.

2. Select an installation path. The default is C:\Program Files\OpenText\SAFE.

3. Click Next. The End User License page appears the first time a SAFE is
installed on a machine.

4. Select the I agree and accept check box to accept the end user license agreement.
5. Click Next.
The SAFE Private Key page appears.

12 OpenText™ EnCase™ SAFE ISSAFE230400-UGD-EN-1


2.3. Installing the SAFE

• Create a new key creates a new set of SAFE encryption keys. This is
typically used when installing a SAFE for the first time, in an environment
using only one SAFE.
• Import existing private key allows you to select an existing private key for
use with the agents. This is typically used when multiple SAFEs are used in
the enterprise environment and matching agents are desired for each SAFE.
Accept the suggested path for the SAFE.PrivateKey or browse to another
location. Enter the password associated with this private key.
• Use key from existing installation updates your current SAFE after you
have opted not to use the quick update feature.
• Read key from SAFE backup token enables you use a key from your
backup file. To install the same SAFE on a new computer, you must have a
backup copy of your SAFE folder, including the SAFE Backup.spvk and the
keymaster.PrivateKey files. You must also know the SAFE backup token
password. If you are adding a SAFE to a mirror set, you must have
previously copied the SAFE Backup.spvk and the keymaster.PrivateKey
from the Primary SAFE to the installation location. See “Creating a mirror
set” on page 35 for more information.
• Uninstall and remove the SAFE stops the SAFE service, and removes the
SAFE from the computer.
• Read from backup lets you restore the SAFE settings from the .sbk backup
file. This file is generated when the keymaster performs a manual backup of
the SAFE configuration. You can also install a SAFE from a backup file using

ISSAFE230400-UGD-EN-1 User Guide 13


Chapter 2 Installing the SAFE

the command line. Run the SAFE executable and append the following
options: -frombackup [backup file path] -targetfolder [install folder
path].

• Install using existing SAFE Configuration Package enables you to set up a


SAFE sharing the configuration and agents from another SAFE. See
“Installing a SAFE using a SAFE configuration package” on page 110 for
more information.
• Migrate data from an existing Guidance SAFE enables you to migrate data
from a legacy Guidance Software SAFE (a SAFE prior to v20.2).
• Use Port to specify the port the SAFE uses to communicate across the
network. We strongly recommend keeping the 4445 default value.

Note: The SAFE cannot share the port with another application. If you
change the default, confirm there is no conflict with another application.

6. Click Next. The Check In Information page appears.

Note: Entering information in this page is optional. If you do not plan to


use the check-in or volatile artifacts storage functionality, keep the default
settings. You can reconfigure these and other SAFE options by running the
installer later.

• Check In Options enables you to configure agents that check on nodes, such
as laptops, that are not connected continuously to the network. This
functionality is available for certain products (such as EnCase Endpoint

14 OpenText™ EnCase™ SAFE ISSAFE230400-UGD-EN-1


2.3. Installing the SAFE

Investigator and EnCase Information Assurance). By default, check-in


functionality is off.

– In the SAFE list box, identify the SAFE with the fully-qualified domain
machine name or IP address and port number. Node machines use this to
locate the SAFE on the network. There can be more than one machine
name or IP address for the SAFE machine, depending on the setup of the
network. A publicly facing IP address must be used for some features,
such as off-net collection jobs. Use the format, [IP Address/Machine
Name]:[Port].

– Interval (Minutes) is the interval between check-in attempts, in minutes.


– Select the Round Robin SAFE check box if you have multiple SAFEs and
want initial agent check-in to be randomly assigned from the SAFE list,
and then move sequentially through the list after that. After the end of
the list is reached, check-in moves to the first SAFE in the list. This option
may be useful to distribute check-in load among multiple SAFEs. If the
Round Robin check box is cleared, the SAFE list is treated as an ordered
list. The agent would always check in to the first SAFE in the list, if it is
available. If the first SAFE is not available, the agent attempts to check in
to next SAFE in the list.
• Volatile Artifacts Storage is a feature used by EnCase Endpoint Security. It
should not be enabled for other EnCase products.

– Select the Enabled check box to enable automatic snapshot settings when
manually deploying agents. This feature will only function if your
OpenText application supports automatic snapshot functionality.
– Interval (Minutes) is the interval between snapshots, in minutes.
– Number of snapshots to retain is the maximum number of snapshots
stored.

7. When done, click Next.


The Options page appears.

ISSAFE230400-UGD-EN-1 User Guide 15


Chapter 2 Installing the SAFE

• Enter a SAFE name.

– We recommend you name the SAFE to reflect the location of the SAFE
within the organization or by number (if there are multiple SAFEs).
– If you are upgrading your SAFE, do not change the existing name.
• Enter a Service Name. This can be the same name as the SAFE.
• Select Enable Event Logging to turn on Windows event logging. This logs
SAFE events to the Windows Event Log.

– Logged events include logons, logoffs, user creation, user modification,


etc.
– Log messages are written into the non-encrypted Windows Event Log.
– You can only enable event logging during the installation process.
– SAFE events are always logged internally in an encrypted, proprietary
format.
– This setting only affects the Windows Event Log.
• Select Enable Text Logging to turn on text logging. Text logs can be used to
analyze or troubleshoot the SAFE. Text logs can also be integrated with third
party applications such as Splunk.

– With the text logging feature enabled, logs are written as unencrypted
plain text files to the TextLogs subfolder relative to the SAFE installation
folder.

16 OpenText™ EnCase™ SAFE ISSAFE230400-UGD-EN-1


2.3. Installing the SAFE

– By default, this location is: C:\Program Files\OpenText\SAFE\TextLogs.


– Log files use the following name convention: SafeLog[DATE_TIME].log
• Select Allow legacy AES-128 connections to allow the SAFE to
communicate with endpoints and clients using legacy AES-128 session keys.

– Desktop applications released before a.09 authenticate use AES-128


session keys.
– The SAFE and agents released before a.09 authenticate with and use
AES-128 session keys.
– If this option is cleared, the SAFE rejects all legacy AES-128 session keys.
Legacy agents are still upgraded.

8. If using RSA SecurID authentication, click the Configure RSA SecurID button.
The Configure RSA SecurID page appears.

• Enter the Primary RSA Authentication Server URL and port number
(example: https://dev-rsa-as-01.rd.otex:5555).
• Enter the 1st Replica RSA Authentication Server URL (optional).
• Enter the 2nd Replica RSA Authentication Server URL (optional).
• Enter the Access KEY.
• Enter the Access ID (optional).
• Select the method to register the Authentication Agent Name:

– Use “OpenText EnCase SAFE“ – All SAFEs on your network that use
this option can have RSA SecurID enabled or disabled with a single RSA
Authentication Manager command.
– Use SAFE Server’s FQDN – Select this option to permit the RSA
Authentication Manager administrator to enable or disable RSA SecurID
usage on individual SAFEs.
• Click OK.

Note: Use of RSA SecurId requires configuration of the


RSA Authentication Manager by the RSA Administrator. See “RSA
SecurID configuration” on page 23 for details.

9. Mirror Settings are used to set up this SAFE as a mirror to a pre-existing


Primary SAFE. If you are setting up a single SAFE, do not intend to use the
SAFE mirroring function, or are setting up a Primary SAFE, leave these settings
blank. For more on configuring and managing a SAFE mirror set, see SAFE
mirroring.

• Primary SAFE Host – Enter the hostname or FQDN of the primary SAFE.
An IP address can not be used.
• Port – Enter the port used for SAFE communication. Default port is 4445.

ISSAFE230400-UGD-EN-1 User Guide 17


Chapter 2 Installing the SAFE

• Update Poll Rate – Enter the interval in minutes at which the secondary
SAFE will poll the primary SAFE.
• Leave Mirror Set – Select this check box if you want to remove this
secondary SAFE from an existing mirror set. This option is only active if the
SAFE is an existing secondary SAFE that is part of a mirror set.

If configuring the SAFE as part of a mirror set, a valid primary SAFE hostname
or FQDN must be entered. When you click Next, an error message will be
displayed if the installer cannot connect with the Primary SAFE.

10. Click Next. The Generate Keymaster Keys page appears.

The Keymaster Type box contains three options:

• Use Keymaster Key Pair – Select this option if you have an existing
keymaster key pair and want to use it.

– The Keymaster Key Path Field in the Existing Keymaster box is active
when the above option is selected. Enter the path to the keymaster file or
click the browse button to navigate to the file.
• Use Active Directory Logon – Select this option if you want to associate the
keymaster with an Active Directory user.

– The Active Directory Keymaster field in the Existing Keymaster box is


where the AD user assigned to the keymaster role is listed when the

18 OpenText™ EnCase™ SAFE ISSAFE230400-UGD-EN-1


2.3. Installing the SAFE

Active Directory Logon option is selected. Click the browse button to


display the Select User dialog box. Enter an AD user and click OK.

Note: OpenText recommends creating a unique Active Directory


service account to use as keymaster rather than a user account. In
the event of personnel changes, the keymaster AD service account
would be unaffected by disabled user accounts.
• Generate New Keymaster Keys – Select this option if you need to activate
the options in the Keymaster Generation box and generate new keymaster
keys. If you have existing keys, select the Use Keymaster Key Pair option
instead.

– Enter a unique Key Path location or browse to another location.


– Enter a secure password and re-enter the password. The Next button
becomes active when valid key path and password are entered.

11. Click Next. The SAFE Backup Token Password page appears.
Create a password for the SAFE Backup Token, confirm the password, and click
OK.
The Secondary Authentication page appears.

• Additional authentication for the keymaster may be used if a SAFE


keymaster pair was used in the previous step. If Active Directory was used
for keymaster authentication in the previous step, secondary authentication
is disabled and cannot be added. Secondary authentication is optional but

ISSAFE230400-UGD-EN-1 User Guide 19


Chapter 2 Installing the SAFE

must be configured during this step of SAFE installation. To skip this step,
keep the default None option. To use additional authentication, select one of
three available authentication options.

– Select Active Directory Authentication to use Active Directory


credentials.

○ Under Domain Trustee, click the browse button to select a user or


group.
○ In the dialog box that is displayed, enter the required information to
select a user or group to assign as keymaster.
○ When done, click OK.
○ To either disassociate the keymaster account from the Active
Directory account, or associate the keymaster account with another
Active Directory account, you must run the SAFE installer again.
– Select Smart Card Authentication to use smart card credentials. Add the
user certificate via card or file.

○ Click Card... to read the certificate directly from the card. The Select A
Certificate dialog box displays available certificates. Select one and
click OK.
○ Click File... to import the certificate from a file. Two formats are
supported: DER encoded X.509 and Base-64 encoded X.509. Select the
user’s certificate file and click OK. On successful import of the
certificate, the certificate is displayed in the Smart Card Certificate
box.
– Select RSA SecurID Authentication to use RSA SecurID credentials.

○ Enter the RSA Username to associate with the keymaster account. To


use RSA SecurID, you must have configured the SAFE to
communicate with RSA SecurID Authentication Manager during the
Options step of SAFE installation.

12. Click Next.


The AMP User Configuration page appears. Use this page to configure the
EnCase Agent Management (EAM) component of the SAFE. EnCase Agent
Management is also referred to as the Agent Management Platform (AMP).

20 OpenText™ EnCase™ SAFE ISSAFE230400-UGD-EN-1


2.3. Installing the SAFE

13. Select the user EnCase Agent Management will use to authenticate access to the
SAFE.

• Existing User – Select a user from a list of existing SAFE users. The Choose
SAFE User drop-down is visible when you select a user from the list. The
user’s private key or Active Directory password also must be provided.
• New SAFE User(auto-generate keys) – Create a user, called
AMPAutoGenUser_, that is used for the sole purpose of authenticating
AMP access to the SAFE. It is not used for other SAFE functions. No
additional information is needed on this page if this option is selected. This
option is selected by default if there are no existing users.
• New Active Directory User – Select to add an Active Directory user. The
Active Directory Logon Settings box is activated. Select a Domain Trustee
and enter their Password.
• New SAFE User(provide keys) – Select to add a new SAFE user. The
SAFE User Settings box is activated. Select a Private Key File and
corresponding Password.

14. Click Next.


The Complete Installation page appears.

ISSAFE230400-UGD-EN-1 User Guide 21


Chapter 2 Installing the SAFE

• Enter the Port number the EnCase Agent Management service will use to
serve web pages, or use the default 8443 value.
• Enter the Log Listener Port number, or accept the default 13000 value.
• Enter the Web Address the SAFE web server will display when serving
pages to SAFE users. The port is automatically appended to the web
address.
• Click the Certificate (optional) button to display the Import a Certificate
dialog box.

– Click the browse button to add a new or link to an existing Pfx


Certificate File. This file will indicate a secure connection to the server in
the SAFE user’s browser.
– Enter the optional Certificate Password if a certificate file was added.

Note: If you need to install a new certificate, re-run the SAFE installer.
It is important to install the new certificate and complete the SAFE
installation process before removing old certificates.

15. Click Finish to complete SAFE installation. When finished, the SAFE Setup
Complete page appears.

16. Click Yes to create a copy of the public key certificate for distribution.

17. Select a location for the public key and click OK. A confirmation dialog box
opens.

22 OpenText™ EnCase™ SAFE ISSAFE230400-UGD-EN-1


2.3. Installing the SAFE

18. Click OK to complete the installation. A confirmation pop-up is displayed on


successful installation.
19. Click OK to close the pop-up.

Your SAFE is now running and ready for use.

2.3.1 RSA SecurID configuration


To enable users to use RSA SecurId Authentication with the SAFE, you must do the
following:

• Add RSA SecurID configuration information to the SAFE during


SAFE installation.
• Retrieve two RSA certificates from the RSA Authentication Manager server and
install them on the machine where the SAFE is installed.
• Add an OpenText EnCase SAFE authentication agent to the RSA Authentication
Manager server.
• Configure the user accounts in the SAFE to use RSA SecurID authentication.
• Configure the investigation application on user workstations to use
RSA SecurID authentication to log onto the SAFE.

Collect the following from the administrator of the RSA Authentication Manager
prior to configuring the SAFE:

• Primary RSA Authentication Server URL - The URL (including port number) of
the server hosting RSA Authentication Manager. The port number is typically
5555.
• Replica RSA Authentication Server URLs - The SAFE will automatically fail
over to using these RSA Authentication Servers if the Primary is unreachable.
• Access KEY - A secret key used to prove the SAFE has permission to use the
above Authentication Manager.
• Access ID - A unique identifier of the specific Authentication Manager this SAFE
is using. Optional at this time, but may be required in the future.
• Server certificates for web browsers to validate the RSA Authentication Manager
administration pages.

To set up your SAFE and investigative applications to use


RSA SecurID authentication:

1. Run the SAFE installer. (See “Installing the SAFE” on page 12)

a. Advance to the Options page.


b. Click the Configure RSA SecurID button and add the values collected
above in the dialog box that opens.
c. If using RSA SecurID for keymaster authentication, select the option on the
Complete Installation step of SAFE installation wizard.

ISSAFE230400-UGD-EN-1 User Guide 23


Chapter 2 Installing the SAFE

d. Complete SAFE installation.

2. Install the following RSA certificates into Trusted Root Certificate Authorities
for ‘Local Computer’ on the SAFE machine.

• The certificate for your Primary RSA authentication server


• The “RSA root CA” certificate

Note: If you intend to access RSA Authentication Manager Security


Console web page, you must install the RSA certificates on your client
machine as well.

3. Add an OpenText EnCase SAFE authentication agent to the RSA Authentication


Manager.

a. Log into the RSA Security Console.


b. Navigate to Access > Authentication Agents > Add New. A dialog box
appears.
c. Set the Hostname to OpenText EnCase SAFE.
d. Leave the IP Address field blank.
e. Select the Protect IP Address check box to prevent auto-registration from
unassigning an IP address.
f. For Agent Type, select Standard Agent.
g. Click OK to add the agent.

4. Configure the SAFE user accounts to use RSA SecurID as an authentication


method. (See “Setting up user accounts and permissions” on page 63)

5. Configure the Options in the investigative application to use RSA SecurID


authentication. (See the configuration options for your investigative product to
enable RSA SecurID)

2.3.2 Running the SAFE under a non-local service account


With certain restrictions, you can run the SAFE under a custom service account.

When the SAFE is installed, the service is configured to use the Microsoft Windows
Local System account. The SAFE also acts as an agent, and agents must have local
administrative access. In the Windows Administration Tools Service Control
Manager, in the Log On tab, you can change the account the SAFE service uses. This
works as long as this account has local administrative access.

If you change it to an account that has limited rights, then you cannot snapshot or
preview the machine where the SAFE is running. If this is not a problem for you,
then you can use an account that does not have administrative rights. The SAFE
must be able to write to the file system to create user files and logs, and open sockets
and ports for network communications.

24 OpenText™ EnCase™ SAFE ISSAFE230400-UGD-EN-1


2.3. Installing the SAFE

Due to the number of possible configurations, we cannot predict that all of them will
work. We recommend that the SAFE run as a Local System. If you change that, we
encourage you to thoroughly test the functionality of the SAFE in your environment.

2.3.3 VMware support


Support is provided for running secondary SAFEs on VMware and Boot Camp as
follows. VMware is only supported with electronic licensing.

• VMware Workstation 6.5


• VMware Workstation 7.0
• VMware Server 1.1 (GSX)
• VMware vSphere 4.0 ESXi
• VMware vSphere 5.5 ESXi
• Boot Camp v2.0
• Boot Camp v3.0

2.3.4 Upgrading the SAFE


You can upgrade or migrate your SAFE depending on the version of SAFE you are
currently using. The following options are available:

• If you are performing an installation of a SAFE on a machine that has not


previously had a SAFE installed, see “Installing the SAFE” on page 12.
• If you have a SAFE version 20.2 or later, and want to use the quick update
option, see “Performing a SAFE quick update” on page 25.
• If you have SAFE version a.01 through a.11, and want to upgrade to
SAFE version 20.2 or later, you must migrate data from your existing SAFE. See
“Migrating data from SAFE versions a.01 through a.11” on page 26.

Note: The quick update option cannot be used to update from any a.xx
SAFE version to SAFE version 20.2 or later. You must follow the Migrate data
from an existing Guidance SAFE option in the SAFE installer first.

2.3.4.1 Performing a SAFE quick update


The quick update feature of the SAFE installer package allows you to quickly update
your SAFE. If you have installed a new SAFE version 20.2 or later or already
migrated a SAFE version a.xx, you can use the quick update procedure below.

If you have a SAFE version a.xx, the quick update feature cannot be used, either by
running the installer or via the command line. You first must migrate your SAFE to
version 20.2 or later. See “Migrating data from SAFE versions a.01 through a.11”
on page 26. If you are upgrading from an earlier version (EnCase SAFE 7m12 or
earlier), see section “Upgrading with EnCase v7m or earlier” in the SAFE User Guide
version 20.4 (or earlier).

ISSAFE230400-UGD-EN-1 User Guide 25


Chapter 2 Installing the SAFE

If you are unsure which SAFE upgrade path to follow for your organization, contact
OpenText My Support.

To perform a quick update:

1. Open the installation file.

2. If you have installed a SAFE with the name “SAFE”, a dialog box opens asking
if you want to perform a quick update.

• Click Yes to perform a quick update.


• Click No to launch the SAFE installer instead of performing a quick update.

3. When the quick update process finishes, a dialog box opens indicating whether
the update completed or failed.

Note: If the SAFE has a name other than “SAFE” you can still use the
quick update feature, but you must run the SAFE installer from the
command line and explicitly identify the SAFE name using the following
command: <installer-filename>.exe -update "SAFEName".

2.3.4.2 Migrating data from SAFE versions a.01 through a.11


You can migrate to SAFE version 20.2 or later from SAFE versions a.01 through a.11
using the SAFE installer. If the SAFE installation wizard identifies an earlier version
of SAFE, the Migrate data from an existing Guidance SAFE option will be available
during installation. Select this option to migrate older SAFE data to the new SAFE.

Note: A quick update on SAFE version 20.2 or later is not possible unless you
have performed a fresh install of SAFE version 20.2 or later or have previously
used the migrate data option described here first.

To migrate data to SAFE version 20.2 or later fromSAFE versions a.01 through
a.11:

1. Run the SAFE installation wizard. The OpenText SAFE page appears.

2. Accept the default install path (C:\Program Files\OpenText\SAFE) or select a


new location.

3. Click Next. The End-User License page appears.

4. Accept the license agreement and click Next. The SAFE Private Key page
appears.

26 OpenText™ EnCase™ SAFE ISSAFE230400-UGD-EN-1


2.3. Installing the SAFE

5. Select Migrate data from an existing Guidance SAFE.

6. Click Next to complete the installation.

The SAFE installer then performs the following actions:

• Installs the OpenText SAFE in the folder specified in the first wizard page.
• Migrates the Guidance SAFE registry values into 'HKLM\SOFTWARE\OpenText\
SAFE'.

• Migrates the Guidance SAFE configuration data into the OpenText SAFE install
folder.
• Unregisters the Guidance SAFE service and registers the OpenText SAFE service.

2.3.5 SAFE text logging


The SAFE supports text logging. Text logs can be used to analyze or troubleshoot the
SAFE. Text logs can also be integrated with third party applications such as Splunk.
With the text logging feature enabled, logs are written as unencrypted plain text files
to the TextLogs subfolder relative to the SAFE installation folder. By default, this
location is: C:\Program Files\OpenText\SAFE\TextLogs. Log files use the following
name convention: SafeLog[DATE_TIME].log.

Enable text logging by running the SAFE installation wizard. The Enable Text
Logging check box is found on the Options page.

ISSAFE230400-UGD-EN-1 User Guide 27


Chapter 2 Installing the SAFE

Text logging is enabled once SAFE installation is complete.

You can also configure text logging parameters by editing the Windows registry. To
configure text logging parameters, use a Windows registry editor and go to the
following registry location:

KEY_LOCAL_MACHINE\SOFTWARE\OpenText\SAFE

The following registry parameters can be modified:

Windows Registry Entry Description


REG_DWORD LogTextDeleteAfterDays The SAFE can delete old log files after a
Default=0 (disabled) certain number of days. This feature is
disabled by default.
REG_DWORD LogTextEnabled Default=0 After enabling text logging via the
(disabled) SAFE installer, you can disable text logging
without rerunning the SAFE installer.
REG_DWORD LogTextLimitKB Default= Set the maximum size of a text log before the
0x0400 (1 MB) SAFE creates a new log file. The default size
is 1 MB.
REG_DWORD LogWindowsEventEnabled Enable to add Windows event logs to
Default=0 (disabled) SAFE text logging. This feature is disabled by
default.

If you use Splunk for security information and event management, you can import
the text logs generated by the SAFE into Splunk.

To import text log files to Splunk:

1. Start Splunk and go to the dashboard.


2. Select Add Data > Monitor > Files & Directories.
3. Use the location selector to navigate to the SAFE TextLogs folder and select the
folder.

Splunk is now configured to read from the SAFE text logs.

28 OpenText™ EnCase™ SAFE ISSAFE230400-UGD-EN-1


2.3. Installing the SAFE

2.3.6 EnCase Agent Management logging


You can enable multiple logging options for the EnCase Agent Management
component of the SAFE. EnCase Agent Management is also referred to as the Agent
Management Platform (AMP). The debug logging can help troubleshoot issues with
remote check-in collection jobs. There are two types of debug logging for use with
the EnCase Agent Management component:

• HTTP Request/Response
• Connection

Logging can be temporarily enabled and disabled as needed. Log files can be found
here: C:\ProgramData\OpenText\AMP\LogFiles

To toggle http request/response logging:

• To enable http logging, enter the following in your browser: https://<AMP


Host>:8443/Configuration/EnableHttpLog, substituting the hostname for <AMP
Host>.

• Navigate to EnCase Agent Management page (https://<AMP Host>:8443/) to


view endpoints.
• After enabling logging, go to https://<AMP Host>:8443/httplog to view log
entries.
• To disable http request/response logging, enter the following in your browser:
https://<AMP Host>:8443/Configuration/DisableHttpLog, substituting the
hostname for <AMP Host>.

To toggle connection logging:

• To enable connection logging, use this URL in browser: https://<AMP Host>:


8443/Configuration/EnableKestrelLog. Connection Log entries go to C:
\ProgramData\OpenText\AMP\LogFiles.

• After enabling logging, go to https://<AMP Host>:8443/httplog to view log


entries.

Note: The log file should show details about the connection made to the
SAFE (AMP server) from the EnCase product when a remote check-in
collection job is run, including cipher suite. The log should have between
seven and eight “AMPService” information entries for that time the request
is submitted from the EnCase application. An entry should have details
about each step in the connection process. If you don’t see any entry after
enabling connection logging, it means the request did not make it to the
server.
• To disable connection logging, enter the following in your browser: https://<AMP
Host>:8443/Configuration/DisableKestrelLog

ISSAFE230400-UGD-EN-1 User Guide 29


Chapter 2 Installing the SAFE

2.3.7 Advanced SAFE installation command line options


You can configure advanced installation functionality for the SAFE using command
line prompts when running the SAFE installer.

Append the following options to the SAFE executable in the command line (for
example, <installer-filename>.exe -update "SAFEName") to perform additional
functions:

Option Description Requires


Argument
/x Install the SAFE in interactive mode with no
UI prompts.
/u Uninstall the SAFE in interactive mode with no
UI prompts.
-cert Install the SAFE with certificate authentication no
instead of a machine key. A Certificate button is
displayed during installation so the user can
install a certificate.
* Install the SAFE and create a file, token.txt, no
that contains MAC address information for the
local machine.
-update Perform quick update of the local SAFE yes
[SAFE service installation indicated by [SAFE service name].
name]

-drop Install the SAFE agents. no


-opt Install the SAFE in interactive mode with UI no
prompts, and enable the Alternate File Properties
button on the Check In Options page. When used,
the installer displays the Alternate File Properties
dialog box which allows the administrator to
change the Product Name, File Description, Legal
Copyright text, and Company Name file
properties of the agent installer. When the
standard and enhanced agents are pushed to and
installed on endpoints, the custom fields are used,
and the default agent identity is obscured.
-uninstall “Silent uninstall” of the SAFE with no UI no
interaction. Unregisters the OpenText SAFE
service (registry entry: 'HKLM\SOFTWARE\
OpenText\SAFE').

30 OpenText™ EnCase™ SAFE ISSAFE230400-UGD-EN-1


2.3. Installing the SAFE

Option Description Requires


Argument
-frombackup Install the SAFE from the specified SAFE backup yes
[backup file file into the specified target folder. The target
path] folder is created if it does not exist. The resulting
-targetfolder SAFE installation is a copy of the SAFE used to
[install folder create the backup. The SAFE backup file contains
path] the SAFE machine and setup files and private
key. The backup file can only be used to restore a
SAFE onto the same machine as the SAFE used to
create the backup file unless the SAFE was
installed using the certificate option.

2.3.8 Preparing a hardware independent SAFE


You can install the SAFE with a certificate instead of a machine key. This installation
method is typically used for virtual machines and cloud servers. For more
information, see “Installing a hardware independent SAFE” on page 32.

Note: A SAFE installation based on a certificate is not interchangeable with


machine key SAFE installations, and certificate-based SAFE installations are
not compatible with earlier versions of the SAFE installer.

2.3.8.1 Certificate requirements


The hardware independent SAFE uses public key infrastructure (PKI) to link the
SAFE service to an X.509 certificate, rather than the hardware of a machine. Once a
certificate has been generated and added to the certificate store on the local machine,
the certificate becomes available during installation. To view certificates installed on
your machine, use the Microsoft Management Console (MMC).

Contact your local system administrator to generate a PKI certificate. The certificate
must meet the following requirements:

• The certificate is available in the personal store of Local System or the user
running the service.
• The certificate has a private key.
• The certificate is trusted by the operating system.

ISSAFE230400-UGD-EN-1 User Guide 31


Chapter 2 Installing the SAFE

2.3.9 Installing a hardware independent SAFE


Before you begin, verify that your SAFE machine has been prepared for hardware
independent SAFE installation. See “Preparing a hardware independent SAFE”
on page 31.

To install a SAFE bound to a certificate instead of a machine key:

Follow the workflow from “Installing the SAFE” on page 12, except for the
following:

1. You must run the SAFE installer using the command line and append the -cert
flag as follows:
<installer-filename>.exe -cert

Note: The option to install a certificate is only visible if the installer is run
with the -cert flag. See “Advanced SAFE installation command line
options” on page 30 for details about using this and other flags.

2. At step 7 of the install procedure, where the Options page appears, a Certificate
button will be visible.

3. After completing the first part of the page, click the Certificate button to enter
user credentials to be used by the SAFE service. The User Credentials for
Service dialog box opens.

32 OpenText™ EnCase™ SAFE ISSAFE230400-UGD-EN-1


2.3. Installing the SAFE

4. Select where you want the imported certificate to go.

• Local System account – Use this option to import the certificate into the
current admin user’s cert store and the Local Machine cert store.
• This account – Use this option to import the certificate into the specified
user’s cert store and the current admin user’s cert store.

Note: If the current admin user is manually importing certs for a SAFE
that will run as Local System, then the cert should be imported into the
Local Machine cert store, not the Local System account’s personal store.
The cert should also be imported into the current admin’s personal cert
store. To support backward compatibility, the SAFE service will still run if
the cert is present in the Local System account’s personal cert store. If the
current admin user is manually importing certs for a SAFE that will run as
another user, then you should import the cert in the other user’s personal
cert store and the current admin’s personal cert store.

5. Enter Domain Name, User Name, and Password of the certificate holder to be
used by the SAFE service account for authentication.

• The selected user must have the “Log on as a service“ permission to


continue. The user must also have read/write access for the SAFE installation
folder and sub-folders.
• If you are manually importing certs for a SAFE that will run as Local System,
then the cert should be imported into the Local Machine cert store, not the
Local System account’s personal store. Additionally, the cert should also be
imported into the current admin’s personal cert store. For backwards
compatibility, the SAFE service will still run if the cert is present in the Local
System account’s personal cert store.

ISSAFE230400-UGD-EN-1 User Guide 33


Chapter 2 Installing the SAFE

• If you are manually importing certs for a SAFE that will run as another user,
then you should import the cert in the other user’s personal cert store and
the current admin’s personal cert store.

6. Click OK. The Windows Security dialog box opens.

7. Select a certificate and click OK to return to the SAFE installer Options page.

8. Click OK to move to the next page. The remaining installation steps are the
same as found in “Installing the SAFE” on page 12.

Your SAFE is now running and ready for use.

2.4 Installing the SAFE Configuration Tool


With the SAFE 23.2 release, SAFE configuration can now be accomplished via a web
browser. The SAFE web server is automatically installed during SAFE installation.
SAFE configuration via the web matches the functionality of the SAFE Configuration
Tool. The SAFE Configuration Tool is deprecated as of SAFE 23.2 and will be
discontinued in a future release. If you choose to use the SAFE Configuration Tool,
directions for installing it are included below.

When you install the SAFE on a machine, the SAFE Configuration Tool is
automatically placed with the SAFE files. If you do not have EnCase Endpoint
Investigator, the SAFE Configuration Tool can be used to set up and administer your
SAFE.

To install the SAFE Configuration Tool:

1. Navigate to the SAFE Configuration Tool folder (default location: C:\Program


Files\OpenText\SAFE\SAFE Configuration Tool).

2. Double-click on the SAFE Configuration Tool to open the installation wizard.


The SAFE Configuration Tool page appears.

3. Select the check box to agree to the terms of the license agreement.

4. Click Install to install to the default location (C:\Program Files


(x86)\OpenText\SAFE Configuration Tool) or click Customize Installation to
change the installation location.
The application is installed and a link to it is placed on the desktop.

5. A dialog box opens to indicate that indicates the installation was successful.
Click Close.

34 OpenText™ EnCase™ SAFE ISSAFE230400-UGD-EN-1


2.5. SAFE mirroring

2.5 SAFE mirroring


SAFE Mirroring is a feature that enables an administrator to create a set of SAFEs
that all automatically keep their SAFE configuration in sync. One SAFE is
designated as the Primary. The other SAFEs within the mirror set are assigned the
role of Secondary SAFE. Changes to the SAFE configuration can only be made with
the Primary SAFE. The Secondary SAFEs are automatically updated with
configuration changes when they periodically poll the Primary SAFE for updates.
The polling rate is configurable.

Installations that use SAFE mirroring and agent check-in can see improved check-in
performance.

Once Primary and Secondary SAFEs are installed, they can be managed via a web
browser or EnCase Endpoint Investigator. The SAFE installer can also be used to
perform some mirror set management functions.

What is kept in sync?

The following SAFE configuration values are kept in sync between all members of a
mirror set:

• Network
• Roles
• Users
• Network Plugin Repository
• SAFE Check-in settings
• Most SAFE registry settings
• Keymaster Key/AD keymaster SID
• Additional Keymaster security settings

2.5.1 Creating a mirror set


To create a mirror set you first install a SAFE following the standard SAFE
installation procedure. This will be the Primary SAFE for your mirror set. While no
mirroring settings are set during installation of this SAFE, some resources will be
needed to set up Secondary SAFEs. While you can install any number of Secondary
SAFEs to mirror the configuration settings of the primary SAFE, performance
degradation is possible with an extremely large mirror set of hundreds of secondary
SAFEs.

Installing secondary SAFEs

Before you install a Secondary SAFE, collect resources from the Primary SAFE
installation:

• The Primary SAFE SAFE Backup.spvk file

ISSAFE230400-UGD-EN-1 User Guide 35


Chapter 2 Installing the SAFE

• The SAFE Backup Token password


• The Primary SAFE Keymaster public/private key pair (needed if used for
primary keymaster authentication)
• The SAFE.ini file from the Primary SAFE (needed if you use Active Directory for
primary keymaster authentication)

Once you have these, use the SAFE installation procedure below. At least one
Secondary SAFE is required to create a mirror set.

1. On the machine where you want to install a Secondary SAFE, create an


installation folder. Copy the Primary SAFE SAFE Backup.spvk file to this
location. Copy the keymaster public/private key pair to your Secondary SAFE
machine. OpenText recommends installing the key pair in a central location,
like C:\Keys\ folder.
2. Run the SAFE installer on the Secondary SAFE machine. Go through the steps
of the installation wizard until the SAFE Private Key page appears.

• If using a public/private key pair for keymaster authentication, select Read


key from backup token, enter the path to the keymaster private key, and
enter the keymaster password.
• If you use an Active Directory account as the primary keymaster
authentication method on the Primary SAFE, you will also need to copy the
SAFE.ini file into the Secondary SAFE installation folder. Select Read key
from backup token and enter the password.
3. Step through the installation wizard until the Options page appears. Complete
initial options and move on to the Mirror Settings box.

• Add the Primary SAFE name or FQDN in the Primary SAFE Host field in
the box. IP addresses cannot be used.
• Enter the Port used by the Primary SAFE if it differs from the default 4445.
• Accept the default Update Poll Rate of 5 minutes or adjust to a different
number.
• Click Next. If the Primary SAFE is successfully contacted, the installer moves
on to the next step.
4. On the Generate Keymaster Keys step, enter the keymaster information
according to your primary keymaster authentication method.

• If you are using keymaster key pair for primary keymaster authentication,
select Use Keymaster Key Pair option and enter the path to the Primary
SAFE Keymaster public key in the Keymaster Key Path field.
• If you are using AD authentication for primary keymaster authentication,
select Use Active Directory Login option and enter the AD keymaster
account in the Active Directory Keymaster field.
5. Continue with the installation. Some later options will be greyed out because
they are not allowed when creating a Secondary SAFE. When installation is

36 OpenText™ EnCase™ SAFE ISSAFE230400-UGD-EN-1


2.6. SAFE configuration

complete and the new SAFE starts up it will contact its Primary SAFE and sync
down the latest SAFE configuration.

2.6 SAFE configuration


After the SAFE has been installed, follow these steps to configure the SAFE for your
organization:

• Configure the desktop client machines. See “Configuring SAFE settings for
desktop clients” on page 116
• Log on to the SAFE. See “Logging onto SAFE configuration via the web”
on page 39
• Set up the network tree. See “Setting up the network tree” on page 46.
• Set up roles and associate the network tree with the roles as needed. See “Setting
up roles” on page 53
• Set up users and associate roles with users as needed. See “Setting up user
accounts and permissions” on page 63
• Deploy agents. See “Deploying and managing agents“ on page 125

For troubleshooting information, see “Performing a service diagnostic” on page 174

ISSAFE230400-UGD-EN-1 User Guide 37


Chapter 3
Configuring the SAFE

Once you have installed the SAFE you are ready to configure your it for use.

This chapter covers the following SAFE configuration topics:

• define and manage your network topology for use by the SAFE
• create, define, and manage roles
• create, define, and manage user accounts
• manage and view events and logs
• manage network plugins
• generate encryption keys

SAFE configuration in this chapter is primarily described using the SAFE web
interface. EnCase Endpoint Investigator users can also use the application’s built-in
SAFE configuration tools. EnCase Endpoint Investigator workflows are similar to
those found in the web interface, and differences are documented where they exist.

3.1 Logging onto SAFE configuration via the web


Log onto the SAFE configuration page of the SAFE server as keymaster to configure
your SAFE. While the keymaster account is used initially because it has the full
access needed to configure and administer the SAFE, additional administrator
accounts can be set up to delegate SAFE administration to others in the future. To
log onto the SAFE via EnCase Endpoint Investigator, see Logging onto SAFE
configuration via EnCase Endpoint Investigator.

To log on to the SAFE:

1. Direct your browser to the SAFE server configured during installation:


https:// SAFEname:port/safeconfig/

Where <SAFEname> is the name or IP address of the SAFE and <port> is the port
number of the SAFE you want to configure. The SAFE Sign in page and SAFE
User Login box are displayed.

ISSAFE230400-UGD-EN-1 User Guide 39


Chapter 3 Configuring the SAFE

2. Sign in via the default SAFE User Login method, or click the Sign In link in the
top right of the window to select a different sign in authentication method from
the drop-down list.

• Login - SAFE User Login is the default SAFE authentication method and
requires the user Private Key file, username, and password.
• Active Directory Login - This authentication method requires username and
domain for the Username field and password.
• RSA SecurID Login - This authentication method requires the username for
the RSA SecurID User field.

Note: Sign in via the Smart Card authentication method is not supported
via a web browser.

a. For SAFE User Login, click the Choose File button to open a file chooser
dialog box.
b. Navigate to the location of your keymaster.privatekey or other user file.
Select it and enter OK. The file chooser closes, and the private key file and
username are inserted into the corresponding fields of the SAFE User Login
box.

40 OpenText™ EnCase™ SAFE ISSAFE230400-UGD-EN-1


3.1. Logging onto SAFE configuration via the web

c. Enter the password and click Login to access the SAFE configuration page.
The SAFE configuration home page displays SAFE details and current
logged in user.

When the keymaster or administrative user is successfully signed in to the SAFE, all
SAFE configuration options are available from the menu. SAFE configuration
options will not be visible to other users.

ISSAFE230400-UGD-EN-1 User Guide 41


Chapter 3 Configuring the SAFE

3.2 Logging onto SAFE configuration via Endpoint


Investigator
You can use EnCase Endpoint Investigator to configure the SAFE. To set up and
administer the SAFE, log on as the keymaster. You can create additional
administrator accounts for later use, but it is the keymaster account that has the full
access needed to configure and administer the SAFE. To log onto the SAFE via the
web, see Logging onto SAFE configuration via the web.

To log on to the SAFE:

1. Open EnCase Endpoint Investigator. The home page is displayed.

2. Click the Logon to SAFE button in the SAFE box of the home page. The Logon
dialog box opens.

42 OpenText™ EnCase™ SAFE ISSAFE230400-UGD-EN-1


3.2. Logging onto SAFE configuration via Endpoint Investigator

If no users are displayed, or to select different users, right-click Users and select
Change Root Path from the context menu. Navigate to the current encryption
key location for users and keymaster.

3. Select the desired user and enter the password for that user. Click Next.
If no SAFEs are displayed or to log onto another SAFE, right-click SAFEs and
select Change Root Path from the context menu. Navigate to the location of the
desired .SAFE file.

4. Right-click the SAFE for which you want to set the options and select Edit. The
SAFE Options dialog box opens.

ISSAFE230400-UGD-EN-1 User Guide 43


Chapter 3 Configuring the SAFE

• Machine Name is the machine name or IP address of the SAFE machine.


• The Port selector enables you to change ports from the default 4445.

Note: This port must match the port you want your agents to
communicate on.
• If the SAFE resides outside your firewall, select Remote SAFE.

– Remote SAFE determines if communications with the node are routed


through the SAFE, so the SAFE stands between the client and the node.
– When using a remote SAFE, select the Inbound Port that should be used
when communicating with the remote SAFE.
• Select Enable Nagle if you have a slow or bad connection and have
problems updating the agent. The Nagle algorithm improves the efficiency
of TCP/IP networks, although it increases latency. This selection applies to
all connections to nodes through this connection to the SAFE.
• Attempt Direct Connection options determine what kind of connection is
made to the specified SAFE:

– Select None when the target system cannot establish a connection with a
client. All traffic is redirected through the SAFE server to increase
communication times. It also provides the investigator the ability to
obtain data otherwise not available.
– Enable Client to Node (Local) when the client (desktop application) and
the node (agent) reside on the same network, and the SAFE resides on a
different network. This allows data to transfer directly from the node to

44 OpenText™ EnCase™ SAFE ISSAFE230400-UGD-EN-1


3.2. Logging onto SAFE configuration via Endpoint Investigator

the client, after the client successfully authenticates through the SAFE.
Note that the client uses the IP address that the node believes it has,
rather than the IP address the SAFE has for the node. In this
configuration, design the network so that all the company’s employees
are located on the corporate desktop network, and employ routing and
Network Address Translation (NAT).
– Client to Node (SAFE) enables Network Address Translation (NAT),
where a private IP address is mapped to a public IP address. Typically,
the SAFE and node reside on the same subnet, and the client on another.
This allows data to transfer directly from the node to the client, after the
client successfully authenticates through the SAFE. The client also uses
the IP address that the SAFE believes the node has, rather than the IP
address the node reports it has, to allow a direct connection between the
client and node machine. This option is enabled by default.
– Node to Client is similar to the Client to Node (SAFE), except that the
node attempts the direct connection to the client. Use this option when
you want direct data transfer between the node and the client, and where
NAT or a firewall prohibits the node from sending data directly to the
local IP or default port of the client. Once you check this option, the client
return address configuration box and port selector become available to
enter the NAT IP address and custom port.
• Priority raises or lowers an agent’s resource usage for the thread that
controls the connection conducting a preview, acquisition, or sweep. Note
that this does not affect the agent process itself. This feature is useful for
investigating machines when the examination is very sensitive, or with
production servers constantly running CPU-intensive processes.
• Client Return and Port are disabled by default.

5. Click Finish to log on to the SAFE.


In the SAFE box of the EnCase Endpoint Investigator home page, the SAFE
name, user, Logoff button, and SAFE configuration button are displayed.

ISSAFE230400-UGD-EN-1 User Guide 45


Chapter 3 Configuring the SAFE

3.3 Logout
To log out of the current SAFE via a web browser:
1. Click the username in the top right corner of any SAFE web page. A log out
option is displayed.
2. Click Logout.

You are logged out of the selected SAFE.

To log out of the current SAFE via EnCase Endpoint Investigator:


• Click the Logout button in the SAFE box of the application.

You are logged out of the selected SAFE.

3.4 Setting up the network tree


The network tree is the sum of machines that have agents deployed on them.
Organize the network tree within the SAFE in the manner that best suits your
organization, for instance, by physical location, company department, IP address
ranges, operating system, or other organizing principle. Setting up the network tree
involves creating a tree structure that contains and your organization’s machines.
Investigators access this tree when looking for a machine to investigate.

Before you set up your network tree, compile a list of the IP addresses or machine
names of all nodes where agents have been or will be deployed. Use folders to
organize your network tree.

To add an entry to your network tree:


1. Log on to the SAFE via a web browser. Use a keymaster user account to view
the SAFE Configuration home page.
Click SAFE Configuration > Network from the drop down menu . The
Network page appears.

46 OpenText™ EnCase™ SAFE ISSAFE230400-UGD-EN-1


3.4. Setting up the network tree

2. Click an existing parent folder and the New Folder button to create a child
folder of the parent, or select Network to create a new parent folder at the top
level.

3. Click a parent folder and Create to add nodes or IP ranges to that folder. The
Create New Network page is displayed.

• Name – When naming a node, an IP address, host name, or DNS name can
be used. IP addresses can be expressed using CIDR notation. IPv4 and IPv6
formats are supported. When naming a range, certain characters are not
permitted in this field.
• Comment – Use this field to distinguish machines and ranges when viewing
the network tree.
• Keep the default value in the Port box to use the default SAFE port number.
Otherwise, manually select another port number.
• To manually enter an IP range with start and stop IP addresses, click the IP
Range check box and specify the start and stop IP addresses. IPv4 and IPv6
format are supported.

ISSAFE230400-UGD-EN-1 User Guide 47


Chapter 3 Configuring the SAFE

4. Click OK.

The node or range is added to the network tree.

You can also use the SAFE web configuration interface to import a list of individual
targets or IP ranges into your network tree. Import targets from a text file in a
standard tab-separated format. Your user account must have the Edit Network
Layout permission.

To import a list to your network tree:

1. Log onto the SAFE via a web browser and navigate to the SAFE Configuration
home page.
Click SAFE Configuration > Network from the drop down menu . The
Network page appears.

Note: You can pre-select the import location on the Network page or
advance to the Import Network List from a File page and set the location
there.

2. Click Import. The Import Network List form a File page appears.

48 OpenText™ EnCase™ SAFE ISSAFE230400-UGD-EN-1


3.4. Setting up the network tree

Note: You can also directly access the Import Network List from a File
page directly from the SAFE Configuration web menu.

3. In the File to Import box, click the Choose File button in the Import File
Location field. Navigate to and select the import file. Click Open to select the
file.

4. In the Select a Folder box, select a location for your import list. Accept the
default top-level Network location or navigate to a subfolder to import the list
there.

5. Click OK.

The list is imported.

Import list requirements:

Prior to import, compile a list of individual IP addresses or machine names or IP


ranges to add to your network and create a tab-delimited text file according to the
following guidelines:

• Two tab-delimited fields are permitted


• The first field can be either an IP address or IP Address plus a port (#.#.#.# or
#.#.#.#:port#). Machine names can also be used.

• The second field is imported to the Comment field


• Use CIDR notation for ranges
• Comment lines start with a # character

ISSAFE230400-UGD-EN-1 User Guide 49


Chapter 3 Configuring the SAFE

Note: Entries that fail validation are skipped. Machine name, cannot be greater
than 49 characters and may not contain any disallowed characters like slashes,
commas, and spaces. The comment field has maximum length of 150
characters.

Import file example:


#Comment lines are ignored during import
#The following represent a range of different entries
#cidr-notation example in the following 2 lines(with and without port number)
10.111.111.0:4450/24
10.111.112.0/24
#tab delimited ip example
10.111.121.222:4446 entry-08-example1
10.111.122.0 entry-09-example2
#tab delimited machine name example
is-testvm-01 Client Test Machine
es-vm-0001 Second Test Machine

3.4.1 Setting up the network tree with EnCase Endpoint


Investigator
In addition to using the SAFE web interface, EnCase Endpoint Investigator users can
also access the SAFE and set up the network tree within the application. Before you
set up your network tree, compile a list of the IP addresses or machine names of all
nodes where agents have been or will be deployed.

To add individual folders, nodes, and ranges to your network with EnCase
Endpoint Investigator:

1. Open EnCase Endpoint Investigator and log on to the SAFE.


2. Click SAFE > Network from the menu. The Network tab is displayed.

The Tree pane displays the network. The Table pane displays the contents
selected in the Tree pane.

50 OpenText™ EnCase™ SAFE ISSAFE230400-UGD-EN-1


3.4. Setting up the network tree

3. Create parent folders in the Tree-Table view.

a. Select View > Choose a viewing mode > Tree-Table.


b. Right-click Network in the Tree pane and select New Folder from the
context menu to add a folder to your network tree.
4. Add new machines or ranges to child folders.

a. Click a folder in the Tree pane or double-click a folder in the Table pane to
add to that folder.
b. Click New from the Network tab or Table pane. The New Machine
dialog box opens.

• Machine Name – When naming a node, an IP address, host name, or DNS


name can be used. IP addresses can be expressed using CIDR notation, and
IPv4 and IPv6 formats are supported. When naming a range, certain
characters are not permitted in this field.
• Comment – Use this field to distinguish machines and ranges when viewing
the network tree.

ISSAFE230400-UGD-EN-1 User Guide 51


Chapter 3 Configuring the SAFE

• Select Default if you used the default port number (4445) when installing
your SAFE. Otherwise, manually select another port number.
• To manually enter an IP range with start and stop IP addresses, click the IP
Range check box and specify the start and stop IP addresses. IPv4 and IPv6
format are supported.

5. Click OK.

The node or range is added to the network tree.

3.4.2 Export and import targets using EnCase Endpoint


Investigator
You can use EnCase Endpoint Investigator to import and export target lists to
manage your network tree; however, target lists created or used by the application
are not text files and cannot be read by the web-based SAFE network target list
importer. Only EnCase Endpoint Investigator can read export files by EnCase
Endpoint Investigator.

To export a target list to a file using EnCase Endpoint Investigator:

1. Open EnCase Endpoint Investigator and log on to the SAFE as keymaster or


other user with the Edit Network Layout permission.

2. Select SAFE > Network. The Network table is displayed in the table pane.

3. Select > Export. The Export dialog box opens.

4. Select the Only Checked Rows check box if desired. Enter the name of the
output file. Select the browse button to navigate to a location to save the file.

5. Click Finish to export the network target list to a file.

To import a target list from a file using EnCase Endpoint Investigator:

1. Open EnCase Endpoint Investigator and log on to the SAFE as keymaster or


user with the Edit Network Layout permission.

2. Select SAFE > Network. The Network table is displayed in the table pane.

3. Select > Import > Open.

4. Select a previously exported network target list file or Open to navigate to a


network target list file.

The network target list is imported.

Note: EnCase Endpoint Investigator can only import a network target list file
that it exported.

52 OpenText™ EnCase™ SAFE ISSAFE230400-UGD-EN-1


3.5. Setting up roles

3.5 Setting up roles


A role is a grouping of connections, permissions, and access rights to certain
machines in the network tree. The SAFE administrator creates roles with various
permissions, then assigns roles during account setup. A user can have multiple
roles. A user then chooses the desired role when starting a new case. The
SAFE administrator logs on to the SAFE via a web browser to set up and configure
roles.

Roles can be nested within a hierarchical folder structure, with child roles inheriting
the attributes of parent roles. The SAFE administrator must set up and assign roles
before users can perform any SAFE tasks.

1. Log on to the SAFE via a web browser. Use a keymaster or administrator user
account to view the SAFE Configuration home page.
Click SAFE Configuration > Roles from the View section of the dropdown
menu. The SAFE Roles page is displayed.

2. Select Create. The Role tab of the Create New Role page is displayed.

• Enter the role Name.

• Optional – Enter a Comment.

• Optional – Assign the minimum number of Connections Allocations to the


role. This ensures that the total number of connections allowed by the SAFE
is distributed appropriately.

ISSAFE230400-UGD-EN-1 User Guide 53


Chapter 3 Configuring the SAFE

– Any connections not allocated fall into a pool on a first come, first served
policy.
– Each child role has only the number of connections allocated to the
parent.
– If the number of connections allocated to the child roles exceeds that of
the parent role, all connections in the parent role fall into the pool.
– Any allocations of the child role can be taken by the parent role.

You can see the current number of connections for each role in the SAFE Roles
table.

3. Click Next to advance to the Permissions tab.


All available role permissions are displayed in the table.

4. Click the row of any permission to select. Click Add or Remove to add that
permission. A dot in the Selected column indicates the role permission is part of
the role.
The Add All and Remove All buttons add or remove all available permissions
at once.
The Revert All button returns permissions to the state when the tab was
opened.

54 OpenText™ EnCase™ SAFE ISSAFE230400-UGD-EN-1


3.5. Setting up roles

• Acquire Image gives the investigator the ability to acquire network devices
while assigned to this role. If this permission is not given, the user can only
preview network devices associated with the role.
• View Pictures activates pictures displayed in the Doc tab in the View pane.
• Browse File Structure displays the file structure in the Tree pane. A user
with this permission can also expand and contract folders within the file
structure.
• View File Contents gives the user the ability to see file content in the View
pane. If this is the only permission given, the View pane is the only active
pane.
• Copy Files gives the user the ability to copy folders from the Tree pane and
copy/unerase files from the Table and View panes. It also enables the user to
use external viewers.
• Keyword Search allows the user to conduct only a keyword search or index
a case. Results are not displayed if this is the only permission selected. The
search button is the only active button.
• Allow Script File Access allows use of EnScript programs while previewing
network devices.
• Snapshot Information allows the snapshot function to access the dynamic
data.
• Allow Registry Value Access allows the snapshot function to access registry
values.
• Allow Registry List Access allows the snapshot function to access registry
lists.
• Edit Registry allows EnScript programs to edit the target registry (available
only if your SAFE is enabled for remediation).
• Terminate Process allows EnScript programs to terminate a process on a
target machine (available only if your SAFE is enabled for remediation).
• Run Process allows EnScript programs to run a process on a target machine
(available only if your SAFE is enabled for remediation).
• Edit Files allows EnScript programs to edit files on a target machine
(available only if your SAFE is enabled for remediation).

Note: Edit Registry, Terminate Process, Run Process, and Edit Files
permissions require remediation. To check if your SAFE is
remediation-enabled, navigate to the SAFE installation directory and
run the command safe -diag from the Windows command line.
Remediation status is one of the flags displayed.
• Read Memory grants the user access to physical and process memory on
any computer accessible to that role. Administrators should be aware that
users in this role potentially have access to security information, such as
passwords and other credentials on the computer they are examining, to the

ISSAFE230400-UGD-EN-1 User Guide 55


Chapter 3 Configuring the SAFE

same extent they would have if logged on as a local administrator. Allowing


a user read memory access to any computer containing secure information,
such as the SAFE or network servers, should be done with caution.

• Deploy Agents enables users assigned this role to deploy agents


automatically to endpoints. Using configurable control scripts, the SAFE
automatically installs agents on targets that do not have agents currently
installed. For automatic deployment, the SAFE user must have this
permission, control scripts must be configured, and the Deploy Agent check
box must be selected when processing devices from a SAFE network
preview or during a Sweep Enterprise job.

• Undeploy Agents enables users assigned this role to undeploy agents from
endpoints. A deployed agent cannot be automatically removed if the user
does not have this permission.

• Snapshot Scanner enables the user to create targets from IP ranges in


EnCase Endpoint Security and EnCase Information Assurance.

• Queue Endpoint Jobs enables the SAFE user to queue new jobs to
endpoints. For a SAFE user to queue new jobs they must be assigned a role
that has been granted the Queue Endpoint Jobs permission. The Role must
also be granted access to the target machine the job will run on and the
plugin the job uses.

5. Optional – Select Edit Permission on any row to open the Time Frame dialog
box to further control the permissions by time.
Start Date/Time and Stop Date/Time can be defined, as can a weekly schedule.
Select OK to accept the schedule or Close to cancel and close the dialog box.

6. Click Next to advance to the Network tab. The Network table is displayed.

56 OpenText™ EnCase™ SAFE ISSAFE230400-UGD-EN-1


3.5. Setting up roles

The Network table displays Name (machine name or network range name),
Start and Stop addresses (for ranges), and State.

• Machines (or nodes) are always in one of three states: Included, Excluded, or
Neutral.
• Machines can have different states for different roles.
• When you add a machine, it is by default in a Neutral state, neither
specifically included or excluded.
• Select a row to enable the Add, Subtract, and Clear buttons.

– Add sets the selected machine or range to the Included state.


– Subtract sets the selected machine or range to the Excluded state.
– Clear returns the selected machine or range to the Neutral state.
Use Add All, Subtract All, and Clear All to apply the action to all items
in the tree.
Revert All returns permissions to the state when the tab was opened.
• Permissions are inherited:

– The state of a parent machine propagates down through the tree to its
children.
– If you exclude a parent folder but leave an individual machine within
that folder in the Neutral state, the machine is excluded.
– Parent inheritance can be overridden by explicitly granting (or denying)
permission to a machine at the child level.
– A parent role must have a machine included before you can create a child
node.
• A machine must be Included for an investigator to preview it. Subsequent
nodes that refer to the same machine are Included for access if they are left
in a Neutral state.
• If a network range is left Neutral for security purposes, no machine in this
range can be accessed unless explicitly set to be included in the network tree.
• If you have conflicting states for the same machine within the same role,
then access is denied. For example, if you allow access for 192.168.2.100, but
deny access to the range 192.168.2.1-192.168.2.200 within the same role, then
access to that node will be denied.
• If a permissions conflict arises, denying access takes precedence over
granting access.

7. Click Next to advance to the Enhanced Agent tab. The available agent plugins
are displayed.

ISSAFE230400-UGD-EN-1 User Guide 57


Chapter 3 Configuring the SAFE

• Select a plugin, and click Allow or Deny to control access to the plugin from
the role. Revert All returns permissions to the state when the tab was
opened.
An Allow icon in the plugin Name field indicates access to the plugin is
allowed.
A Deny icon in the plugin Name field indicates access to the plugin will
be denied.
To add an Enhanced Agent plugin, see Network Plugin Repository.

8. Click Finish to save all changes and create the role.

3.5.1 Setting up roles using EnCase Endpoint Investigator


Setting up and assigning roles must be done before a user can perform any task. If
you have EnCase Endpoint Investigator, you can use it to set up roles instead of
doing so via a web browser.

1. From the View menu, select Roles. The Roles tab is displayed.

2. Right-click the desired parent role in the Tree pane and click New. The Role
dialog box opens.

58 OpenText™ EnCase™ SAFE ISSAFE230400-UGD-EN-1


3.5. Setting up roles

• Enter the name of the role.


• Enter optional comments.
• Assign the minimum number of connections allocated to each role so that
the total number of connections allowed by the SAFE is distributed
appropriately.

– Any connections not allocated fall into a pool with a first come, first
served policy.
– Each child role has only the number of connections allocated to the
parent.
– If the number of connections allocated to the children roles exceeds that
of the parent role, all connections in the parent role fall into the pool.
– Pools of parent roles can be accessed by children roles.
– Any allocations of the child role can be taken by the parent role.
• You can see the current number of connections for each role in the Table
view.

3. Click Next. The Permission dialog box opens.

ISSAFE230400-UGD-EN-1 User Guide 59


Chapter 3 Configuring the SAFE

4. Click New to select permissions to add to the new role. The New Permission
dialog box opens.

• Acquire Image gives the investigator the ability to acquire network devices
while assigned to this role. If this permission is not given, the user can only
preview network devices associated with the role.
• View Pictures activates pictures displayed in the Doc tab in the View pane.
• Browse File Structure displays the file structure in the Tree pane. A user
with this permission can also expand and contract folders within the file
structure.

60 OpenText™ EnCase™ SAFE ISSAFE230400-UGD-EN-1


3.5. Setting up roles

• View File Contents gives the user the ability to see file content in the View
pane. If this is the only permission given, the View pane is the only active
pane.
• Copy Files gives the user the ability to copy folders from the Tree pane and
copy/unerase files from the Table and View panes. It also enables the user to
use external viewers.
• Keyword Search allows the user to conduct only a keyword search or index
a case. Results are not displayed if this is the only permission selected. The
Search button is the only active button.
• Allow Script File Access allows use of EnScript programs while previewing
network devices.
• Snapshot Information allows the snapshot function to access the dynamic
data.
• Allow Registry Value Access allows the snapshot function to access registry
values.
• Allow Registry List Access allows the snapshot function to access registry
lists.
• Edit Registry allows EnScript programs to edit the target registry (available
only if your SAFE is enabled for remediation).
• Terminate Process allows EnScript programs to terminate a process on a
target machine (available only if your SAFE is enabled for remediation).
• Run Process allows EnScript programs to run a process on a target machine
(available only if your SAFE is enabled for remediation).
• Edit Files allows EnScript programs to edit files on a target machine
(available only if your SAFE is enabled for remediation).

Note: Edit Registry, Terminate Process, Run Process, and Edit Files
permissions require remediation. To check if your SAFE is
remediation-enabled, navigate to the SAFE installation directory and
run the command safe -diag from the Windows command line.
Remediation status is one of the flags displayed.
• Read Memory grants the user access to physical and process memory on
any computer with access to that role. Administrators should be aware that
users in this role potentially have access to security information such as
passwords and other credentials on the computer they are examining, to the
same extent they would have if logged on as a local administrator. Allowing
a user read memory access to any computer containing secure information,
such as the SAFE or network servers, should be done with caution.
• Deploy Agents enables users assigned this role to deploy agents
automatically to endpoints. Using configurable control scripts, the SAFE
automatically installs agents on targets that do not have agents currently
installed. For automatic deployment, the SAFE user must have this
permission, control scripts must be configured, and the Deploy Agent check

ISSAFE230400-UGD-EN-1 User Guide 61


Chapter 3 Configuring the SAFE

box must be selected when processing devices from a SAFE network


preview or during a Sweep Enterprise job.
• Undeploy Agents enables users assigned this role to undeploy agents from
endpoints. A deployed agent cannot be automatically removed if the user
does not have this permission.
• Snapshot Scanner enables the user to create targets from IP ranges in
EnCase Endpoint Security and EnCase Information Assurance.
• Queue Endpoint Jobs enables the SAFE user to queue new jobs to
endpoints. For a SAFE user to queue new jobs they must be assigned a role
that has been granted the Queue Endpoint Jobs permission. The Role must
also be granted access to the target machine the job will run on and the
plugin the job uses.
5. Open the Time Frame tab to further control the permissions by time.
6. Click Next. The Network dialog box displays a selection of machines to access.

• Machines (or nodes) are always in one of three states: Included, Excluded, or
Neutral.
• Machines can have different states for different roles.
• When you add a machine, it is by default in a Neutral state, neither
specifically included or excluded.
• Select a machine to enable the change state buttons.
• Add Selected Items sets the selected machines to the Included state.
• Subtract Select Items sets the selected machines to the Excluded state.
• Clear Selected items returns the selected machines to the Neutral state.
• Permissions are inherited:

62 OpenText™ EnCase™ SAFE ISSAFE230400-UGD-EN-1


3.6. Setting up user accounts and permissions

– The state of a parent machine propagates down through the tree to its
children.
– If you exclude a parent folder but leave an individual machine within
that folder in Neutral state, the machine is excluded.
– A parent role must have a machine included before you can create a child
node.
• A machine must be Included for an investigator to preview it. Subsequent
nodes that refer to the same machine are Included for access if they are left
in a Neutral state.
• If a network range is left Neutral for security purposes, no machine in this
range can be accessed unless explicitly set to be included in the network tree.
• If you have conflicting states for the same machine within the same role,
then access is denied. For example, if you allow access for 192.168.2.100, but
deny access to the range 192.168.2.1-192.168.2.200 within the same role, then
access to that node will be denied.
• If a permissions conflict arises, denying access takes precedence over
granting access.
7. Click Finish to save all changes and create the role.

3.6 Setting up user accounts and permissions


User accounts must be created for users to access and use the SAFE. Multiple
authentication method are available to users, including the default SAFE
authentication method, which uses encryption key pairs for user accounts. The SAFE
administrator can create key pairs on behalf of users, or users can generate them.
The administrator adds the user username.PublicKey file so the user can access the
SAFE. Other authentication methods (Active Directory, RSA SecurID, or Smart
Card) are available and can be added by the SAFE administrator.

Permissions are rules determining whether or not a user can perform specific
functions. Two kinds of permissions control the ability of users to perform certain
actions or view certain elements:

• Role-based permissions control access and ensure proper enforcement of policies.


These permissions control investigative functions such as acquisitions and image
viewing.
• User-based permissions apply to administrative functions, such as the ability to
add other users and modify the network.

Special administrative user accounts

There are two special administrative user accounts that are central to the SAFE: the
keymaster role and the SAFE administrator role.

The keymaster is the super administrator for a SAFE server. The primary duties of
the keymaster:

ISSAFE230400-UGD-EN-1 User Guide 63


Chapter 3 Configuring the SAFE

• Create roles
• Create user accounts
• Create the network tree

The keymaster account is unique in several ways:

• The keymaster can delegate responsibilities to another user


• One keymaster account can be used for multiple SAFE servers
• After installation, the keymaster is the only person who can log on to the SAFE
server until other user accounts are created
• The keymaster account is restricted from performing any previews or
acquisitions through the SAFE
• The keymaster account acts solely as an administrator; it cannot perform any
actual work with agents installed on nodes

Because of the power that the keymaster has over the system, OpenText
recommends the keymaster not be a regular user of the SAFE server. Instead, the
keymaster account should be held by a person within the company who meets the
following criteria:

• C-level (CEO, CFO, CIO, CTO, COO, CISO, CSO) or senior executive
• Not likely to leave the company
• Has corporate liability

If the keymaster password is lost or the keymaster keys become corrupted, there is
no way to recover a lost password or keypair. Please maintain backup copies of the
keymaster key pair and take steps to ensure the keymaster password is not
irretrievably lost. If the keymaster key pair require replacement, go to the OpenText
My Support portal at https://support.opentext.com and retrieve the knowledge base
article on replacing the keymaster key.

The SAFE administrator, created by the keymaster, is in charge of the daily


administration of the SAFE server, and should report to the keymaster. This account
usually performs these tasks:

• Maintaining user accounts


• Maintaining roles
• Maintaining the network tree
• Maintaining the SAFE events
• Updating the SAFE as new versions become available

Use web-based SAFE configuration to create and manage user accounts and
configure the authentication method a user must use to log on to the SAFE. There
are four primary authentication methods: SAFE Logon, Active Directory Logon,
Smart Card Logon, and RSA SecurID Logon. If you configure the user with

64 OpenText™ EnCase™ SAFE ISSAFE230400-UGD-EN-1


3.6. Setting up user accounts and permissions

SAFE Logon as the primary authentication method, you can optionally select a
secondary authentication method for additional security. When logging on to the
SAFE with secondary authentication enabled, the user first enters the password
associated with their public key, and then authenticates with the secondary
authentication method selected by the administrator, before access is granted to the
SAFE.

To add a SAFE user with SAFE Logon as the primary authentication method:

1. Direct your browser to the SAFE web server and log on as keymaster or
administrator.

2. Select SAFE Configuration > Users from the menu bar. The SAFE Users page
displays a table of all SAFE users.

3. Click Create to add a child user to the default keymaster parent account, or click
an existing parent row to create a child user to that parent.

Expand a parent user by clicking next to the parent name. Collapse a parent
user by clicking next to the parent name.
The Enterprise User tab of the Create New User page is displayed.

ISSAFE230400-UGD-EN-1 User Guide 65


Chapter 3 Configuring the SAFE

4. Select SAFE Logon from the Authentication Type box.

5. Click the Choose File button and select the user’s public key file. The Public
Key and Username boxes are updated with the public key name and user name.

6. Enter an optional note in the Comment box.

7. Select the Require Case Information check box to require the EnCase Endpoint
Investigator user to enter case information when creating a new case.

Note: With this feature enabled, the EnCase Endpoint Investigator user
can log on to the SAFE only if all open and active cases contain a case
number. If the user has unsaved cases, SAFE login will fail and an error
message is displayed until all cases are saved. Saved cases are recorded in
the SAFE event log.

8. To skip secondary user authentication, accept the default None in the


Secondary Authentication drop-down list.
To require secondary user authentication, select an authentication method from
the Secondary Authentication box and complete additional steps.

• Select Active Directory Authentication to require the user’s Active


Directory credentials to log onto the SAFE. The Domain Trustee box is
added to the workflow.

– Add the domain trustee in the format, domain\user or user@domain.

– Click Next to advance to the Permission/Role tab.

66 OpenText™ EnCase™ SAFE ISSAFE230400-UGD-EN-1


3.6. Setting up user accounts and permissions

• Select Additional Password in the Secondary Authentication drop-down


list to require the user to enter a second password not tied to their
encryption key password.

– The user is prompted to enter the additional password during


SAFE logon.
– The administrator cannot view the additional password, but can reset or
disable it.
– Click Next to advance to the Permission/Role tab.
• Select RSA SecurID Authentication from the Secondary Authentication
drop-down list to use RSA SecurID credentials. The RSA SecurID Username
box is added to the workflow.

– Enter the RSA Username to associate with the user account.


To use RSA SecurID, you must have configured the SAFE to
communicate with RSA SecurID Authentication Manager during
SAFE installation.
– Click Next to advance to the Permission/Role tab.
• Select Smart Card Authentication from the Secondary Authentication
drop-down list to require the user’s smart card credentials to log on to the
SAFE.

– Click Choose File to open a file chooser and import the certificate from a
file. Two formats are supported: DER encoded X.509 and Base-64
encoded X.509. Select the user’s certificate file and click OK.
On successful import of the certificate, the certificate is displayed in the
Smart Card Certificate box.
– Click Card to read the certificate directly from the card. The dialog box
displays available certificates. Navigate to the certificate, select it, and
click OK.
On successful import, the certificate is displayed in the Smart Card
Certificate box.
– Click Next to advance to the Permission/Role tab.

9. Assign permissions and roles to the user.

ISSAFE230400-UGD-EN-1 User Guide 67


Chapter 3 Configuring the SAFE

Click the row of any permission or role to select. Click Add or Remove to add
or remove that permission or role. A dot in the Selected column indicates the
role permission is included for the user. A dot in the IsRole column indicates the
role is active for the user.
The Revert All button returns permissions and roles to the state when the tab
was opened.
The following permissions are available:

• Create Users lets the user create other users.


• Create Roles lets the user create and define roles.
• Edit Network Layout lets the user edit the network on the Network page
(for example adding, moving, and removing nodes and folders and scanning
selected nodes).
• View Logs lets the user view the logs of child users and roles.
• Remote Logon determines whether a user can remotely log on to a SAFE
Server. Remote is defined as the user’s location being outside the corporate
network infrastructure with a publicly accessible IP address.
• Allow Remote Logon enables manual authentication of remote logons for a
particular SAFE server by establishing an outbound connection. A user with
this permission must be logged on locally to allow a remote connection.
• View All Logs allows a user to read the SAFE logs. A user logged on to the
SAFE with this permission can view the logs as the keymaster sees them. For
the View All Logs permission to work, the View Logs permission is

68 OpenText™ EnCase™ SAFE ISSAFE230400-UGD-EN-1


3.6. Setting up user accounts and permissions

automatically added. When these two permissions are active, you cannot
have any other permissions set.
• Administer Users grants the user administrative access over user accounts.
This permission is only visible when signed in as keymaster. Selecting this
permission automatically adds Create Users, Create Roles, and Access
EnCase Agent Management permissions.
• Manage Network Plugin Repository allows the user to manage the
Network Plugin Repository, which is used to deploy enhanced agents to
nodes on the network.
• Access EnCase Agent Management grants the user access to the SAFE web
server, which contains data about agents deployed on endpoints across the
network. The SAFE user with this permission can view the current endpoint
jobs that are running or queued up, but cannot queue new jobs. To queue
new jobs the SAFE user must have the Queue Endpoint Jobs role permission.

Users must be assigned at least one role to perform tasks that use the SAFE.
Optional: Click the Edit Permission icon on any row to open the Time Frame
dialog box to further control the permissions.
Start Date/Time and Stop Date/Time can be defined, as can a weekly schedule.
Select OK to accept the schedule or Close to cancel and close the dialog box.

10. Click Submit to add the user.

To add a SAFEuser with Active Directory, RSA SecurID, or Smart Card Logon
as the primary authentication method:

1. Select SAFE Configuration > Users from the menu bar. The SAFE Users page
displays a table of all SAFE users.

2. Click Create to add a child user to the default keymaster parent account. The
Enterprise tab of the Create New User page is displayed. You can also click an
existing parent row to create a child user to that parent.

3. Select a logon method in the Authentication Type box.

• Select Active Directory Logon to require the user’s Active Directory


credentials to log on to the SAFE.

ISSAFE230400-UGD-EN-1 User Guide 69


Chapter 3 Configuring the SAFE

– Enter the user name in the Username box.


– Enter an optional note in the Comment box.
– Select the Require Case Information check box to require the EnCase
Endpoint Investigator user to enter case information when creating a
new case.
– Enter a user and domain in the Domain Trustee box in the format,
domain\user or user@domain.

– Enter the user or group.


– When you finish, click OK. The dialog box closes, and the user or group
is displayed in the Domain Trustee box.
– Click Next to advance to the Permission/Role tab.
• Select RSA SecurID Authentication from the Authentication Type drop-
down list to use RSA SecurID credentials. The RSA SecurID Username box
is added to the workflow.

– Enter the RSA Username to associate with the user account.


To use RSA SecurID, you must have configured the SAFE to
communicate with RSA SecurID Authentication Manager during
SAFE installation.
– Click Next to advance to the Permission/Role tab.
• Select Smart Card Logon from the Authentication Type drop-down list to
require the user’s smart card credentials to log onto the SAFE. The
Username and Smart Card Certificate boxes are added to the workflow.

70 OpenText™ EnCase™ SAFE ISSAFE230400-UGD-EN-1


3.6. Setting up user accounts and permissions

– Enter the user name in the Username box.


– Enter an optional note in the Comment box.
– Select the Require Case Information check box to require EnCase
Endpoint Investigator users to enter case information when creating a
new case.
– Click Choose File to open a file chooser and import the certificate from a
file. Two formats are supported: DER encoded X.509 and Base-64
encoded X.509. Select the user’s certificate file and click OK.
On successful import of the certificate, the certificate is displayed in the
Smart Card Certificate box.
– Click Card to read the certificate directly from the card. The dialog box
displays available certificates. Navigate to the certificate, select it, and
click OK.
On successful import, the certificate is displayed in the Smart Card
Certificate box.
– Click Next to advance to the Permission/Role tab.

4. Assign permissions and roles to the user.

Click the row of any permission or role to select. Click Add or Remove to add
or remove that permission or role. A dot in the Selected column indicates the
role permission is included for the user. A dot in the IsRole column indicates the
role is active for the user.
Revert All returns permissions and roles to the state when the tab was opened.

ISSAFE230400-UGD-EN-1 User Guide 71


Chapter 3 Configuring the SAFE

The following permissions are available:

• Create Users lets the user create other users.


• Create Roles lets the user create and define roles.
• Edit Network Layout lets the user edit the network on the Network page
(for example adding, moving, and removing nodes and folders and scanning
selected nodes).
• View Logs lets the user view the logs of child users and roles.
• Remote Logon determines whether a user can remotely log on to a SAFE
Server. Remote is defined as the user’s location being outside the corporate
network infrastructure with a publicly accessible IP address.
• Allow Remote Logon enables manual authentication of remote logons for a
particular SAFE server by establishing an outbound connection. A user with
this permission must be logged on locally to allow a remote connection.
• View All Logs allows a user to read the SAFE logs. A user logged on to the
SAFE with this permission can view the logs as the keymaster sees them. For
the View All Logs permission to work, the View Logs permission is
automatically added. When these two permissions are active, you cannot
have any other permissions set.
• Administer Users grants the user administrative access over user accounts.
This permission is only visible when signed in as keymaster. Selecting this
permission automatically adds Create Users, Create Roles, and Access
EnCase Agent Management permissions.
• Manage Network Plugin Repository allows the user to manage the
Network Plugin Repository, which is used to deploy enhanced agents to
nodes on the network.
• Access EnCase Agent Management grants the user access to the SAFE web
server, which contains data about agents deployed on endpoints across the
network. The SAFE user with this permission can view the current endpoint
jobs that are running or queued up, but cannot queue new jobs. To queue
new jobs the SAFE user must have the Queue Endpoint Jobs role permission.

Users must be assigned at least one role to access endpoints.


Optional: Click the Edit Permission icon on any row to open the Time Frame
dialog box to further control the permissions.
Start Date/Time and Stop Date/Time can be defined, as can a weekly schedule.
Select OK to accept the schedule or Close to cancel and close the dialog box.

5. Click Submit to add the user.

72 OpenText™ EnCase™ SAFE ISSAFE230400-UGD-EN-1


3.6. Setting up user accounts and permissions

3.6.1 Setting up user accounts using EnCase Endpoint


Investigator
User accounts must be added to the SAFE before the user can access the SAFE. The
administrator creates user accounts and determines the authentication method the
user will use to access the SAFE. The administrator also adds user permissions and
roles.

To set up a user account, the administrator must first set up a primary


authentication method for each user. The following authentication methods can be
associated with a user account:

• SAFE Logon
• Microsoft Active Directory Logon
• Smart Card Logon
• RSA SecurID Logon

While the procedure for selecting and configuring the user’s authentication method
is different depending on the method chosen, configuring the user permissions and
roles is identical regardless of authentication method used. Select the setup
procedure that corresponds with the user authentication method you want to set up:

• Add a SAFE user account with SAFE authentication


• Add a SAFE user account with Microsoft Active Directory as primary
authentication
• Add a SAFE user account with a smart card as primary authentication
• Add a SAFE user account with RSA SecurID as primary authentication

Secondary authentication can also be added to a user account if the primary


authentication method is SAFE Logon. Options to use secondary SAFE
authentication can be found in the following workflow.

To add a SAFE user account with SAFE authentication:

1. Launch the desktop application, and log on to the SAFE as keymaster or


administrator.

2. From the menu bar, select SAFE > Users. The Users tab is displayed.

3. Click New. The User dialog box opens.

ISSAFE230400-UGD-EN-1 User Guide 73


Chapter 3 Configuring the SAFE

4. Enter or browse to the location of the user’s public key file.

5. Enter an optional note in the General Information Comment box.

6. Select the Require Case Information check box to require the EnCase Endpoint
Investigator user to enter case information when creating a new case.

7. Select a secondary authentication option, or None to continue without


secondary authentication.

• Select Active Directory Authentication to use Active Directory


authentication. A Domain Trustee text box and browse button display.

– Click the Domain Trustee browse button. The Select User or Group
dialog box opens.
– Enter an Active Directory user name. Click OK.
• Select Additional Password to require the user to enter an additional
password to authenticate access to the SAFE. A check box is displayed
indicating that the user must set a new password at next logon.

– The user creates the password the next time logging onto the SAFE.
– The administrator cannot view the additional password, but can reset or
disable it.
• Select Smart Card Authentication to require the user to authenticate to the
SAFE using their smart card. A smart card certificate text box and card and
file browse buttons display.

– Click Card to read the certificate directly from the card. The Windows
Security dialog displays available certificates. Select one and click OK.

74 OpenText™ EnCase™ SAFE ISSAFE230400-UGD-EN-1


3.6. Setting up user accounts and permissions

– Click File to import the certificate from a file. Two formats are
supported: DER encoded X.509 and Base-64 encoded X.509. Select the
user’s certificate file and click OK.
– On successful import of the certificate, the certificate is displayed in the
Smart Card Certificate text box.
• Select RSA SecurID Authentication to use RSA SecurID credentials.

– Enter the RSA SecurID Username to associate with the account.


To use RSA SecurID, you must have configured the RSA SecurID during
the Options step of SAFE installation.
8. Click Next. The Permission/Role dialog box opens. The top pane displays
available roles. The bottom pane displays the time frame the roles are available
for the user.

9. Select the user permissions/roles.

• Create Users lets the user create other users.


• Create Roles lets the user create and define roles.
• Edit Network Layout lets the user edit the network in the Network tab (for
example adding, moving, and removing nodes and folders and scanning
selected nodes).
• View Logs lets the user view the logs of child users and roles.
• Remote Logon determines whether a user can remotely log on to a SAFE
Server. Remote is defined as the user’s location being outside the corporate
network infrastructure with a publicly accessible IP address.
• Allow Remote Logon enables manual authentication of remote logons for a
particular SAFE Server by establishing an outbound connection. A user with
this permission must be logged on locally to allow a remote connection.

ISSAFE230400-UGD-EN-1 User Guide 75


Chapter 3 Configuring the SAFE

• View All Logs allows a user to read the SAFE logs. A user logged on to the
SAFE with this permission can view the logs as the keymaster sees them. For
the View All Logs permission to work, you must also set the View Logs
permission. When these two permissions are active, you cannot have any
other permissions set.
• Manage Network Plugin Repository allows the user to manage the
Network Plugin Repository, which is used to deploy the enhanced agent to
nodes on the network.

10. To edit the Start, Expires, Days, or Hours fields, right-click the role name in the
table and select Edit. The Edit dialog box opens for the role.

Note: To create a new role, see Setting up roles with EnCase Endpoint
Investigator.

11. Select the Time Frame tab to view and modify time frame values.

76 OpenText™ EnCase™ SAFE ISSAFE230400-UGD-EN-1


3.6. Setting up user accounts and permissions

12. Click OK.

13. Click Finish to complete creation of the user account.

To add a SAFE user account with Microsoft Active Directory as primary


authentication:

1. Launch the desktop application, and log onto the SAFE as keymaster or
administrator.

2. From the menu bar, select SAFE > Users. The Users tab is displayed.

3. Click New. The User page opens.

ISSAFE230400-UGD-EN-1 User Guide 77


Chapter 3 Configuring the SAFE

4. For Authentication Type, select Active Directory Logon.

5. Enter the user name in the General Information Name box.

6. Enter an optional note in the General Information Comment box.

7. Select the Require Case Information check box to require the EnCase Endpoint
Investigator user to enter case information when creating a new case.

8. Click the Domain Trustee browse button. The Select User or Group dialog box
opens.

• Enter the required information for the user or group. Click OK.

9. Click Next. The Permission/Role dialog box opens.

• The top pane displays all available permissions/roles. The lower pane
displays the time frame values that each permission/role is available.

78 OpenText™ EnCase™ SAFE ISSAFE230400-UGD-EN-1


3.6. Setting up user accounts and permissions

10. Select the user permissions/roles.

• Create Users lets the user create other users.


• Create Roles lets the user create and define roles.
• Edit Network Layout lets the user edit the network in the Network tab (for
example adding, moving, and removing nodes and folders and scanning
selected nodes).
• View Logs lets the user view the logs of child users and roles.
• Remote Logon determines whether a user can remotely log on to a SAFE
Server. Remote is defined as the user’s location being outside the corporate
network infrastructure with a publicly accessible IP address.
• Allow Remote Logon enables manual authentication of remote logons for a
particular SAFE Server by establishing an outbound connection. A user with
this permission must be logged on locally to allow a remote connection.
• View All Logs allows a user to read the SAFE logs. A user logged on to the
SAFE with this permission can view the logs as the keymaster sees them. For
the View All Logs permission to work, you must also set the View Logs
permission. When these two permissions are active, you cannot have any
other permissions set.
• Manage Network Plugin Repository allows the user to manage the
Network Plugin Repository, which is used to deploy the enhanced agent to
nodes on the network.
11. To edit the Start, Expires, Days, or Hours fields, right-click the role name in the
table and select Edit. The Edit dialog box opens for the role.

Note: To create a new role, see Setting up roles using EnCase Endpoint
Investigator.

ISSAFE230400-UGD-EN-1 User Guide 79


Chapter 3 Configuring the SAFE

12. Select the Time Frame tab to modify time frame values.

80 OpenText™ EnCase™ SAFE ISSAFE230400-UGD-EN-1


3.6. Setting up user accounts and permissions

13. Click OK.

14. Click Finish to complete creation of the user account.

To add a SAFE user account with a smart card as primary authentication:

1. Launch the desktop application, and log onto the SAFE as keymaster or
administrator.

2. From the menu bar, select SAFE > Users. The Users tab is displayed.

3. Click New. The User dialog box opens.

ISSAFE230400-UGD-EN-1 User Guide 81


Chapter 3 Configuring the SAFE

4. For Authentication Type, select Smart Card Logon.

5. Enter the user name in the General Information Name field.

6. Enter an optional note in the General Information Comment field.

7. Select the Require Case Information check box to require the EnCase Endpoint
Investigator user to enter case information when creating a new case.

8. Add the user’s smart card certificate by reading the card or importing the
certificate file.

• Click Card to read the certificate directly from the card. The Select a
Certificate dialog displays available certificates. Select one and click OK.
• Click File to import the certificate from a file. Two formats are
supported: DER encoded X.509 and Base-64 encoded X.509. Select the user’s
certificate file and click OK.

82 OpenText™ EnCase™ SAFE ISSAFE230400-UGD-EN-1


3.6. Setting up user accounts and permissions

• On successful import of the certificate, the certificate is displayed in the


Smart Card Certificate box.

Note: A valid certificate is required, and an error message is displayed


if the certificate is not imported successfully.

9. Click Next. The Permission/Role dialog box opens.

• The top pane displays all available permissions/roles. The lower pane
displays the time frame values that each permission/role is available.

10. Select the user permissions/roles.

• Create Users lets the user create other users.

ISSAFE230400-UGD-EN-1 User Guide 83


Chapter 3 Configuring the SAFE

• Create Roles lets the user create and define roles.


• Edit Network Layout lets the user edit the network in the Network tab (for
example adding, moving, and removing nodes and folders and scanning
selected nodes).
• View Logs lets the user view the logs of child users and roles.
• Remote Logon determines whether a user can remotely log on to a SAFE
Server. Remote is defined as the user’s location being outside the corporate
network infrastructure with a publicly accessible IP address.
• Allow Remote Logon enables manual authentication of remote logons for a
particular SAFE Server by establishing an outbound connection. A user with
this permission must be logged on locally to allow a remote connection.
• View All Logs allows a user to read the SAFE logs. A user logged on to the
SAFE with this permission can view the logs as the keymaster sees them. For
the View All Logs permission to work, you must also set the View Logs
permission. When these two permissions are active, you cannot have any
other permissions set.
• Manage Network Plugin Repository allows the user to manage the
Network Plugin Repository, which is used to deploy the enhanced agent to
nodes on the network.

11. To edit the Start, Expires, Days, or Hours fields, right-click the role name in the
table and select Edit. The Edit dialog box opens for the role.

Note: To create a new role, see Setting up roles using EnCase Endpoint
Investigator.

84 OpenText™ EnCase™ SAFE ISSAFE230400-UGD-EN-1


3.6. Setting up user accounts and permissions

12. Select the Time Frame tab to modify time frame values.

ISSAFE230400-UGD-EN-1 User Guide 85


Chapter 3 Configuring the SAFE

13. Click OK.

14. Click Finish to complete creation of the user account.

To add a SAFE user account with RSA SecurID as primary authentication:

1. Launch the desktop application, and log onto the SAFE as keymaster or
administrator.

2. From the menu bar, select SAFE > Users. The Users tab is displayed.

3. Click New. The User dialog box opens.

86 OpenText™ EnCase™ SAFE ISSAFE230400-UGD-EN-1


3.6. Setting up user accounts and permissions

4. For Authentication Type, select RSA SecurID Logon.

5. Enter the user name in the General Information Name field.


6. Enter an optional note in the General Information Comment field.

7. Select the Require Case Information check box to require the EnCase Endpoint
Investigator user to enter case information when creating a new case.

8. Enter the user name in the RSA SecurID Username field.

Note: The SAFE and RSA SecurID Authentication Manager both require
configuration in order to use RSA SecurID for SAFE user authentication.
See RSA SecurID steps in the Installing the SAFE workflow.

9. Click Next. The Permission/Role dialog box opens.

• The top pane displays all available permissions/roles. The lower pane
displays the time frame values that each permission/role is available.

ISSAFE230400-UGD-EN-1 User Guide 87


Chapter 3 Configuring the SAFE

10. Select the user permissions/roles.

• Create Users lets the user create other users.


• Create Roles lets the user create and define roles.
• Edit Network Layout lets the user edit the network in the Network tab (for
example adding, moving, and removing nodes and folders and scanning
selected nodes).
• View Logs lets the user view the logs of child users and roles.
• Remote Logon determines whether a user can remotely log on to a SAFE
Server. Remote is defined as the user’s location being outside the corporate
network infrastructure with a publicly accessible IP address.
• Allow Remote Logon enables manual authentication of remote logons for a
particular SAFE Server by establishing an outbound connection. A user with
this permission must be logged on locally to allow a remote connection.
• View All Logs allows a user to read the SAFE logs. A user logged on to the
SAFE with this permission can view the logs as the keymaster sees them. For
the View All Logs permission to work, you must also set the View Logs
permission. When these two permissions are active, you cannot have any
other permissions set.
• Manage Network Plugin Repository allows the user to manage the
Network Plugin Repository, which is used to deploy the enhanced agent to
nodes on the network.
11. To edit the Start, Expires, Days, or Hours fields, right-click the role name in the
table and select Edit. The Edit dialog box opens for the role.

Note: To create a new role, see Setting up roles using EnCase Endpoint
Investigator.

88 OpenText™ EnCase™ SAFE ISSAFE230400-UGD-EN-1


3.6. Setting up user accounts and permissions

12. Select the Time Frame tab to modify time frame values.

ISSAFE230400-UGD-EN-1 User Guide 89


Chapter 3 Configuring the SAFE

13. Click OK.

14. Click Finish to complete creation of the user account.

3.7 Accessing event logs


Use SAFE web configuration to view and export event log files for logon, system,
role, administration, windows authentication, and job status events. Your user
account must have SAFE access with View Logs (for user and child logs) or View All
Logs (for all logs the keymaster can view) permission to read event logs.

To view event logs via the web:

1. Log on to your SAFE with a user account that has log access.

2. Click SAFE Configuration > Event Logs. The SAFE Event Logs page displays a
table of selected log events. The table is empty when no log events selected.

90 OpenText™ EnCase™ SAFE ISSAFE230400-UGD-EN-1


3.7. Accessing event logs

3. Click Read Logs to open the Event Log Search dialog. A table of event type
categories are listed in the Log Codes tab. Use this tab to select logs to display in
the SAFE Event Logs table.

ISSAFE230400-UGD-EN-1 User Guide 91


Chapter 3 Configuring the SAFE

• Expand a category by clicking next to the category name. Collapse a


category by clicking next to the category name.
• Click anywhere else in a row to select. Clicking a parent to toggle between
selecting/deselecting all children. Clicking a child selects/deselects only that
item. The Selected column indicated whether or not a row is selected.
• Use Select All and Deselect All to toggle between selecting all available
logs.

4. The Users tab filters event logs by user. Click to expand a parent or to
collapse.

The Roles tab filters event logs according to a user’s SAFE role. Click to
expand a parent or to collapse.

92 OpenText™ EnCase™ SAFE ISSAFE230400-UGD-EN-1


3.7. Accessing event logs

The Time Frame tab filters an event activity by time. The Start Date and Stop
Date selections are independent of each other. If Any Time is selected for Start
Date, a specific date and time or Never can be selected for Stop Date

5. Click Submit to close the Event Log Search, return to the SAFE Event Logs
table, and display your selections.

ISSAFE230400-UGD-EN-1 User Guide 93


Chapter 3 Configuring the SAFE

6. Click in a column header to apply an ascending sort, and again to apply a


descending sort. Hold down CTRL and click another column to retain the sort
order of the first column and apply a sort to the second column.

Click the Export to CVS icon to create a CVS file of the log entry data. The file
is placed in your browser’s download folder.

3.7.1 Access event logs with EnCase Endpoint Investigator


EnCase Endpoint Investigator can access SAFE event logs as well as view and export
event log files for logon, system, role, administration, windows authentication, and
job status events. Your user account must have SAFE access with View Logs (for
user and child logs) or View All Logs (for all logs the keymaster can view)
permission to read event logs.

1. Click SAFE > Events. The Events tab is displayed.

2. In the Table tab, click Read Logs. The Read Logs dialog box opens.

3. The Event Types tab shows event folders and the individual event names
contained in the selected folder.

94 OpenText™ EnCase™ SAFE ISSAFE230400-UGD-EN-1


3.7. Accessing event logs

The Users tab filters event logs by user. When expanded, the left pane shows all
users, while the right pane shows the children of the left pane selection.

The Roles tab filters event logs according to a user’s SAFE identification role.
The left pane shows established access rights, while the right pane shows the
peers of the item selected in the left pane.

ISSAFE230400-UGD-EN-1 User Guide 95


Chapter 3 Configuring the SAFE

The Time Frame tab filters an event activity by time. The Start Date and Stop
Date selections are independent of each other. If Any Time is selected in one, a
specific date and time can be selected in the other.

4. Click OK to return to the main window.

Logs in the selected folder display in the right pane.

96 OpenText™ EnCase™ SAFE ISSAFE230400-UGD-EN-1


3.7. Accessing event logs

3.7.2 Printing or exporting event logs with EnCase Endpoint


Investigator
After obtaining the event logs for Users, Roles, and Time Frame, you can export to a
simple text file.

To export event logs to a file:

1. Select the desired records in the Table pane you want to save.

2. Click the options button in the right corner of the Table tab, then click Save
As in the drop-down menu. The Save As dialog box opens.

ISSAFE230400-UGD-EN-1 User Guide 97


Chapter 3 Configuring the SAFE

• Select the fields to export.


• Select the row numbers to start and stop with. The default is the entire range
of rows.

– If specific rows are selected, you can also opt to export Only Checked
Rows and Show Folders.
• Specify the output Format (Tab delimited, RTF, web page, XML, or Review).
• Designate a location for the saved file.
• Select Open file if you want the file to open after saving.

3. When done, click OK.

98 OpenText™ EnCase™ SAFE ISSAFE230400-UGD-EN-1


3.8. Configuring the Network Plugin Repository

3.8 Configuring the Network Plugin Repository


You can push advanced functionality to standard EnCase agents on your network
using enhanced agent plugins installed in the SAFE Network Plugin Repository.
When an agent on your network is updated with a plugin, it acts as an enhanced
agent for the product it was created for.

The Network Plugin Repository can hold plugins for multiple applications that use
the SAFE. EnCase products can use a combination of standard and enhanced agents
across a network. The enhanced agent can be deployed to endpoints running
Windows and macOS. Agent functionality differs depending on operating system.

New functions are added to the enhanced agent periodically, and functionality
varies between products:

• EnCase Endpoint Investigator and EnCase Information Assurance use the


enhanced agent for remote data acquisition.
• EnCase Endpoint Security runs continuous, asynchronous anomaly scans on
endpoints to detect and alert users to anomalies on their network.

Refer to the release notes of a product to view the latest changes to its plugin.

To update and deploy the enhanced agent to endpoints on your network:

1. Open SAFE configuration in a web browser and log on to the SAFE with an
account that has the Manage Network Plugin Repository permission.
2. Click SAFE Configuration > Network Plugin Repository. The SAFE Network
Plugin Repository page displays a table of plugins added to the repository. The
table will be empty if no plugins have been added.

3. Click Create to add a new plugin. The Enhanced Agent Plugin tab of the Create
Network Plugin Repository page appears.

• If you are upgrading an existing enhanced agent instead of creating a new


plugin, select the existing network plugin for your product and click Edit.
The Edit Network Plugin Repository page for the selected plugin will appear
instead of the Create Network Plugin Repository page, and all options are
the same.
4. In the Source Path field, click Choose File, navigate to the current installation
location for your product, and select the enhanced agent .cab or .zip file. The

ISSAFE230400-UGD-EN-1 User Guide 99


Chapter 3 Configuring the SAFE

enhanced agent file is distributed with your product application when you run
the installer. The file is located in the following default directory: C:\Program
Files\[product name]\lib\EnCaseEA. Information for the selected enhanced
agent plugin is displayed.

Notes

• The Network Plugin Repository can hold enhanced agent plugins for
multiple EnCase products. If you use a SAFE with more than one
product, the plugin corresponding with each product must be installed
to use that product’s enhanced agent functionality.
• EnCase Endpoint Investigator ships with two enhanced agents:
EnCaseEA.cab and plugin.zip. The EnCaseEA.cab is used exclusively
with Windows OS machines. The plugin.zip is cross-platform and
works with Windows OS and macOS machines. OpenText recommends
installing both enhanced agents on the same SAFE to increase collection
flexibility. See the EnCase Endpoint Investigator User Guide for details
about using each enhanced agent.
5. Accept or modify the default settings as appropriate for the product plugin you
are adding:

• For EnCase Endpoint Investigator or EnCase Information Assurance:

100 OpenText™ EnCase™ SAFE ISSAFE230400-UGD-EN-1


3.8. Configuring the Network Plugin Repository

– Select Disk Space Quota (%) to allocate disk space as a percentage of


total disk space available, or enter zero (0) to activate Disk Space Quota
(MB) and select disk space available to the enhanced agent by MB.
– Select Memory Quota (%) to allocate memory space as a percentage of
total memory available, or enter zero (0) to activate Memory Quota (MB)
and select memory allocation available to the enhanced agent by MB.
– Select Timeout (hours) to indicate how many hours a job will sit on the
target machine. If the job is not finished or if the results have not been
retrieved, the job is deleted from the target.
– The Persistent check box describes a feature of the agent. If supported,
the Persistent check box is selected for the SAFE plugin to indicate the
enhanced agent starts and loads the plugin when the machine is powered
on. This check box is not user-selectable.
– Select the Deploy Redistributables check box if you want to deploy
required C++ runtime libraries to the target.
• For EnCase Endpoint Security:

– Accept the default Disk Space Quota, Memory Quota, and Timeout
settings.
– The Persistent check box describes an attribute of the agent. The
Persistent check box is selected for the SAFE plugin to indicate the agent
starts when the machine is powered on and continues to run as long as
the machine is on.
– Select the Deploy Redistributables check box if you want to deploy
required C++ runtime libraries to the target.

6. Click Next to advance to the Network tab.


Use the Network tab to define the nodes or network ranges to be included or
excluded for network plugin access.
Select nodes or IP ranges to be allowed to run the enhanced agent and click Add
to push the plugin to agents to the selected nodes or ranges. Click Subtract to
exclude the selected nodes or IP ranges from pushing the plugin to agents. Click
Clear to assign a neutral state to the plugin. The Add All, Subtract All, and
Clear All buttons can be used to change the state of all items in the table. The
State column indicates an included, excluded, or neutral status for all table
entries.

ISSAFE230400-UGD-EN-1 User Guide 101


Chapter 3 Configuring the SAFE

7. Click Submit to add the plugin to the repository.

3.8.1 Configuring the Network Plugin Repository with EnCase


Endpoint Investigator
EnCase Endpoint Investigator users can configure and manage the Network Plugin
Repository directly from the application or from the web.

To update and deploy the enhanced agent to endpoints on your network using
EnCase Endpoint Investigator:

1. Open EnCase Endpoint Investigator and log on to the SAFE with an account
that has the Manage Network Plugin Repository permission.

2. Select SAFE > Network Plugin Repository from the menu bar. The Network
Plugin Repository tab is displayed.

3. If you are upgrading the enhanced agent, select the existing network plugin for
your product.

Click Delete on the table menu bar, and click Yes in the confirmation dialog.

4. Select New on the table menu bar. The Enhanced Agent Plugin dialog box
opens.

102 OpenText™ EnCase™ SAFE ISSAFE230400-UGD-EN-1


3.8. Configuring the Network Plugin Repository

5. In the Source Path field, navigate to your current installation location for your
product and select the enhanced agent .cab or .zip file. The enhanced agent file
is distributed with your product application when you run the installer. The file
is located in the following default directory: C:\Program Files\[product name]
\Desktop Client\Lib\. Information for the selected enhanced agent plugin is
displayed.

ISSAFE230400-UGD-EN-1 User Guide 103


Chapter 3 Configuring the SAFE

EnCase Endpoint Investigator ships with two enhanced agents: EnCaseEA.cab


and plugin.zip. The EnCaseEA.cab is used exclusively with Windows OS
machines. The plugin.zip is cross-platform and works with Windows OS,
macOS, and Linux machines. Both enhanced agents can be installed on the same
SAFE. See the EnCase Endpoint Investigator User Guide for details about use and
limitations of each enhanced agent.

Note: The Network Plugin Repository can hold enhanced agent plugins
for multiple EnCase products. If you use a SAFE with more than one
product, the plugin corresponding with each product must be installed to
use that product’s enhanced agent functionality.

6. Accept or modify the default settings as appropriate for the product plugin you
are adding:

• For EnCase Endpoint Investigator or EnCase Information Assurance:

– Select Disk Space Quota (Percent) to allocate disk space as a percentage


of total disk space available, or enter zero (0) to activate Disk Space
Quota (MB) and select disk space available to the enhanced agent by MB.

104 OpenText™ EnCase™ SAFE ISSAFE230400-UGD-EN-1


3.8. Configuring the Network Plugin Repository

– Select Memory Quota (Percent) to allocate memory space as a percentage


of total memory available, or enter zero (0) to activate Memory Quota
(MB) and select memory allocation available to the enhanced agent by
MB.
– Select Timeout (hours) to indicate how many hours a job will sit on the
target machine. If the job is not finished or if the results have not been
retrieved, the job is deleted from the target.
– The Persistence check box is cleared and not applicable to these
products.
– Select the Deploy Redistributables check box if you want to deploy
required C++ runtime libraries to the target.
• For EnCase Endpoint Security:

– Accept the default Disk Space Quota, Memory Quota, and Timeout
settings.
– The Persistence check box describes an attribute of the agent. It cannot be
altered. Persistence is checked for the SAFE plugin to indicate the
enhanced agent starts and loads the plugin when the machine is powered
on.
– Select the Deploy Redistributables check box if you want to deploy
required C++ runtime libraries to the target.
7. Click Next. The Network dialog box opens.
8. Select agent machines or IP ranges to be allowed to run the enhanced agent and
click Add Selected Items. A plus sign is displayed over the icons of the selected
machines.
9. Click Finish to close the dialog.
10. Select SAFE > Roles from the menu. The Roles tab is displayed.
11. Select the role you want to add enhanced agent product functionality to and
click Edit. The Role tab of the Edit role window is displayed.
12. Click the Enhanced Agent Plugins tab.

ISSAFE230400-UGD-EN-1 User Guide 105


Chapter 3 Configuring the SAFE

13. Select the enhanced agent plugin for your product and click Allow.

14. Click Finish.

3.9 Generating encryption keys


The SAFE uses a public and private key encryption system to authenticate users.
Keys are generated by users or the system administrator, authorized by the
keymaster, and then distributed to enable users to log on to the SAFE.

Encryption keys are created for two purposes:

1. To create a keymaster account, which is required to install a SAFE server

2. To create user accounts, which are added to the SAFE by the keymaster or a
user with the Administer Users role

Note: Any user who has the Administer Users permission cannot have
any other roles. This account can be used to administer users only. It
cannot be used to acquire data from agent nodes.

• Users cannot log on to the SAFE until their respective accounts have been
added to the SAFE and assigned a role. See Setting up user accounts and
permissions and Setting up user roles.

• Secondary authentication methods can be added to a user account if the


primary authentication method is SAFE Logon. See Setting up user accounts
and permissions.

The SAFE installer can generate keymaster keys. To generate other encryption keys,
use the SAFE web application or the desktop investigation application.

3.9.1 Generating encryption keys using the SAFE web


application
Generate keymaster and user key pairs with the SAFE web application.

1. Open SAFE configuration in a web browser and log on to the SAFE with an
account that has the Administer Users role.

2. Click SAFE Configuration > Generate Encryption Key. The Generate


Encryption Key page is displayed.

3. Enter a Name, New Password, Confirm Password and click Generate Key.
A public and private key set is generated, placed in a zip file, and added to your
browser download folder.

106 OpenText™ EnCase™ SAFE ISSAFE230400-UGD-EN-1


3.9. Generating encryption keys

3.9.2 Generating encryption keys using EnCase Endpoint


Investigator
Generate the keymaster encryption key pair and user key pairs with EnCase
Endpoint Investigator.

1. Launch the desktop application.

2. Click Tools > Generate Encryption Key from the menu bar. The Generate
Encryption Key dialog box opens.

3. Click Next to generate a new key. A progress bar is displayed. When the key is
generated, the Password dialog box opens.

• In the Name field:

– If you are creating a keymaster encryption key pair, enter keymaster.


– If you are creating a user encryption key pair, enter the user name.
• Enter and confirm a password. The Password Quality bar turns green when
you enter a password with sufficient complexity.
• Keep the password in a secure location. You must provide it when you log
on to the SAFE.

– If you lose the keymaster password, you must perform the installation
again.

4. Click Finish to complete the key generation process. The Copy Public Key File
dialog box opens.

5. Accept the default location, or browse to another location, then click Save. The
public and private keys are saved to the specified location.

ISSAFE230400-UGD-EN-1 User Guide 107


Chapter 3 Configuring the SAFE

• If the account is shared by multiple users, we recommend saving the key


pair to a folder that these users have permission to access, such as a folder
named C:\EnCase Keys.

• If you use a network share folder to distribute keys, make sure that keys are
copied locally for the most stable performance.

3.10 Backing up the SAFE


The keymaster or admin user can use the SAFE web application to make a single
backup of the SAFE. The keymaster can create automatic backups according to a
schedule defined by the keymaster.

To create a single backup of the SAFE:

1. Direct your browser to the SAFE web server and log on to the SAFE as
keymaster.

2. Click SAFE Configuration > Backup. A Backup SAFE dialog asks you to
confirm download of a SAFE backup file.

3. Click OK.

A SAFE Backup file (.sbk) is prepared and added to your browser download folder.

To create a SAFE backup schedule:

1. Direct your browser to the SAFE web server and log on to the SAFE as
keymaster.

2. Click SAFE Configuration > Auto Backup. The Backup Configuration dialog
box opens.

• Select the number of backup files to retain


• Select the time the backup should occur

• Select the days of the week you want to create a backup

3. Click OK to save your changes.

SAFE Backup files (.sbk) are saved locally.

To modify a SAFE backup schedule:

1. Click SAFE Configuration > Auto Backup. The Backup Configuration dialog
box opens.

2. Adjust the schedule and click OK to save your changes.

108 OpenText™ EnCase™ SAFE ISSAFE230400-UGD-EN-1


3.11. SAFE configuration package

3.11 SAFE configuration package


The keymaster and admin user can create a file to transfer the configuration of one
SAFE to another. This is useful for establishing disaster recovery plans.

• The SAFE uses the same private key and works with all the agents used by
previous implementations of the SAFE.
• A SAFE keymaster is the only user who can create this package.
• Machine specific information (specifically, SAFE setup) is not replicated.

Prerequisites

Installation of the SAFE must be done with the SAFE configuration file (using
the .sdt extension), the keymaster key file, and the keymaster password.

SAFE Configuration Items

SAFE configuration items include:

• Users
• Config
• Keymaster public
• Network tree
• Role tree
• SAFE Backup Key
• Licenses
• Certs
• Deployment scripts

3.11.1 Creating a SAFE configuration package


To create a SAFE configuration package using SAFE web configuration:

1. Direct your browser to the SAFE web server and log on to the SAFE as
keymaster.

2. Click SAFE Configuration > SAFE Configuration Package. A SAFE


Configuration Package dialog asks you to confirm download of a SAFE
configuration file.

3. Click OK.

A SAFE Configuration file (.sdt) is prepared and added to your browser download
folder.

ISSAFE230400-UGD-EN-1 User Guide 109


Chapter 3 Configuring the SAFE

3.11.2 Installing a SAFE using a SAFE configuration package


To install a SAFE using a SAFE Configuration Package:

1. Initiate the SAFE installation process and advance to the SAFE Private Key
page.

2. Select Install using existing SAFE Configuration Package.

3. Select a SAFE Transfer file (.sdt) in the SAFE Transfer File box.

4. Select a keymaster private key file in the Keymaster Private Key box.

Note: The correct keymaster private key must be used when installing
with a SAFE config package, otherwise the “Decryption key is not the
same” error message will be displayed to indicate the wrong keymaster
private key was used.

5. Enter your keymaster password in the Password box.

6. Click Next and complete the installation workflow.

110 OpenText™ EnCase™ SAFE ISSAFE230400-UGD-EN-1


3.12. Configuring and managing a SAFE mirror set

3.12 Configuring and managing a SAFE mirror set


Once a SAFE has been added to a mirror set, administrators can configure and
manage the SAFE mirror set from either the EnCase Endpoint Investigator
application or the SAFE Configuration web application. Only a user logged on to the
primary SAFE as keymaster is permitted to change SAFE configuration settings.
Only a user logged on to a SAFE in a mirror set (or configured to be part of a mirror
set) as a keymaster can make changes to a SAFE’s mirror set status. Non-keymaster
users can view SAFEs in the mirror set but cannot modify the mirror set.

3.12.1 Viewing the mirror set


You can view the SAFE mirror set from the web SAFE Configuration application or
via EnCase Endpoint Investigator.

From web SAFE configuration:

1. Direct your browser to the web server of a SAFE that is a member of a mirror set,
and log on to the SAFE as keymaster.
2. Select SAFE > Mirror Settings. The SAFE Mirror page is displayed.

Name, Port, and Primary/Secondary status, and Version of all SAFEs in the mirror
set are listed in the table. The Primary SAFE is identified with a dot in the Primary
column. This column is empty for Secondary SAFEs.

From EnCase Endpoint Investigator:

1. Log into any SAFE that is a member of a mirror set.


2. Select SAFE > Mirror Set from the main menu. The Mirror Set tab is displayed.

Name, Port, and Primary/Secondary status of all SAFEs in the mirror set are listed in
the table. The Primary SAFE is identified with a dot in the Primary column. This
column is empty for Secondary SAFEs.

3.12.2 Adding a SAFE to a mirror set


A stand-alone SAFE can be added to a mirror set in one of three ways:

• during new SAFE installation


• using the SAFE configuration web application
• using the EnCase Endpoint Investigator application

The primary SAFE must already be set up before adding a secondary SAFE to a
mirror set. The secondary SAFE must be also installed using the Primary SAFE
Backup.spvk file and the Primary SAFE's keymaster public/private keypair or
keymaster AD authentication according to the instructions in Creating a mirror set.
As long as the SAFE is not currently a member of the mirror set the keymaser can
add it to the mirror set.

ISSAFE230400-UGD-EN-1 User Guide 111


Chapter 3 Configuring the SAFE

From a secondary SAFE, using web SAFE configuration:

1. Direct your browser to the SAFE web server of a non-primary SAFE and log on
to the SAFE as keymaster.
2. Click SAFE Configuration > Mirror Settings. The SAFE Mirror page appears,
and a table lists all SAFEs in the mirror set.
3. Click Change Settings. The Join Mirror dialog box opens.

4. Enter the Primary SAFE Host and accept the Default (SAFE Port) or enter a port
number into the Port field and click Join Mirror. Only hostname and FQDN are
valid values for the Primary SAFE Host box.
5. A dialog box opens asking to confirm joining the secondary SAFE to the Primary
SAFE as a member of the mirror set. Click OK.

The secondary SAFE is added to the mirror set.

From the EnCase Endpoint Investigator application:

1. Log on to the SAFE as keymaster.


2. Select SAFE > Mirror Settings from the main menu. The Join Mirror Set dialog
box opens.
3. Enter the Primary SAFE Host and accept the Default (SAFE Port) or enter a port
number into the Port field and click OK. Only hostname and FQDN are valid
values for the Primary SAFE Host box.

112 OpenText™ EnCase™ SAFE ISSAFE230400-UGD-EN-1


3.12. Configuring and managing a SAFE mirror set

3.12.3 Removing a secondary SAFE from a mirror set


You can remove a secondary SAFE from a mirror set either from the secondary
SAFE or the primary SAFE. OpenText recommends initiating the removal of a
secondary SAFE from a mirror set from the secondary SAFE rather than the primary
SAFE.

From the secondary SAFE, using web SAFE configuration:

1. Direct your browser to the web server of the secondary SAFE in the mirror set,
and log on to the SAFE as keymaster.
2. Click SAFE Configuration > Mirror Settings. The SAFE Mirror page appears,
and a table lists all SAFEs in the mirror set.
3. Click Change Settings to open the Promote/Leave Mirror page.

The page displays the secondary SAFE hostname, port, and two options:
Promote to Primary SAFE and Leave Mirror Set.
4. Select Leave Mirror Set to remove the secondary SAFE from the mirror set.
5. A dialog box opens asking to confirm removal of the secondary SAFE. Click OK.

The secondary SAFE is removed from the mirror set.

Using the primary SAFE to remove a secondary SAFE:

You can remove a secondary SAFE from the mirror set by logging on to the primary
SAFE and removing it there. This option should only be used if the secondary SAFE
crashes beyond repair. Once the affected secondary SAFE is removed from the
mirror set via the primary SAFE, the change will propagate across the mirror set;

ISSAFE230400-UGD-EN-1 User Guide 113


Chapter 3 Configuring the SAFE

however, if the Secondary SAFE were to come back online, it would see it was
removed from the mirror set and add itself back in.

From the primary SAFE, using web SAFE configuration:

1. Direct your browser to the web server of the primary SAFE in the mirror set, and
log on to the SAFE as keymaster.

2. Click SAFE Configuration > Mirror Settings. The SAFE Mirror page appears,
and a table lists all SAFEs in the mirror set. Secondary SAFEs have a Remove
link in the final column of the table.

3. Click Remove in the row of the secondary SAFE you want to remove.

4. A dialog box opens asking to confirm removal of the secondary SAFE. Click OK.

The secondary SAFE is removed from the mirror set.

From EnCase Endpoint Investigator:

1. Log on to the Secondary SAFE as keymaster.

2. Select SAFE > Mirror Settings from the main menu. The Secondary SAFE Mirror
Set dialog box opens.

3. Select the Remove SAFE from Mirror Set radio button in the Mirror Set Action
box and click OK.

The Secondary SAFE is removed from the mirror set.

To remove the secondary SAFE via this method, log onto the primary SAFE, select
the secondary SAFE from the Mirror Set tab and click the Delete button in the tab
header. The secondary SAFE will be removed from the mirror set and the change
will be propagated to all other Secondary SAFEs.

3.12.4 Promoting a secondary SAFE to primary SAFE


A secondary SAFE can be promoted to a primary SAFE in the mirror set via the web
or the EnCase Endpoint Investigator application. This feature might be used if the
administrator is performing maintenance on the Primary SAFE or if the Primary
SAFE machine has crashed.

Promote a secondary SAFE using web SAFE configuration:

1. Direct your browser to the web server of the secondary SAFE in the mirror set,
and log on to the SAFE as keymaster.

2. Click SAFE Configuration > Mirror Settings. The SAFE Mirror page appears,
and a table lists all SAFEs in the mirror set.

3. Click Change Settings to open the Promote/Leave Mirror page.

114 OpenText™ EnCase™ SAFE ISSAFE230400-UGD-EN-1


3.12. Configuring and managing a SAFE mirror set

The page displays the secondary SAFE hostname, port, and two options:
Promote to Primary SAFE and Leave Mirror Set.
4. Select Promote to Primary SAFE to promote the secondary SAFE to primary.
5. A dialog box opens. Click OK to confirm promotion of the SAFE to primary.

The secondary SAFE is promoted to primary SAFE.

Promoting a secondary SAFE using EnCase Endpoint Investigator:

1. Log on to the Secondary SAFE as keymaster.


2. Select SAFE > Mirror Settings from the main menu. The Secondary SAFE Mirror
Set dialog box opens.
3. Select the Promote to Primary SAFE radio button in the Mirror Set Action box
and click OK.

The secondary SAFE becomes the new primary SAFE for the mirror set. If it is
online, the old primary SAFE is demoted to secondary SAFE status. If the old
primary SAFE is offline when the promotion takes place, it is removed from the
mirror set and must be manually added back as a secondary SAFE. To do this, delete
the mirror.edt file from the old primary SAFE installation folder and restart the
SAFE service. It will come up as a stand-alone SAFE. You can then log on to it and
add it in as a Secondary SAFE according to the the instructions here: “Adding a
SAFE to a mirror set” on page 111.

ISSAFE230400-UGD-EN-1 User Guide 115


Chapter 3 Configuring the SAFE

3.13 Configuring SAFE settings for desktop clients


Before EnCase Endpoint Investigator users log on to the SAFE, review and confirm
the default configuration options for the workstations that will access the SAFE.

From the EnCase Endpoint Investigator application:

1. Click Tools > Options. The Global tab opens by default.

2. Select the default SAFE authentication method the application will prompt the
user to use when logging onto the SAFE:

• SAFE User uses the user’s public key credentials associated with their
SAFE user account.
• Current Windows User uses Microsoft Active Directory authentication of
the current logged in Windows user.
• Windows prompt prompts the user to authenticate using their Microsoft
Active Directory credentials.
• Smart Card User authenticates using the user’s smart card and PIN.
• RSA SecurID User logs on to the SAFE using RSA SecurID authentication.

116 OpenText™ EnCase™ SAFE ISSAFE230400-UGD-EN-1


3.13. Configuring SAFE settings for desktop clients

3. Click the Endpoint Investigator tab to review and modify Private Key Caching,
Auto Reconnect Attempts and Auto Reconnect Interval settings.

• Private Key Caching is the length of time the desktop client keeps the
private key password in memory. This allows you to log on and off of the
SAFE without having to re-enter passwords for the specified time period.

– Closing the desktop application clears the cache, so you need to enter
your password again when you open the application.

– The value is set in minutes

– A value of 0 denotes no caching

– A value of -1 allows for infinite key caching

– The value is set to 60 by default

• Auto Reconnect Attempts is the number of times the desktop client tries to
reconnect to an agent node, if the connection between the two is lost, before
giving an error message. If you change the default setting:

– A connection must be established before a device can be added to a case.

ISSAFE230400-UGD-EN-1 User Guide 117


Chapter 3 Configuring the SAFE

– A connection must be maintained throughout a preview or acquisition.


Otherwise, the machine being added, previewed, or acquired is
unavailable.
• Auto Reconnect Intervals is the time, in seconds, that the desktop client
waits between each reconnect attempt if the connection is lost to the agent
node.

4. When you finish, click OK.

5. Copy the [SAFEname].safe file from the SAFE machine to each of the machines
that will access the SAFE. The default location of the [SAFEname].safe file and
all user keys is \EnCase\Keys in the installation folder (typically in your
documents and settings or documents folder). You can also save to a network
share drive, if desired.

3.14 Configure the SAFE and agents for off-net


collection
Off-net collection is a feature used by EnCase Endpoint Investigator and EnCase
Information Assurance. In order to use this feature, you must do the following:

• Use a SAFE with an IP address that is accessible from the Internet.


• Run the SAFE installer and add the SAFE to the SAFE list on the Check In
Information dialog box.
• Add the network plugin appropriate to your product in the SAFE Network
Plugin Repository. See “Configuring the Network Plugin Repository”
on page 99.
• Enable check-in functionality of the agents on the machines where want to
perform off-net collections.

To set up a SAFE and agents for off-net collections via the SAFE installer:

1. Run the SAFE installation wizard on a publicly accessible machine.

Note: See the full SAFE installation procedure at Installing the SAFE.

2. Advance to the Check In Information page.

118 OpenText™ EnCase™ SAFE ISSAFE230400-UGD-EN-1


3.14. Configure the SAFE and agents for off-net collection

3. In the SAFE list box, identify a SAFE with the fully-qualified domain machine
name or IP address and port number. Node machines use this to locate the
SAFE during check-in. There can be more than one machine name or IP address
for the SAFE machine, depending on the setup of the network. A publicly facing
IP address must be used for off-net collection. Use the format:
[IP Address/Machine Name]:[Port]

Where multiple SAFEs are included on the SAFE list, agents check in to SAFEs
in the order in which they are listed. Select the Round Robin SAFE check box to
enable round robin (random) check-in: the agent will be randomly assigned a
SAFE from the list and a check-in is attempted to that SAFE. The list is followed
sequentially after that. If the check box is cleared, check-in occurs sequentially,
starting from the first SAFE on the list.

4. Advance through the remaining installer steps and complete installation.

5. For Windows targets, deploy the Windows agent to the machines you want to
enable off-net collection for using the following command:
setup.exe -c

For other operating systems targets, see related entries in “Deploying and
managing agents“ on page 125.

Your SAFE and agents are ready for off-net collection.

ISSAFE230400-UGD-EN-1 User Guide 119


Chapter 3 Configuring the SAFE

3.14.1 Agent check-in configuration and management


There are several tools available to configure, manage and troubleshoot SAFE/agent
check-in. EnCase Endpoint Investigator and web SAFE configuration can both be
used to modify check-in settings. The agent on target machines can also be accessed
directly to do things like collecting diagnostic information and forcing an agent
check-in. Check-in resources are available for Windows and macOS machines.

Changing and pushing check-in settings from the SAFE

From web SAFE configuration:

1. Log on to the SAFE as keymaster or other administrative user with permission


to modify check-in settings.
2. Select SAFE Configuration > CheckIn Settings. The Check In Information page
appears.

Modify check-in settings as needed.

• Select Push new settings at next Check-In to push any settings to agents
when they next check in. This is selected by default.
• Select Push Plugins at Check-In to push relevant plugins in the SAFE
Network Plugin Repository to agents when they next check in.
• Modify or keep the existing IPs or Machine names list of SAFEs. Only IP
addresses or machine names may be used. The port is required.
• Modify or keep the existing check-in Interval.
• When the Round Robin SAFE setting is selected, the agent check-in will first
be assigned in to a SAFE from the IPs or Machine names list on a Round
Robin (random) basis, and then go through the list sequentially. If this check
box is not selected, the SAFE is assigned in the order it appears on the list.

120 OpenText™ EnCase™ SAFE ISSAFE230400-UGD-EN-1


3.14. Configure the SAFE and agents for off-net collection

Note: Volatile Artifacts Storage Settings are used solely for EnCase
Endpoint Security only and should not be enabled for or used by other
products.

From EnCase Endpoint Investigator:

1. Log on to the SAFE as keymaster or other administrative user with permission


to modify check-in settings.

2. Select SAFE > Check in Settings from the main menu. The Check In
Information dialog box opens.

Modify check-in settings as needed.

• Select Push new settings at next Check-In to push any settings to agents
when they next check in. This is selected by default.
• Select Push Plugins at Check-In to push relevant plugins in the SAFE
Network Plugin Repository to agents when they next check in.
• Modify or keep the existing IPs or Machine names list of SAFEs. Only IP
addresses or machine names may be used. The port is required.
• Modify or keep the existing check-in Interval.
• When the Round Robin SAFE setting is selected, the agent check-in will first
be assigned in to a SAFE from the IPs or Machine names list on a Round

ISSAFE230400-UGD-EN-1 User Guide 121


Chapter 3 Configuring the SAFE

Robin (random) basis, and then go through the list sequentially. If this check
box is not selected, the SAFE is assigned in the order it appears on the list.

Note: Volatile Artifacts Storage Settings are used for EnCase Endpoint
Security only and should not be enabled for or used by other products.

You can also push check-in settings to agents via the Network Target Using SAFE
Agent workflow in EnCase Endpoint Investigator.

Pushing check-in settings via the network target Using SAFE agent workflow

1. For EnCase Endpoint Investigator users, log on to the SAFE as an


administrative user with permission to modify check-in settings.

2. Within a case, select Add Evidence > Preview > Network Target Using SAFE
Agent from the main menu. A dialog displays network targets.

3. Select targets from the table or click the Add Text List button to enter a list of
targets.

4. Press the Push Check-In settings button.

The SAFE attempts to immediately push check-in settings to selected machines.

The command line can also be used on Windows machines to force agent check-in.
Other administrative and diagnostic commands are available. See “Deploying
Windows agents” on page 129.

Agent diagnostic and other commands can be run with agents on other operating
systems, including macOS and *NIX variants. See “Deploying and managing
agents“ on page 125.

122 OpenText™ EnCase™ SAFE ISSAFE230400-UGD-EN-1


3.15. Configuring EnCase Agent Management

3.15 Configuring EnCase Agent Management


EnCase Agent Management (EAM) is a component of the SAFE application and is
installed during SAFE installation. The AMP Service is part of EAM and is also
installed during SAFE installation. The AMP Service runs jobs and collects data for
the SAFE. It also acts as the web server for the EnCase Agent Management module
and SAFE configuration and administration module.

Run the SAFE installer to change SAFE server settings, including:

• AMP web server name and location


• Job and user data storage location
• AMP service port and log listener port
• AMP SAFE user authentication

The EnCase Agent Management module stores jobs and user data on the SAFE
machine in the following default folder location:

C:\ProgramData\OpenText\AMP

Note: In order to store the job output in a network folder, the AMP Service
must be running as an Active Directory user with write permission to the
specified network folder.

ISSAFE230400-UGD-EN-1 User Guide 123


Chapter 4

Deploying and managing agents

The SAFE uses agents installed on individual machines across the network as a
secure way to communicate with and gather information from these machines.
These agents are verified with the SAFE using private/public key encryption and
appear as running services on the target machines.

Once an agent is deployed on the network machine, or node, it runs as a process or


service with administrative privileges and provides full access to the machine. After
the SAFE server authenticates and verifies a command from the examiner, the agent
executes it on the node machine.

To verify agent deployment, see “Verifying agent deployment” on page 163.

To stop or remove agents, see “Stopping and removing agents” on page 165.

4.1 Port configuration


By default, the agent service uses port 4445 to listen for commands from the SAFE
server.

• You can specify a different port as part of the SAFE installation.


• If the SAFE port number and the device port number do not match, you should
specify the agent port number when configuring the SAFE and adding the
machine to the network tab.
• You can specify non-default port numbers:

– Navigate to Add Evidence > Add Network Preview and click Add Text List
at the top of the Add Network Preview dialog.
– Enter the machine name or IP address in this dialog as [machine name or IP]:
[Port number].

• We suggest that machines running on a non-standard port be individually


defined on the Network and Role tabs. By defining the machine on these tabs, the
port information is saved in the network tree, eliminating the need to type it in
the Add Text List dialog each time you connect to the node.
• Verify that the address of the device is specified, either individually or within a
range, in the Network tab.
• You must also define permissions for that machine in the user role.

You must specify the agent port number when connecting. You can install the agent
using the -l switch to specify a different port number.

ISSAFE230400-UGD-EN-1 User Guide 125


Chapter 4 Deploying and managing agents

4.2 Variables
The following variables are used in this chapter to refer to the specifics of your
installation.

Variable Description
<node> Node machine name
<deploy path> Path where the agent will be installed. The following
locations are used:
• Linux: /usr/local/encase
• Solaris: /var/spool/pkg
• AIX: /opt
• macOS: /usr/local/encase (if using xinetd) or /
Library/Startupitems (if using launchd)

<host path> Path on the SAFE machine where the agent resides
(typically C:\Program Files\EnCase SAFE\Agents)
<agent name> Name of the agent or package for Solaris and AIX nodes

Each agent has unique command line switches.

4.3 Deploying agents


Deploying agents consists of using enterprise push technology to install the agent on
a remote machine. All enterprise push technologies require an agent running on the
target systems to deploy and execute files.

The steps for deployment and execution depend on the file used and the method by
which the agent is executed.

You can deploy and execute agents in a variety of ways:

• Deploy an agent as a service.


• Deploy the executable file only and execute it when needed.
• Execute an agent via inetd or xinetd.
• Execute an agent via an initialization script.
• Configure the SAFE so it automatically deploys agents when it encounters a
target that does not already have an agent installed. See “Automatically
deploying agents” on page 127.

Some operating systems write to the registry or other parts of the system when an
executable is launched. To prevent writing to the file system, execute the agent from
other media such as a DVD, although some operating systems do not support
operating the agent from removable media. See “Running Windows agents as a
service or as a process” on page 131.

126 OpenText™ EnCase™ SAFE ISSAFE230400-UGD-EN-1


4.4. Automatically deploying agents

If you execute an agent from another device, you must manually place the media
containing the agent in the appropriate location prior to executing it. For example, if
a DVD containing the agent is placed into a system’s optical DVD drive, you must
know its drive letter before you can execute the agent remotely.

When deploying agents, these files are used:

• The Agent file contains the code to be executed on each network node. The name
of the agent depends on the operating system.
• The Agent Setup file, used on Windows operating systems only, contains
multiple agents and automatically detects which agent to install when you run
the setup file. Its file name is either setup.exe or setup.msi.
• The Agent Package file used on AIX machines contain multiple agents for
multiple versions of the operating systems. The file name is encase.agent.rte.
bff.

• The Agent Configuration file, used for the check-in agent exclusively on *nix
machines, contains the information used to check in what is otherwise contained
in the Windows Registry for Windows machines.

4.4 Automatically deploying agents


You can configure the SAFE to automatically deploy agents if a target does not
already have an agent installed.

These are the requirements to automatically deploy agents:

• You must set up the SAFE service to run under a privileged account with access
to the target machine. Generally, this is a domain account with administrative
access on the target.
• The SAFE user needs to be assigned a role that is configured with the Deploy
Agents permission.
• A master control script creates the agent on the target machine. See “Modifying
control scripts for automatic deployment of agents” on page 128.
• You must select the Deploy agents option.

ISSAFE230400-UGD-EN-1 User Guide 127


Chapter 4 Deploying and managing agents

4.4.1 Modifying control scripts for automatic deployment of


agents
Control scripts are text files that can be modified as desired for the automatic
deployment of agents. These sample scripts are not intended to be executed in a
production environment and should be tailored to operate within your own
environment, depending on the deployment strategy that best suits your specific
needs.

You can modify control scripts using a basic text editor.

All scripts are stored in the [SAFE installation]\Deployments folder.

4.4.1.1 Deployment.wsf
The SAFE uses deployment.wsf to deploy agents. Prior to use, rename
DeploymentExample.wsf to Deployment.wsf and modify it as needed using a text
editor.

Even though the SAFE only uses this single script to deploy the agent, the
Deployment.wsf script can invoke multiple scripts to create whatever deployment
strategy you require. Modify the GetScript() function to run additional scripts
from the deployment.wsf file.

4.4.1.2 Additional control scripts


Several additional sample control scripts are installed in the [SAFE installation]
\Deployments folder. The following control scripts are included to facilitate the
creation of your customized deployment strategy. You can always create additional
control scripts as needed for your specific environment.

• Psexec.wsf

– Psexec is a popular utility you can download from Microsoft free of charge.
– Within psexec.wsf, search for the "psexecpath=" function to point to the
correct location of the tool.
• Wmi.wsf

– This strategy uses the Windows Management Instrumentation infrastructure


built into the Windows operating system.
– No additional script editing is required to use this strategy,
– If WMI is not accessible, this script does not work.
• Ssh.wsf

– This script is used primarily for deployment to UNIX hosts.


– This script automatically determines which UNIX operating system is being
used on the target machine and runs the corresponding installer.

128 OpenText™ EnCase™ SAFE ISSAFE230400-UGD-EN-1


4.5. Deploying Windows agents

– If using this script, an SSH client utility is required to be installed on the SAFE
machine.

○ PuTTY is an SSH client utility for Windows you can download for free
from http://www.putty.org/.
○ Plink.exe is a command-line version of the PuTTY utility and is also
available for download at http://www.putty.org//
– In Ssh.wsf, search for the "sshexec.path=" function to point to the correct
SSH client utility.
• Java.wsf

– This script opens java.exe using the following command line: java.exe
-DservletPath="<AgentPath>" -DIPAddress="<IPAddress>"
-DMachineName="<MachineName>" -jar"<JarFileName.jar>".

– In Java.wsf, search for fname to specify a user-provided jar file that executes
the agent deployment process.
– The jar file must be located in the same folder as the Java.wsf file.

4.4.1.3 Testing control scripts


Assuming you have appropriate permissions for a target, you can use the following
command line to test the control scripts on a target machine:

cscript /NoLogo "<ScriptName.wsf>" /ServletPath:"<Path to Agents>"


/IPAddress:"<IPAddress>" /MachineName:"<MachineName>"

• ServletPath is the full local path for the agent’s location


• IPAddress is the address of the target machine for deployment
• Agents are stored in the <SAFE installation>\Agents\<Operating System>
\<Installer or Agents>\<File> folder

If the command line instructions successfully install an agent on a target machine


configured according to your parameters, then automatic deployment works as well.

4.5 Deploying Windows agents


The Windows agent names are enstart.exe and enstart64.exe. All Windows agent
files are incorporated into a single executable, setup.exe. The setup.msi file can also
be used for installation. This file deploys the agent using Active Directory. For
information about running the Windows ARM agent, see “Running agents on
Windows IoT Core for ARM” on page 140.

The Windows agent includes a snapshot kernel driver integral to the agent, and it is
used when providing snapshot data. This file is named enstart64.sys. It is
automatically dropped into %windir%\system32\ when installing using setup.exe.
If enstart64.exe is manually deployed or running as a process, then this driver file
is not included and memory acquisitions and snapshots are not possible.

ISSAFE230400-UGD-EN-1 User Guide 129


Chapter 4 Deploying and managing agents

The Windows agent is fully compliant with Windows Credential Guard. The
Windows agent is also supported in Device Guard - Enforced mode.

The following case-sensitive options are used with enstart.exe and enstart64.exe:

Option Description
-l <port> Specifies the port where the agent listens.
-diag Returns the following diagnostic codes:
• 0: Status OK
• 1: No Node Certificate
• 2: No Security Key
• 4: No Serv (a problem exists with the service)
• 8: No Port (unable to bind to port, port already in use)

Output to console:
• Agent version
• Checkin configuration: Enabled/Disabled, Round Robin
(True/False), Interval in minutes, Volatile Storage and list of
SAFEs
-f 192.168.0.0:4445 Force check in to the specified SAFE. IP address or machine
name is optional; however, if either is used, the port must be
included. The SAFE IP address or machine name must be on the
list of SAFEs. The command must be issued in the command line
as an administrator for the force check-in to succeed.
-c Starts the server in the console (32-bit agents only).
-h Displays a help message.
-R Reset the Universally Unique ID (UUID) value associated with
the endpoint. For example, enstart64.exe -R.
-run Runs the server in the console.
-U <tag> Set a user defined tag value associated with the endpoint. For
example, enstart.exe -U 112233ad.

The following case-sensitive options are used with setup.exe and setup.msi:

Option Description
-drop Drops this agent to the local directory.
-p <path> Sets the path for installing the agent binaries. The default is
%systemroot%\system32.

-n <name> Sets the name of the agent binary and the service name. The
default is enstart.exe for the binary and enstart for the
Windows Service Name.
-r Removes the service, the registry entry, and the binary. This does
not remove the directory where the binary resides.

130 OpenText™ EnCase™ SAFE ISSAFE230400-UGD-EN-1


4.5. Deploying Windows agents

Option Description
-s Starts the agent in stealth mode, hiding it from the Task Manager
(32-bit agents only).
-l <port> Specifies the port where the agent listens.
-h Displays a help message.
-c Enables check-in. Adds the automatic snapshot interval and
backlog values to the agent. These values are set in the
SAFE installer.

With setup.msi, use this command line:

Msiexec.exe /I setup.msi /quiet ENSTCMDLINE=-c

You can use several methods to deploy agents to Windows machines:

• Active Directory
• Domain Push
• PsTools
• IPC$ and PsExec
• Removable Media and PsExec

The method you use depends on your network configuration and user account/
password policy.

4.5.1 Running Windows agents as a service or as a process


When deploying agents on Windows machines you must determine whether to run
the agent as a service or as a process.

• When running as a service the agent runs every time the network node is
restarted. This method requires making registry entries to the system.
• Running as a process runs the agent once. If the node is restarted, it no longer
runs the agent. Running the agent as a process does not allow memory
acquisitions or snapshots.

ISSAFE230400-UGD-EN-1 User Guide 131


Chapter 4 Deploying and managing agents

4.5.1.1 Running Windows agents as a service


Installing the agent to run as a service requires the setup.exe file. This file identifies
the version of the operating system and installs the correct agent.

Before deploying agents to remote nodes as a service:

• Configure the following Windows Administration tool settings to:

– Enable these Windows services:

○ Remote Procedure Call (RPC)


○ DCOM Server Process Launcher
○ WMI Performance Adapter
– Disable these Windows services:

○ Windows Firewall (or add it to the rules to allow incoming port)


○ In Vista, disable the Windows Firewall service and add it to the rules to
allow incoming port
– Synchronize the Local Security Policy between the remote node and the
deploying machine.

○ Navigate to Administration tools Local Security Policy > Local Policies >
Security Options > Network access: Sharing and security model for local
accounts.
○ Set to Classic.
• Verify you have a SAFE installed and running on your network.

To run your agent as a service:

1. Copy setup.exe or setup.msi from C:\Program Files\EnCase SAFE onto the


node using any push technologies described in this chapter.

2. From the command line, execute one of the following commands:

• For the executable agent, execute setup.exe -<options>.


• For the msi agent, execute msiexec.exe /i setup.msi /quiet ENSTCMDLINE=
"<options>".

– ENSTCMDLINE is case sensitive.


– See additional notes on using the msi agent in this section.

The setup file automatically determines the operating system version and installs the
correct agent.

132 OpenText™ EnCase™ SAFE ISSAFE230400-UGD-EN-1


4.5. Deploying Windows agents

To use the msi agent:

1. If you run the msiexec command on a machine that already has the msi and
agent installed, it uninstalls the msi, but not the agent. Running it again
reinstalls the msi, but it does not affect the agent.

Note: To remove the msi, you must use the /x switch with msiexec.

2. To uninstall the agent and msi using the msi, the only way is to create a batch
file and execute it on the remote system in the same directory that setup.msi is
located. Here is an example of the batch file required:
@echo off
:Uninstall msi package (using /x switch)
Msiexec.exe /x setup.msi /quiet
:Install msi, but feed agent setup file a '-r' to uninstall agent
Msiexec.exe /I setup.msi /quiet ENSTCMDLINE='-r'
:Uninstall msi package (again)
Msiexec.exe /x setup.msi /quiet

If you have a problem feeding the command line options to the msi, you can edit the
msi:

1. Set a Property with a name of ENSTCMDLINE.


2. Set a Value of the command line options, such as -nABCDE_INFOSEC_Svc -c.

Note: If you edit the msi database using tools such as Orca, and set the
above property in the msi, you do not need to send the command line to
the remote system.

4.5.1.2 Running Windows agents as a process


Ensure that you have a SAFE installed and running on your network.

To run an agent as a process:

1. Copy the enstart executable file from C:\Program Files\EnCase SAFE\Agents


onto the node using any push technology. Use enstart.exe for 32–bit systems
or enstart64.exe for 64–bit systems.

Note: If you have not previously run the installer at least once on the
node, copy the setup.exe or setup.msi installer file to the node and
execute it before running the enstart executable.

2. From the command line, execute enstart.exe -run -<options> or enstart64.


exe -run -<options>.

ISSAFE230400-UGD-EN-1 User Guide 133


Chapter 4 Deploying and managing agents

4.5.2 Deploying Windows agents with Active Directory


To deploy agents using Microsoft Active Directory:

1. Identify target systems and users. Make an inventory of the platforms in use
and determine if all target systems are members of the Active Directory.

2. Create a central distribution point. Select a central location where you want to
deploy or initiate agent installation. The target systems must be able to see this
location.

3. Place setup.exe or setup.msi, generated during SAFE installation, in the


central location.

4. Create a push script. This is a custom script that installs the agent from the
central distribution point onto the target system and runs when a user logs in.
This section contains an example of a push script.

5. Deploy the Push Script:

a. Place the script in your Active Directory controller so it runs at login.

b. Place the push script in the location containing the agents.

c. Configure your domain so the script executes each time a user logs on.

d. Place the script on the Active Directory controller under C:\%systemroot%


\sysvol\domain\scripts.

e. Add the script to the Domain Users Properties box under the Profile tab.

f. Logging on to a target system opens and runs a dialog showing enpush.


bat.

4.5.3 Deploying Windows agents using a domain push


If you do not use Active Directory, you can push the agents using your domain.

Verify that you created a push script as described in “Deploying Windows agents
with Active Directory” on page 134.

1. Deploy the push script to a central location on the domain controller.

2. Using User Manager, add a user or group profile pointing to the location of
your push script.

3. Specify in the user’s profile that the agent is installed via the push script when
the user authenticates.

134 OpenText™ EnCase™ SAFE ISSAFE230400-UGD-EN-1


4.5. Deploying Windows agents

4.5.4 Deploying Windows agents using PsTools


The PsExec tool in the PsTools Suite can be used to manually deploy the agent from
a Windows examiner to a Windows NT and Windows 2000 target machine, saving
deployment time when copying files to and deleting from the remote machine and
starting and stopping services throughout the deployment process.

The PsTools suite is available at the Microsoft TechNet Internet site at https://
technet.microsoft.com/en-us/sysinternals/pstools.aspx.

4.5.4.1 Using PsTools to deploy agents to a single machine


Prerequisites for installing PsTools include:

• Knowing the IP address of the node for installing the agent.


• Having an administrative account and password to the node.
• Knowing the absolute path to the agent.

1. Open a command shell on your examiner machine.

2. Execute this command: psexec \\<targetIP> -u <administrative_account> -p


<password> -s -c <absolute_path_to_agent>.

Note: If you do not use the -p option (to allow a password) in the
command line, you must enter it later. When using the -p option, the
administrative level password is displayed in plain text on the screen.

Even though PsExec returns an error, it completes with an error code of zero.
Running net start on the remote machine verifies that enstart is running.

Note: The PsExec utility transmits the password across the network in
plain text, which can cause problems if intercepted by an unauthorized
person using a packet sniffer.

4.5.4.2 Using PsTools to deploy agents to multiple machines


To deploy to multiple machines using PsTools, prepare a text file including the IP
addresses of all of the nodes where you want to deploy the agent.

Also required:

• An administrative account and password to the node


• The absolute path to the agent

1. Open a command shell on your Examiner machine.

2. Execute this command: psexec @e:\deploy\export.txt -u <administrative_


account> -p <password> -s -c <absolute_path_to_agent>.

ISSAFE230400-UGD-EN-1 User Guide 135


Chapter 4 Deploying and managing agents

If the -p option (to allow a password) is not used in the command line, you are
prompted to enter it later. With the -p option used, the administrative level
password is displayed in plain text on the screen. Do not use this option if there are
others you do not want to share this password with.

Note: The PsExec utility transmits the password across the network in plain
text, which can cause problems if intercepted by an unauthorized person using
a packet sniffer.

Even though PsExec returns several errors, it completes each node with an error
code of zero. Running net start on any of the successful remote machines verifies
that enstart is running.

4.5.5 Creating a text file of nodes


When creating the list of nodes where you want to deploy the agent, you can add all
nodes to the network tree, then export the list of machines to a text file. You can then
use this text file to quickly input the list of nodes.

1. Create all the nodes in the Network tab.

2. From the Add Evidence box, select Add Network Preview. The Add Network
Preview dialog box opens.

3. Select the folder containing the nodes to add. To create a partial list of nodes,
blue check the nodes you want to include.

4. Click the Option icon on the far right of the Add Network Preview dialog
and select Save As. The Save As dialog box opens.

• Select Only Checked Rows to include the machines you have blue checked
in the current view only.
• Set the Stop row to the maximum number of rows for EnCase to include in
the export file. To include all machines in the view, set this equal to the last
row number. You must assign this value even if you are exporting only
checked rows.
• Select the Name field only from the list of available fields.
• Keep the Output Format default of Tab Delimited.
• Specify the export path and file name.

5. When you finish, click OK to export the list.

6. In the output file, you must remove the line numbers and column header fields
before PsExec can use the file. You can remove the information by any desired
method. Two suggested methods are:

• Drag and drop the exported file into a blank Excel spreadsheet. Excel
automatically formats the data into two columns. You can delete the first
column and first row for clarity. Alternately, you can copy and paste the list

136 OpenText™ EnCase™ SAFE ISSAFE230400-UGD-EN-1


4.5. Deploying Windows agents

of machines starting on row 2 into a text editor such as Notepad. If the


machine names contain any leading spaces, you can remove them by
performing a find and replace in Excel or Notepad. Set the find value to a
space character, and replace it with nothing.

• Use a text editor capable of selecting columns (such as Notepad++) to


highlight and delete unnecessary information.

4.5.6 Deploying Windows agents using IPC$ and PsExec


To use IPC$ in conjunction with PsExec when deploying agents, you must first map
an IPC$ connection.

You can disable the ability to map an IPC$ connection on the target system, or deny
it through network permissions. You must create the IPC$ connection only if the
account used to log into the client system is not a member of the local administrator
group on the target system(s), or a member of the domain administrator group. You
must have administrator credentials to deploy agents.

4.5.6.1 Creating IPC$ connections


To create multiple specific IPC$ connections, you must create a text file containing
the names of each node.

If you are creating multiple IPC$ connections (specific or all nodes on a subnet),
every node machine must have one common user name.

1. Open a command shell on the examiner machine.

2. Execute one of these commands:

• For a single node: net use \\<node name>\ipc$/u:<username> <password>.

• For multiple, specific nodes: for /f %1 in (<node list>) do net use \\%1\
ipc$/u:%1\<username> <password>.

• For all nodes on a subnet: for /L %1 in (1,1,254) do net use \\<A.B.C>.


%1\ipc$ <username> <password>.

Parameter Description
<node list> Text file containing the list of node names. The default name
is export.txt.
<node name> Name of the node with the IPC$ connection.
<A.B.C> First three octets of the IP address subnet where you want to
deploy (for example, 10.0.0).
<username> Common user name on all systems where you want to
deploy.

ISSAFE230400-UGD-EN-1 User Guide 137


Chapter 4 Deploying and managing agents

Parameter Description
<password> Common password on all systems where you want to
deploy. If you want to be prompted for the password, use
an asterisk (*).

3. If prompted, enter the password for the node and press Enter.

4. Confirm the IPC$ connection by executing the command net use.

After IPC$ is connected, you can deploy by copying the agent to the nodes.

4.5.6.2 Copying the agent using xcopy


After you map an IPC$ connection, do the following to copy the agent to your
nodes:

1. Open a command shell on your examiner machine.

2. Execute one of these commands:

• To copy to a single node: xcopy /v <agent> \\<node name>\c$.


• To copy to multiple specific nodes: for /f %1 in (<node list>) do xcopy /v
/y <agent> \\%1\c$.

• To copy to an entire subnet: for /L %1 in (1,1,254) do xcopy /v /y


<agent> \\<A.B.C>.%1\c$.

Parameter Description
<agent> Name of the agent: usually setup.exe for running
as a service, and enstart.exe for running as a
process.
<node name> Name of the node for the IPC$ connection.
<node list> Text file containing the list of node names. The
default is export.txt.
<A.B.C.> The first three octets of the IP address subnet
where you want to deploy (for example, 10.0.0.).

After copying the agent to the node, you must execute the agent. See “Executing the
agent using psexec” on page 139.

138 OpenText™ EnCase™ SAFE ISSAFE230400-UGD-EN-1


4.5. Deploying Windows agents

4.5.6.3 Executing the agent using psexec


To execute the agent using PsExec, set up the following:

• IPC$ connection established with node


• Agent copied to node
• To execute the agent on multiple specific nodes, you need a text file containing
the names of each node

To execute the agent using PsExec:

1. Open a command shell on your examiner machine.

2. Execute one of these commands:

• To execute an agent on a single node: psexec \\<node name> -s <agent>


<agent options>.

• To execute an agent on multiple specific nodes: for /f %1 in (<node list>)


do psexec \\%1 -s <agent> <agent options>.

• To execute every agent on a subnet: for /L %1 in (1,1,254) do psexec \


\<A.B.C>.%1 -s <agent> <agent options>.

Parameter Description
<node list> Text file containing the list of node names. The
default name is export.txt.
<node name> Name of the node with the IPC$ connection.
<A.B.C.> First three octets of the IP address subnet where
you want to deploy (for example, 10.0.0).
<agent> Name of the agent: usually setup.exe for running
as a service, and enstart.exe for running as a
process.
<agent options> Any agent options you want to use.

Running net start on the remote machine verifies that enstart is running.

ISSAFE230400-UGD-EN-1 User Guide 139


Chapter 4 Deploying and managing agents

4.5.7 Deploying Windows agents using removable media and


psexec
To deploy an agent without copying it to a node, it is best to deploy using removable
media and psexec.

1. Copy your agent to removable media. The agent is typically enstart.exe. Do


not use setup.exe, as it creates a copy of itself on the node machine.

2. Insert the removable media into the node machine.

3. Open a command shell on your examiner machine.


4. Execute the command psexec \\<node name> -s <agent path> -r.

Parameter Description
<node name> Name of the node with the IPC$ connection.
<agent path> Location and path of the agent, usually enstart.exe
for running as a process, or setup.exe for running as a
service.

Running net start on the remote machine verifies that enstart is running.

4.5.8 Running agents on Windows IoT Core for ARM


The Windows ARM agent allows you to perform remote investigations on endpoints
running Windows 10 IoT Core for ARM, with the following limitations:

• The Windows ARM agent does not have an installer, so it must be run as a
process on the target machine.
• Enhanced agent functionality is not supported.

To run the Windows ARM agent as a process:

1. Copy the enstartarm.exe file from C:\Program Files\EnCase SAFE\Agents\


windows\agent\ onto the node using any push technology.

2. From the command line, execute enstartarm.exe -run -<options>.

140 OpenText™ EnCase™ SAFE ISSAFE230400-UGD-EN-1


4.6. Deploying *NIX agents

4.6 Deploying *NIX agents


Because of the number of different distributions in Unix, there is no setup file.
Instead, the agent is provided for you to install as your distribution permits.

The following case-sensitive shell command options are used with all *NIX agents:

Option Description
-d Runs the agent as a daemon.
-diag Output to console:
• Agent version
• Check in configuration: Enabled/Disabled, Round Robin
(True/False), Interval in min, Volatile Storage and list of
SAFEs
-f Force an agent to check in.

To check in to all SAFEs, run command as root: sudo ./enmacos


-f.

To check in to one SAFE, both the SAFE IP address and the port
must be included: sudo ./enmacos -f SAFEIP:PORT.

For AIX, the –p (path) option is required: sudo /usr/local/


encase/enaix64 -p /usr/local/encase -f to check in to
all SAFEs or sudo ./enaix64 -p /usr/local/encase -f
SAFEIP:PORT to check in to a specific SAFE.

-h Displays a help message.


-i Uses stdin/out (inetd or xinetd).
-l <port> Specifies the port where the agent listens.
-p <path> The *NIX agent start location is automatically detected; however,
this command can optionally be used to specify a path that
overrides the auto-detected path. Do not use when running from
read-only media. Do not include the agent itself with the -p
option; instead, provide the path where it resides.

Note: The -p option is required for the AIX agent.

-R Reset the Universal Unique ID (UUID) value associated with the


endpoint. For example, sudo ./enmacos -R.

Note: AIX requires inclusion of the -p option and path to


the file holding the UUID. For example, sudo /usr/
local/encase/enaix64 -p /usr/local/encase -R

ISSAFE230400-UGD-EN-1 User Guide 141


Chapter 4 Deploying and managing agents

Option Description
-U <tag> Set a user-defined tag value associated with the endpoint. For
example, sudo ./enmacos -U 112233ad.

Note: AIX requires inclusion of the -p option and path to


the file holding the user tag.

You can copy the agent to the nodes using one of the following:

• Removable media. See “Deploying *NIX agents using removable media”


on page 142.
• SSH and SCP. See “Deploying *NIX agents using SSH and SCP” on page 143.
• Telnet and FTP. See “Deploying *NIX agents using telnet and FTP” on page 144.

4.6.1 Deploying *NIX agents using removable media


Deploying your agent using removable media offers an extra layer of security
because you do not open a command shell across the network.

To copy the agent using removable media, verify the following:

• Make sure your removable media contains enough storage space to fit the agent
and any additional agent configuration files.
• You must have physical access to the machine where you want to deploy the
agent.
• You must know the specific instructions for mounting the removable media for
your distribution.

To deploy *NIX agents using removable media:

1. Insert media into your SAFE computer or another computer that contains the
agent and agent configuration files.

2. Copy the agent and the agent configuration file to the removable media. The
agent and agent configuration file is usually located at C:\Program Files\
EnCase SAFE\Agents on your SAFE.

3. Remove the media and insert into the machine where you want to copy the
agent.

4. Mount the device using the instructions specified in your operating system
documentation.
For example, this command mounts a floppy drive on a Linux system: mount –F
pcfs /dev/diskette /floppy.

Note: If you are using Solaris, you may need to use the command
volcheck before the mount command, if the mount command generates an
error.

142 OpenText™ EnCase™ SAFE ISSAFE230400-UGD-EN-1


4.6. Deploying *NIX agents

5. Create a destination folder using the command mkdir -p <deploy path>.


6. Copy the agent using the command cp <mount point>/<agent name> <deploy
path>.

If you want to use the check-in feature, follow these steps.

1. Copy the agent configuration file using the command cp <mount point>/
nixcheckin <deploy path>.

2. Rename the nixcheckin file using the command mv nixcheckin .<agent name>.

3. Make the agent executable using the chmod command chmod 700 <deploy
path>.

4.6.2 Deploying *NIX agents using SSH and SCP


Secure Shell (SSH) and Secure Copy (SCP) are recommended over other methods
because they offer an added layer of security.

From a machine containing the agent or installation package:

1. Establish a connection: execute the command ssh2 root@<node>.

2. Enter the password for the root account.

3. Create a destination folder using the command mkdir -p <deploy path>.

4. If you are copying to a location that is not yet mounted (such as a network
share), mount it now.

5. Copy the agent using the command scp2 <host path>\<agent name>
root@<node>:<deploy path>.

6. Enter the password for the root account. The transfer starts.

If you want to use the check-in feature:

1. Copy the agent configuration file using the command scp2 <host path>
\nixcheckin root@<node>:<deploy path>.

2. Enter the password for the root account. The transfer starts.

3. Rename the nixcheckin file using the command mv nixcheckin .<agent name>.

4. Make the agent executable using the command chmod 700 <deploy path>.

ISSAFE230400-UGD-EN-1 User Guide 143


Chapter 4 Deploying and managing agents

4.6.3 Deploying *NIX agents using telnet and FTP


If your node machine does not have Secure Shell (SSH) or Secure Copy (SCP)
installed, you can telnet into the machine and use the File Transfer Protocol (FTP).

To deploy *NIX agents using telnet and FTP:

1. Connect to your node using the command ftp <node>.

2. Enter your user name and password.

3. Enter bin to set the file transfer mode to binary.

4. Transfer the file using the command put <host path>/<agent name> <deploy
path>/<agent name>.

5. If you want to use the check-in feature, transfer the agent configuration file
using the command put <host path>/nixchekin <deploy path>/.<agent name>.

Note: This command transfers and renames the nixcheckin file to a file
with the same name as your agent, preceded by a dot.

6. Enter quit to exit FTP.

7. Make the agent executable using the command chmod 700 <deploy path>.

4.7 Deploying Linux agents


The Linux agent can be installed on x86, x64, ARM, ARM64, and IBM-Z systems.
The 32-bit x86 Linux agent is named enlinuxpc. The x64 Linux agent is named
enlinuxpc64. The 32-bit ARM agent is named enlinuxarm. The IBM-Z agent is
named enibmz64.The agent supports Linux versions that meet or exceed these
criteria:

• The kernel is 2.6.4.


• The operating system uses the Process File System (procfs).
• The C++ standard library is installed.

The Linux agent uses dynamic linking to shared libraries when executed. If the
shared libraries are not installed on the target system, the agent reports an error
upon execution. Execute the command corresponding to your processor version to
list all shared libraries required for the agent to run on your version of Linux.

• ldd ./enlinuxarm
• ldd ./enlinuxarm64
• ldd ./enlinuxpc
• ldd ./enlinuxpc64
• ldd ./enibmz64

144 OpenText™ EnCase™ SAFE ISSAFE230400-UGD-EN-1


4.7. Deploying Linux agents

When using auto-update with a Linux agent, you must execute the agent with a -p
parameter specifying a path to the agent.

To deploy a Linux agent:

1. Copy the agent using removable media, SSH, SCP, Telnet, FTP, etc.

2. Determine how you want to deploy the Linux agent. If running the agent as a
service your answer will be dictated by your system’s current INIT software.
Methods include:

• Deploying the Linux agent as a process


• Deployment using the RPM package
• Deploying the Linux agent as a service utilizing SysV
• Deploying the Linux agent as a service utilizing systemd
• Deploying the Linux agent as a service utilizing upstart

After deployment, verify the agent is connected using one of the methods discussed
in “Verifying agent deployment” on page 163.

4.7.1 Deploying the Linux agent as a process


An agent running as a process on an endpoint will not persist through system
restarts.

To deploy and start the agent as a process:

1. Use WinSCP or another deployment tool to copy the Linux agent file
(enlinuxarm, enlinuxpc or enlinuxpc64) from the [SAFE Installation
Directory]/Agents/Linux on the SAFE machine into /usr/bin/ on the target
machine.

Note: The recommended path is /usr/bin/. If you are using a different


path, you must modify the path in all references below.

2. Change the agent permissions to allow eXecute:


chmod 755 /usr/bin/enlinuxpc64

3. Change the file ownership to root:


chown root:root /usr/bin/enlinuxpc64

4. Install the agent with a daemon -d parameter. Because the agent start location is
auto-detected, -p check-in and auto-update path parameter is optional. If using
-p, the path would be /usr/bin/ if the agent is located at /usr/-bin/
enlinuxpc64. Do not include the agent in the specified path. Optional: specify a
port with a -l parameter, the default port value is 4445.
Format

ISSAFE230400-UGD-EN-1 User Guide 145


Chapter 4 Deploying and managing agents

[Literal/Agent/Location] -d -l [Port#] -p [Path/To/Directory/


Containing/Agent]

Example
Install without check-in/auto-update path: /usr/bin/enlinuxpc64 -d
Install with check-in path: /usr/bin/enlinuxpc64 -d -p /usr/bin/
Install with a non-default port: /usr/bin/enlinuxpc64 -d -l 1337 -p /usr/
bin/

5. If done correctly, the agent should now be listening on port 4445:


netstat -an | grep 0.0.0.0:4445

Note: In certain Linux and Unix distributions the netstat command may
require alteration to return a LISTENING process result, parameters other
than -an may be required, for instance, -e, -ef, -A.

4.7.2 Deploy the Linux agent using the RPM package


You can use the Linux RPM package to deploy the 64-bit agent to Linux systems.
The RPM package is included with the SAFE and can be found at the following
location:

<SAFE install path>\Agents\linux\installer

The following Linux distributions are supported:

• Red Hat 7.x


• Red Hat 8.x
• Red Hat 9.x

Installation

To install, copy the package from your SAFE installation to the Linux machine and
run the following command corresponding to your agent’s version:

sudo rpm -ivh enlinuxpc64-23.4.0-1.el9.x86_64.rpm

Note: After installation is complete service will be enabled and started


automatically.

Files deployed

Full path Description


/usr/lib/systemd/system/ Service that runs the agent after startup
enlinuxpc64.service

/usr/local/sbin/.enlinuxpc64 Checkin configuration (optional)


/usr/local/sbin/enlinuxpc64 Linux agent

146 OpenText™ EnCase™ SAFE ISSAFE230400-UGD-EN-1


4.7. Deploying Linux agents

Note: After installation is complete the enlinuxpc64 service will be enabled and
started automatically.

Other useful commands

Command Description
sudo rpm -Uvh enlinuxpc64-23.4. upgrade the agent
0-1.el9.x86_64.rpm

sudo rpm -e enlinuxpc64 uninstall the agent


sudo rpm -qi enlinuxpc64 get information about the agent (version, install
date, etc.)
sudo rpm -qi enlinuxpc64-23.4. get information about the agent before it is
0-1.el9.x86_64.rpm installed
sudo rpm -ql enlinuxpc64-23.4. get list of files to be installed and installation
0-1.el9.x86_64.rpm location

Limitations

• The RPM package is 64-bit. There is no 32-bit version available.


• The RPM package can only upgrade agents that were installed from an RPM
package. Older agents that were installed by other means must be manually
uninstalled before attempting to install an agent from an RPM package.
• You can only upgrade to an agent with a new version number. If you run
the rpm command with a new package that has the same version number (for
example, re-installed SAFE to change port number), you will get a “{package
name} is already installed” error. You have to use rpm to first uninstall the
running agent before you can install the agent that uses a different port.
• Downgrade is not supported as a single step. The running agent must first be
uninstalled using the sudo rpm -e command. The older agent can then be
installed using the sudo rpm -ivh command.

4.7.3 Enabling the Linux agent for check-in


To enable check-in, the agent must have been deployed with a check-in/auto-update
path via the -p parameter.

To enable the agent for check-in:

1. Copy the nixcheckin file from the SAFE installation directory into /usr/bin/.

Note: The nixcheckin file will not exist if check-in was not enabled in the
SAFE at the time of install.

2. Rename nixcheckin to .enlinuxarm, .enlinuxpc64 or .enlinuxpc depending


on your system:
ARM: mv /usr/bin/nixcheckin /usr/bin/.enlinuxarm

ISSAFE230400-UGD-EN-1 User Guide 147


Chapter 4 Deploying and managing agents

x64: mv /usr/bin/nixcheckin /usr/bin/.enlinuxpc64


x86: mv /usr/bin/nixcheckin /usr/bin/.enlinuxpc

Note: Files preceded by a period are hidden from view by default, but can
still be used and modified. View hidden files with: ls -a [directory]

4.7.4 Deploying the Linux agent with SysV


You can use SysV to deploy and start an agent that persists after a reboot. Deploying
the Linux agent with SysV is recommended only for Linux distributions that don’t
support services.

To deploy and start the agent as a service using sysv:

1. Perform steps 1-3 of “Deploying the Linux agent as a process” on page 145. To
use check-in, follow the procedure in “Enabling the Linux agent for check-in”
on page 147.

2. Using vim or another editing tool, create a service file in the machine’s */init.d
directory.
vi /etc/init.d/enlinuxpc64

Note: This file should be placed in the machine’s */init.d directory. The
exact location varies from build to build. You can locate your
active .service files to find this directory.

As displayed above, the service script can be named enlinuxpc64. An extension


is not necessary.

Note: The following script runs the x64 agent controlled by a service. The
x86 version of the script is identical to the x64 agent as a service, but
references to 64 are removed. Name the script enlinuxpc, and modify all
references in the script below. Modify the ARM version of the script in a
similar way: remove references to 64, name the script enlinuxarm, and
modify all references in the script.

Populate the file with the following:


#!/bin/bash
#
# description: enlinuxpc64
#
PID=`ps -e | grep enlinuxpc | sed -e 's/^ *//' -e 's/ .*//'`
case "$1" in
start)
/usr/bin/enlinuxpc64 -d -p /usr/bin/
echo "Agent LISTENING"
;;
stop)
if [ "${PID}" != "" ]
then
kill ${PID}
fi
status)

148 OpenText™ EnCase™ SAFE ISSAFE230400-UGD-EN-1


4.7. Deploying Linux agents

if [ "${PID}" != "" ]
then
echo "Agent processes running by PID:" && echo "$PID"
else
echo "No agent processes, agent not LISTENING"
fi
;;
*)
echo $"Usage: $0 {start|stop|status}"
exit 1
esac
exit 0

Note: The script runs the agent on port 4445 by default. To specify another
port, use the -l [PORT#] parameter in the deployment line following
start).

3. Create a link file to the newly created script named S94enlinuxpc64 in /etc/
rc3.d (run level 3):

cd /etc/rc3.d

sudo ln -s /etc/init.d/enlinuxpc64 S94enlinuxpc64

4. Change permission and owner to allow eXecute for the new link file:
chmod 755 /etc/rc3.d/S94enlinuxpc64

chown root:root /etc/rc3.d/S94enlinuxpc64

5. Change permission and owner to allow eXecute for the original service file:
chmod 755 /etc/init.d/enlinuxpc64

chown root:root /etc/init.d/enlinuxpc64

6. Start the service:


/etc/init.d/enlinuxpc64 start

Port 4445 should now be listening and the init.d service status should show it as
active.

/etc/init.d/enlinuxpc64 status

Note: This service should persist following a reboot but can be killed as a
process via the command, pkill -9 enlinuxpc*.

Additional useful commands:

Examples below use x64 version of the agent, substitute enlinuxarm or enlinuxpc
with other processors.

Stop the service and agent: /etc/init.d/enlinuxpc64 stop

Check the status of the enlinuxpc64 service: /etc/init.d/enlinuxpc64 status

Select the interface to listen on: enlinuxpc64 -e 172.10.10.1 -d

ISSAFE230400-UGD-EN-1 User Guide 149


Chapter 4 Deploying and managing agents

Note: The —d (run as daemon) command is required when selecting the


interface to listen on.

4.7.5 Deploying the Linux agent with systemd


You can use systemd to run the agent as a service that will persists through a reboot.

To deploy and start the agent as a service using systemd:

1. Perform steps 1-3 of “Deploying the Linux agent as a process” on page 145. To
use check-in, follow the procedure in “Enabling the Linux agent for check-in”
on page 147.

2. Using vim or another editing tool, create a service file in the machine’s */
systemd/system directory.

vi /etc/systemd/system/enlinuxpc64.service

Notes

• This service file should be placed in the machine’s */systemd/system


directory. The exact location varies from build to build. You can locate
your active .service files to find this directory.
• This script runs the x64 agent controlled by a service. The x86 version of
the script is identical to the x64 agent as a service, but references to 64
are removed. Name the script enlinuxpc, and modify all references in
the script below. Modify the ARM version of the script in a similar way:
remove references to 64, name the script enlinuxarm, and modify all
references in the script.

Populate the .service file with the following:


[Unit]
Description=enlinuxpc64
[Service]
Type=simple
ExecStart=/usr/bin/enlinuxpc64 -p /usr/bin/
Restart=always
[Install]
WantedBy=multi-user.target

Note: The script runs the agent on port 4445 by default. To specify another
port, use the -l [PORT#] parameter in the deployment line following
ExecStart=.

3. Enable the service:


systemctl enable enlinuxpc64

4. Start the service:


systemctl start enlinuxpc64

5. Port 4445 should now be listening and a systemctl status should show it as
active.

150 OpenText™ EnCase™ SAFE ISSAFE230400-UGD-EN-1


4.7. Deploying Linux agents

Note: This service should persist following a reboot and cannot be killed
as a process due to the Restart=always parameter. To stop the service you
will need to use the systemctl command.

Additional useful commands:

Examples below use x64 version of the agent, substitute enlinuxarm or enlinuxpc
with other processors.

Stop the service and agent: systemctl stop enlinuxpc64

Check the status of the enlinuxpc64.service: systemctl status enlinuxpc64

4.7.6 Deploying the Linux agent with Upstart


You can use Upstart to deploy the Linux agent as a service. The agent persists after
reboot.

To deploy and start the agent as a service using upstart:

1. Perform steps 1-3 of “Deploying the Linux agent as a process” on page 145. To
use check-in, follow the procedure in “Enabling the Linux agent for check-in”
on page 147.
2. Using vim or another editing tool, create a service file in the machine’s init
directory.
vi /etc/init/enlinuxpc64.conf

Notes

• This service file should be placed in the machine’s */init directory. The
exact location varies from build to build. You can locate your
active .conf files to find this directory.
• This script runs the x64 agent controlled by a service. The x86 version of
the script is identical to the x64 agent as a service, but references to 64
are removed. Name the script enlinuxpc, and modify all references in
the script below. Modify the ARM version of the script in a similar way:
remove references to 64, name the script enlinuxarm, and modify all
references in the script.

Populate the .conf file with the following:


description "enlinuxpc64"
start on startup
stop on shutdown
exec /usr/bin/enlinuxpc64 -p /usr/bin/
respawn

Note: The script runs the agent on port 4445 by default. To specify another
port, use the -l [PORT#] parameter in the deployment line following exec.
3. Reload init configuration:

ISSAFE230400-UGD-EN-1 User Guide 151


Chapter 4 Deploying and managing agents

initctl reload-configuration

4. Start the service:


start enlinuxpc64

5. Port 4445 should now be listening and an initctl status enlinuxpc64 should
show it as active.

Note: This service should persist following a reboot and cannot be killed
as a process due to the respawn parameter. To stop the service use the
initctl command.

Additional useful commands:

Examples below use x64 version of the agent, substitute enlinuxarm or enlinuxpc
with other processors.

Stop the service and agent: initctl stop enlinuxpc64

Check the status of the enlinuxpc64.service: initctl status enlinuxpc64

4.8 Deploying Solaris agents


4.8.1 Solaris agent files
Individual agent files are located on the SAFE machine in C:\Open Text\SAFE\
Agents. Solaris 10 and 11 are distributed as executable only, as no driver is needed.

The Solaris 10 and 11 agent differs from the Linux agent in that it has separate files
for each distribution, and it requires special drivers to function properly. The Solaris
agent names are ensolsparc10 and ensolsparc11.

4.8.2 Solaris version


To deploy the correct agent, you must identify the version of Solaris you are using.
After logging into Solaris, note the information you are given. The version is the
number immediately after the decimal point. For example:

Solaris 11: Oracle Corporation SunOS 5.11 11.0 September 2012

You can also get the version using the command: uname -a

The command gives you the Solaris version in a format such as:

Feb 13 10:07:06 soldev9-64x genunix: [ID 540533 kern.notice] ^MSunOS Release


5.9 Version Generic_112233-07 64-bit

152 OpenText™ EnCase™ SAFE ISSAFE230400-UGD-EN-1


4.8. Deploying Solaris agents

4.8.3 Check before deploying Solaris agents


1. Before deploying Solaris agents, check the following:

• Identify attributes of the target systems, such as DNS names, IP addresses,


and the operating systems.
• Verify that the machine the agent is deployed from has network connectivity
to all target systems.
• We recommend installing an SSH client with file transfer capabilities.
• We recommend running SSHD on the target systems.

Note: Solaris agents function only on SPARC architecture. Intel


architecture is not supported.

2. You must also determine properties for the node where you want to install the
agent.

• Solaris version
• Kernel version

3. Copy your agent to the Solaris node using removable media, SSH and SCP, or
Telnet and FTP.

4. Determine how you want to deploy the Solaris agent. Available methods
include:

• Running the agent as a process


• Deploying using inittab

Verify the agent is connected using one of the methods discussed in “Verifying
agent deployment” on page 163.

4.8.4 Installing the Solaris 11 agent


You must be logged in as root to install the Solaris 11 agent.

The installsol11.sh script helps install the Solaris 11 agent as a service. It will not
work with Solaris 10.

To install the agent:

• Transfer the agent file ensolsparc11 and the installsol11.sh file to the
machine where you want to set up the agent as a service. You can copy the
agent to the Solaris node using removable media, SSH and SCP, or Telnet and
FTP. The script must have executable permission. Both the script and the agent
should be in the same directory. Running the script will install the agent in /
usr/local/encase directory and will register it as a service.

ISSAFE230400-UGD-EN-1 User Guide 153


Chapter 4 Deploying and managing agents

4.8.5 Deploying Solaris agent as a process


You can deploy the Solaris agent as a process. This method works for both Solaris 10
and Solaris 11.

To deploy and start the Solaris agent as a process:

The ensolsparc11 is used in the following example. To deploy on Solaris 10,


substitute ensolsparc10 for ensolsparc11 below.

1. Solaris agents can be found in the SAFE installation directory on the machine
your SAFE was installed on. The default directory for the SAFE installation and
Solaris agent folder is C:\Program Files\OpenText\SAFE\Agents\solaris\
agent.

2. Using a tool like WinSCP, or another method, copy the Solaris agent file
matching the version of Solaris you're deploying to into /usr/bin on the target.
The /usr/bin/ location is an example and is not a required location.

3. Change permissions of the file to allow eXecute: chmod 755 /usr/bin/


ensolsparc11

4. Change the Solaris agent's file ownership to root: chown root:root /usr/bin/
ensolsparc11

5. Install/run the agent as a daemon and specify a check in path, The path should
be /usr/bin/ where the agent is located at /usr/bin/ensolsparc11, and should
not include the agent itself: /usr/bin/ensolsparc11 -d -p /usr/bin/

6. The agent should now be listening on port 4445 (if no port is specified), or the
port you specified. Run netstat -an | grep *.4445 to confirm.

Note: From this point you should be able to create a service manually in
the OS, or use service management software to modify the agent's
automated start up.

The above procedure installs the Solaris agent as a process that will not persist
through reboots. Once the agent runs as a process you can then create a service that
will run the agent the same way at an assigned run level during boot.

Additional information

To install with a non-default port: /usr/bin/ensolsparc11 -d -l 1337 -p /usr/


bin/

Syntax: [PathTo/Agent/Location] -d -l [Port#] -p [Path/To/Directory/


ContainingAgent]

To kill the agent process, use a process kill command: pkill -e -9 /usr/bin/
ensolsparc11

154 OpenText™ EnCase™ SAFE ISSAFE230400-UGD-EN-1


4.8. Deploying Solaris agents

4.8.6 Deploying in Solaris using inittab


You can deploy the Solaris agent via a script, having it executed by inittab at the
desired run level. In Solaris, the desired run level is two.

1. Establish a SSH session: execute ssh2 root@<node>

2. Create a script called <agent name> in the /etc/initd.d directory.

3. Using a text editor such as vi, insert this text into the file:
#!/bin/sh
#This script automatically starts and stops the ensolsparc11 agent
pid=`/usr/bin/ps -e | /usr/bin/grep <agent name> | /usr/bin/sed -e 's/^ *//' -e
's/ .*//'`
case $1 in
'start')
<deploy path>/<agent name> -d -p <deploy path>
;;
'stop')
if [ "${pid}" != "" ]
then
/usr/bin/kill ${pid}
fi
;;
*)
echo "usage: /etc/init.d/<agent name> {start|stop}" ;;
Esac

4. Save the file.

5. To set permissions properly, execute:


chmod 744 /etc/init.d/<agent name>
chgrp sys /etc/init.d/<agent name>

6. You must place a symbolic link in the desired run level to call the script. The
best run level to use in Solaris is run level two. To set this run level, execute:
cd /etc/rc2.d
ln -s /etc/init.d/<agent name> S96<agent name>

To confirm the agent is running, see “Verifying agent deployment” on page 163.

For a list of shell commands for use with Solaris agents, see “Deploying *NIX
agents” on page 141.

ISSAFE230400-UGD-EN-1 User Guide 155


Chapter 4 Deploying and managing agents

4.9 Deploying AIX agents


AIX agents are similar to Solaris agents. The agent name is enaix64. All AIX agent
files are incorporated into a single package, called encase.agent.rte.bff, which can
be installed using the installp utility. The AIX agent requires the –p parameter.

Before deploying AIX agents:

1. Identify attributes of the target systems, such as DNS names, IP addresses and
operating systems.

2. Verify the machine the agent is deployed from has network connectivity to all
target systems.

3. Deploy the agent to the AIX node using removable media, SSH and SCP, or
Telnet and FTP.
We recommend an SSH client with file transfer capabilities and running SSHD
on the target systems.

4. Install the AIX package with the command installp -a -d /opt encase.
agent.rte. Do not enter the bff file extension when entering this command.

Note: You must be logged in as root in order to install the package.

The installer determines the correct agent to install and output information
regarding the install.

The installation finishes with the output encase.agent.rte 5.4.0.0 USR APPLY
SUCCESS.

Verify the agent is connected using one of the methods discussed in “Verifying
agent deployment” on page 163.

4.10 Deploying macOS agents


A single agent is used for macOS systems regardless of processor. The enmacos agent
is used for Mac computers based on Apple M1 and Intel platforms.

Refer to current release notes for your product for important information on agent
compatibility with platforms, operating systems and file systems.

156 OpenText™ EnCase™ SAFE ISSAFE230400-UGD-EN-1


4.10. Deploying macOS agents

4.10.1 SAFE version compatibility


The table below lists the minimum and recommended SAFE versions for recent
macOS versions. For best results, we recommend that you always use the latest
SAFE and agent.

macOS Version Minimum SAFE Version


13 (Ventura) 23.2
12 (Monterey) 21.1
11 (Big Sur) 22.1
10.15 (Catalina) a.11
10.14 (Mojave) a.09
10.13 (High Sierra) a.06.01
10.12 (Sierra) a.03

4.10.2 Adding macOS agents to the allow list during


deployment
Use Team ID and Bundle ID values with your mobile device management
application during agent deployment to seamlessly install on a macOS device
without prompts to the user. There are two sets of Team IDs and Bundle IDs: one is
used to install the agent. The other is used to install the driver. Deploying the agent
on macOS 11 (Big Sur) and later devices only requires the agent. The driver is not
used. Deploying the agent on macOS 10.12 (Sierra) through macOS 10.15 (Catalina)
devices requires installation of both agent and driver. Both Team IDs and Bundle
IDs are used when deploying the agent on these systems.

Agent deployment

Use the following Team ID with your mobile device management application to
deploy the OpenText EnCase agent on macOS devices:

Team ID: 4B9GHJ9X43

Bundle ID: com.opentext.encase.agent

Driver deployment

Use the following Team ID with your mobile device management application to
deploy the OpenText EnCase driver on macOS devices:

Team ID: PB77V4NAXJ

Bundle ID: com.GSI.kext.gsidrv

ISSAFE230400-UGD-EN-1 User Guide 157


Chapter 4 Deploying and managing agents

4.10.3 Deploying agents on macOS versions 10.12 and later


The macOS installer.zip and installer.sh files each include the installer.pkg
and .SAFEPublicKey files needed to deploy the agent.

For a list of shell commands for use with macOS agents, see “Deploying *NIX
agents” on page 141.

4.10.3.1 Agent installation with installer.zip


1. Navigate to the SAFE directory that contains the installer.zip file for macOS.

2. Copy the installer.zip file to the target macOS machine.

Note: When dropping the installer.zip file on a target machine running


macOS 10.15.4 or later, do not place the file in the target Download,
Documents, or Desktop folders as the EnCase agent installer is prevented
by the operating system from accessing them, and agent installation will
fail. Instead, place the installer.zip file in any other folder or /tmp folder
and unzip and install from there.

3. Run the following command to unzip the package:


unzip installer.zip

4. Run the following command to install and run the agent:


sudo installer -pkg ./installer.pkg -target /

4.10.3.2 Agent installation with installer.sh


1. Navigate to the SAFE directory that contains the installer.sh file for macOS.

2. Copy the installer.sh file to the target macOS machine.

Note: When dropping the installer.sh file on a target machine running


macOS 10.15.4 or later, do not place the file in the target Download,
Documents, or Desktop folders as the EnCase agent installer is prevented
by the operating system from accessing them, and agent installation will
fail. Instead, place the file in any other folder or /tmp folder and complete
the installation procedure there.

3. Run the following commands to grant the script permission and execute it:
chmod +x installer.sh

sudo ./installer.sh

The script extracts the installer.pkg and enmacos.SAFEPublicKey files and


runs the installer.

158 OpenText™ EnCase™ SAFE ISSAFE230400-UGD-EN-1


4.10. Deploying macOS agents

4.10.3.3 Removing the agent with terminal or SSH


To remove the agent, run the following commands in Terminal or create a script
including these commands:
sudo launchctl unload -w /Library/LaunchDaemons/com.GSI.Servlet.plist
sudo rm /Library/LaunchDaemons/com.GSI.Servlet.plist
sudo rm /usr/local/sbin/enmacos
sudo rm /usr/local/sbin/enmacos.SafePublicKey

If you are removing the agent from a machine with a macOS version prior to 11, you
can remove the driver by appending the following commands to the ones listed
above:
sudo kextunload -v /Library/extensions/gsidrv.kext
sudo rm -r /Library/extensions/gsidrv.kext

4.10.3.4 Verifying macOS agent deployment


To verify the macOS agent via kextstat:

1. Execute the command kextstat | grep GSI.


2. Verify that com.GSI.kext.gsidrv is loaded.

To verify the macOS agent via netstat:

1. Execute the command netstat -an | grep [port#], replacing [port#] with
your SAFE port.
2. Verify that your SAFE port is open and listening.

To verify the macOS agent via ps:

1. Execute the command ps -aef | grep macos.


2. Verify that /usr/local/sbin/enmacos is running.

4.10.4 Configuring the macOS agent to work with check-in


functionality
To configure the macOS agent to work with check-in functionality:

1. When installing your SAFE, in the Check In Information dialog, specify the IP
address and port of the SAFE.
2. From the SAFE installation directory, copy the nixcheckin file to the target
machine’s agent folder (where you installed the agent).
3. Rename the nixcheckin file to .enmacos (note the dot before the name).
4. Start and restart the agent.

To force check in a macOS agent, the standard -f force check-in command for *NIX
systems is used. See “Deploying *NIX agents” on page 141.

ISSAFE230400-UGD-EN-1 User Guide 159


Chapter 4 Deploying and managing agents

4.10.5 Enabling full disk access for macOS agents


It is important to enable full disk access for macOS agents in order to successfully
collect from all user folders of macOS machines. Enabling full disk access can be
done manually or via mobile device management systems like jamf. Install the
macOS agent prior to enabling full disk access.

To manually enable full disk access on a macOS machine:

1. On the target macOS system, go to System Preferences > Security & Privacy.
The Security & Privacy page opens.

2. Click the Full Disk Access folder from the list on the left.

3. Click the padlock icon. On the dialog that opens, enter a User Name and
Password to unlock Security & Privacy preferences. The padlock icon changes
to unlocked.

4. Scroll through the list on the right and select the enmacos agent.

a. If the enmacos agent is not on the list, click the plus + icon to open a Finder
window.
b. If the usr folder is not visible, press the Command + Shift + Period keys on
your keyboard to make the folder visible.
c. Navigate to: usr/local/sbin/enmacos
d. Select the enmacos application.

The enmacos agent is granted full disk access.

4.10.6 macOS troubleshooting


The following commands are useful when troubleshooting the macOS agent or
when gathering information requested by OpenText Support.

Action Command
Start the agent sudo launchctl load –w /Library/LaunchDaemons/
com.GSI.servlet.plist

Run the command (where port# is the SAFE port).


Stop the agent sudo launchctl unload /Library/LaunchDaemons/
com.GSI.servlet.plist

Load the driver sudo kextutil –v /Library/extensions/gsidrv.kext

Note: Run this command on macOS versions prior to


macOS 11. macOS 11 and later do not use a driver.
Unload the driver sudo kextunload –v /Library/extensions/gsidrv.
kext

160 OpenText™ EnCase™ SAFE ISSAFE230400-UGD-EN-1


4.11. McAfee ePolicy Orchestrator (ePO) integration

Action Command
Output diagnostic enmacos -diag
information about the agent
to console

4.10.6.1 Older macOS agents fail to upgrade


Versions 20.3 and earlier agents running on macOS 10.14.5 and above may fail to
automatically upgrade when connecting to a 20.4 SAFE. A workaround has been
identified and is detailed in OpenText My Support article, KB17026670.

4.11 McAfee ePolicy Orchestrator (ePO) integration


McAfee ePolicy Orchestrator administrators can use ePO to deploy EnCase agents to
ePO-managed nodes. Once installed, the EnCase agent communicates this
information to the ePO agent:

• Installation status
• Language of the machine
• Version of the EnCase agent ePO plugin
• Whether the agent is running
• Directory where the agent is installed
• Version of the installed agent

4.11.1 Checking In the ePO agent package


The SAFE installer creates a folder named ePO in the root of the EnCase SAFE
folder. The installer adds two files: S_EESERV7000.zip and
GuidanceServletExtension.zip to this ePO folder. Record these locations to assist
in checking in the agent package.

To check in the agent package:

1. Log on to McAfee ePO as administrator.

2. From the drop-down menu, select Software.

3. Select Master Repository. The Packages in Master Repository table is displayed.

4. Click Check in Package. The Check In Package dialog box opens.

5. Select Product or Update (.ZIP).

6. Browse to the location of the S_EESERV7000.zip file and click Next. The Package
Options tab displays package information.

7. Click Save to finish placing the package in ePO.

ISSAFE230400-UGD-EN-1 User Guide 161


Chapter 4 Deploying and managing agents

4.11.2 Installing the optional agent extension


Instead of displaying S_EESERV7000 in the McAfee Machine Info tab, you have the
option to install an extension package.

1. On the ePO home page, open the drop-down menu, mouse over Software, and
click Extensions.
2. In the lower left corner of the screen, click Install Extension. The Install
Extension dialog box opens.
3. Click Browse and navigate to the GuidanceServletExtension.zip file. This file
is part of the SAFE installation process, and is stored in the EnCase SAFE\ePO
folder.
4. Click Open. The Install Extension window displays details about the extension
package.
5. Click OK. The Configuration window shows the extension installed
successfully.

4.11.3 Creating an agent deployment task


You must create a client deployment task to deploy agents in ePO.

1. On the ePO home page, click Menu > Policy > Client Task Catalog.

Note: You can drag the Client Task Catalog option and drop it into the top
navigation bar for easier access.
2. The Client Task Catalog is displayed. From the Client Task Types list in the left
pane, select Product Deployment.
3. At the top of the window, click New Task.
4. For the task type, select Product Deployment.
5. Enter information in the appropriate fields:

• Task Name: Enter a task name of your choice.


• Enter a Description (optional).
• For Target Platforms, select Windows.
6. In Products and Components, open the product drop-down menu and select
EnCaseServlet <version>.

• Action: Select Install.


• Language: Select Neutral.
7. In the command line text box, provide the setup arguments needed to copy
setup.exe. Use the arguments listed below to tell ePO where to find the agent
and what agent options to use when deploying it.

162 OpenText™ EnCase™ SAFE ISSAFE230400-UGD-EN-1


4.12. Verifying agent deployment

• Enter -f "<UNC path to the agent setup.exe file>": This must be available
to the target via a network share. We recommend creating a \\share visible
to network targets (nodes) to contain the agent. Copy the current setup.exe
from the root directory of the SAFE to this share, and specify the share path
in the cmd switches when you check in the agent.
• When you update the SAFE, make sure to copy the new agent to the \\share
described above.
• Enter -u <username> .
• Enter -d <domain>.
• Enter -t <password>.
• Enter -o "<setup options>".

Note: -o "<setup options>" must be in quotes for it to be passed to the


agent setup program. For more information on setup.exe options, see
the table in “Deploying Windows agents” on page 129.
• Enter -v <agent version>. Use this option to notify previously installed
agents that an update is needed. It does not matter what specific version
number you enter. When a deployment task executes, ePO checks the client
registry for this version number. If the number in the deployment task is
greater than what exists on the client, then the agent is deployed to the node.

A complete example might look like this (note that the -o argument is not
required and includes optional agent options, which must be in quotes):
-f \\192.168.2.1\share\setup.exe -u john.doe -d mydomain.com -t
password -o "-n custom_agent_name -l 9999" -v 7001

8. Click Save. You can now create a client task assignment to deploy the agent via
individual client task operations or via agent wakeup calls.

Note: Any authentication errors are shown in the log file C:\Windows\Temp
\ServletSetupError.Log on the agent machine.

4.12 Verifying agent deployment


After pushing agents to the machines, check that they are running and
communicating with the SAFE and EnCase application.

Use these methods to verify agents are running properly:

• “Verifying agent deployment with net start command” on page 164


• “Verifying agent deployment with netstat command” on page 164
• “Verifying agent deployment using telnet” on page 164
• “Verifying AIX agent deployment” on page 165
• “Verifying macOS agent deployment” on page 159

ISSAFE230400-UGD-EN-1 User Guide 163


Chapter 4 Deploying and managing agents

You can also verify agent deployment using Sweep Enterprise.

4.12.1 Verifying agent deployment with net start command


To use the Net Start command method, you must have command line access to the
node you want to examine.

1. Open a command shell on the target machine.

2. At the command prompt, type net start and press Enter.

If the default name enstart or enstart64 process is not running, confirm that you
have not renamed the process to something else, or try reinstalling the agent on the
node.

4.12.2 Verifying agent deployment with netstat command


To use the Netstat command method, you must have command line access to your
client and SAFE.

1. Open a command shell on the client machine.

2. At the command prompt, type netstat -na | findstr 4445 and press Enter.

3. Confirm the machine is listening on the port number where your SAFE is
configured. The default port number is 4445.

Repeat steps 1-3 on your SAFE machine to verify it is also listening on the same port.

4.12.3 Verifying agent deployment using telnet


This test requires command shell access from both the SAFE and client machines.
You must turn on the telnet feature in Windows, since this feature is off by default.

1. Open a command shell on the client machine.

2. At the command prompt, type TELNET <IP> <port> and press Enter.

• The IP can be an IP address, host name, or DNS name of the SAFE.


• The port number is the port number the SAFE is listening on, typically 4445.
• If you see an error message, you know the SAFE is not listening on that port:

A successful telnet connection to the SAFE or agent results in a momentary pause


with no feedback in the Telnet window. Press Enter a few times for output to
display.

Repeat these steps on your SAFE machine. This confirms your SAFE can connect to
the client.

164 OpenText™ EnCase™ SAFE ISSAFE230400-UGD-EN-1


4.13. Stopping and removing agents

4.12.4 Verifying AIX agent deployment


You must be logged in as root in order to install the package.

To check the AIX agent:

1. Execute the command lslpp –l | grep encase.


The output is in the format <package name> <version> <status> <comment>.
For example: encase.agent.rte 5.4.0.0 COMMITTED encase AIX agent
2. Compare the status output to the information below to determine if the agent is
operating as expected.

• APPLIED: The specified fileset is installed on the system. The APPLIED


state means the fileset can be rejected with the installp command and the
previous level of the fileset restored. This state is only valid for Version 4
fileset updates and 3.2 migrated filesets.
• APPLYING: An attempt was made to apply the specified fileset, but it did
not complete successfully, and no cleanup was performed.
• BROKEN: The specified fileset or fileset update is broken and should be
reinstalled before being used.
• COMMITTED: The specified fileset is installed on the system. This means
that a commitment was made to this level of the software. A committed
fileset update cannot be rejected, but a committed fileset base level and its
updates (regardless of state) can be removed or reinstalled with the
installp command.

• COMMITTING: An attempt was made to commit the specified fileset, but it


did not complete successfully, and no cleanup was performed.
• REJECTING: An attempt was made to reject the specified fileset, but it did
not complete successfully, and no cleanup was performed.

4.13 Stopping and removing agents


In some circumstances you may want to stop or remove an agent from a node. There
are several ways to do this, depending on the operating system of the node.

ISSAFE230400-UGD-EN-1 User Guide 165


Chapter 4 Deploying and managing agents

4.13.1 Stopping an agent using PsTools


To stop the agent on a node machine using PsKill:

1. Open a command shell on the examiner computer.

2. Execute the command pskill \\<node name> <agent name> with these
parameters:

Parameter Description
<node name> The name of the node machine.
<agent name> The name of the agent, usually setup.exe for running as a
service, and enstart.exe for running as a process.

4.13.2 Removing check-in functionality


The method you use to remove check-in functionality depends on the operating
system of the node.

4.13.2.1 Removing the check-in agent from a Windows computer


You must have command line access on the machine and you must have a copy of
the agent to redeploy.

To remove the check-in functionality on a Windows machine:

• Open a command prompt on the machine. Remove the agent using the
command setup -r.

4.13.2.2 Removing the check-in agent from a Linux computer


Removing the check-in functionality from Linux-based differs from that of Windows
machines, because Linux machines do not have a registry. Removing the
functionality does not require removing and reinstalling the agent.

• From a command shell using either Telnet or SSH, delete the check-in
configuration file using the command rm .<agent name>.

After you delete the check-in configuration file, the agent resumes typical operation.

166 OpenText™ EnCase™ SAFE ISSAFE230400-UGD-EN-1


4.13. Stopping and removing agents

4.13.3 Removing the Windows agent


There are two ways to remove the agent from a Windows machine:

• An automated procedure using a CD at each node.


• A manual procedure you run in command mode at each node.

4.13.3.1 Removing the agent using an automated procedure


Before you start, make sure you have the following:

• You need access to each node machine.


• Each machine must have a removable media device, such as a floppy drive or
CD-ROM drive.
• You need the setup.exe file from your SAFE.

To remove the agent using an automated procedure:

1. Copy setup.exe from your SAFE to the removable media. The file is typically
located at C:\Program Files\EnCase SAFE.
2. Insert the media into the machine where you want to remove the agent. Open a
command window on the machine.
3. Execute the command setup.exe -r.

No output is returned. This stops the enstart service, deletes enstart.exe and
enstart_.sys (regardless of how they were named during installation), and
removes registry entries relating to the agent.

4.13.3.2 Removing the agent manually


To manually remove an agent from a machine, you must have access to the node.

1. Open a command window from the node machine.


2. Execute the command net stop <agent name>.
3. Delete <agent name>.exe and <agent name>_.sys. The files can be located in the
following locations, which vary according to the operating system.

Operating System Location


XP / 2003 C:\Windows\System 32
NT 4.0 / Windows 2000 C:\WINNT\System32

4. Remove the following registry keys using regedit.exe for Windows XP/2003
machines or regedit32.exe for all other machines:

• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root
\LEGACY_ENSTART

ISSAFE230400-UGD-EN-1 User Guide 167


Chapter 4 Deploying and managing agents

• HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\enstart
• HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root
\LEGACY_ENSTART
• HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\enstart
• HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root
\LEGACY_ENSTART

Remove C:\WINDOWS\System32\enstart.exe from the


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows
\CurrentVersion\Setup key.

Notes

• To delete ~LEGACY_ENSTART keys, you must first change permission


to Full Control for Everyone using the appropriate registry editor listed
above.
• All the keys listed in this step may not exist on all machines.

5. Using the appropriate registry editor for your machine, search for and delete
any remaining values and keys that have enstart in the name.

4.13.4 Removing the agent from Linux or macOS


Unlike Windows, Linux does not provide an automatic method of removing agents.
Follow these procedures to manually remove the agent.

4.13.4.1 Determine how the agent is installed


This procedure uses default paths and agent names. If you changed the agent name,
port, or location of the agent, make the appropriate changes when following these
steps.

To perform these commands you must be logged as root or use SU.

1. Make sure the agent is not currently being accessed by EnCase Examiner.

2. Determine if the agent is running as a process. Execute the command:


netstat –an | grep 4445

If your results are similar to the output in this example, the agent is running as a
process:
tcp 0 0 0.0.0.0:4445 0.0.0.0:* LISTEN

3. Determine the agent’s process ID (PID). Execute the command:


ps aux | grep <agent name> | grep -v grep

If your results are similar to the output in this example, the agent is running as a
process:

168 OpenText™ EnCase™ SAFE ISSAFE230400-UGD-EN-1


4.13. Stopping and removing agents

root 2360 0.0 0.1 1400 552 ? S Jun17 0:07 /usr/local/encase/enlinuxpc –d –


p /usr/local/encase

Note: 2360 is the PID on the machine used in this example. The PID on
your machine will differ.
4. If the output to the previous command returns nothing, the agent is probably
running using inetd or xinetd. Determine if the agent is running using xinetd:
look in the /etc/xinetd.d directory for a configuration file typically named
enlinuxpc for Linux or enosx for macOS. If you find the file, the agent is
running using xinetd.
5. If you are using Linux, determine if the agent is running using inetd, view the
contents of the /etc/inetd.conf file. If you find an uncommented line referring
to the agent as in this example, the agent is running using inetd:
enlinuxpc stream tcp6 wait root /usr/local/encase/enlinuxpc enlinuxpc -i
-p /usr/local/encase

6. If you are using macOS 10.4 or later, determine if the agent is launching during
startup: look for a folder called EnCase in the /Library/StartupItems folder.

4.13.4.2 If the agent is running as a process, stop the process


Determine if the agent is running as a process. If so, you must kill the process.

1. To kill the process, you must be logged on as root.


2. Kill the process for the agent: use the command kill -9 <PID number>. The
Process ID (PID) is the PID for your agent, as determined in step 3 above.

4.13.4.3 If the Agent is running as a service, stop the service


If the agent is running using xinetd or inetd, you must stop the service.

1. To stop the service, you must be logged on as root.


2. Stop the service by running the command:
/sbin/services <agent name> stop

4.13.4.4 Delete the agent and configuration files


To delete the agent you must be logged on as root.

1. Delete the agent: execute the command rm –R /usr/local/encase.


2. If the agent is running using xinetd, delete the configuration file: execute
rm /etc/xinetd.d/<agent name>

3. If you are using OS X 10.4 or later and the agent is running from launchd,
remove the directory containing the startup files: execute
rm –R /Library/StartupItems/EnCase

ISSAFE230400-UGD-EN-1 User Guide 169


Chapter 4 Deploying and managing agents

4. If the agent is running using inetd, open /etc/inetd.conf using a text editor
such as vi. Locate and delete (or comment out) the entries referring to your
agent. Save and close the configuration file. Some examples are:
enosx stream tcp6 wait root /usr/local/encase/enosx enlinuxpc -i -p
/usr/local/encase

5. If the agent is running using inetd or xinetd, open /etc/services and


comment out or delete the line referring to your agent.

6. Save and close the file.

4.13.5 Removing the AIX package


To remove the AIX agent package, you must be logged in as root.

1. Remove the AIX package with the command installp -u encase.agent.rte.

Note: Do not type the bff file extension when entering the command.

• The installer determines the correct agent to remove and outputs


information regarding the removal.
• The removal process finishes with the message:
encase.agent.rte 5.4.0.0 USR DEINSTALL SUCCESS

2. Remove the EnCase directory and any remnants with the command:
rm -R /usr/local/encase

170 OpenText™ EnCase™ SAFE ISSAFE230400-UGD-EN-1


Chapter 5
Troubleshooting

If you are installing the SAFE for the first time or are having trouble upgrading, a
section is included for these issues. For post-installation troubleshooting, validate
the following information:

• Check the SAFE status for logon or target connection problems.


• Check the agent status if you are having problems connecting to a computer
running an agent.
• Check the desktop client status if both the SAFE and agents are working, but you
are still experiencing problems.

You must check each component. This is because an error may appear as if the cause
is one component, when the actual source of the problem is in a different
component. Review the following troubleshooting items in the next topics to solve
common problems.

5.1 Resolving installation errors


The following issues may be encountered during installation, update, or downgrade:

Issue Description
SAFE certificate path must There are two causes for this error:
contain a valid path.
• The <SAFEName>.Setup file does not exist at the target
location.
• The <SAFEName>.Setup file is invalid.

See the “Installing the SAFE” on page 12 for steps to


properly generate this file.
Error creating service. Verify that the SAFE port is open and not used by another
Installation failed. process.

ISSAFE230400-UGD-EN-1 User Guide 171


Chapter 5 Troubleshooting

Issue Description
Decryption key is not the Three files are validated during SAFE setup:
same.
• SAFE Private Key.spvk
• <SAFEName>.Machine
• <SAFEName>.Setup

There are two common causes of this error: a file is used


from a different installation, or the hardware on the client
machine has changed.
• Verify the <SAFEName>.Machine file was generated on
the correct machine.
• Verify the SAFE machine has not changed. It is especially
common for virtual machines to change hardware
without direct intervention.
• Upload the files described in the “Installing the SAFE”
on page 12.
Quick update option does not Four files must be present in the SAFE installation directory
appear when running setup. to generate this option:
• <SAFEName>.SAFECert
• <SAFEName>.Machine
• <SAFEName>.Setup
• <SAFEName>.SAFE

Resource update error Installing the SAFE on a machine with anti-virus software
message during SAFE installed can result in a resource update error message. To
installation. resolve the issue, quit the installer and try running the
installer again or disable anti-virus software prior to SAFE
installation.
When performing a SAFE Performing a SAFE update will not properly update the
update, the update fails or Agent subfolders if a folder containing an agent is open in
the update process is Windows Explorer. OpenText recommends refraining from
incomplete. navigating to any of the SAFE installation folders while a
SAFE update is in progress.
Enhanced agents installed on In SAFE versions 21.2 and later, a user has the option to
targets with custom name install the SAFE with an -opt flag and specify custom
values can only be values for the enhanced agent name. Because this feature
uninstalled manually when was only introduced in version 21.2 of the SAFE, it cannot
downgrading to a SAFE be carried over to SAFE version 21.1 or earlier in a
version that does not support downgrade scenario. As a workaround, prior to
custom name values. downgrading to SAFE Version 21.1, any enhanced agents
with custom names must be manually uninstalled from
affected targets.
When downgrading from If you downgrade to SAFE 22.3.1 or earlier from SAFE 22.4
SAFE 22.4 or later to SAFE or later, you must manually delete the following files:
22.3.1 or earlier, downgrade dumpenc.rdb, appendonlyenc.aof. Both files are found in
fails. <ProgramData>\AMP\DB folder, then use the UI installer.
This is required due to a change in the database schema.

172 OpenText™ EnCase™ SAFE ISSAFE230400-UGD-EN-1


5.2. Checking the SAFE status

Issue Description
When downgrading to SAFE If you install the current version of the SAFE on a clean
20.3 or earlier, the cert cannot system, select the Local System account option, use the
be found. installer to import a cert, and then later downgrade to SAFE
20.3 or earlier, you must manually import the cert into the
Local System account's personal cert store. The reason is that
older versions of SAFE look for the cert there, but the 20.4
SAFE installer imports the cert to the Local Machine cert
store.

5.2 Checking the SAFE status


The SAFE service must be running and listening for a client to log on, or connect to
the computers running an agent.

Run services.msc from the Windows command line and locate the EnCase
SAFE service. The status column indicates if the service is running.

To check if the SAFE is listening for the clients, run netstat -na from the command
line. This screen shows that the SAFE service is listening on port 4445. If you
specified a different port number during the installation of the SAFE, then you
should see that port number.

If the SAFE is not started or listening, start the SAFE using the command net start
safe from the Windows command line.

You can also stop and restart the SAFE to refresh the service. To stop the SAFE, use
net stop safe from the Windows command line.

5.3 Stopping or starting the SAFE


To stop a SAFE:

1. Open a command shell on your SAFE machine.

2. Enter the command net stop safe and press Enter.

To manually start the SAFE again, use the command net start safe and press
Enter.

ISSAFE230400-UGD-EN-1 User Guide 173


Chapter 5 Troubleshooting

5.4 Performing a service diagnostic


A SAFE diagnostic outputs valuable information about the status and configuration
of the SAFE service.

1. Open a command prompt as administrator on the SAFE machine and change


directories to the folder where your SAFE is installed.

2. Enter the command safe -diag and press Enter.

The diagnostic output lists status information and configuration settings of the SAFE
service, including your SAFE Certificate expiration date (null for current SAFE
installations), the number of connections, remediation and snapshot flags, and other
information.

Term Action
SAFE Version This indicates the current version of the SAFE. Verify that the
version of the SAFE contains the features you are attempting
to use. Agent version is derived from the SAFE version.
Connections The maximum concurrent SAFE connections should be greater
than the concurrent nodes that you are attempting to access.
Remediation The flag is Y by default for the latest SAFE release. If you are
unable to remediate, verify that the permission is included in
the user role. See “Setting up user accounts and permissions”
on page 63.
Snapshot If the flag reads Y, but you are unable to snapshot, verify that
the permission is included in the user role. See “Setting up
user accounts and permissions” on page 63.
Invalid key data The system hardware no longer matches the
<SAFEName>.Machine file used to generate the SAFE. Back
or up the SAFE installation folder using the key from your
existing installation.
Invalid MAC ID

5.5 Checking the agent status


If you are unable to connect to a computer running an agent and your
troubleshooting determines that the SAFE is operating correctly, check the status of
the agent.

First, ensure that the problem is not related to network connectivity:

• Can the client computer ping the computer hosting the agent?
• Can the client ping the SAFE computer?
• Can the SAFE ping the computer hosting the agent?
• Have you disabled or added an exception for any firewalls?

174 OpenText™ EnCase™ SAFE ISSAFE230400-UGD-EN-1


5.6. Checking the desktop client status

For further agent troubleshooting steps, see the corresponding product user guide
for details.

5.6 Checking the desktop client status


If the SAFE and agents are operating correctly, check the desktop client status.

5.6.1 Licensing errors


Licensing is no longer used with the SAFE. If you are using an earlier version of
SAFE that still uses licensing, refer to the corresponding SAFE User Guide.

If you are experiencing licensing issues with your OpenText EnCase product, see the
installation and configuration section in the user guide of your product.

5.6.2 Errors logging on to the SAFE


There are several error messages you can receive when logging on to the SAFE:

Error Message Resolution


No roles are The keymaster or administrator must verify that a role has been
permitted at this created and assigned to this user. See “Setting up user accounts and
time permissions” on page 63.
Invalid username The user has not been added as a valid user on the SAFE, or the
<username>.publickey file associated with that user does not have
the same name as the user. The keymaster or administrator must
verify that the user key has been added to the SAFE. See “Setting up
user accounts and permissions” on page 63.
No SAFE or user The default path is located under the documents folder associated
keys are present with the profile of the user who is currently logged in. As a result,
different users on the same machine may not have the same files
present in this folder. Two solutions are generally preferred: copy the
keys to the folder under your profile, or create a folder under the root
directory called C:\EnCase Keys. The latter will allow any user to
easily locate the necessary keys. Once the keys have been moved,
perform the following steps for the desktop client:
1. Open the desktop client.
2. On the top toolbar, click SAFE > Logon.
3. Right-click in the white space under User and select Change Root
Path.
4. Browse to the folder where the keys are located and click OK.
5. Repeat this process for the SAFE selection window.
Connection closed The security key is not inserted into the SAFE. Perform the following
steps:
1. Insert the security key into the SAFE machine.
2. Stop the SAFE with the command net stop safe.
3. Restart the SAFE with the command net start safe.

ISSAFE230400-UGD-EN-1 User Guide 175


Chapter 5 Troubleshooting

Error Message Resolution


Node is not a SAFE The agent (or possibly another process) is using the SAFE port on the
SAFE machine. Perform the following steps:
or
1. Uninstall the agent from the SAFE, or stop and disable the service.
Invalid Command See “Stopping and removing agents” on page 165.
58 2. Stop the SAFE with the command net stop safe.
3. Restart the SAFE with the command net start safe.
Invalid SAFE Refer to the table below for more details.
public key

Invalid SAFE Issue Resolution


Public Key
Error Occurs
During
SAFE upgrade, Mismatch between SAFE public key Reinstall using the correct
migration, or and supplied keymaster key. associated keys.
installation
Backup / SAFE transfer file is not
associated with supplied keymaster
key.
SAFE -diag Failed install, wrong keys supplied Reinstall SAFE using the correct
command during installation, migration, or associated keys / files.
upgrade.
or
The SAFE certificate has expired. Reinstall SAFE using updated (non-
SAFE service expired) certificate.
fails to start
SAFE log on via The user keys may have become Reinstall SAFE using the correct
desktop client corrupted. associated keys / files.

or The user keys being used are not


associated with current SAFE.
SAFE log on via
web The .SAFE file has become
corrupted.
The .SAFE certificate has expired. Reinstall SAFE using an updated
(non-expired) certificate.

For additional troubleshooting resources, see the following OpenText My Support


Knowledge Base articles on OpenText My Support (https://support.opentext.com):

• KB0549299 – EnCase - The SAFE service is stopped and cannot be started


manually?
• KB0545915 – EnCase - Error message “Invalid Command 58” appears when
trying to logon to the SAFE

176 OpenText™ EnCase™ SAFE ISSAFE230400-UGD-EN-1


5.7. Viewing and exporting event log files

5.6.3 Desktop client errors connecting to a node


There are several error messages you can receive when connecting to a node:

Error Message Resolution


There are X of X forensic This message appears when the SAFE is using all available
connections available concurrent connections. See “Performing a service
diagnostic” on page 174 to determine how many concurrent
connections your SAFE allows.
Access to <IP address> or Verify that the specified IP or hostname is added to the
<hostname> is denied network and included in your role. The network status must
be set to Included. See “Setting up roles” on page 53.
None of the selected devices There are several possible causes for this error:
are available 1. An agent is not running on the node.
2. Network settings are preventing a connection. See
“Checking the agent status” on page 174.
3. The file system on the target is unsupported.
4. A timeout occurred.
5. The machine is off.
The command is not Role permissions are preventing the SAFE user from
permitted performing an action. See “Setting up roles” on page 53 or
“Setting up user accounts and permissions” on page 63.
SAFE data did not verify. The agent running on the node was not created from the
The SAFE might not be the SAFE that is running. Deploy an agent from the current
right one SAFE.

5.7 Viewing and exporting event log files


You can view and export log files for logon, system, role, administration, Active
Directory authentication, and job status events. The log ID and event messages are
listed below. See “Logon events” on page 177 for details about generating SAFE
logs.

5.7.1 Logon events

ID Event Message
20556 The command is not permitted
19276 Invalid key
20044 Invalid username
20309 User logged on
18005 User logged off

ISSAFE230400-UGD-EN-1 User Guide 177


Chapter 5 Troubleshooting

5.7.2 System events


ID Event Message
17996 Invalid logon packet format
17484 Invalid SAFE
21587 SAFE start
21331 SAFE stop
18003 SAFE startup failed
21071 Orphaned user

5.7.3 Role events


ID Event Message
20035 Connected
17220 Disconnected
17987 Connect failed
21843 Save user failed
21314 Start sweep
17730 Stop sweep
17747 Search
17729 Acquire
21061 EnScript
19541 User Defined Message
17988 Agent Deployment Failed
22340 Agent Deployment Successful

5.7.4 Administration events


ID Event Message
17237 User Created
17493 User Deleted
19797 User Modified
17234 Role Created
17490 Role Deleted
19780 Role Modified

178 OpenText™ EnCase™ SAFE ISSAFE230400-UGD-EN-1


5.7. Viewing and exporting event log files

5.7.5 Active Directory authentication events


ID Event Message
21335 Active Directory Authentication Succeeded
18007 Active Directory Authentication Failed

5.7.6 Job events


ID Event Message
21322 Start Remote Job

ISSAFE230400-UGD-EN-1 User Guide 179

You might also like