Issafe Ugd en
Issafe Ugd en
Issafe Ugd en
User Guide
ISSAFE230400-UGD-EN-1
OpenText™ EnCase™ SAFE
User Guide
ISSAFE230400-UGD-EN-1
Rev.: 2023-Nov-15
This documentation has been created for OpenText™ EnCase™ SAFE 23.4.
It is also valid for subsequent software releases unless OpenText has made newer documentation available with the product,
on an OpenText website, or by any other means.
Tel: +1-519-888-7111
Toll Free Canada/USA: 1-800-499-6544 International: +800-4996-5440
Fax: +1-519-888-0677
Support: https://support.opentext.com
For more information, visit https://www.opentext.com
Disclaimer
Every effort has been made to ensure the accuracy of the features and techniques presented in this publication. However,
Open Text Corporation and its affiliates accept no responsibility and offer no warranty whether expressed or implied, for the
accuracy of this publication.
Table of Contents
1 SAFE Introduction ..................................................................... 7
1.1 The SAFE server .............................................................................. 7
1.2 Interacting with the SAFE .................................................................. 8
1.3 SAFE configuration and management ................................................ 9
1.4 Product licensing ............................................................................... 9
1.5 System requirements ...................................................................... 10
The SAFE (Secure Authentication for Enterprise) is a central component for users of
OpenText EnCase security, forensic, and information assurance products. The SAFE
enables network-based collection, analysis, and investigation via desktop and web-
based clients. The SAFE server administers access rights, provides for secure data
transmission, and brokers communications between endpoints across your network
and EnCase products. Multiple SAFE servers can be installed within an organization
based on factors such as geography, network topology, network speed, redundancy,
and type of endpoint.
This user guide is written for SAFE administrators responsible for the following
tasks:
For information about OpenText products that use the SAFE, see the user or
administrative guide for the corresponding product from OpenText My Support
(https://support.opentext.com).
Refer to the product release notes for specific compatibility details, supported
operating systems, and additional information on third party software.
• Encrypted communication – The SAFE uses 128-bit and 256-bit AES encrypted
data streams to protect inter-component and SAFE-endpoint communication.
• Role-based access controls – The SAFE server uses role-based permissions to
control access and ensure policy enforcement as well as role-based permissions
to control investigative functions, such as acquisitions and image viewing. User-
based permissions apply to administrative functions, such as the ability to add
other users and modify the network. The SAFE administrator can view all rights
for each user, their assigned roles, and all network devices the user can access.
See “Setting up roles” on page 53 and “Setting up user accounts and
permissions” on page 63.
• Logging – Logs are generated for transactions conducted on a particular SAFE
server. These logs can be used to establish an initial chain of custody by
indicating the date and time that a certain network device was previewed or
acquired. The logging also provides security auditing to allow the administrators
of a SAFE server to easily determine how particular investigators have used the
system. See “Accessing event logs” on page 90.
• Job queuing and endpoint queries – EnCase Agent Management, a component
of the SAFE, queues jobs for endpoints and permits administrators to view the
status of endpoints on the network.
• EnCase Endpoint Investigator users interact with the SAFE via web or desktop
clients.
• EnCase Information Assurance and EnCase Endpoint Security users primarily
use a web client to interact with the SAFE.
For EnCase Endpoint Investigator users, the desktop client is installed on a user’s
primary workstation. It uses a secure virtual connection to communicate with target
machines across the network. The number of concurrent connections determines the
number of machines that can be analyzed simultaneously.
When paired with a SAFE, the desktop client enables you to:
The desktop investigative client uses the agent installed on a specific node to
remotely discover, preview, and acquire data.
See “Configuring SAFE settings for desktop clients” on page 116 to configure the
desktop client to perform investigations across the network and to enable access to
the SAFE.
A valid license is required to use the OpenText EnCase products. Physical security
keys, electronic licenses, License Manager, and CodeMeter licenses can be used for
product licensing. For more information about product licensing, see “Product
licensing” on page 9.
For web-based EnCase application users, SAFE access is usually configured by the
SAFE administrator using EnCase Endpoint Investigator or via a standard web
browser.
If your user account is enabled with administrative access to the SAFE, you can
perform numerous administrative tasks either via EnCase Endpoint Investigator or a
standard web browser. The web-based SAFE management module is a component
of the SAFE. It can perform all administrative functions found in EnCase Endpoint
Investigator.
The transition in product licensing to CodeMeter license server began with release
21.1. License Manager, the legacy product licensing mechanism for EnCase
products, will be deprecated in a future release. Documentation for License Manager
that was previously found in the SAFE 20.4 User Guide has been removed from the
SAFE 21.1 User Guide and later versions. For information about License Manager,
refer to the SAFE 20.4 User Guide.
The SAFE web server is automatically installed with the SAFE. It includes the
EnCase Agent Management module and SAFE configuration module and requires
additional disk storage, as noted below.
System Requirements
Class Desktop or server class hardware (64-bit)
Operating System • Windows Server 2016
• Windows Server 2019
• Windows Server 2022
Processor (CPU) • Intel® Core i5, i7, i9
• AMD Ryzen or Epyc
Memory (RAM) 16 GB or more
Hard Drive Capacity 3 GB free space on system volume required for installation
Check the current Release Notes for your product to determine the compatible
version number of the SAFE.
– For the SAFE, the default value for the TCP port is 4445.
• If you intend to use SAFE mirroring and are installing one or more secondary
SAFEs, see “Configuring and managing a SAFE mirror set” on page 111 for a list
of prerequisite steps.
• For the SAFE, if you intend to use features that rely on check-in functionality, the
destination computer must have a public-facing IP address.
Note: If you only use EnCase Forensic, you do not need to install the SAFE.
2.1.1 CodeMeter
As of release 21.4, SAFE does not require a CodeMeter license. CodeMeter runtime is
still installed and used by the SAFE for internal application use. While CodeMeter is
not used by SAFE for licensing, it is used for licensing in other EnCase products.
Refer to product-specific documentation for information about CodeMeter licensing.
With a standard installation, the SAFE generates a machine key calculated based, in
part, on the hardware profile of the machine on which it was generated. Because
virtual machines may regularly use different processing resources, it is
recommended that a hardware-independent SAFE be used in virtual environments.
If you want to upgrade an existing SAFE, you can perform a quick update. See
“Upgrading the SAFE” on page 25.
To install a SAFE:
1. Download and run the SAFE installation wizard from OpenText My Support.
3. Click Next. The End User License page appears the first time a SAFE is
installed on a machine.
4. Select the I agree and accept check box to accept the end user license agreement.
5. Click Next.
The SAFE Private Key page appears.
• Create a new key creates a new set of SAFE encryption keys. This is
typically used when installing a SAFE for the first time, in an environment
using only one SAFE.
• Import existing private key allows you to select an existing private key for
use with the agents. This is typically used when multiple SAFEs are used in
the enterprise environment and matching agents are desired for each SAFE.
Accept the suggested path for the SAFE.PrivateKey or browse to another
location. Enter the password associated with this private key.
• Use key from existing installation updates your current SAFE after you
have opted not to use the quick update feature.
• Read key from SAFE backup token enables you use a key from your
backup file. To install the same SAFE on a new computer, you must have a
backup copy of your SAFE folder, including the SAFE Backup.spvk and the
keymaster.PrivateKey files. You must also know the SAFE backup token
password. If you are adding a SAFE to a mirror set, you must have
previously copied the SAFE Backup.spvk and the keymaster.PrivateKey
from the Primary SAFE to the installation location. See “Creating a mirror
set” on page 35 for more information.
• Uninstall and remove the SAFE stops the SAFE service, and removes the
SAFE from the computer.
• Read from backup lets you restore the SAFE settings from the .sbk backup
file. This file is generated when the keymaster performs a manual backup of
the SAFE configuration. You can also install a SAFE from a backup file using
the command line. Run the SAFE executable and append the following
options: -frombackup [backup file path] -targetfolder [install folder
path].
Note: The SAFE cannot share the port with another application. If you
change the default, confirm there is no conflict with another application.
• Check In Options enables you to configure agents that check on nodes, such
as laptops, that are not connected continuously to the network. This
functionality is available for certain products (such as EnCase Endpoint
– In the SAFE list box, identify the SAFE with the fully-qualified domain
machine name or IP address and port number. Node machines use this to
locate the SAFE on the network. There can be more than one machine
name or IP address for the SAFE machine, depending on the setup of the
network. A publicly facing IP address must be used for some features,
such as off-net collection jobs. Use the format, [IP Address/Machine
Name]:[Port].
– Select the Enabled check box to enable automatic snapshot settings when
manually deploying agents. This feature will only function if your
OpenText application supports automatic snapshot functionality.
– Interval (Minutes) is the interval between snapshots, in minutes.
– Number of snapshots to retain is the maximum number of snapshots
stored.
– We recommend you name the SAFE to reflect the location of the SAFE
within the organization or by number (if there are multiple SAFEs).
– If you are upgrading your SAFE, do not change the existing name.
• Enter a Service Name. This can be the same name as the SAFE.
• Select Enable Event Logging to turn on Windows event logging. This logs
SAFE events to the Windows Event Log.
– With the text logging feature enabled, logs are written as unencrypted
plain text files to the TextLogs subfolder relative to the SAFE installation
folder.
8. If using RSA SecurID authentication, click the Configure RSA SecurID button.
The Configure RSA SecurID page appears.
• Enter the Primary RSA Authentication Server URL and port number
(example: https://dev-rsa-as-01.rd.otex:5555).
• Enter the 1st Replica RSA Authentication Server URL (optional).
• Enter the 2nd Replica RSA Authentication Server URL (optional).
• Enter the Access KEY.
• Enter the Access ID (optional).
• Select the method to register the Authentication Agent Name:
– Use “OpenText EnCase SAFE“ – All SAFEs on your network that use
this option can have RSA SecurID enabled or disabled with a single RSA
Authentication Manager command.
– Use SAFE Server’s FQDN – Select this option to permit the RSA
Authentication Manager administrator to enable or disable RSA SecurID
usage on individual SAFEs.
• Click OK.
• Primary SAFE Host – Enter the hostname or FQDN of the primary SAFE.
An IP address can not be used.
• Port – Enter the port used for SAFE communication. Default port is 4445.
• Update Poll Rate – Enter the interval in minutes at which the secondary
SAFE will poll the primary SAFE.
• Leave Mirror Set – Select this check box if you want to remove this
secondary SAFE from an existing mirror set. This option is only active if the
SAFE is an existing secondary SAFE that is part of a mirror set.
If configuring the SAFE as part of a mirror set, a valid primary SAFE hostname
or FQDN must be entered. When you click Next, an error message will be
displayed if the installer cannot connect with the Primary SAFE.
• Use Keymaster Key Pair – Select this option if you have an existing
keymaster key pair and want to use it.
– The Keymaster Key Path Field in the Existing Keymaster box is active
when the above option is selected. Enter the path to the keymaster file or
click the browse button to navigate to the file.
• Use Active Directory Logon – Select this option if you want to associate the
keymaster with an Active Directory user.
11. Click Next. The SAFE Backup Token Password page appears.
Create a password for the SAFE Backup Token, confirm the password, and click
OK.
The Secondary Authentication page appears.
must be configured during this step of SAFE installation. To skip this step,
keep the default None option. To use additional authentication, select one of
three available authentication options.
○ Click Card... to read the certificate directly from the card. The Select A
Certificate dialog box displays available certificates. Select one and
click OK.
○ Click File... to import the certificate from a file. Two formats are
supported: DER encoded X.509 and Base-64 encoded X.509. Select the
user’s certificate file and click OK. On successful import of the
certificate, the certificate is displayed in the Smart Card Certificate
box.
– Select RSA SecurID Authentication to use RSA SecurID credentials.
13. Select the user EnCase Agent Management will use to authenticate access to the
SAFE.
• Existing User – Select a user from a list of existing SAFE users. The Choose
SAFE User drop-down is visible when you select a user from the list. The
user’s private key or Active Directory password also must be provided.
• New SAFE User(auto-generate keys) – Create a user, called
AMPAutoGenUser_, that is used for the sole purpose of authenticating
AMP access to the SAFE. It is not used for other SAFE functions. No
additional information is needed on this page if this option is selected. This
option is selected by default if there are no existing users.
• New Active Directory User – Select to add an Active Directory user. The
Active Directory Logon Settings box is activated. Select a Domain Trustee
and enter their Password.
• New SAFE User(provide keys) – Select to add a new SAFE user. The
SAFE User Settings box is activated. Select a Private Key File and
corresponding Password.
• Enter the Port number the EnCase Agent Management service will use to
serve web pages, or use the default 8443 value.
• Enter the Log Listener Port number, or accept the default 13000 value.
• Enter the Web Address the SAFE web server will display when serving
pages to SAFE users. The port is automatically appended to the web
address.
• Click the Certificate (optional) button to display the Import a Certificate
dialog box.
Note: If you need to install a new certificate, re-run the SAFE installer.
It is important to install the new certificate and complete the SAFE
installation process before removing old certificates.
15. Click Finish to complete SAFE installation. When finished, the SAFE Setup
Complete page appears.
16. Click Yes to create a copy of the public key certificate for distribution.
17. Select a location for the public key and click OK. A confirmation dialog box
opens.
Collect the following from the administrator of the RSA Authentication Manager
prior to configuring the SAFE:
• Primary RSA Authentication Server URL - The URL (including port number) of
the server hosting RSA Authentication Manager. The port number is typically
5555.
• Replica RSA Authentication Server URLs - The SAFE will automatically fail
over to using these RSA Authentication Servers if the Primary is unreachable.
• Access KEY - A secret key used to prove the SAFE has permission to use the
above Authentication Manager.
• Access ID - A unique identifier of the specific Authentication Manager this SAFE
is using. Optional at this time, but may be required in the future.
• Server certificates for web browsers to validate the RSA Authentication Manager
administration pages.
1. Run the SAFE installer. (See “Installing the SAFE” on page 12)
2. Install the following RSA certificates into Trusted Root Certificate Authorities
for ‘Local Computer’ on the SAFE machine.
When the SAFE is installed, the service is configured to use the Microsoft Windows
Local System account. The SAFE also acts as an agent, and agents must have local
administrative access. In the Windows Administration Tools Service Control
Manager, in the Log On tab, you can change the account the SAFE service uses. This
works as long as this account has local administrative access.
If you change it to an account that has limited rights, then you cannot snapshot or
preview the machine where the SAFE is running. If this is not a problem for you,
then you can use an account that does not have administrative rights. The SAFE
must be able to write to the file system to create user files and logs, and open sockets
and ports for network communications.
Due to the number of possible configurations, we cannot predict that all of them will
work. We recommend that the SAFE run as a Local System. If you change that, we
encourage you to thoroughly test the functionality of the SAFE in your environment.
Note: The quick update option cannot be used to update from any a.xx
SAFE version to SAFE version 20.2 or later. You must follow the Migrate data
from an existing Guidance SAFE option in the SAFE installer first.
If you have a SAFE version a.xx, the quick update feature cannot be used, either by
running the installer or via the command line. You first must migrate your SAFE to
version 20.2 or later. See “Migrating data from SAFE versions a.01 through a.11”
on page 26. If you are upgrading from an earlier version (EnCase SAFE 7m12 or
earlier), see section “Upgrading with EnCase v7m or earlier” in the SAFE User Guide
version 20.4 (or earlier).
If you are unsure which SAFE upgrade path to follow for your organization, contact
OpenText My Support.
2. If you have installed a SAFE with the name “SAFE”, a dialog box opens asking
if you want to perform a quick update.
3. When the quick update process finishes, a dialog box opens indicating whether
the update completed or failed.
Note: If the SAFE has a name other than “SAFE” you can still use the
quick update feature, but you must run the SAFE installer from the
command line and explicitly identify the SAFE name using the following
command: <installer-filename>.exe -update "SAFEName".
Note: A quick update on SAFE version 20.2 or later is not possible unless you
have performed a fresh install of SAFE version 20.2 or later or have previously
used the migrate data option described here first.
To migrate data to SAFE version 20.2 or later fromSAFE versions a.01 through
a.11:
1. Run the SAFE installation wizard. The OpenText SAFE page appears.
4. Accept the license agreement and click Next. The SAFE Private Key page
appears.
• Installs the OpenText SAFE in the folder specified in the first wizard page.
• Migrates the Guidance SAFE registry values into 'HKLM\SOFTWARE\OpenText\
SAFE'.
• Migrates the Guidance SAFE configuration data into the OpenText SAFE install
folder.
• Unregisters the Guidance SAFE service and registers the OpenText SAFE service.
Enable text logging by running the SAFE installation wizard. The Enable Text
Logging check box is found on the Options page.
You can also configure text logging parameters by editing the Windows registry. To
configure text logging parameters, use a Windows registry editor and go to the
following registry location:
KEY_LOCAL_MACHINE\SOFTWARE\OpenText\SAFE
If you use Splunk for security information and event management, you can import
the text logs generated by the SAFE into Splunk.
• HTTP Request/Response
• Connection
Logging can be temporarily enabled and disabled as needed. Log files can be found
here: C:\ProgramData\OpenText\AMP\LogFiles
Note: The log file should show details about the connection made to the
SAFE (AMP server) from the EnCase product when a remote check-in
collection job is run, including cipher suite. The log should have between
seven and eight “AMPService” information entries for that time the request
is submitted from the EnCase application. An entry should have details
about each step in the connection process. If you don’t see any entry after
enabling connection logging, it means the request did not make it to the
server.
• To disable connection logging, enter the following in your browser: https://<AMP
Host>:8443/Configuration/DisableKestrelLog
Append the following options to the SAFE executable in the command line (for
example, <installer-filename>.exe -update "SAFEName") to perform additional
functions:
Contact your local system administrator to generate a PKI certificate. The certificate
must meet the following requirements:
• The certificate is available in the personal store of Local System or the user
running the service.
• The certificate has a private key.
• The certificate is trusted by the operating system.
Follow the workflow from “Installing the SAFE” on page 12, except for the
following:
1. You must run the SAFE installer using the command line and append the -cert
flag as follows:
<installer-filename>.exe -cert
Note: The option to install a certificate is only visible if the installer is run
with the -cert flag. See “Advanced SAFE installation command line
options” on page 30 for details about using this and other flags.
2. At step 7 of the install procedure, where the Options page appears, a Certificate
button will be visible.
3. After completing the first part of the page, click the Certificate button to enter
user credentials to be used by the SAFE service. The User Credentials for
Service dialog box opens.
• Local System account – Use this option to import the certificate into the
current admin user’s cert store and the Local Machine cert store.
• This account – Use this option to import the certificate into the specified
user’s cert store and the current admin user’s cert store.
Note: If the current admin user is manually importing certs for a SAFE
that will run as Local System, then the cert should be imported into the
Local Machine cert store, not the Local System account’s personal store.
The cert should also be imported into the current admin’s personal cert
store. To support backward compatibility, the SAFE service will still run if
the cert is present in the Local System account’s personal cert store. If the
current admin user is manually importing certs for a SAFE that will run as
another user, then you should import the cert in the other user’s personal
cert store and the current admin’s personal cert store.
5. Enter Domain Name, User Name, and Password of the certificate holder to be
used by the SAFE service account for authentication.
• If you are manually importing certs for a SAFE that will run as another user,
then you should import the cert in the other user’s personal cert store and
the current admin’s personal cert store.
7. Select a certificate and click OK to return to the SAFE installer Options page.
8. Click OK to move to the next page. The remaining installation steps are the
same as found in “Installing the SAFE” on page 12.
When you install the SAFE on a machine, the SAFE Configuration Tool is
automatically placed with the SAFE files. If you do not have EnCase Endpoint
Investigator, the SAFE Configuration Tool can be used to set up and administer your
SAFE.
3. Select the check box to agree to the terms of the license agreement.
5. A dialog box opens to indicate that indicates the installation was successful.
Click Close.
Installations that use SAFE mirroring and agent check-in can see improved check-in
performance.
Once Primary and Secondary SAFEs are installed, they can be managed via a web
browser or EnCase Endpoint Investigator. The SAFE installer can also be used to
perform some mirror set management functions.
The following SAFE configuration values are kept in sync between all members of a
mirror set:
• Network
• Roles
• Users
• Network Plugin Repository
• SAFE Check-in settings
• Most SAFE registry settings
• Keymaster Key/AD keymaster SID
• Additional Keymaster security settings
Before you install a Secondary SAFE, collect resources from the Primary SAFE
installation:
Once you have these, use the SAFE installation procedure below. At least one
Secondary SAFE is required to create a mirror set.
• Add the Primary SAFE name or FQDN in the Primary SAFE Host field in
the box. IP addresses cannot be used.
• Enter the Port used by the Primary SAFE if it differs from the default 4445.
• Accept the default Update Poll Rate of 5 minutes or adjust to a different
number.
• Click Next. If the Primary SAFE is successfully contacted, the installer moves
on to the next step.
4. On the Generate Keymaster Keys step, enter the keymaster information
according to your primary keymaster authentication method.
• If you are using keymaster key pair for primary keymaster authentication,
select Use Keymaster Key Pair option and enter the path to the Primary
SAFE Keymaster public key in the Keymaster Key Path field.
• If you are using AD authentication for primary keymaster authentication,
select Use Active Directory Login option and enter the AD keymaster
account in the Active Directory Keymaster field.
5. Continue with the installation. Some later options will be greyed out because
they are not allowed when creating a Secondary SAFE. When installation is
complete and the new SAFE starts up it will contact its Primary SAFE and sync
down the latest SAFE configuration.
• Configure the desktop client machines. See “Configuring SAFE settings for
desktop clients” on page 116
• Log on to the SAFE. See “Logging onto SAFE configuration via the web”
on page 39
• Set up the network tree. See “Setting up the network tree” on page 46.
• Set up roles and associate the network tree with the roles as needed. See “Setting
up roles” on page 53
• Set up users and associate roles with users as needed. See “Setting up user
accounts and permissions” on page 63
• Deploy agents. See “Deploying and managing agents“ on page 125
Once you have installed the SAFE you are ready to configure your it for use.
• define and manage your network topology for use by the SAFE
• create, define, and manage roles
• create, define, and manage user accounts
• manage and view events and logs
• manage network plugins
• generate encryption keys
SAFE configuration in this chapter is primarily described using the SAFE web
interface. EnCase Endpoint Investigator users can also use the application’s built-in
SAFE configuration tools. EnCase Endpoint Investigator workflows are similar to
those found in the web interface, and differences are documented where they exist.
Where <SAFEname> is the name or IP address of the SAFE and <port> is the port
number of the SAFE you want to configure. The SAFE Sign in page and SAFE
User Login box are displayed.
2. Sign in via the default SAFE User Login method, or click the Sign In link in the
top right of the window to select a different sign in authentication method from
the drop-down list.
• Login - SAFE User Login is the default SAFE authentication method and
requires the user Private Key file, username, and password.
• Active Directory Login - This authentication method requires username and
domain for the Username field and password.
• RSA SecurID Login - This authentication method requires the username for
the RSA SecurID User field.
Note: Sign in via the Smart Card authentication method is not supported
via a web browser.
a. For SAFE User Login, click the Choose File button to open a file chooser
dialog box.
b. Navigate to the location of your keymaster.privatekey or other user file.
Select it and enter OK. The file chooser closes, and the private key file and
username are inserted into the corresponding fields of the SAFE User Login
box.
c. Enter the password and click Login to access the SAFE configuration page.
The SAFE configuration home page displays SAFE details and current
logged in user.
When the keymaster or administrative user is successfully signed in to the SAFE, all
SAFE configuration options are available from the menu. SAFE configuration
options will not be visible to other users.
2. Click the Logon to SAFE button in the SAFE box of the home page. The Logon
dialog box opens.
If no users are displayed, or to select different users, right-click Users and select
Change Root Path from the context menu. Navigate to the current encryption
key location for users and keymaster.
3. Select the desired user and enter the password for that user. Click Next.
If no SAFEs are displayed or to log onto another SAFE, right-click SAFEs and
select Change Root Path from the context menu. Navigate to the location of the
desired .SAFE file.
4. Right-click the SAFE for which you want to set the options and select Edit. The
SAFE Options dialog box opens.
Note: This port must match the port you want your agents to
communicate on.
• If the SAFE resides outside your firewall, select Remote SAFE.
– Select None when the target system cannot establish a connection with a
client. All traffic is redirected through the SAFE server to increase
communication times. It also provides the investigator the ability to
obtain data otherwise not available.
– Enable Client to Node (Local) when the client (desktop application) and
the node (agent) reside on the same network, and the SAFE resides on a
different network. This allows data to transfer directly from the node to
the client, after the client successfully authenticates through the SAFE.
Note that the client uses the IP address that the node believes it has,
rather than the IP address the SAFE has for the node. In this
configuration, design the network so that all the company’s employees
are located on the corporate desktop network, and employ routing and
Network Address Translation (NAT).
– Client to Node (SAFE) enables Network Address Translation (NAT),
where a private IP address is mapped to a public IP address. Typically,
the SAFE and node reside on the same subnet, and the client on another.
This allows data to transfer directly from the node to the client, after the
client successfully authenticates through the SAFE. The client also uses
the IP address that the SAFE believes the node has, rather than the IP
address the node reports it has, to allow a direct connection between the
client and node machine. This option is enabled by default.
– Node to Client is similar to the Client to Node (SAFE), except that the
node attempts the direct connection to the client. Use this option when
you want direct data transfer between the node and the client, and where
NAT or a firewall prohibits the node from sending data directly to the
local IP or default port of the client. Once you check this option, the client
return address configuration box and port selector become available to
enter the NAT IP address and custom port.
• Priority raises or lowers an agent’s resource usage for the thread that
controls the connection conducting a preview, acquisition, or sweep. Note
that this does not affect the agent process itself. This feature is useful for
investigating machines when the examination is very sensitive, or with
production servers constantly running CPU-intensive processes.
• Client Return and Port are disabled by default.
3.3 Logout
To log out of the current SAFE via a web browser:
1. Click the username in the top right corner of any SAFE web page. A log out
option is displayed.
2. Click Logout.
Before you set up your network tree, compile a list of the IP addresses or machine
names of all nodes where agents have been or will be deployed. Use folders to
organize your network tree.
2. Click an existing parent folder and the New Folder button to create a child
folder of the parent, or select Network to create a new parent folder at the top
level.
3. Click a parent folder and Create to add nodes or IP ranges to that folder. The
Create New Network page is displayed.
• Name – When naming a node, an IP address, host name, or DNS name can
be used. IP addresses can be expressed using CIDR notation. IPv4 and IPv6
formats are supported. When naming a range, certain characters are not
permitted in this field.
• Comment – Use this field to distinguish machines and ranges when viewing
the network tree.
• Keep the default value in the Port box to use the default SAFE port number.
Otherwise, manually select another port number.
• To manually enter an IP range with start and stop IP addresses, click the IP
Range check box and specify the start and stop IP addresses. IPv4 and IPv6
format are supported.
4. Click OK.
You can also use the SAFE web configuration interface to import a list of individual
targets or IP ranges into your network tree. Import targets from a text file in a
standard tab-separated format. Your user account must have the Edit Network
Layout permission.
1. Log onto the SAFE via a web browser and navigate to the SAFE Configuration
home page.
Click SAFE Configuration > Network from the drop down menu . The
Network page appears.
Note: You can pre-select the import location on the Network page or
advance to the Import Network List from a File page and set the location
there.
2. Click Import. The Import Network List form a File page appears.
Note: You can also directly access the Import Network List from a File
page directly from the SAFE Configuration web menu.
3. In the File to Import box, click the Choose File button in the Import File
Location field. Navigate to and select the import file. Click Open to select the
file.
4. In the Select a Folder box, select a location for your import list. Accept the
default top-level Network location or navigate to a subfolder to import the list
there.
5. Click OK.
Note: Entries that fail validation are skipped. Machine name, cannot be greater
than 49 characters and may not contain any disallowed characters like slashes,
commas, and spaces. The comment field has maximum length of 150
characters.
To add individual folders, nodes, and ranges to your network with EnCase
Endpoint Investigator:
The Tree pane displays the network. The Table pane displays the contents
selected in the Tree pane.
a. Click a folder in the Tree pane or double-click a folder in the Table pane to
add to that folder.
b. Click New from the Network tab or Table pane. The New Machine
dialog box opens.
• Select Default if you used the default port number (4445) when installing
your SAFE. Otherwise, manually select another port number.
• To manually enter an IP range with start and stop IP addresses, click the IP
Range check box and specify the start and stop IP addresses. IPv4 and IPv6
format are supported.
5. Click OK.
2. Select SAFE > Network. The Network table is displayed in the table pane.
4. Select the Only Checked Rows check box if desired. Enter the name of the
output file. Select the browse button to navigate to a location to save the file.
2. Select SAFE > Network. The Network table is displayed in the table pane.
Note: EnCase Endpoint Investigator can only import a network target list file
that it exported.
Roles can be nested within a hierarchical folder structure, with child roles inheriting
the attributes of parent roles. The SAFE administrator must set up and assign roles
before users can perform any SAFE tasks.
1. Log on to the SAFE via a web browser. Use a keymaster or administrator user
account to view the SAFE Configuration home page.
Click SAFE Configuration > Roles from the View section of the dropdown
menu. The SAFE Roles page is displayed.
2. Select Create. The Role tab of the Create New Role page is displayed.
– Any connections not allocated fall into a pool on a first come, first served
policy.
– Each child role has only the number of connections allocated to the
parent.
– If the number of connections allocated to the child roles exceeds that of
the parent role, all connections in the parent role fall into the pool.
– Any allocations of the child role can be taken by the parent role.
You can see the current number of connections for each role in the SAFE Roles
table.
4. Click the row of any permission to select. Click Add or Remove to add that
permission. A dot in the Selected column indicates the role permission is part of
the role.
The Add All and Remove All buttons add or remove all available permissions
at once.
The Revert All button returns permissions to the state when the tab was
opened.
• Acquire Image gives the investigator the ability to acquire network devices
while assigned to this role. If this permission is not given, the user can only
preview network devices associated with the role.
• View Pictures activates pictures displayed in the Doc tab in the View pane.
• Browse File Structure displays the file structure in the Tree pane. A user
with this permission can also expand and contract folders within the file
structure.
• View File Contents gives the user the ability to see file content in the View
pane. If this is the only permission given, the View pane is the only active
pane.
• Copy Files gives the user the ability to copy folders from the Tree pane and
copy/unerase files from the Table and View panes. It also enables the user to
use external viewers.
• Keyword Search allows the user to conduct only a keyword search or index
a case. Results are not displayed if this is the only permission selected. The
search button is the only active button.
• Allow Script File Access allows use of EnScript programs while previewing
network devices.
• Snapshot Information allows the snapshot function to access the dynamic
data.
• Allow Registry Value Access allows the snapshot function to access registry
values.
• Allow Registry List Access allows the snapshot function to access registry
lists.
• Edit Registry allows EnScript programs to edit the target registry (available
only if your SAFE is enabled for remediation).
• Terminate Process allows EnScript programs to terminate a process on a
target machine (available only if your SAFE is enabled for remediation).
• Run Process allows EnScript programs to run a process on a target machine
(available only if your SAFE is enabled for remediation).
• Edit Files allows EnScript programs to edit files on a target machine
(available only if your SAFE is enabled for remediation).
Note: Edit Registry, Terminate Process, Run Process, and Edit Files
permissions require remediation. To check if your SAFE is
remediation-enabled, navigate to the SAFE installation directory and
run the command safe -diag from the Windows command line.
Remediation status is one of the flags displayed.
• Read Memory grants the user access to physical and process memory on
any computer accessible to that role. Administrators should be aware that
users in this role potentially have access to security information, such as
passwords and other credentials on the computer they are examining, to the
• Undeploy Agents enables users assigned this role to undeploy agents from
endpoints. A deployed agent cannot be automatically removed if the user
does not have this permission.
• Queue Endpoint Jobs enables the SAFE user to queue new jobs to
endpoints. For a SAFE user to queue new jobs they must be assigned a role
that has been granted the Queue Endpoint Jobs permission. The Role must
also be granted access to the target machine the job will run on and the
plugin the job uses.
5. Optional – Select Edit Permission on any row to open the Time Frame dialog
box to further control the permissions by time.
Start Date/Time and Stop Date/Time can be defined, as can a weekly schedule.
Select OK to accept the schedule or Close to cancel and close the dialog box.
6. Click Next to advance to the Network tab. The Network table is displayed.
The Network table displays Name (machine name or network range name),
Start and Stop addresses (for ranges), and State.
• Machines (or nodes) are always in one of three states: Included, Excluded, or
Neutral.
• Machines can have different states for different roles.
• When you add a machine, it is by default in a Neutral state, neither
specifically included or excluded.
• Select a row to enable the Add, Subtract, and Clear buttons.
– The state of a parent machine propagates down through the tree to its
children.
– If you exclude a parent folder but leave an individual machine within
that folder in the Neutral state, the machine is excluded.
– Parent inheritance can be overridden by explicitly granting (or denying)
permission to a machine at the child level.
– A parent role must have a machine included before you can create a child
node.
• A machine must be Included for an investigator to preview it. Subsequent
nodes that refer to the same machine are Included for access if they are left
in a Neutral state.
• If a network range is left Neutral for security purposes, no machine in this
range can be accessed unless explicitly set to be included in the network tree.
• If you have conflicting states for the same machine within the same role,
then access is denied. For example, if you allow access for 192.168.2.100, but
deny access to the range 192.168.2.1-192.168.2.200 within the same role, then
access to that node will be denied.
• If a permissions conflict arises, denying access takes precedence over
granting access.
7. Click Next to advance to the Enhanced Agent tab. The available agent plugins
are displayed.
• Select a plugin, and click Allow or Deny to control access to the plugin from
the role. Revert All returns permissions to the state when the tab was
opened.
An Allow icon in the plugin Name field indicates access to the plugin is
allowed.
A Deny icon in the plugin Name field indicates access to the plugin will
be denied.
To add an Enhanced Agent plugin, see Network Plugin Repository.
1. From the View menu, select Roles. The Roles tab is displayed.
2. Right-click the desired parent role in the Tree pane and click New. The Role
dialog box opens.
– Any connections not allocated fall into a pool with a first come, first
served policy.
– Each child role has only the number of connections allocated to the
parent.
– If the number of connections allocated to the children roles exceeds that
of the parent role, all connections in the parent role fall into the pool.
– Pools of parent roles can be accessed by children roles.
– Any allocations of the child role can be taken by the parent role.
• You can see the current number of connections for each role in the Table
view.
4. Click New to select permissions to add to the new role. The New Permission
dialog box opens.
• Acquire Image gives the investigator the ability to acquire network devices
while assigned to this role. If this permission is not given, the user can only
preview network devices associated with the role.
• View Pictures activates pictures displayed in the Doc tab in the View pane.
• Browse File Structure displays the file structure in the Tree pane. A user
with this permission can also expand and contract folders within the file
structure.
• View File Contents gives the user the ability to see file content in the View
pane. If this is the only permission given, the View pane is the only active
pane.
• Copy Files gives the user the ability to copy folders from the Tree pane and
copy/unerase files from the Table and View panes. It also enables the user to
use external viewers.
• Keyword Search allows the user to conduct only a keyword search or index
a case. Results are not displayed if this is the only permission selected. The
Search button is the only active button.
• Allow Script File Access allows use of EnScript programs while previewing
network devices.
• Snapshot Information allows the snapshot function to access the dynamic
data.
• Allow Registry Value Access allows the snapshot function to access registry
values.
• Allow Registry List Access allows the snapshot function to access registry
lists.
• Edit Registry allows EnScript programs to edit the target registry (available
only if your SAFE is enabled for remediation).
• Terminate Process allows EnScript programs to terminate a process on a
target machine (available only if your SAFE is enabled for remediation).
• Run Process allows EnScript programs to run a process on a target machine
(available only if your SAFE is enabled for remediation).
• Edit Files allows EnScript programs to edit files on a target machine
(available only if your SAFE is enabled for remediation).
Note: Edit Registry, Terminate Process, Run Process, and Edit Files
permissions require remediation. To check if your SAFE is
remediation-enabled, navigate to the SAFE installation directory and
run the command safe -diag from the Windows command line.
Remediation status is one of the flags displayed.
• Read Memory grants the user access to physical and process memory on
any computer with access to that role. Administrators should be aware that
users in this role potentially have access to security information such as
passwords and other credentials on the computer they are examining, to the
same extent they would have if logged on as a local administrator. Allowing
a user read memory access to any computer containing secure information,
such as the SAFE or network servers, should be done with caution.
• Deploy Agents enables users assigned this role to deploy agents
automatically to endpoints. Using configurable control scripts, the SAFE
automatically installs agents on targets that do not have agents currently
installed. For automatic deployment, the SAFE user must have this
permission, control scripts must be configured, and the Deploy Agent check
• Machines (or nodes) are always in one of three states: Included, Excluded, or
Neutral.
• Machines can have different states for different roles.
• When you add a machine, it is by default in a Neutral state, neither
specifically included or excluded.
• Select a machine to enable the change state buttons.
• Add Selected Items sets the selected machines to the Included state.
• Subtract Select Items sets the selected machines to the Excluded state.
• Clear Selected items returns the selected machines to the Neutral state.
• Permissions are inherited:
– The state of a parent machine propagates down through the tree to its
children.
– If you exclude a parent folder but leave an individual machine within
that folder in Neutral state, the machine is excluded.
– A parent role must have a machine included before you can create a child
node.
• A machine must be Included for an investigator to preview it. Subsequent
nodes that refer to the same machine are Included for access if they are left
in a Neutral state.
• If a network range is left Neutral for security purposes, no machine in this
range can be accessed unless explicitly set to be included in the network tree.
• If you have conflicting states for the same machine within the same role,
then access is denied. For example, if you allow access for 192.168.2.100, but
deny access to the range 192.168.2.1-192.168.2.200 within the same role, then
access to that node will be denied.
• If a permissions conflict arises, denying access takes precedence over
granting access.
7. Click Finish to save all changes and create the role.
Permissions are rules determining whether or not a user can perform specific
functions. Two kinds of permissions control the ability of users to perform certain
actions or view certain elements:
There are two special administrative user accounts that are central to the SAFE: the
keymaster role and the SAFE administrator role.
The keymaster is the super administrator for a SAFE server. The primary duties of
the keymaster:
• Create roles
• Create user accounts
• Create the network tree
Because of the power that the keymaster has over the system, OpenText
recommends the keymaster not be a regular user of the SAFE server. Instead, the
keymaster account should be held by a person within the company who meets the
following criteria:
• C-level (CEO, CFO, CIO, CTO, COO, CISO, CSO) or senior executive
• Not likely to leave the company
• Has corporate liability
If the keymaster password is lost or the keymaster keys become corrupted, there is
no way to recover a lost password or keypair. Please maintain backup copies of the
keymaster key pair and take steps to ensure the keymaster password is not
irretrievably lost. If the keymaster key pair require replacement, go to the OpenText
My Support portal at https://support.opentext.com and retrieve the knowledge base
article on replacing the keymaster key.
Use web-based SAFE configuration to create and manage user accounts and
configure the authentication method a user must use to log on to the SAFE. There
are four primary authentication methods: SAFE Logon, Active Directory Logon,
Smart Card Logon, and RSA SecurID Logon. If you configure the user with
SAFE Logon as the primary authentication method, you can optionally select a
secondary authentication method for additional security. When logging on to the
SAFE with secondary authentication enabled, the user first enters the password
associated with their public key, and then authenticates with the secondary
authentication method selected by the administrator, before access is granted to the
SAFE.
To add a SAFE user with SAFE Logon as the primary authentication method:
1. Direct your browser to the SAFE web server and log on as keymaster or
administrator.
2. Select SAFE Configuration > Users from the menu bar. The SAFE Users page
displays a table of all SAFE users.
3. Click Create to add a child user to the default keymaster parent account, or click
an existing parent row to create a child user to that parent.
Expand a parent user by clicking next to the parent name. Collapse a parent
user by clicking next to the parent name.
The Enterprise User tab of the Create New User page is displayed.
5. Click the Choose File button and select the user’s public key file. The Public
Key and Username boxes are updated with the public key name and user name.
7. Select the Require Case Information check box to require the EnCase Endpoint
Investigator user to enter case information when creating a new case.
Note: With this feature enabled, the EnCase Endpoint Investigator user
can log on to the SAFE only if all open and active cases contain a case
number. If the user has unsaved cases, SAFE login will fail and an error
message is displayed until all cases are saved. Saved cases are recorded in
the SAFE event log.
– Click Choose File to open a file chooser and import the certificate from a
file. Two formats are supported: DER encoded X.509 and Base-64
encoded X.509. Select the user’s certificate file and click OK.
On successful import of the certificate, the certificate is displayed in the
Smart Card Certificate box.
– Click Card to read the certificate directly from the card. The dialog box
displays available certificates. Navigate to the certificate, select it, and
click OK.
On successful import, the certificate is displayed in the Smart Card
Certificate box.
– Click Next to advance to the Permission/Role tab.
Click the row of any permission or role to select. Click Add or Remove to add
or remove that permission or role. A dot in the Selected column indicates the
role permission is included for the user. A dot in the IsRole column indicates the
role is active for the user.
The Revert All button returns permissions and roles to the state when the tab
was opened.
The following permissions are available:
automatically added. When these two permissions are active, you cannot
have any other permissions set.
• Administer Users grants the user administrative access over user accounts.
This permission is only visible when signed in as keymaster. Selecting this
permission automatically adds Create Users, Create Roles, and Access
EnCase Agent Management permissions.
• Manage Network Plugin Repository allows the user to manage the
Network Plugin Repository, which is used to deploy enhanced agents to
nodes on the network.
• Access EnCase Agent Management grants the user access to the SAFE web
server, which contains data about agents deployed on endpoints across the
network. The SAFE user with this permission can view the current endpoint
jobs that are running or queued up, but cannot queue new jobs. To queue
new jobs the SAFE user must have the Queue Endpoint Jobs role permission.
Users must be assigned at least one role to perform tasks that use the SAFE.
Optional: Click the Edit Permission icon on any row to open the Time Frame
dialog box to further control the permissions.
Start Date/Time and Stop Date/Time can be defined, as can a weekly schedule.
Select OK to accept the schedule or Close to cancel and close the dialog box.
To add a SAFEuser with Active Directory, RSA SecurID, or Smart Card Logon
as the primary authentication method:
1. Select SAFE Configuration > Users from the menu bar. The SAFE Users page
displays a table of all SAFE users.
2. Click Create to add a child user to the default keymaster parent account. The
Enterprise tab of the Create New User page is displayed. You can also click an
existing parent row to create a child user to that parent.
Click the row of any permission or role to select. Click Add or Remove to add
or remove that permission or role. A dot in the Selected column indicates the
role permission is included for the user. A dot in the IsRole column indicates the
role is active for the user.
Revert All returns permissions and roles to the state when the tab was opened.
• SAFE Logon
• Microsoft Active Directory Logon
• Smart Card Logon
• RSA SecurID Logon
While the procedure for selecting and configuring the user’s authentication method
is different depending on the method chosen, configuring the user permissions and
roles is identical regardless of authentication method used. Select the setup
procedure that corresponds with the user authentication method you want to set up:
2. From the menu bar, select SAFE > Users. The Users tab is displayed.
6. Select the Require Case Information check box to require the EnCase Endpoint
Investigator user to enter case information when creating a new case.
– Click the Domain Trustee browse button. The Select User or Group
dialog box opens.
– Enter an Active Directory user name. Click OK.
• Select Additional Password to require the user to enter an additional
password to authenticate access to the SAFE. A check box is displayed
indicating that the user must set a new password at next logon.
– The user creates the password the next time logging onto the SAFE.
– The administrator cannot view the additional password, but can reset or
disable it.
• Select Smart Card Authentication to require the user to authenticate to the
SAFE using their smart card. A smart card certificate text box and card and
file browse buttons display.
– Click Card to read the certificate directly from the card. The Windows
Security dialog displays available certificates. Select one and click OK.
– Click File to import the certificate from a file. Two formats are
supported: DER encoded X.509 and Base-64 encoded X.509. Select the
user’s certificate file and click OK.
– On successful import of the certificate, the certificate is displayed in the
Smart Card Certificate text box.
• Select RSA SecurID Authentication to use RSA SecurID credentials.
• View All Logs allows a user to read the SAFE logs. A user logged on to the
SAFE with this permission can view the logs as the keymaster sees them. For
the View All Logs permission to work, you must also set the View Logs
permission. When these two permissions are active, you cannot have any
other permissions set.
• Manage Network Plugin Repository allows the user to manage the
Network Plugin Repository, which is used to deploy the enhanced agent to
nodes on the network.
10. To edit the Start, Expires, Days, or Hours fields, right-click the role name in the
table and select Edit. The Edit dialog box opens for the role.
Note: To create a new role, see Setting up roles with EnCase Endpoint
Investigator.
11. Select the Time Frame tab to view and modify time frame values.
1. Launch the desktop application, and log onto the SAFE as keymaster or
administrator.
2. From the menu bar, select SAFE > Users. The Users tab is displayed.
7. Select the Require Case Information check box to require the EnCase Endpoint
Investigator user to enter case information when creating a new case.
8. Click the Domain Trustee browse button. The Select User or Group dialog box
opens.
• Enter the required information for the user or group. Click OK.
• The top pane displays all available permissions/roles. The lower pane
displays the time frame values that each permission/role is available.
Note: To create a new role, see Setting up roles using EnCase Endpoint
Investigator.
12. Select the Time Frame tab to modify time frame values.
1. Launch the desktop application, and log onto the SAFE as keymaster or
administrator.
2. From the menu bar, select SAFE > Users. The Users tab is displayed.
7. Select the Require Case Information check box to require the EnCase Endpoint
Investigator user to enter case information when creating a new case.
8. Add the user’s smart card certificate by reading the card or importing the
certificate file.
• Click Card to read the certificate directly from the card. The Select a
Certificate dialog displays available certificates. Select one and click OK.
• Click File to import the certificate from a file. Two formats are
supported: DER encoded X.509 and Base-64 encoded X.509. Select the user’s
certificate file and click OK.
• The top pane displays all available permissions/roles. The lower pane
displays the time frame values that each permission/role is available.
11. To edit the Start, Expires, Days, or Hours fields, right-click the role name in the
table and select Edit. The Edit dialog box opens for the role.
Note: To create a new role, see Setting up roles using EnCase Endpoint
Investigator.
12. Select the Time Frame tab to modify time frame values.
1. Launch the desktop application, and log onto the SAFE as keymaster or
administrator.
2. From the menu bar, select SAFE > Users. The Users tab is displayed.
7. Select the Require Case Information check box to require the EnCase Endpoint
Investigator user to enter case information when creating a new case.
Note: The SAFE and RSA SecurID Authentication Manager both require
configuration in order to use RSA SecurID for SAFE user authentication.
See RSA SecurID steps in the Installing the SAFE workflow.
• The top pane displays all available permissions/roles. The lower pane
displays the time frame values that each permission/role is available.
Note: To create a new role, see Setting up roles using EnCase Endpoint
Investigator.
12. Select the Time Frame tab to modify time frame values.
1. Log on to your SAFE with a user account that has log access.
2. Click SAFE Configuration > Event Logs. The SAFE Event Logs page displays a
table of selected log events. The table is empty when no log events selected.
3. Click Read Logs to open the Event Log Search dialog. A table of event type
categories are listed in the Log Codes tab. Use this tab to select logs to display in
the SAFE Event Logs table.
4. The Users tab filters event logs by user. Click to expand a parent or to
collapse.
The Roles tab filters event logs according to a user’s SAFE role. Click to
expand a parent or to collapse.
The Time Frame tab filters an event activity by time. The Start Date and Stop
Date selections are independent of each other. If Any Time is selected for Start
Date, a specific date and time or Never can be selected for Stop Date
5. Click Submit to close the Event Log Search, return to the SAFE Event Logs
table, and display your selections.
Click the Export to CVS icon to create a CVS file of the log entry data. The file
is placed in your browser’s download folder.
2. In the Table tab, click Read Logs. The Read Logs dialog box opens.
3. The Event Types tab shows event folders and the individual event names
contained in the selected folder.
The Users tab filters event logs by user. When expanded, the left pane shows all
users, while the right pane shows the children of the left pane selection.
The Roles tab filters event logs according to a user’s SAFE identification role.
The left pane shows established access rights, while the right pane shows the
peers of the item selected in the left pane.
The Time Frame tab filters an event activity by time. The Start Date and Stop
Date selections are independent of each other. If Any Time is selected in one, a
specific date and time can be selected in the other.
1. Select the desired records in the Table pane you want to save.
2. Click the options button in the right corner of the Table tab, then click Save
As in the drop-down menu. The Save As dialog box opens.
– If specific rows are selected, you can also opt to export Only Checked
Rows and Show Folders.
• Specify the output Format (Tab delimited, RTF, web page, XML, or Review).
• Designate a location for the saved file.
• Select Open file if you want the file to open after saving.
The Network Plugin Repository can hold plugins for multiple applications that use
the SAFE. EnCase products can use a combination of standard and enhanced agents
across a network. The enhanced agent can be deployed to endpoints running
Windows and macOS. Agent functionality differs depending on operating system.
New functions are added to the enhanced agent periodically, and functionality
varies between products:
Refer to the release notes of a product to view the latest changes to its plugin.
1. Open SAFE configuration in a web browser and log on to the SAFE with an
account that has the Manage Network Plugin Repository permission.
2. Click SAFE Configuration > Network Plugin Repository. The SAFE Network
Plugin Repository page displays a table of plugins added to the repository. The
table will be empty if no plugins have been added.
3. Click Create to add a new plugin. The Enhanced Agent Plugin tab of the Create
Network Plugin Repository page appears.
enhanced agent file is distributed with your product application when you run
the installer. The file is located in the following default directory: C:\Program
Files\[product name]\lib\EnCaseEA. Information for the selected enhanced
agent plugin is displayed.
Notes
• The Network Plugin Repository can hold enhanced agent plugins for
multiple EnCase products. If you use a SAFE with more than one
product, the plugin corresponding with each product must be installed
to use that product’s enhanced agent functionality.
• EnCase Endpoint Investigator ships with two enhanced agents:
EnCaseEA.cab and plugin.zip. The EnCaseEA.cab is used exclusively
with Windows OS machines. The plugin.zip is cross-platform and
works with Windows OS and macOS machines. OpenText recommends
installing both enhanced agents on the same SAFE to increase collection
flexibility. See the EnCase Endpoint Investigator User Guide for details
about using each enhanced agent.
5. Accept or modify the default settings as appropriate for the product plugin you
are adding:
– Accept the default Disk Space Quota, Memory Quota, and Timeout
settings.
– The Persistent check box describes an attribute of the agent. The
Persistent check box is selected for the SAFE plugin to indicate the agent
starts when the machine is powered on and continues to run as long as
the machine is on.
– Select the Deploy Redistributables check box if you want to deploy
required C++ runtime libraries to the target.
To update and deploy the enhanced agent to endpoints on your network using
EnCase Endpoint Investigator:
1. Open EnCase Endpoint Investigator and log on to the SAFE with an account
that has the Manage Network Plugin Repository permission.
2. Select SAFE > Network Plugin Repository from the menu bar. The Network
Plugin Repository tab is displayed.
3. If you are upgrading the enhanced agent, select the existing network plugin for
your product.
Click Delete on the table menu bar, and click Yes in the confirmation dialog.
4. Select New on the table menu bar. The Enhanced Agent Plugin dialog box
opens.
5. In the Source Path field, navigate to your current installation location for your
product and select the enhanced agent .cab or .zip file. The enhanced agent file
is distributed with your product application when you run the installer. The file
is located in the following default directory: C:\Program Files\[product name]
\Desktop Client\Lib\. Information for the selected enhanced agent plugin is
displayed.
Note: The Network Plugin Repository can hold enhanced agent plugins
for multiple EnCase products. If you use a SAFE with more than one
product, the plugin corresponding with each product must be installed to
use that product’s enhanced agent functionality.
6. Accept or modify the default settings as appropriate for the product plugin you
are adding:
– Accept the default Disk Space Quota, Memory Quota, and Timeout
settings.
– The Persistence check box describes an attribute of the agent. It cannot be
altered. Persistence is checked for the SAFE plugin to indicate the
enhanced agent starts and loads the plugin when the machine is powered
on.
– Select the Deploy Redistributables check box if you want to deploy
required C++ runtime libraries to the target.
7. Click Next. The Network dialog box opens.
8. Select agent machines or IP ranges to be allowed to run the enhanced agent and
click Add Selected Items. A plus sign is displayed over the icons of the selected
machines.
9. Click Finish to close the dialog.
10. Select SAFE > Roles from the menu. The Roles tab is displayed.
11. Select the role you want to add enhanced agent product functionality to and
click Edit. The Role tab of the Edit role window is displayed.
12. Click the Enhanced Agent Plugins tab.
13. Select the enhanced agent plugin for your product and click Allow.
2. To create user accounts, which are added to the SAFE by the keymaster or a
user with the Administer Users role
Note: Any user who has the Administer Users permission cannot have
any other roles. This account can be used to administer users only. It
cannot be used to acquire data from agent nodes.
• Users cannot log on to the SAFE until their respective accounts have been
added to the SAFE and assigned a role. See Setting up user accounts and
permissions and Setting up user roles.
The SAFE installer can generate keymaster keys. To generate other encryption keys,
use the SAFE web application or the desktop investigation application.
1. Open SAFE configuration in a web browser and log on to the SAFE with an
account that has the Administer Users role.
3. Enter a Name, New Password, Confirm Password and click Generate Key.
A public and private key set is generated, placed in a zip file, and added to your
browser download folder.
2. Click Tools > Generate Encryption Key from the menu bar. The Generate
Encryption Key dialog box opens.
3. Click Next to generate a new key. A progress bar is displayed. When the key is
generated, the Password dialog box opens.
– If you lose the keymaster password, you must perform the installation
again.
4. Click Finish to complete the key generation process. The Copy Public Key File
dialog box opens.
5. Accept the default location, or browse to another location, then click Save. The
public and private keys are saved to the specified location.
• If you use a network share folder to distribute keys, make sure that keys are
copied locally for the most stable performance.
1. Direct your browser to the SAFE web server and log on to the SAFE as
keymaster.
2. Click SAFE Configuration > Backup. A Backup SAFE dialog asks you to
confirm download of a SAFE backup file.
3. Click OK.
A SAFE Backup file (.sbk) is prepared and added to your browser download folder.
1. Direct your browser to the SAFE web server and log on to the SAFE as
keymaster.
2. Click SAFE Configuration > Auto Backup. The Backup Configuration dialog
box opens.
1. Click SAFE Configuration > Auto Backup. The Backup Configuration dialog
box opens.
• The SAFE uses the same private key and works with all the agents used by
previous implementations of the SAFE.
• A SAFE keymaster is the only user who can create this package.
• Machine specific information (specifically, SAFE setup) is not replicated.
Prerequisites
Installation of the SAFE must be done with the SAFE configuration file (using
the .sdt extension), the keymaster key file, and the keymaster password.
• Users
• Config
• Keymaster public
• Network tree
• Role tree
• SAFE Backup Key
• Licenses
• Certs
• Deployment scripts
1. Direct your browser to the SAFE web server and log on to the SAFE as
keymaster.
3. Click OK.
A SAFE Configuration file (.sdt) is prepared and added to your browser download
folder.
1. Initiate the SAFE installation process and advance to the SAFE Private Key
page.
3. Select a SAFE Transfer file (.sdt) in the SAFE Transfer File box.
4. Select a keymaster private key file in the Keymaster Private Key box.
Note: The correct keymaster private key must be used when installing
with a SAFE config package, otherwise the “Decryption key is not the
same” error message will be displayed to indicate the wrong keymaster
private key was used.
1. Direct your browser to the web server of a SAFE that is a member of a mirror set,
and log on to the SAFE as keymaster.
2. Select SAFE > Mirror Settings. The SAFE Mirror page is displayed.
Name, Port, and Primary/Secondary status, and Version of all SAFEs in the mirror
set are listed in the table. The Primary SAFE is identified with a dot in the Primary
column. This column is empty for Secondary SAFEs.
Name, Port, and Primary/Secondary status of all SAFEs in the mirror set are listed in
the table. The Primary SAFE is identified with a dot in the Primary column. This
column is empty for Secondary SAFEs.
The primary SAFE must already be set up before adding a secondary SAFE to a
mirror set. The secondary SAFE must be also installed using the Primary SAFE
Backup.spvk file and the Primary SAFE's keymaster public/private keypair or
keymaster AD authentication according to the instructions in Creating a mirror set.
As long as the SAFE is not currently a member of the mirror set the keymaser can
add it to the mirror set.
1. Direct your browser to the SAFE web server of a non-primary SAFE and log on
to the SAFE as keymaster.
2. Click SAFE Configuration > Mirror Settings. The SAFE Mirror page appears,
and a table lists all SAFEs in the mirror set.
3. Click Change Settings. The Join Mirror dialog box opens.
4. Enter the Primary SAFE Host and accept the Default (SAFE Port) or enter a port
number into the Port field and click Join Mirror. Only hostname and FQDN are
valid values for the Primary SAFE Host box.
5. A dialog box opens asking to confirm joining the secondary SAFE to the Primary
SAFE as a member of the mirror set. Click OK.
1. Direct your browser to the web server of the secondary SAFE in the mirror set,
and log on to the SAFE as keymaster.
2. Click SAFE Configuration > Mirror Settings. The SAFE Mirror page appears,
and a table lists all SAFEs in the mirror set.
3. Click Change Settings to open the Promote/Leave Mirror page.
The page displays the secondary SAFE hostname, port, and two options:
Promote to Primary SAFE and Leave Mirror Set.
4. Select Leave Mirror Set to remove the secondary SAFE from the mirror set.
5. A dialog box opens asking to confirm removal of the secondary SAFE. Click OK.
You can remove a secondary SAFE from the mirror set by logging on to the primary
SAFE and removing it there. This option should only be used if the secondary SAFE
crashes beyond repair. Once the affected secondary SAFE is removed from the
mirror set via the primary SAFE, the change will propagate across the mirror set;
however, if the Secondary SAFE were to come back online, it would see it was
removed from the mirror set and add itself back in.
1. Direct your browser to the web server of the primary SAFE in the mirror set, and
log on to the SAFE as keymaster.
2. Click SAFE Configuration > Mirror Settings. The SAFE Mirror page appears,
and a table lists all SAFEs in the mirror set. Secondary SAFEs have a Remove
link in the final column of the table.
3. Click Remove in the row of the secondary SAFE you want to remove.
4. A dialog box opens asking to confirm removal of the secondary SAFE. Click OK.
2. Select SAFE > Mirror Settings from the main menu. The Secondary SAFE Mirror
Set dialog box opens.
3. Select the Remove SAFE from Mirror Set radio button in the Mirror Set Action
box and click OK.
To remove the secondary SAFE via this method, log onto the primary SAFE, select
the secondary SAFE from the Mirror Set tab and click the Delete button in the tab
header. The secondary SAFE will be removed from the mirror set and the change
will be propagated to all other Secondary SAFEs.
1. Direct your browser to the web server of the secondary SAFE in the mirror set,
and log on to the SAFE as keymaster.
2. Click SAFE Configuration > Mirror Settings. The SAFE Mirror page appears,
and a table lists all SAFEs in the mirror set.
The page displays the secondary SAFE hostname, port, and two options:
Promote to Primary SAFE and Leave Mirror Set.
4. Select Promote to Primary SAFE to promote the secondary SAFE to primary.
5. A dialog box opens. Click OK to confirm promotion of the SAFE to primary.
The secondary SAFE becomes the new primary SAFE for the mirror set. If it is
online, the old primary SAFE is demoted to secondary SAFE status. If the old
primary SAFE is offline when the promotion takes place, it is removed from the
mirror set and must be manually added back as a secondary SAFE. To do this, delete
the mirror.edt file from the old primary SAFE installation folder and restart the
SAFE service. It will come up as a stand-alone SAFE. You can then log on to it and
add it in as a Secondary SAFE according to the the instructions here: “Adding a
SAFE to a mirror set” on page 111.
2. Select the default SAFE authentication method the application will prompt the
user to use when logging onto the SAFE:
• SAFE User uses the user’s public key credentials associated with their
SAFE user account.
• Current Windows User uses Microsoft Active Directory authentication of
the current logged in Windows user.
• Windows prompt prompts the user to authenticate using their Microsoft
Active Directory credentials.
• Smart Card User authenticates using the user’s smart card and PIN.
• RSA SecurID User logs on to the SAFE using RSA SecurID authentication.
3. Click the Endpoint Investigator tab to review and modify Private Key Caching,
Auto Reconnect Attempts and Auto Reconnect Interval settings.
• Private Key Caching is the length of time the desktop client keeps the
private key password in memory. This allows you to log on and off of the
SAFE without having to re-enter passwords for the specified time period.
– Closing the desktop application clears the cache, so you need to enter
your password again when you open the application.
• Auto Reconnect Attempts is the number of times the desktop client tries to
reconnect to an agent node, if the connection between the two is lost, before
giving an error message. If you change the default setting:
5. Copy the [SAFEname].safe file from the SAFE machine to each of the machines
that will access the SAFE. The default location of the [SAFEname].safe file and
all user keys is \EnCase\Keys in the installation folder (typically in your
documents and settings or documents folder). You can also save to a network
share drive, if desired.
To set up a SAFE and agents for off-net collections via the SAFE installer:
Note: See the full SAFE installation procedure at Installing the SAFE.
3. In the SAFE list box, identify a SAFE with the fully-qualified domain machine
name or IP address and port number. Node machines use this to locate the
SAFE during check-in. There can be more than one machine name or IP address
for the SAFE machine, depending on the setup of the network. A publicly facing
IP address must be used for off-net collection. Use the format:
[IP Address/Machine Name]:[Port]
Where multiple SAFEs are included on the SAFE list, agents check in to SAFEs
in the order in which they are listed. Select the Round Robin SAFE check box to
enable round robin (random) check-in: the agent will be randomly assigned a
SAFE from the list and a check-in is attempted to that SAFE. The list is followed
sequentially after that. If the check box is cleared, check-in occurs sequentially,
starting from the first SAFE on the list.
5. For Windows targets, deploy the Windows agent to the machines you want to
enable off-net collection for using the following command:
setup.exe -c
For other operating systems targets, see related entries in “Deploying and
managing agents“ on page 125.
• Select Push new settings at next Check-In to push any settings to agents
when they next check in. This is selected by default.
• Select Push Plugins at Check-In to push relevant plugins in the SAFE
Network Plugin Repository to agents when they next check in.
• Modify or keep the existing IPs or Machine names list of SAFEs. Only IP
addresses or machine names may be used. The port is required.
• Modify or keep the existing check-in Interval.
• When the Round Robin SAFE setting is selected, the agent check-in will first
be assigned in to a SAFE from the IPs or Machine names list on a Round
Robin (random) basis, and then go through the list sequentially. If this check
box is not selected, the SAFE is assigned in the order it appears on the list.
Note: Volatile Artifacts Storage Settings are used solely for EnCase
Endpoint Security only and should not be enabled for or used by other
products.
2. Select SAFE > Check in Settings from the main menu. The Check In
Information dialog box opens.
• Select Push new settings at next Check-In to push any settings to agents
when they next check in. This is selected by default.
• Select Push Plugins at Check-In to push relevant plugins in the SAFE
Network Plugin Repository to agents when they next check in.
• Modify or keep the existing IPs or Machine names list of SAFEs. Only IP
addresses or machine names may be used. The port is required.
• Modify or keep the existing check-in Interval.
• When the Round Robin SAFE setting is selected, the agent check-in will first
be assigned in to a SAFE from the IPs or Machine names list on a Round
Robin (random) basis, and then go through the list sequentially. If this check
box is not selected, the SAFE is assigned in the order it appears on the list.
Note: Volatile Artifacts Storage Settings are used for EnCase Endpoint
Security only and should not be enabled for or used by other products.
You can also push check-in settings to agents via the Network Target Using SAFE
Agent workflow in EnCase Endpoint Investigator.
Pushing check-in settings via the network target Using SAFE agent workflow
2. Within a case, select Add Evidence > Preview > Network Target Using SAFE
Agent from the main menu. A dialog displays network targets.
3. Select targets from the table or click the Add Text List button to enter a list of
targets.
The command line can also be used on Windows machines to force agent check-in.
Other administrative and diagnostic commands are available. See “Deploying
Windows agents” on page 129.
Agent diagnostic and other commands can be run with agents on other operating
systems, including macOS and *NIX variants. See “Deploying and managing
agents“ on page 125.
The EnCase Agent Management module stores jobs and user data on the SAFE
machine in the following default folder location:
C:\ProgramData\OpenText\AMP
Note: In order to store the job output in a network folder, the AMP Service
must be running as an Active Directory user with write permission to the
specified network folder.
The SAFE uses agents installed on individual machines across the network as a
secure way to communicate with and gather information from these machines.
These agents are verified with the SAFE using private/public key encryption and
appear as running services on the target machines.
To stop or remove agents, see “Stopping and removing agents” on page 165.
– Navigate to Add Evidence > Add Network Preview and click Add Text List
at the top of the Add Network Preview dialog.
– Enter the machine name or IP address in this dialog as [machine name or IP]:
[Port number].
You must specify the agent port number when connecting. You can install the agent
using the -l switch to specify a different port number.
4.2 Variables
The following variables are used in this chapter to refer to the specifics of your
installation.
Variable Description
<node> Node machine name
<deploy path> Path where the agent will be installed. The following
locations are used:
• Linux: /usr/local/encase
• Solaris: /var/spool/pkg
• AIX: /opt
• macOS: /usr/local/encase (if using xinetd) or /
Library/Startupitems (if using launchd)
<host path> Path on the SAFE machine where the agent resides
(typically C:\Program Files\EnCase SAFE\Agents)
<agent name> Name of the agent or package for Solaris and AIX nodes
The steps for deployment and execution depend on the file used and the method by
which the agent is executed.
Some operating systems write to the registry or other parts of the system when an
executable is launched. To prevent writing to the file system, execute the agent from
other media such as a DVD, although some operating systems do not support
operating the agent from removable media. See “Running Windows agents as a
service or as a process” on page 131.
If you execute an agent from another device, you must manually place the media
containing the agent in the appropriate location prior to executing it. For example, if
a DVD containing the agent is placed into a system’s optical DVD drive, you must
know its drive letter before you can execute the agent remotely.
• The Agent file contains the code to be executed on each network node. The name
of the agent depends on the operating system.
• The Agent Setup file, used on Windows operating systems only, contains
multiple agents and automatically detects which agent to install when you run
the setup file. Its file name is either setup.exe or setup.msi.
• The Agent Package file used on AIX machines contain multiple agents for
multiple versions of the operating systems. The file name is encase.agent.rte.
bff.
• The Agent Configuration file, used for the check-in agent exclusively on *nix
machines, contains the information used to check in what is otherwise contained
in the Windows Registry for Windows machines.
• You must set up the SAFE service to run under a privileged account with access
to the target machine. Generally, this is a domain account with administrative
access on the target.
• The SAFE user needs to be assigned a role that is configured with the Deploy
Agents permission.
• A master control script creates the agent on the target machine. See “Modifying
control scripts for automatic deployment of agents” on page 128.
• You must select the Deploy agents option.
4.4.1.1 Deployment.wsf
The SAFE uses deployment.wsf to deploy agents. Prior to use, rename
DeploymentExample.wsf to Deployment.wsf and modify it as needed using a text
editor.
Even though the SAFE only uses this single script to deploy the agent, the
Deployment.wsf script can invoke multiple scripts to create whatever deployment
strategy you require. Modify the GetScript() function to run additional scripts
from the deployment.wsf file.
• Psexec.wsf
– Psexec is a popular utility you can download from Microsoft free of charge.
– Within psexec.wsf, search for the "psexecpath=" function to point to the
correct location of the tool.
• Wmi.wsf
– If using this script, an SSH client utility is required to be installed on the SAFE
machine.
○ PuTTY is an SSH client utility for Windows you can download for free
from http://www.putty.org/.
○ Plink.exe is a command-line version of the PuTTY utility and is also
available for download at http://www.putty.org//
– In Ssh.wsf, search for the "sshexec.path=" function to point to the correct
SSH client utility.
• Java.wsf
– This script opens java.exe using the following command line: java.exe
-DservletPath="<AgentPath>" -DIPAddress="<IPAddress>"
-DMachineName="<MachineName>" -jar"<JarFileName.jar>".
– In Java.wsf, search for fname to specify a user-provided jar file that executes
the agent deployment process.
– The jar file must be located in the same folder as the Java.wsf file.
The Windows agent includes a snapshot kernel driver integral to the agent, and it is
used when providing snapshot data. This file is named enstart64.sys. It is
automatically dropped into %windir%\system32\ when installing using setup.exe.
If enstart64.exe is manually deployed or running as a process, then this driver file
is not included and memory acquisitions and snapshots are not possible.
The Windows agent is fully compliant with Windows Credential Guard. The
Windows agent is also supported in Device Guard - Enforced mode.
The following case-sensitive options are used with enstart.exe and enstart64.exe:
Option Description
-l <port> Specifies the port where the agent listens.
-diag Returns the following diagnostic codes:
• 0: Status OK
• 1: No Node Certificate
• 2: No Security Key
• 4: No Serv (a problem exists with the service)
• 8: No Port (unable to bind to port, port already in use)
Output to console:
• Agent version
• Checkin configuration: Enabled/Disabled, Round Robin
(True/False), Interval in minutes, Volatile Storage and list of
SAFEs
-f 192.168.0.0:4445 Force check in to the specified SAFE. IP address or machine
name is optional; however, if either is used, the port must be
included. The SAFE IP address or machine name must be on the
list of SAFEs. The command must be issued in the command line
as an administrator for the force check-in to succeed.
-c Starts the server in the console (32-bit agents only).
-h Displays a help message.
-R Reset the Universally Unique ID (UUID) value associated with
the endpoint. For example, enstart64.exe -R.
-run Runs the server in the console.
-U <tag> Set a user defined tag value associated with the endpoint. For
example, enstart.exe -U 112233ad.
The following case-sensitive options are used with setup.exe and setup.msi:
Option Description
-drop Drops this agent to the local directory.
-p <path> Sets the path for installing the agent binaries. The default is
%systemroot%\system32.
-n <name> Sets the name of the agent binary and the service name. The
default is enstart.exe for the binary and enstart for the
Windows Service Name.
-r Removes the service, the registry entry, and the binary. This does
not remove the directory where the binary resides.
Option Description
-s Starts the agent in stealth mode, hiding it from the Task Manager
(32-bit agents only).
-l <port> Specifies the port where the agent listens.
-h Displays a help message.
-c Enables check-in. Adds the automatic snapshot interval and
backlog values to the agent. These values are set in the
SAFE installer.
• Active Directory
• Domain Push
• PsTools
• IPC$ and PsExec
• Removable Media and PsExec
The method you use depends on your network configuration and user account/
password policy.
• When running as a service the agent runs every time the network node is
restarted. This method requires making registry entries to the system.
• Running as a process runs the agent once. If the node is restarted, it no longer
runs the agent. Running the agent as a process does not allow memory
acquisitions or snapshots.
○ Navigate to Administration tools Local Security Policy > Local Policies >
Security Options > Network access: Sharing and security model for local
accounts.
○ Set to Classic.
• Verify you have a SAFE installed and running on your network.
The setup file automatically determines the operating system version and installs the
correct agent.
1. If you run the msiexec command on a machine that already has the msi and
agent installed, it uninstalls the msi, but not the agent. Running it again
reinstalls the msi, but it does not affect the agent.
Note: To remove the msi, you must use the /x switch with msiexec.
2. To uninstall the agent and msi using the msi, the only way is to create a batch
file and execute it on the remote system in the same directory that setup.msi is
located. Here is an example of the batch file required:
@echo off
:Uninstall msi package (using /x switch)
Msiexec.exe /x setup.msi /quiet
:Install msi, but feed agent setup file a '-r' to uninstall agent
Msiexec.exe /I setup.msi /quiet ENSTCMDLINE='-r'
:Uninstall msi package (again)
Msiexec.exe /x setup.msi /quiet
If you have a problem feeding the command line options to the msi, you can edit the
msi:
Note: If you edit the msi database using tools such as Orca, and set the
above property in the msi, you do not need to send the command line to
the remote system.
Note: If you have not previously run the installer at least once on the
node, copy the setup.exe or setup.msi installer file to the node and
execute it before running the enstart executable.
1. Identify target systems and users. Make an inventory of the platforms in use
and determine if all target systems are members of the Active Directory.
2. Create a central distribution point. Select a central location where you want to
deploy or initiate agent installation. The target systems must be able to see this
location.
4. Create a push script. This is a custom script that installs the agent from the
central distribution point onto the target system and runs when a user logs in.
This section contains an example of a push script.
c. Configure your domain so the script executes each time a user logs on.
e. Add the script to the Domain Users Properties box under the Profile tab.
Verify that you created a push script as described in “Deploying Windows agents
with Active Directory” on page 134.
2. Using User Manager, add a user or group profile pointing to the location of
your push script.
3. Specify in the user’s profile that the agent is installed via the push script when
the user authenticates.
The PsTools suite is available at the Microsoft TechNet Internet site at https://
technet.microsoft.com/en-us/sysinternals/pstools.aspx.
Note: If you do not use the -p option (to allow a password) in the
command line, you must enter it later. When using the -p option, the
administrative level password is displayed in plain text on the screen.
Even though PsExec returns an error, it completes with an error code of zero.
Running net start on the remote machine verifies that enstart is running.
Note: The PsExec utility transmits the password across the network in
plain text, which can cause problems if intercepted by an unauthorized
person using a packet sniffer.
Also required:
If the -p option (to allow a password) is not used in the command line, you are
prompted to enter it later. With the -p option used, the administrative level
password is displayed in plain text on the screen. Do not use this option if there are
others you do not want to share this password with.
Note: The PsExec utility transmits the password across the network in plain
text, which can cause problems if intercepted by an unauthorized person using
a packet sniffer.
Even though PsExec returns several errors, it completes each node with an error
code of zero. Running net start on any of the successful remote machines verifies
that enstart is running.
2. From the Add Evidence box, select Add Network Preview. The Add Network
Preview dialog box opens.
3. Select the folder containing the nodes to add. To create a partial list of nodes,
blue check the nodes you want to include.
4. Click the Option icon on the far right of the Add Network Preview dialog
and select Save As. The Save As dialog box opens.
• Select Only Checked Rows to include the machines you have blue checked
in the current view only.
• Set the Stop row to the maximum number of rows for EnCase to include in
the export file. To include all machines in the view, set this equal to the last
row number. You must assign this value even if you are exporting only
checked rows.
• Select the Name field only from the list of available fields.
• Keep the Output Format default of Tab Delimited.
• Specify the export path and file name.
6. In the output file, you must remove the line numbers and column header fields
before PsExec can use the file. You can remove the information by any desired
method. Two suggested methods are:
• Drag and drop the exported file into a blank Excel spreadsheet. Excel
automatically formats the data into two columns. You can delete the first
column and first row for clarity. Alternately, you can copy and paste the list
You can disable the ability to map an IPC$ connection on the target system, or deny
it through network permissions. You must create the IPC$ connection only if the
account used to log into the client system is not a member of the local administrator
group on the target system(s), or a member of the domain administrator group. You
must have administrator credentials to deploy agents.
If you are creating multiple IPC$ connections (specific or all nodes on a subnet),
every node machine must have one common user name.
• For multiple, specific nodes: for /f %1 in (<node list>) do net use \\%1\
ipc$/u:%1\<username> <password>.
Parameter Description
<node list> Text file containing the list of node names. The default name
is export.txt.
<node name> Name of the node with the IPC$ connection.
<A.B.C> First three octets of the IP address subnet where you want to
deploy (for example, 10.0.0).
<username> Common user name on all systems where you want to
deploy.
Parameter Description
<password> Common password on all systems where you want to
deploy. If you want to be prompted for the password, use
an asterisk (*).
3. If prompted, enter the password for the node and press Enter.
After IPC$ is connected, you can deploy by copying the agent to the nodes.
Parameter Description
<agent> Name of the agent: usually setup.exe for running
as a service, and enstart.exe for running as a
process.
<node name> Name of the node for the IPC$ connection.
<node list> Text file containing the list of node names. The
default is export.txt.
<A.B.C.> The first three octets of the IP address subnet
where you want to deploy (for example, 10.0.0.).
After copying the agent to the node, you must execute the agent. See “Executing the
agent using psexec” on page 139.
Parameter Description
<node list> Text file containing the list of node names. The
default name is export.txt.
<node name> Name of the node with the IPC$ connection.
<A.B.C.> First three octets of the IP address subnet where
you want to deploy (for example, 10.0.0).
<agent> Name of the agent: usually setup.exe for running
as a service, and enstart.exe for running as a
process.
<agent options> Any agent options you want to use.
Running net start on the remote machine verifies that enstart is running.
Parameter Description
<node name> Name of the node with the IPC$ connection.
<agent path> Location and path of the agent, usually enstart.exe
for running as a process, or setup.exe for running as a
service.
Running net start on the remote machine verifies that enstart is running.
• The Windows ARM agent does not have an installer, so it must be run as a
process on the target machine.
• Enhanced agent functionality is not supported.
The following case-sensitive shell command options are used with all *NIX agents:
Option Description
-d Runs the agent as a daemon.
-diag Output to console:
• Agent version
• Check in configuration: Enabled/Disabled, Round Robin
(True/False), Interval in min, Volatile Storage and list of
SAFEs
-f Force an agent to check in.
To check in to one SAFE, both the SAFE IP address and the port
must be included: sudo ./enmacos -f SAFEIP:PORT.
Option Description
-U <tag> Set a user-defined tag value associated with the endpoint. For
example, sudo ./enmacos -U 112233ad.
You can copy the agent to the nodes using one of the following:
• Make sure your removable media contains enough storage space to fit the agent
and any additional agent configuration files.
• You must have physical access to the machine where you want to deploy the
agent.
• You must know the specific instructions for mounting the removable media for
your distribution.
1. Insert media into your SAFE computer or another computer that contains the
agent and agent configuration files.
2. Copy the agent and the agent configuration file to the removable media. The
agent and agent configuration file is usually located at C:\Program Files\
EnCase SAFE\Agents on your SAFE.
3. Remove the media and insert into the machine where you want to copy the
agent.
4. Mount the device using the instructions specified in your operating system
documentation.
For example, this command mounts a floppy drive on a Linux system: mount –F
pcfs /dev/diskette /floppy.
Note: If you are using Solaris, you may need to use the command
volcheck before the mount command, if the mount command generates an
error.
1. Copy the agent configuration file using the command cp <mount point>/
nixcheckin <deploy path>.
2. Rename the nixcheckin file using the command mv nixcheckin .<agent name>.
3. Make the agent executable using the chmod command chmod 700 <deploy
path>.
4. If you are copying to a location that is not yet mounted (such as a network
share), mount it now.
5. Copy the agent using the command scp2 <host path>\<agent name>
root@<node>:<deploy path>.
6. Enter the password for the root account. The transfer starts.
1. Copy the agent configuration file using the command scp2 <host path>
\nixcheckin root@<node>:<deploy path>.
2. Enter the password for the root account. The transfer starts.
3. Rename the nixcheckin file using the command mv nixcheckin .<agent name>.
4. Make the agent executable using the command chmod 700 <deploy path>.
4. Transfer the file using the command put <host path>/<agent name> <deploy
path>/<agent name>.
5. If you want to use the check-in feature, transfer the agent configuration file
using the command put <host path>/nixchekin <deploy path>/.<agent name>.
Note: This command transfers and renames the nixcheckin file to a file
with the same name as your agent, preceded by a dot.
7. Make the agent executable using the command chmod 700 <deploy path>.
The Linux agent uses dynamic linking to shared libraries when executed. If the
shared libraries are not installed on the target system, the agent reports an error
upon execution. Execute the command corresponding to your processor version to
list all shared libraries required for the agent to run on your version of Linux.
• ldd ./enlinuxarm
• ldd ./enlinuxarm64
• ldd ./enlinuxpc
• ldd ./enlinuxpc64
• ldd ./enibmz64
When using auto-update with a Linux agent, you must execute the agent with a -p
parameter specifying a path to the agent.
1. Copy the agent using removable media, SSH, SCP, Telnet, FTP, etc.
2. Determine how you want to deploy the Linux agent. If running the agent as a
service your answer will be dictated by your system’s current INIT software.
Methods include:
After deployment, verify the agent is connected using one of the methods discussed
in “Verifying agent deployment” on page 163.
1. Use WinSCP or another deployment tool to copy the Linux agent file
(enlinuxarm, enlinuxpc or enlinuxpc64) from the [SAFE Installation
Directory]/Agents/Linux on the SAFE machine into /usr/bin/ on the target
machine.
4. Install the agent with a daemon -d parameter. Because the agent start location is
auto-detected, -p check-in and auto-update path parameter is optional. If using
-p, the path would be /usr/bin/ if the agent is located at /usr/-bin/
enlinuxpc64. Do not include the agent in the specified path. Optional: specify a
port with a -l parameter, the default port value is 4445.
Format
Example
Install without check-in/auto-update path: /usr/bin/enlinuxpc64 -d
Install with check-in path: /usr/bin/enlinuxpc64 -d -p /usr/bin/
Install with a non-default port: /usr/bin/enlinuxpc64 -d -l 1337 -p /usr/
bin/
Note: In certain Linux and Unix distributions the netstat command may
require alteration to return a LISTENING process result, parameters other
than -an may be required, for instance, -e, -ef, -A.
Installation
To install, copy the package from your SAFE installation to the Linux machine and
run the following command corresponding to your agent’s version:
Files deployed
Note: After installation is complete the enlinuxpc64 service will be enabled and
started automatically.
Command Description
sudo rpm -Uvh enlinuxpc64-23.4. upgrade the agent
0-1.el9.x86_64.rpm
Limitations
1. Copy the nixcheckin file from the SAFE installation directory into /usr/bin/.
Note: The nixcheckin file will not exist if check-in was not enabled in the
SAFE at the time of install.
Note: Files preceded by a period are hidden from view by default, but can
still be used and modified. View hidden files with: ls -a [directory]
1. Perform steps 1-3 of “Deploying the Linux agent as a process” on page 145. To
use check-in, follow the procedure in “Enabling the Linux agent for check-in”
on page 147.
2. Using vim or another editing tool, create a service file in the machine’s */init.d
directory.
vi /etc/init.d/enlinuxpc64
Note: This file should be placed in the machine’s */init.d directory. The
exact location varies from build to build. You can locate your
active .service files to find this directory.
Note: The following script runs the x64 agent controlled by a service. The
x86 version of the script is identical to the x64 agent as a service, but
references to 64 are removed. Name the script enlinuxpc, and modify all
references in the script below. Modify the ARM version of the script in a
similar way: remove references to 64, name the script enlinuxarm, and
modify all references in the script.
if [ "${PID}" != "" ]
then
echo "Agent processes running by PID:" && echo "$PID"
else
echo "No agent processes, agent not LISTENING"
fi
;;
*)
echo $"Usage: $0 {start|stop|status}"
exit 1
esac
exit 0
Note: The script runs the agent on port 4445 by default. To specify another
port, use the -l [PORT#] parameter in the deployment line following
start).
3. Create a link file to the newly created script named S94enlinuxpc64 in /etc/
rc3.d (run level 3):
cd /etc/rc3.d
4. Change permission and owner to allow eXecute for the new link file:
chmod 755 /etc/rc3.d/S94enlinuxpc64
5. Change permission and owner to allow eXecute for the original service file:
chmod 755 /etc/init.d/enlinuxpc64
Port 4445 should now be listening and the init.d service status should show it as
active.
/etc/init.d/enlinuxpc64 status
Note: This service should persist following a reboot but can be killed as a
process via the command, pkill -9 enlinuxpc*.
Examples below use x64 version of the agent, substitute enlinuxarm or enlinuxpc
with other processors.
1. Perform steps 1-3 of “Deploying the Linux agent as a process” on page 145. To
use check-in, follow the procedure in “Enabling the Linux agent for check-in”
on page 147.
2. Using vim or another editing tool, create a service file in the machine’s */
systemd/system directory.
vi /etc/systemd/system/enlinuxpc64.service
Notes
Note: The script runs the agent on port 4445 by default. To specify another
port, use the -l [PORT#] parameter in the deployment line following
ExecStart=.
5. Port 4445 should now be listening and a systemctl status should show it as
active.
Note: This service should persist following a reboot and cannot be killed
as a process due to the Restart=always parameter. To stop the service you
will need to use the systemctl command.
Examples below use x64 version of the agent, substitute enlinuxarm or enlinuxpc
with other processors.
1. Perform steps 1-3 of “Deploying the Linux agent as a process” on page 145. To
use check-in, follow the procedure in “Enabling the Linux agent for check-in”
on page 147.
2. Using vim or another editing tool, create a service file in the machine’s init
directory.
vi /etc/init/enlinuxpc64.conf
Notes
• This service file should be placed in the machine’s */init directory. The
exact location varies from build to build. You can locate your
active .conf files to find this directory.
• This script runs the x64 agent controlled by a service. The x86 version of
the script is identical to the x64 agent as a service, but references to 64
are removed. Name the script enlinuxpc, and modify all references in
the script below. Modify the ARM version of the script in a similar way:
remove references to 64, name the script enlinuxarm, and modify all
references in the script.
Note: The script runs the agent on port 4445 by default. To specify another
port, use the -l [PORT#] parameter in the deployment line following exec.
3. Reload init configuration:
initctl reload-configuration
5. Port 4445 should now be listening and an initctl status enlinuxpc64 should
show it as active.
Note: This service should persist following a reboot and cannot be killed
as a process due to the respawn parameter. To stop the service use the
initctl command.
Examples below use x64 version of the agent, substitute enlinuxarm or enlinuxpc
with other processors.
The Solaris 10 and 11 agent differs from the Linux agent in that it has separate files
for each distribution, and it requires special drivers to function properly. The Solaris
agent names are ensolsparc10 and ensolsparc11.
You can also get the version using the command: uname -a
The command gives you the Solaris version in a format such as:
2. You must also determine properties for the node where you want to install the
agent.
• Solaris version
• Kernel version
3. Copy your agent to the Solaris node using removable media, SSH and SCP, or
Telnet and FTP.
4. Determine how you want to deploy the Solaris agent. Available methods
include:
Verify the agent is connected using one of the methods discussed in “Verifying
agent deployment” on page 163.
The installsol11.sh script helps install the Solaris 11 agent as a service. It will not
work with Solaris 10.
• Transfer the agent file ensolsparc11 and the installsol11.sh file to the
machine where you want to set up the agent as a service. You can copy the
agent to the Solaris node using removable media, SSH and SCP, or Telnet and
FTP. The script must have executable permission. Both the script and the agent
should be in the same directory. Running the script will install the agent in /
usr/local/encase directory and will register it as a service.
1. Solaris agents can be found in the SAFE installation directory on the machine
your SAFE was installed on. The default directory for the SAFE installation and
Solaris agent folder is C:\Program Files\OpenText\SAFE\Agents\solaris\
agent.
2. Using a tool like WinSCP, or another method, copy the Solaris agent file
matching the version of Solaris you're deploying to into /usr/bin on the target.
The /usr/bin/ location is an example and is not a required location.
4. Change the Solaris agent's file ownership to root: chown root:root /usr/bin/
ensolsparc11
5. Install/run the agent as a daemon and specify a check in path, The path should
be /usr/bin/ where the agent is located at /usr/bin/ensolsparc11, and should
not include the agent itself: /usr/bin/ensolsparc11 -d -p /usr/bin/
6. The agent should now be listening on port 4445 (if no port is specified), or the
port you specified. Run netstat -an | grep *.4445 to confirm.
Note: From this point you should be able to create a service manually in
the OS, or use service management software to modify the agent's
automated start up.
The above procedure installs the Solaris agent as a process that will not persist
through reboots. Once the agent runs as a process you can then create a service that
will run the agent the same way at an assigned run level during boot.
Additional information
To kill the agent process, use a process kill command: pkill -e -9 /usr/bin/
ensolsparc11
3. Using a text editor such as vi, insert this text into the file:
#!/bin/sh
#This script automatically starts and stops the ensolsparc11 agent
pid=`/usr/bin/ps -e | /usr/bin/grep <agent name> | /usr/bin/sed -e 's/^ *//' -e
's/ .*//'`
case $1 in
'start')
<deploy path>/<agent name> -d -p <deploy path>
;;
'stop')
if [ "${pid}" != "" ]
then
/usr/bin/kill ${pid}
fi
;;
*)
echo "usage: /etc/init.d/<agent name> {start|stop}" ;;
Esac
6. You must place a symbolic link in the desired run level to call the script. The
best run level to use in Solaris is run level two. To set this run level, execute:
cd /etc/rc2.d
ln -s /etc/init.d/<agent name> S96<agent name>
To confirm the agent is running, see “Verifying agent deployment” on page 163.
For a list of shell commands for use with Solaris agents, see “Deploying *NIX
agents” on page 141.
1. Identify attributes of the target systems, such as DNS names, IP addresses and
operating systems.
2. Verify the machine the agent is deployed from has network connectivity to all
target systems.
3. Deploy the agent to the AIX node using removable media, SSH and SCP, or
Telnet and FTP.
We recommend an SSH client with file transfer capabilities and running SSHD
on the target systems.
4. Install the AIX package with the command installp -a -d /opt encase.
agent.rte. Do not enter the bff file extension when entering this command.
The installer determines the correct agent to install and output information
regarding the install.
The installation finishes with the output encase.agent.rte 5.4.0.0 USR APPLY
SUCCESS.
Verify the agent is connected using one of the methods discussed in “Verifying
agent deployment” on page 163.
Refer to current release notes for your product for important information on agent
compatibility with platforms, operating systems and file systems.
Agent deployment
Use the following Team ID with your mobile device management application to
deploy the OpenText EnCase agent on macOS devices:
Driver deployment
Use the following Team ID with your mobile device management application to
deploy the OpenText EnCase driver on macOS devices:
For a list of shell commands for use with macOS agents, see “Deploying *NIX
agents” on page 141.
3. Run the following commands to grant the script permission and execute it:
chmod +x installer.sh
sudo ./installer.sh
If you are removing the agent from a machine with a macOS version prior to 11, you
can remove the driver by appending the following commands to the ones listed
above:
sudo kextunload -v /Library/extensions/gsidrv.kext
sudo rm -r /Library/extensions/gsidrv.kext
1. Execute the command netstat -an | grep [port#], replacing [port#] with
your SAFE port.
2. Verify that your SAFE port is open and listening.
1. When installing your SAFE, in the Check In Information dialog, specify the IP
address and port of the SAFE.
2. From the SAFE installation directory, copy the nixcheckin file to the target
machine’s agent folder (where you installed the agent).
3. Rename the nixcheckin file to .enmacos (note the dot before the name).
4. Start and restart the agent.
To force check in a macOS agent, the standard -f force check-in command for *NIX
systems is used. See “Deploying *NIX agents” on page 141.
1. On the target macOS system, go to System Preferences > Security & Privacy.
The Security & Privacy page opens.
2. Click the Full Disk Access folder from the list on the left.
3. Click the padlock icon. On the dialog that opens, enter a User Name and
Password to unlock Security & Privacy preferences. The padlock icon changes
to unlocked.
4. Scroll through the list on the right and select the enmacos agent.
a. If the enmacos agent is not on the list, click the plus + icon to open a Finder
window.
b. If the usr folder is not visible, press the Command + Shift + Period keys on
your keyboard to make the folder visible.
c. Navigate to: usr/local/sbin/enmacos
d. Select the enmacos application.
Action Command
Start the agent sudo launchctl load –w /Library/LaunchDaemons/
com.GSI.servlet.plist
Action Command
Output diagnostic enmacos -diag
information about the agent
to console
• Installation status
• Language of the machine
• Version of the EnCase agent ePO plugin
• Whether the agent is running
• Directory where the agent is installed
• Version of the installed agent
6. Browse to the location of the S_EESERV7000.zip file and click Next. The Package
Options tab displays package information.
1. On the ePO home page, open the drop-down menu, mouse over Software, and
click Extensions.
2. In the lower left corner of the screen, click Install Extension. The Install
Extension dialog box opens.
3. Click Browse and navigate to the GuidanceServletExtension.zip file. This file
is part of the SAFE installation process, and is stored in the EnCase SAFE\ePO
folder.
4. Click Open. The Install Extension window displays details about the extension
package.
5. Click OK. The Configuration window shows the extension installed
successfully.
1. On the ePO home page, click Menu > Policy > Client Task Catalog.
Note: You can drag the Client Task Catalog option and drop it into the top
navigation bar for easier access.
2. The Client Task Catalog is displayed. From the Client Task Types list in the left
pane, select Product Deployment.
3. At the top of the window, click New Task.
4. For the task type, select Product Deployment.
5. Enter information in the appropriate fields:
• Enter -f "<UNC path to the agent setup.exe file>": This must be available
to the target via a network share. We recommend creating a \\share visible
to network targets (nodes) to contain the agent. Copy the current setup.exe
from the root directory of the SAFE to this share, and specify the share path
in the cmd switches when you check in the agent.
• When you update the SAFE, make sure to copy the new agent to the \\share
described above.
• Enter -u <username> .
• Enter -d <domain>.
• Enter -t <password>.
• Enter -o "<setup options>".
A complete example might look like this (note that the -o argument is not
required and includes optional agent options, which must be in quotes):
-f \\192.168.2.1\share\setup.exe -u john.doe -d mydomain.com -t
password -o "-n custom_agent_name -l 9999" -v 7001
8. Click Save. You can now create a client task assignment to deploy the agent via
individual client task operations or via agent wakeup calls.
Note: Any authentication errors are shown in the log file C:\Windows\Temp
\ServletSetupError.Log on the agent machine.
If the default name enstart or enstart64 process is not running, confirm that you
have not renamed the process to something else, or try reinstalling the agent on the
node.
2. At the command prompt, type netstat -na | findstr 4445 and press Enter.
3. Confirm the machine is listening on the port number where your SAFE is
configured. The default port number is 4445.
Repeat steps 1-3 on your SAFE machine to verify it is also listening on the same port.
2. At the command prompt, type TELNET <IP> <port> and press Enter.
Repeat these steps on your SAFE machine. This confirms your SAFE can connect to
the client.
2. Execute the command pskill \\<node name> <agent name> with these
parameters:
Parameter Description
<node name> The name of the node machine.
<agent name> The name of the agent, usually setup.exe for running as a
service, and enstart.exe for running as a process.
• Open a command prompt on the machine. Remove the agent using the
command setup -r.
• From a command shell using either Telnet or SSH, delete the check-in
configuration file using the command rm .<agent name>.
After you delete the check-in configuration file, the agent resumes typical operation.
1. Copy setup.exe from your SAFE to the removable media. The file is typically
located at C:\Program Files\EnCase SAFE.
2. Insert the media into the machine where you want to remove the agent. Open a
command window on the machine.
3. Execute the command setup.exe -r.
No output is returned. This stops the enstart service, deletes enstart.exe and
enstart_.sys (regardless of how they were named during installation), and
removes registry entries relating to the agent.
4. Remove the following registry keys using regedit.exe for Windows XP/2003
machines or regedit32.exe for all other machines:
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root
\LEGACY_ENSTART
• HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\enstart
• HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root
\LEGACY_ENSTART
• HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\enstart
• HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root
\LEGACY_ENSTART
Notes
5. Using the appropriate registry editor for your machine, search for and delete
any remaining values and keys that have enstart in the name.
1. Make sure the agent is not currently being accessed by EnCase Examiner.
If your results are similar to the output in this example, the agent is running as a
process:
tcp 0 0 0.0.0.0:4445 0.0.0.0:* LISTEN
If your results are similar to the output in this example, the agent is running as a
process:
Note: 2360 is the PID on the machine used in this example. The PID on
your machine will differ.
4. If the output to the previous command returns nothing, the agent is probably
running using inetd or xinetd. Determine if the agent is running using xinetd:
look in the /etc/xinetd.d directory for a configuration file typically named
enlinuxpc for Linux or enosx for macOS. If you find the file, the agent is
running using xinetd.
5. If you are using Linux, determine if the agent is running using inetd, view the
contents of the /etc/inetd.conf file. If you find an uncommented line referring
to the agent as in this example, the agent is running using inetd:
enlinuxpc stream tcp6 wait root /usr/local/encase/enlinuxpc enlinuxpc -i
-p /usr/local/encase
6. If you are using macOS 10.4 or later, determine if the agent is launching during
startup: look for a folder called EnCase in the /Library/StartupItems folder.
3. If you are using OS X 10.4 or later and the agent is running from launchd,
remove the directory containing the startup files: execute
rm –R /Library/StartupItems/EnCase
4. If the agent is running using inetd, open /etc/inetd.conf using a text editor
such as vi. Locate and delete (or comment out) the entries referring to your
agent. Save and close the configuration file. Some examples are:
enosx stream tcp6 wait root /usr/local/encase/enosx enlinuxpc -i -p
/usr/local/encase
Note: Do not type the bff file extension when entering the command.
2. Remove the EnCase directory and any remnants with the command:
rm -R /usr/local/encase
If you are installing the SAFE for the first time or are having trouble upgrading, a
section is included for these issues. For post-installation troubleshooting, validate
the following information:
You must check each component. This is because an error may appear as if the cause
is one component, when the actual source of the problem is in a different
component. Review the following troubleshooting items in the next topics to solve
common problems.
Issue Description
SAFE certificate path must There are two causes for this error:
contain a valid path.
• The <SAFEName>.Setup file does not exist at the target
location.
• The <SAFEName>.Setup file is invalid.
Issue Description
Decryption key is not the Three files are validated during SAFE setup:
same.
• SAFE Private Key.spvk
• <SAFEName>.Machine
• <SAFEName>.Setup
Resource update error Installing the SAFE on a machine with anti-virus software
message during SAFE installed can result in a resource update error message. To
installation. resolve the issue, quit the installer and try running the
installer again or disable anti-virus software prior to SAFE
installation.
When performing a SAFE Performing a SAFE update will not properly update the
update, the update fails or Agent subfolders if a folder containing an agent is open in
the update process is Windows Explorer. OpenText recommends refraining from
incomplete. navigating to any of the SAFE installation folders while a
SAFE update is in progress.
Enhanced agents installed on In SAFE versions 21.2 and later, a user has the option to
targets with custom name install the SAFE with an -opt flag and specify custom
values can only be values for the enhanced agent name. Because this feature
uninstalled manually when was only introduced in version 21.2 of the SAFE, it cannot
downgrading to a SAFE be carried over to SAFE version 21.1 or earlier in a
version that does not support downgrade scenario. As a workaround, prior to
custom name values. downgrading to SAFE Version 21.1, any enhanced agents
with custom names must be manually uninstalled from
affected targets.
When downgrading from If you downgrade to SAFE 22.3.1 or earlier from SAFE 22.4
SAFE 22.4 or later to SAFE or later, you must manually delete the following files:
22.3.1 or earlier, downgrade dumpenc.rdb, appendonlyenc.aof. Both files are found in
fails. <ProgramData>\AMP\DB folder, then use the UI installer.
This is required due to a change in the database schema.
Issue Description
When downgrading to SAFE If you install the current version of the SAFE on a clean
20.3 or earlier, the cert cannot system, select the Local System account option, use the
be found. installer to import a cert, and then later downgrade to SAFE
20.3 or earlier, you must manually import the cert into the
Local System account's personal cert store. The reason is that
older versions of SAFE look for the cert there, but the 20.4
SAFE installer imports the cert to the Local Machine cert
store.
Run services.msc from the Windows command line and locate the EnCase
SAFE service. The status column indicates if the service is running.
To check if the SAFE is listening for the clients, run netstat -na from the command
line. This screen shows that the SAFE service is listening on port 4445. If you
specified a different port number during the installation of the SAFE, then you
should see that port number.
If the SAFE is not started or listening, start the SAFE using the command net start
safe from the Windows command line.
You can also stop and restart the SAFE to refresh the service. To stop the SAFE, use
net stop safe from the Windows command line.
To manually start the SAFE again, use the command net start safe and press
Enter.
The diagnostic output lists status information and configuration settings of the SAFE
service, including your SAFE Certificate expiration date (null for current SAFE
installations), the number of connections, remediation and snapshot flags, and other
information.
Term Action
SAFE Version This indicates the current version of the SAFE. Verify that the
version of the SAFE contains the features you are attempting
to use. Agent version is derived from the SAFE version.
Connections The maximum concurrent SAFE connections should be greater
than the concurrent nodes that you are attempting to access.
Remediation The flag is Y by default for the latest SAFE release. If you are
unable to remediate, verify that the permission is included in
the user role. See “Setting up user accounts and permissions”
on page 63.
Snapshot If the flag reads Y, but you are unable to snapshot, verify that
the permission is included in the user role. See “Setting up
user accounts and permissions” on page 63.
Invalid key data The system hardware no longer matches the
<SAFEName>.Machine file used to generate the SAFE. Back
or up the SAFE installation folder using the key from your
existing installation.
Invalid MAC ID
• Can the client computer ping the computer hosting the agent?
• Can the client ping the SAFE computer?
• Can the SAFE ping the computer hosting the agent?
• Have you disabled or added an exception for any firewalls?
For further agent troubleshooting steps, see the corresponding product user guide
for details.
If you are experiencing licensing issues with your OpenText EnCase product, see the
installation and configuration section in the user guide of your product.
ID Event Message
20556 The command is not permitted
19276 Invalid key
20044 Invalid username
20309 User logged on
18005 User logged off