Support   

Brochures:

 
   
Untitled Page > products and services   > company   > resources   > support   > message boards
Download Center eSolutions Support Articles Support Videos Customer Service

Home > Support Home > Articles > Performing the Crossover Network Cable Acquisition

Performing the Crossover Network Cable Acquisition
  1. Make sure the subject machine is configured to boot from the floppy as follows:
    1. Physically unplug all the hard drives before turning on the computer.
    2. Power on and run the BIOS setup routine to ensure that the computer is set to boot from the floppy drive (drive A:) if the ENBD is used, or the CD ROM drive if the EnCase Boot CD is used. To access the BIOS setup, you will need to press a specific key sequence repeatedly as soon as the power comes on. On most IBM compatible PCs, the key is [F1] or [Delete]. Compaq computers often use the [F10] key. If possible, check the computer's documentation. There is usually a message flashed on the power splash-screen indicating which key to press to access the BIOS setup.
    3. In the BIOS, look for the boot order section. After setting the BIOS to boot from the appropriate device with the boot diskette or CD in the drive and the hard drives still disconnected, reboot the computer to confirm that it does.
    4. After confirming that the computer boots from the correct device, turn off the computer.
    5. Reconnect the hard drives and reboot the computer with the media still in the drive.
  2. Connect the subject computer to the storage computer via the crossover cable.
  3. Boot the subject computer with the appropriate EnCase Network Boot Disk.
  4. The ENBD displays the following menu options on startup:
    • Network Support - Loads the appropriate menu system for crossover acquisition
    • USB - Acquisition (no drive letter assigned) - Loads DOS USB drivers to allow the acquisition of a USB-connected device
    • USB - Destination (drive letter assigned) - Loads DOS USB drivers to allow storage to a USB-connected device
    • Clean boot - Loads similar to the barebones boot disk to do a direct DOS acquisition
  5. From the menu, select AUTO to allow the ENBD to detect the NIC, or select MANUAL to load the packet driver manually. If AUTO is selected, you are prompted to press any key to accept the drivers, at which point EnCase launches and automatically runs in Network Server mode.
  6. If the driver is loaded manually, choose ENCASE from the menu to launch EnCase. You can also run EnCase to do a direct DOS acquisition by typing EN.EXE at the command prompt.

    EnCase for DOS user screen
  7. Put EnCase for DOS in Server mode.
  8. Choose Server. The subject machine should now be running in Server mode, displaying a message stating Waiting to connect...
  9. Boot the forensic PC into Windows.
  10. If your forensic computer is using Windows XP Service Pack 2 or Windows 2003, Configure the Windows firewall as follows:
    1. From the Windows Start button, select Settings, then choose Windows Firewall in the Control Panel.

      Windows Firewall control panel
    2. By default, the Firewall is set to [On]; the Don't allow exceptions box should be unchecked. If it is set to [Off], Windows Firewall has been turned off and will not interfere with any functionality, and you can skip this process. If the Firewall is on, click on the Exceptions tab at the top of the window.

      Windows Firewall Exceptions tab
    3. Click on the [Add Program…] button

      Adding an exception
    4. Find EnCase in the list showing in the Programs: window and click to select it, or click on the [Browse…] button to find the EnCase executable so that it shows in the Path: field.
         For v4, the default path is: C:\Program Files\EnCase4
         For v5, the default path is: C:\Program Files\EnCase5
    5. Click on the [OK] button.
    6. Click on the [OK] button in the main Windows Firewall button to allow the crossover preview\acquisition.
  11. You will also need to configure your IP Address as follows:
    1. Right-click on My Network Places and select Properties.
    2. Right-click on Local Area Connection and select Properties.
    3. Double-click the TCP/IP protocol.
    4. Enter a fixed IP address (such as 10.0.0.50) in the IP Address tab.
    5. Enter a sub-net mask of 255.255.255.0.
    6. Click on the Advanced button
    7. Click on the DNS Tab
    8. Remove all of the DNS server addresses
    9. Remove all of the DNS suffixes

      Removing DNS Servers and Suffixes
    10. Click on the WINS Tab
    11. Remove all of the WINS addresses

      Removing WINS addresses
    12. Click on the [OK] button.
  12. Launch EnCase for Windows.
  13. Click the [ADD device] button on the top toolbar.
  14. Place a blue check in the box to the left of Network Crossover and click [Next]

    Selecting Network Crossover as Device to Preview
  15. Blue check the Drive that you wish to acquire and click [Next]

    Choosing device on suspect system to preview
  16. Click [Finish] at the Preview Devices Dialog Box

    Preview devices dialog box
  17. Now you are successfully previewing the suspect's system through the crossover cable.

    Previewing a device over the crossover cable
  18. EnCase overlays a blue triangle in the lower right corner of the device icon to indicate that the device is live.

    Blue triangle indicator for live devices
  19. Now you can right click the Device and choose [Acquire]
  20. Add any after acquisition options and click [Next]

    After Acquisition Options
  21. Fill in all required and any optional information and click [Finish]

    Filling out Acquisition Parameters
  22. EnCase will now begin acquiring over the network cable.

 

 

© 2002-2007 Guidance Software, Inc. All Rights Reserved.
Privacy Statement | Historical Information | Contact Us | Careers | Mailing List | Resellers