
Using EnCase and VMware v4 to Preview or Acquire Encrypted Hard Drives

This document outlines the process for previewing hard drives encrypted with third-party software; PC Guardian is used as the example. The process assumes that the examiner does not want to boot the suspect drive itself, since doing so would alter the original evidence; instead the encrypted acquisition is mounted read-only and booted inside a virtual machine. (An encrypted drive on the LAN in an EnCase Enterprise environment can already be previewed and acquired unencrypted, because the live machine has already passed the decryption step.) This process will not work unless you have both the drive-encryption password and the Windows login username and password. Also, using this process you will only be able to preview and acquire the logical volume on the encrypted drive, not the physical device.

This example acquires the decrypted volume over the network with EnCase Enterprise; alternatively, you can install EnCase Forensic inside the virtual machine and preview the volume locally.

NOTE: Retain the initial (encrypted) acquisition as the evidence of record for forensic integrity; the decrypted volume acquired from the virtual machine is derived from it.


Setting up EnCase and the Physical Disk Emulator (PDE) Module

  1. Install EnCase
  2. Make sure the PDE cert is in your C:\Program Files\EnCase5\Certs directory
  3. Make sure the dongle that the PDE cert was generated for is present in the machine (check Help > About EnCase and verify that the PDE module appears in the pop-up window)
  4. Acquire the PC Guardian-encrypted drive, either via FastBloc, crossover or direct DOS
  5. Right click on the device in the Tree Pane and select "Mount as Emulated Disk"
  6. On the Client Info tab, uncheck Disable Caching, select Create New Cache, set the Write Cache Path (for example, the Desktop) and give the cache file a name (e.g., PC Guardian cache.D01). With caching enabled, any writes the guest operating system makes when it boots go to this cache file; the evidence file itself is never written to.
  7. When asked whether you want to install the driver needed, select "Continue Anyway"
  8. Once the evidence file has been mounted, EnCase will display a message telling you which physical device number the evidence has been mounted as and the drive letter assigned to it. Note the device number; VMware will ask for it when you select the physical disk.

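Step 6 is what keeps the evidence file intact while the guest boots: writes are diverted to the cache file. The script below, an added example rather than code from this article or from EnCase, makes that verifiable by hashing every evidence segment before the virtual machine session and re-checking afterwards. It assumes the segments sit in one directory (e.g. case.E01, case.E02, ...) and that the cache file is kept out of that directory or at least does not match the segment pattern; the manifest format (file name to hex digest) is this example's own convention, not an EnCase format. The sample segments in demo() are constructed, not real evidence.

```python
"""Verify that the evidence-file segments are unchanged after a PDE/VMware session.

Added example; not code from the Guidance Software article. It assumes the
evidence set is a group of segment files in one directory (e.g. case.E01,
case.E02, ...) and that the PDE write cache file does not match the segment
pattern. The manifest (file name -> hex digest) is this example's own
convention, not an EnCase format.
"""
import hashlib
import tempfile
from pathlib import Path

CHUNK_SIZE = 1024 * 1024  # hash in 1 MiB blocks so large segments are never loaded whole


def hash_file(path, algorithm="md5"):
    """Return the hex digest of one file; MD5 is the acquisition hash EnCase 5 records."""
    digest = hashlib.new(algorithm)
    with open(path, "rb") as handle:
        for block in iter(lambda: handle.read(CHUNK_SIZE), b""):
            digest.update(block)
    return digest.hexdigest()


def build_manifest(evidence_dir, pattern="*.E*", algorithm="md5"):
    """Hash every segment before the virtual machine is booted.

    The default pattern matches .E01, .E02, ... and deliberately excludes the
    .D01 cache file: the cache is expected to change and is not evidence.
    """
    files = sorted(p for p in Path(evidence_dir).glob(pattern) if p.is_file())
    return {p.name: hash_file(p, algorithm) for p in files}


def verify_manifest(evidence_dir, manifest, algorithm="md5"):
    """Re-hash after the session; map each segment to "ok", "modified" or "missing"."""
    results = {}
    for name, expected in manifest.items():
        path = Path(evidence_dir) / name
        if not path.is_file():
            results[name] = "missing"
        elif hash_file(path, algorithm) != expected:
            results[name] = "modified"
        else:
            results[name] = "ok"
    return results


def demo():
    """Constructed walk-through: two fake segments, one later overwritten, one deleted."""
    with tempfile.TemporaryDirectory() as tmp:
        evidence = Path(tmp)
        # Constructed segment contents (the first carries the EWF "EVF" signature bytes).
        (evidence / "suspect.E01").write_bytes(b"EVF\x09\x0d\x0a\xff\x00" + b"A" * 4096)
        (evidence / "suspect.E02").write_bytes(b"B" * 4096)
        (evidence / "PC Guardian cache.D01").write_bytes(b"cache")  # not matched by the pattern

        manifest = build_manifest(evidence)
        before = verify_manifest(evidence, manifest)

        # Simulate a guest writing through to the evidence and a segment going missing.
        (evidence / "suspect.E01").write_bytes(b"A" * 4096 + b"tampered")
        (evidence / "suspect.E02").unlink()
        after = verify_manifest(evidence, manifest)
        return manifest, before, after


if __name__ == "__main__":
    manifest, before, after = demo()
    print("segments hashed:", sorted(manifest))
    print("before session:", before)
    print("after session: ", after)
```

Run build_manifest() on the evidence directory before step 5 (mounting), save the result, and run verify_manifest() after the VMware session; every segment should report "ok". Any "modified" result means writes reached the evidence rather than the cache, and the acquisition can no longer be relied on.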
Setting up VMware version 4
  1. Install and launch VMware version 4
  2. Select "New Virtual Machine" and click [Next >]
  3. Select "Custom" and click [Next >]
  4. Select the guest operating system of the evidence file you have mounted with PDE. The Windows version can be determined by running the "Initialize Case" EnScript.
  5. The operating system can also be determined by examining the root folder of the volume. Windows 2000, XP and Server 2003 all keep user profiles under C:\Documents and Settings. For the system root folder, Windows NT and 2000 use C:\WINNT, while Windows 9x, XP and Server 2003 use C:\Windows.
  6. Click [Next >]
  7. Assign the desired amount of memory VMware will use and click [Next >]
  8. Select the type of network to use. "Use bridged networking" gives the virtual machine its own IP address on the physical LAN, which is the address the Examiner connects to later. Because this exposes the booted suspect system to that network, consider using an isolated network segment that still lets the Examiner reach the virtual machine.
  9. Accept the default I/O adaptor type (Buslogic)
  10. Select "Use a physical disk" and click [OK] at the warning message
  11. Select the PDE mounted device from the drop down device list. The number of the device will be the same as the one that EnCase gave you after the file was mounted using PDE; click [Next >]
  12. Use the default disk file specified in the "Specify Disk File" screen
  13. VMware will show the newly created virtual machine; click "Start this virtual machine" to boot it. Click in the virtual machine window to give it keyboard and mouse control (to return control to the host desktop, press [Ctrl][Alt]).
  14. Use [Ctrl][Alt][Insert] in the virtual machine instead of [Ctrl][Alt][Delete] to log on or open the Task Manager.
  15. At the PC Guardian pre-boot prompt, enter the username and password for the encrypted drive.
  16. At the Windows login prompt, enter the administrator username and password to access the virtual machine.

Installing the EnCase servlet on the Virtual Machine
  1. To install the servlet on the Virtual Machine, connect to a shared folder containing enstart.exe on the physical machine, or insert the floppy disk or zip drive containing enstart.exe into the physical machine.
  2. Open a command prompt on the Virtual Machine and change directories to the location of the servlet
  3. Run the servlet as a process rather than installing it as a service (enstart.exe -run)
  4. Check that the servlet is running by typing "netstat -an" at the command prompt; the output should show TCP port 4445 in the LISTENING state.

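Step 4 checks the servlet from inside the guest; the Examiner also needs to reach that port across the (bridged) network. The script below is an added example, not code from this article or from EnCase. listening_ports() parses "netstat -an" text (the embedded sample is constructed in Windows format, and Linux-style lines ending in LISTEN are handled as well, which goes beyond the article's Windows-only case), and probe() is the Examiner-side check: a plain TCP connect to the virtual machine's address on 4445. local_probe_demo() exercises probe() against a throwaway loopback listener so the block runs without a virtual machine.

```python
"""Confirm the EnCase servlet is listening on its port (4445 by default).

Added example; not from the Guidance Software article. listening_ports()
parses the text of "netstat -an" and probe() performs the Examiner-side TCP
connect to the guest. The netstat sample below is constructed, not captured.
"""
import socket

SERVLET_PORT = 4445  # default EnCase Enterprise servlet port

# Constructed "netstat -an" output in Windows format (not from a real system).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:4445           0.0.0.0:0              LISTENING
  TCP    192.168.1.50:139       0.0.0.0:0              LISTENING
  TCP    192.168.1.50:4445      192.168.1.10:3207      ESTABLISHED
  UDP    0.0.0.0:445            *:*
"""


def listening_ports(netstat_text):
    """Return the set of local TCP ports shown in the listening state."""
    ports = set()
    for line in netstat_text.splitlines():
        parts = line.split()
        if len(parts) < 3 or not parts[0].lower().startswith("tcp"):
            continue  # header lines, UDP sockets, blank lines
        if parts[-1].upper() not in ("LISTENING", "LISTEN"):
            continue  # Windows prints LISTENING, Linux prints LISTEN
        # The local address is the first host:port field; its column differs
        # between Windows (field 1) and Linux (field 3, after Recv-Q/Send-Q).
        for field in parts[1:]:
            _, sep, port = field.rpartition(":")
            if sep and port.isdigit():
                ports.add(int(port))
                break
    return ports


def servlet_listening(netstat_text, port=SERVLET_PORT):
    """True when the guest's netstat output shows the servlet port open."""
    return port in listening_ports(netstat_text)


def probe(host, port=SERVLET_PORT, timeout=3.0):
    """Examiner-side check: can a TCP handshake to host:port be completed?"""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def local_probe_demo():
    """Show both outcomes of probe() using a throwaway listener on the loopback."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))  # an ephemeral port stands in for 4445
    listener.listen(1)
    port = listener.getsockname()[1]
    while_open = probe("127.0.0.1", port, timeout=1.0)
    listener.close()
    after_close = probe("127.0.0.1", port, timeout=1.0)
    return while_open, after_close


if __name__ == "__main__":
    print("guest netstat shows servlet listening:", servlet_listening(SAMPLE_NETSTAT))
    print("probe while listening / after close:", local_probe_demo())
```

In use, paste the guest's actual netstat output into servlet_listening(), then run probe() from the Examiner with the virtual machine's bridged IP address; a False from probe() while netstat shows the port listening points at the network path (VMware networking mode or a host firewall) rather than at the servlet.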
Previewing the booted image
  1. On the host computer (or an Examiner) log on to the Enterprise SAFE
  2. Using the Add Device option, open the Enterprise folder; select New nodes, blue check the Virtual Machine's IP address and click [Next >]
  3. Blue check the logical volume for the PC Guardian encrypted HDD and click [Next >]
  4. Preview and/or acquire the logical volume

© 2002-2007 Guidance Software, Inc. All Rights Reserved.