Installing Encase in WinFE


3 replies to this topic

#1 dherrerar

dherrerar
  • Members
  • 2 posts
  •  
    Costa Rica

Posted 20 January 2011 - 10:03 PM

Hi,

I've been testing WinFE for my work with forensic cases. I've successfully compiled the live CD and also installed the last version of FTK Imager; however, it would be more interesting to also have the forensic software Encase.

After reading some posts in the forum, I managed to install Encase, but as for the Hasp drivers for the dongle, I've installed them live in the WinFE environment, after running the haspdinst.exe file.

QUESTION: Is there a way to do this automatically (please provide a step-by-step solution), so that I can have a fully functional Encase in the WinFE environment? (I've got an official license for working purposes.)

QUESTION 2: Is there some directive that blocks connected USB devices? I've had some trouble with a USB hard drive used to acquire an image of the hard drive of the computer on which WinFE was running...

Thank You.

#2 mkel2000

mkel2000
  • Members
  • 2 posts
  • Location:Southern CA.
  •  
    United States

Posted 21 February 2011 - 02:00 AM

QUESTION: Is there a way to do this automatically (please provide a step-by-step solution), so that I can have a fully functional Encase in the WinFE environment? (I've got an official license for working purposes.)


Thank You.


I think I came up with a solution for the HASP driver issue with Encase. First let me say that I've only been working with WinBuilder FE for a few days and I'm not a programmer. That said, here is what I did:

I assume that you've extracted the haspdinstall.exe file; if so, open that file with WinRar and extract all of the files to a folder (I called mine Hasp). Go to the driver integration section in Winbuilder FE and view the folder for the x86 drivers. Once you have the folder open, copy the hasp folder into this folder (you can also add any other drivers here, in folders, to have them installed - I added all the Vista/7 Mass storage drivers from Driverpacks.net). When you build your project, all the drivers in this folder will be copied to the build and injected. One thing I've found in my limited testing is that I don't get any kind of indication from the OS that the drivers are being installed when new hardware is added, and it may be necessary to open up Device Manager and scan for hardware changes, but it does work in the end.

Mark

#3 MB_75

MB_75

    Newbie

  • Members
  • 16 posts
  • Location:Centurion
  •  
    South Africa

Posted 21 February 2011 - 09:43 AM

I assume that you've extracted the haspdinstall.exe file; if so, open that file with WinRar and extract all of the files to a folder (I called mine Hasp). Go to the driver integration section in Winbuilder FE and view the folder for the x86 drivers. Once you have the folder open, copy the hasp folder into this folder (you can also add any other drivers here, in folders, to have them installed - I added all the Vista/7 Mass storage drivers from Driverpacks.net). When you build your project, all the drivers in this folder will be copied to the build and injected. Mark


Hi mkel2000 & dherrerar,

This is the best and easiest way to use the HASP dongles for EnCase. Been using it for a few months like this.

Also, yes, it does not show that new hardware is added, but when opening EnCase it should not say acquisition; if it does, EnCase did not pick up the dongle.

Another tip for EnCase with the WinBuilder process:
On your PC, create a drive letter Y:\ and then install EnCase in y:\programs\EnCase.
Customize your EnCase the way you need it, copy any CERT files into the respective folders, and close.
After creating your WinFE with WinBuilder, copy this folder over to your newly created UFD and boot with it.
100% working EnCase, the way it is on your Desktop/Laptop.

Regards,

#4 mkel2000

mkel2000
  • Members
  • 2 posts
  • Location:Southern CA.
  •  
    United States

Posted 21 February 2011 - 04:07 PM

Also, yes, it does not show that new hardware is added, but when opening EnCase it should not say acquisition; if it does, EnCase did not pick up the dongle.

Another tip for EnCase with the WinBuilder process:
On your PC, create a drive letter Y:\ and then install EnCase in y:\programs\EnCase.
Customize your EnCase the way you need it, copy any CERT files into the respective folders, and close.
After creating your WinFE with WinBuilder, copy this folder over to your newly created UFD and boot with it.
100% working EnCase, the way it is on your Desktop/Laptop.


I have previously used WinFE disks based on Windows Vista, so the lack of new hardware notification was something that didn't surprise me. I had never built a WinFE disk before a few days ago (the others had been provided by a previous employer) so I spent several days of frustration trying to get things to work, which they now do. Documentation on the "how to", particularly for Encase, is seriously lacking.

It is not necessary to install Encase to a Y: drive for it to work properly if you add it to the boot.wim file before building the ISO; the caveat is that it needs to be a fresh installation of Encase that hasn't run before. I tried the install of Encase onto the Y: drive of WinFE and didn't like all the reads from the CD that were necessary to load it. I suspect that may eventually cause some issues with Encase during an acquisition, hence the reason for adding it to the boot.wim so it is loaded to RAM. It does add to the initial load time for WinFE, but the total size of the ISO for WinFE still fits nicely on a CD. I will likely do the same type of install for FTK Imager Lite, again to avoid any issues during an acquisition (although I use FTK Imager only as a last resort.) I don't ever see the need to use WinFE as a Live Disk because I have other imaging options available.

Mark
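
Added example, not part of the original posts and not WinBuilder's own code: the thread relies on WinBuilder's driver-integration folder to inject the HASP drivers, and post #4 mentions adding content to boot.wim. The script below does the driver step by hand with the Windows DISM PowerShell cmdlets instead, and checks that every extracted driver package is actually in the image before saving it. All paths and the image index are placeholders.

```powershell
# Added example. Every path and the image index are placeholders; adjust to your build.
$ErrorActionPreference = 'Stop'
$WimFile   = 'C:\WinFE\boot.wim'       # placeholder: the WinFE boot image
$Index     = 1                         # assumption: image index inside the WIM
$MountDir  = 'C:\WinFE\mount'          # placeholder: empty working folder
$DriverDir = 'C:\WinFE\drivers\Hasp'   # placeholder: folder of extracted HASP driver files

# DISM injects driver packages by their .inf files, so check they exist first.
$infs = @(Get-ChildItem -Path $DriverDir -Recurse -Filter '*.inf')
if ($infs.Count -eq 0) {
    throw "No .inf files under $DriverDir; there is nothing to inject."
}

New-Item -ItemType Directory -Path $MountDir -Force | Out-Null
Mount-WindowsImage -ImagePath $WimFile -Index $Index -Path $MountDir | Out-Null

$save = $false
try {
    # Stage every driver package found under the folder into the offline image.
    Add-WindowsDriver -Path $MountDir -Driver $DriverDir -Recurse | Out-Null

    # Get-WindowsDriver lists third-party drivers in the image; compare by .inf name.
    $staged = Get-WindowsDriver -Path $MountDir |
        ForEach-Object { Split-Path -Path $_.OriginalFileName -Leaf }
    $missing = @($infs | Where-Object { $staged -notcontains $_.Name })

    if ($missing.Count -gt 0) {
        throw "Not staged in the image: $($missing.Name -join ', ')"
    }
    Write-Host "All $($infs.Count) driver package(s) are present in the image."
    $save = $true
}
finally {
    # Commit only a verified image; otherwise leave boot.wim untouched.
    if ($save) { Dismount-WindowsImage -Path $MountDir -Save | Out-Null }
    else       { Dismount-WindowsImage -Path $MountDir -Discard | Out-Null }
}
```

Run it from an elevated PowerShell prompt. The driver architecture has to match the image (the thread uses the x86 driver folder).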



