Dell Encryption EnCase Integration Guide
Notes, cautions, and warnings
NOTE: A NOTE indicates important information that helps you make better use of your product.
CAUTION: A CAUTION indicates either potential damage to hardware or loss of data and tells you how to avoid the problem.
WARNING: A WARNING indicates a potential for property damage, personal injury, or death.

© 2012-2019 Dell Inc. All rights reserved. Dell, EMC, and other trademarks are trademarks of Dell Inc. or its subsidiaries.
Contents
1 Introduction (page 4)
  Contact Dell ProSupport (page 4)
2 Integrate with EnCase (page 5)
3 Use Dell Encryption with EnCase
1 Introduction

Dell Encryption integrates with EnCase v6.15 digital forensic products from Guidance Software, Inc. to support online investigations of encrypted files. With this integration, forensic investigators can view, export, or search within Dell Encryption-secured data. With proper forensic administrator credentials, all Dell Encryption-secured data, regardless of the keys used to encrypt it, are decrypted and presented to the investigator without additional interaction.
2 Integrate with EnCase

Enable the EnCase API

NOTE: Do not use this API with Security Servers deployed in a DMZ. Use an internal Security Server with restricted access for EnCase integration to maintain security.

Security Management Server pre-v7.7
1. Open \Enterprise Edition\Device Server\conf\context.properties.
2. Enable the forensic integration API:
   service.forensic.enable=true
3. Stop and restart the Security Server.

To disable forensic integration, set service.forensic.enable=false.
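Because the forensic API exposes key material to anyone holding forensic administrator credentials, an administrator will want to confirm the flag is off again once an investigation ends. The following audit script is an added example and not part of Dell's documentation or tooling; it assumes context.properties follows the standard Java .properties syntax and uses a constructed sample file in place of a real one.

```python
import re
import sys
from pathlib import Path

# Key named in the guide; setting it to true turns on the EnCase forensic API.
FORENSIC_KEY = "service.forensic.enable"

# Constructed sample of a context.properties file (server.name is made up).
SAMPLE_PROPERTIES = """\
# Device Server context (constructed sample)
server.name = SecurityServer01
service.forensic.enable=true
"""


def parse_properties(text: str) -> dict:
    """Parse Java-style .properties text (assumed format of context.properties):
    '#' or '!' comment lines, '=' or ':' separators, trimmed whitespace,
    and trailing-backslash line continuations."""
    props = {}
    pending = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not pending and (not line or line[0] in "#!"):
            continue  # blank or comment line
        if line.endswith("\\"):
            pending += line[:-1]  # value continues on the next line
            continue
        logical, pending = pending + line, ""
        m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)", logical)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props


def forensic_api_enabled(text: str) -> bool:
    """True only when the key is present and set to 'true' (case-insensitive)."""
    return parse_properties(text).get(FORENSIC_KEY, "false").lower() == "true"


def audit_file(path: str) -> str:
    """One-line finding for a context.properties file on disk."""
    state = "ENABLED" if forensic_api_enabled(Path(path).read_text()) else "disabled"
    return f"{path}: {FORENSIC_KEY} is {state}"


if __name__ == "__main__":
    # Usage: python audit_forensic_api.py <context.properties> [...]
    for p in sys.argv[1:]:
        print(audit_file(p))
    if not sys.argv[1:]:
        print("sample:", "ENABLED" if forensic_api_enabled(SAMPLE_PROPERTIES) else "disabled")
```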
3 Use Dell Encryption with EnCase

Get Encryption Keys
Use the EnCase Enterprise user interface to get encryption keys from the Dell Remote Management Console and decrypt all Dell-encrypted data for this computer or evidence file.
1. Select the Online check box.
2. Type the Username of the forensic administrator.
3. Type the Password of the forensic administrator.
4. Type the URL to the Dell Server with the EnCase API enabled. For example: https://cred01.somedomain.
4 Use EnCase with Dell Encryption

CEGetBundle
CEGetBundle is a utility which allows forensic administrators to pull key material from a Dell Server. This utility is available through Dell ProSupport. The following table details the parameters available for the installation.

Parameters (parameters are case sensitive)
-L = Legacy mode for exporting keys from a CMG 5.3.x Server
-X = URL for the Security Server (Default Security Server for a server at “SecurityServer.Organization.
CEGetBundle -R -bBackupFile -ABackupPwd -oOutputFile -iOutputPwd

• The following details the previous example command with example parameter values:
CEGetBundle.exe -b"C:\temp\BackupFile.exe" -Aabc123456 -o"C:\temp2\KeyBundle.bin" -iKeyP@ssw0rd

The following example downloads the KeyBundle for the device Test1.domain.com with RecoveryID 1A2S3D4F using the forensic administrator A-Admin1@Dom-ain.com:
CEGetBundle -Xhttps://server.domain.com:8443/xapi/ -a"A-Admin@Dom-ain.com" -AP@ssw0rd!123 dTest1.domain.