Friday, September 13, 2013

EnCase via RDP (part 2)

As you probably already know, Remote Desktop Protocol (RDP) and EnCase Forensic do not play well together on Windows 7, Server 2008, etc.: launched from an RDP session, EnCase comes up in Acquisition Mode instead of fully licensed. As posted a few years ago, there are workarounds, but none are perfect. Even buying the NAS licensing server has limitations.

...I spent weeks trying to figure out a true solution. Then randomly, out of complete nowhere, a co-worker one day sends an email to our team saying "Hey, if you ever have this problem with EnCase and RDP .. just do this..." I was shocked, amazed, but more importantly it worked!

Before you get started:
  • Note: this program requires Administrative Rights to run (tscon will fail with "Access is denied" otherwise).
  • Caution: it requires the user to reconnect to the RDP session afterwards (the user is not logged off). The script moves your session to the physical console with tscon, so until you reconnect, your unlocked desktop is displayed on the workstation's local screen and anyone with physical access to the box can use it. Only do this on a machine in a controlled space.
  • Modified from http://community.spiceworks.com/how_to/show/873 and http://community.spiceworks.com/scripts/show/190-disconnect-terminal-services-session-remotely
  • I don't have time to support this but feel free to leave comments and I can see if my co-worker is interested in answering questions there.
Directions:

1. Copy the text below into a text file
2. If you have EnCase installed somewhere other than the default location, you'll need to update the four set lines in the section starting at line 23 of the batch file (under the ":: EnCase Installations" comment):
set encase_v6x32="C:\Program Files (x86)\EnCase6\EnCase.exe"
set encase_v6x64="C:\Program Files\EnCase6\EnCase.exe"
set encase_v7x32="C:\Program Files (x86)\EnCase7\EnCase.exe"
set encase_v7x64="C:\Program Files\EnCase7\EnCase.exe"

3. Save as "Start Encase.bat"
4. Just double-click "Start Encase.bat" (run as administrator) after connecting via RDP to the workstation. Pick the EnCase version, then the Session ID of your own RDP session from the qwinsta list (the one marked with ">" / the Active rdp-tcp# session). Your RDP client will disconnect as the session is moved to the console; reconnect via RDP and EnCase will already be running in licensed mode.

Start Encase.bat:
@echo off

:: EnCase Starter from RDP Session
:: Author: ALG
:: DATE: 2013.03.06
:: Purpose: Fixes issue of EnCase starting in Acquisition Mode when executed from RDP Session
:: Caution: Requires User to Re-Login to RDP Session (user is not logged out)
:: Modified from http://community.spiceworks.com/how_to/show/873
:: and http://community.spiceworks.com/scripts/show/190-disconnect-terminal-services-session-remotely

:WinVersion
cls
echo ## Detecting Windows Version
:: Vista/7/2008 R2 and later report kernel 6.x and have UAC, so verify elevation first
ver | find /i "Version 6." >nul
if %ERRORLEVEL% EQU 0 goto ADMIN
:: Older releases (XP/2003) fall straight through to the menu
:: (tscon still needs administrative rights there too)

:MENU1
title Choose EnCase Version to Start via RDP (Requires Reconnect to RDP Session)
:: EnCase Installations (Update to Install Location)
set encase_v6x32="C:\Program Files (x86)\EnCase6\EnCase.exe"
set encase_v6x64="C:\Program Files\EnCase6\EnCase.exe"
set encase_v7x32="C:\Program Files (x86)\EnCase7\EnCase.exe"
set encase_v7x64="C:\Program Files\EnCase7\EnCase.exe"
cls
echo 1: EnCase V6 (32-Bit) [%encase_v6x32%]
echo 2: EnCase V6 (64-Bit) [%encase_v6x64%] 
echo 3: EnCase V7 (32-Bit) [%encase_v7x32%]
echo 4: EnCase V7 (64-Bit) [%encase_v7x64%]
echo ---------------------------------------
echo Type EnCase Version ID (above) or Full Path to EnCase.exe
echo Type R to refresh user list
echo Type Q to quit
echo.
set input=R
:: Prompt for Install
Set /P input=
if /I %input% EQU Q goto END
if /I %input% EQU R goto USERS
if /I %input% EQU 1 set input=%encase_v6x32%
if /I %input% EQU 2 set input=%encase_v6x64%
if /I %input% EQU 3 set input=%encase_v7x32%
if /I %input% EQU 4 set input=%encase_v7x64%
:: Do NOT call this variable "path": that clobbers the PATH environment
:: variable and qwinsta/tscon are no longer found
set encase_exe=%input%
goto USERS

:USERS
title Users on Localhost
cls
qwinsta /server:localhost
echo.
echo Type Session ID of current RDP session (this session is %SESSIONNAME%)
echo Type R to refresh user list
echo Type Q to quit
echo.
set input=R

:: Prompt for session
Set /P input=
if /I %input% EQU Q goto END
if /I %input% EQU R goto USERS
set session=%input%
goto DISCON

:DISCON
title Disconnecting User
cls
:: Move the RDP session to the physical console: the RDP client drops,
:: the session stays logged on and is shown (unlocked) on the local screen
tscon %session% /dest:console
if %ERRORLEVEL% NEQ 0 (
  echo tscon failed - wrong Session ID or not running elevated?
  pause
  goto USERS
)
echo Disconnect in progress, reconnect via RDP once EnCase is up
echo.
goto STARTER

:STARTER
cls
:: Started while the session is on the console, so EnCase sees a console
:: session and comes up licensed instead of in Acquisition Mode
START /b "" %encase_exe%
exit

:ADMIN
cls
:: cd into System32 works for any user, so it proves nothing about elevation;
:: "net session" requires administrative rights and fails with error 5 otherwise
net session >nul 2>&1
if %ERRORLEVEL% EQU 0 goto MENU1
goto ERR1

:ERR1
title Error
cls
echo This program requires Administrative Rights to run!
echo.
pause
goto END

:END
exit
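The same trick without the interactive menus, as an added example written for this page (it is not the author's or his co-worker's script). It uses the session ID of the running process instead of making you read it off the qwinsta list, checks for elevation and for actually being inside an RDP session before touching anything, and only then runs tscon and starts EnCase. The four install paths are assumed to be the same defaults the batch file uses, and the "RDP-Tcp" session-name prefix is the usual one on Windows 7 / Server 2008; both are assumptions, adjust them to your workstation.

```powershell
# Start-EnCaseFromRdp.ps1 -- added example, not the post's batch file.
# Same technique: move this RDP session to the physical console with tscon,
# launch EnCase while it is a console session, then reconnect over RDP.
# Run from an elevated PowerShell inside the RDP session.
param(
    [string]$EnCasePath   # optional explicit path to EnCase.exe
)

# Assumed default install locations (same as the batch file)
$candidates = @(
    "C:\Program Files (x86)\EnCase6\EnCase.exe",
    "C:\Program Files\EnCase6\EnCase.exe",
    "C:\Program Files (x86)\EnCase7\EnCase.exe",
    "C:\Program Files\EnCase7\EnCase.exe"
)

# 1. Elevation check: tscon needs administrative rights
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw "This script must run in an elevated (Run as administrator) PowerShell."
}

# 2. Only meaningful inside an RDP session (SESSIONNAME is e.g. RDP-Tcp#0;
#    on the physical console it is "Console")
if ($env:SESSIONNAME -notlike 'RDP-Tcp*') {
    throw "Not running in an RDP session (SESSIONNAME='$env:SESSIONNAME'); nothing to do."
}

# 3. Resolve EnCase.exe: explicit path wins, otherwise first existing default
if (-not $EnCasePath) {
    $EnCasePath = $candidates | Where-Object { Test-Path $_ } | Select-Object -First 1
}
if (-not $EnCasePath -or -not (Test-Path $EnCasePath)) {
    throw "EnCase.exe not found; pass -EnCasePath 'C:\...\EnCase.exe'."
}

# 4. The session ID of this very process is the RDP session to move,
#    so there is no qwinsta output to read
$sessionId = (Get-Process -Id $PID).SessionId
Write-Host "Moving session $sessionId ($env:SESSIONNAME) to the console; your RDP client will disconnect."
Write-Host "The desktop stays unlocked on the local screen until you reconnect."

& tscon.exe $sessionId /dest:console
if ($LASTEXITCODE -ne 0) {
    throw "tscon failed with exit code $LASTEXITCODE (wrong session, not elevated?)"
}

# 5. The script keeps running in the session, which is now the console session;
#    EnCase started here sees no RDP and licenses normally
Start-Process -FilePath $EnCasePath
Write-Host "EnCase started. Reconnect via RDP to pick the session back up."
```

Usage from inside the RDP session: `powershell -ExecutionPolicy Bypass -File .\Start-EnCaseFromRdp.ps1`, or with `-EnCasePath "D:\Tools\EnCase7\EnCase.exe"` for a non-default install. Reconnecting over RDP moves the session back off the console, so the window in which the desktop sits unlocked on the physical screen is only as long as it takes you to reconnect; keep it short, and be aware that if someone else is logged on at the physical console at that moment, tscon will displace their session.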


6 comments:

  1. I have also been looking for a solution to this for a while but running this did not seem to work.

    Can you please confirm what platform/versions you were using and the exact steps you undertook to achieve this.

    Thanks in advance

    1. Windows 7 x64. Others confirmed it worked.

  2. This is wonderful - thank you!

    (Other) Anonymous - Check your installation paths vs. the default in the batch file. You might need to change one of them, or simply enter the encase.exe installation path in the console in quotes.

  3. This comment has been removed by the author.

  4. I cannot start jobs when I started encase this way. It seems that processes running when processing data fail. Anyone else having issues with this?

  5. Excellent stuff !
    Works for both EnCase 6 and 7 on x86_64
    Win7 and Svr 2K8
