How to Configure and Use SQL with EnCase Products
www.ceicconference.com
Aaron Bennett, Guidance Software, Inc.

Introduction
- Databases for Guidance Software Enterprise Products:
  - EnCase eDiscovery
  - EnCase CyberSecurity
- Best Practice for EnCase Applications
  - Currently v5.2.1
- Tools Required:
  - Guidance Software Database Utility
  - Microsoft: SQL Server Management Studio
  - EnCase Case Connection Editor

Database Life-Cycle
- Prepare the Systems
- Configure SQL
- Create Databases
- GSI Database Utility
- The Upgrade
- If you have to Troubleshoot
- Always Backup
- Maintenance & Recovery

System Preparation
Systems Requirements:
- SQL Server
  - Supports the entire application
  - Stores all casework and reporting data
- Database Utility System
  - User system which is designated to run the database utility
  - User must have SQL Server permissions in order to create databases
- Minimum configuration
  - Scale resources up
  - Prioritize Memory and Disk IO first

System Preparation: SQL Server
- Installation of SQL Server
  - Database Engine
  - Reporting Services
  - SQL Server Management Studio
    - Optional to install on SQL Server itself
  - Recommended Resources
- Preparing SQL Server:
  - Install Recommended Packages
  - Ensure Database Administrator has requirements and GSI Resources
  - Check that SQL Server is available from all EnCase Systems
  - Backup SQL Server Master Key and other important Database Resources
    - Start at SQL Configuration Manager

System Preparation: Software Required
- Server Version: Microsoft SQL Server
  - Min: SQL2005 sp4
  - Max: SQL2008r2
- Packages:
  - SQL Server Database Instance
  - Reporting Service
  - Complete Management Studio
- GSI Database Utility
  - Provided by Guidance Software
- Specific Systems Settings Required:
  - SQL Server
    - Server Settings and Permissions
    - Accounts and Roles
  - Machine designated to run Database Utility
    - Permissions for SQL Components
    - Permission to run PS Scripts
  - Install SQL resources on Database Utility Machine
    - SQL Server Management Studio [OR]
    - SQLCMD + SQL Native Client

System Preparation: Start with SSMS
SSMS (SQL Server Management Studio)
- Management Studio:
  - SQL Permissions
  - Maintenance Schedules
  - Modifying Catalog Properties
  - Scripts, Queries, Configuration
- Performing Manual Backups
  - In addition to GSI Database Utility
- Creating or Upgrading eDiscovery or CyberSecurity databases
- Running Application-specific diagnostics
*Optional whether to install SSMS on SQL Server itself*

Configure SQL: Installation
If you must install SQL Server, these options are recommended:
- Run SQL Services via System Account
  - No need to run via AD Account
- Include Windows Authentication-Mode
  - This option alone is more secure
  - Mixed-mode also suitable
- Server Collation:
  - SQL_Latin1_General_CP1_CI_AS
  - Latin1_General_CI_AS
- Allow traffic through Firewall

Configure SQL: Catalog Settings
Running the Application, two users should be created (minimum):
1. EnCase_Service Account:
   - Account that is used by the application to service users
   - All databases should use the EnCase Account or [sa] for the File DB Owner
   - Must be either a SQL or AD User account; AD Groups will not work
   - Should not change database owner once the tables are created
2. EnCase Enterprise Desktop Users:
   - Access to the application databases for importing data, creating criteria/jobs, etc.
   - Case Role: DB_Owner
   - If the system administrator is file owner, map the EnCase_Service account to this role as well
Database Administrator may grant a team member the ability to create databases. This user will need the server-level permission: DB_Creator
Record information on all accounts used when building the ECC Database set. Keep this information!

Lab Break 1
- Open SSMS and examine configuration
  - Get briefly familiarized with the application's areas
- Open SQL Configuration Manager
  - Services and Settings for the MSSQL Service itself
- Examine Enterprise Configuration Settings in SSMS
  - User and Catalog Properties
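
A read-only way to check the account rules from "Configure SQL: Catalog Settings" during the lab, added here as an example that is not part of the original slides. The login name EnCase_Service, the catalog name pattern ECC_% and the case catalog name are assumptions; substitute the names recorded when the database set was built.

```sql
-- Added example: SELECT-only audit, makes no changes to any catalog.
-- Assumed names: login N'EnCase_Service', catalogs named N'ECC_...'.

-- 1. File owner of each catalog: expected to be the service account or sa.
--    A NULL owner (login no longer exists) also lands in REVIEW.
SELECT d.name                    AS catalog_name,
       SUSER_SNAME(d.owner_sid)  AS owner_login,
       CASE WHEN SUSER_SNAME(d.owner_sid) IN (N'sa', N'EnCase_Service')
            THEN 'ok' ELSE 'REVIEW' END AS owner_check
FROM sys.databases AS d
WHERE d.name LIKE N'ECC[_]%';

-- 2. Who holds the server-level dbcreator role (and sysadmin, which implies it).
SELECT r.name AS server_role, p.name AS login_name, p.type_desc
FROM sys.server_role_members AS m
JOIN sys.server_principals   AS r ON r.principal_id = m.role_principal_id
JOIN sys.server_principals   AS p ON p.principal_id = m.member_principal_id
WHERE r.name IN (N'dbcreator', N'sysadmin')
ORDER BY r.name, p.name;

-- 3. Inside one case catalog: members of db_owner.
--    AD groups are flagged because the slides state they will not work
--    for the service account.
USE [ECC_Case_PLACEHOLDER];   -- placeholder catalog name
SELECT u.name            AS db_user,
       SUSER_SNAME(u.sid) AS mapped_login,
       u.type_desc,
       CASE WHEN u.type = 'G' THEN 'AD GROUP' ELSE '' END AS note
FROM sys.database_role_members AS m
JOIN sys.database_principals   AS r ON r.principal_id = m.role_principal_id
JOIN sys.database_principals   AS u ON u.principal_id = m.member_principal_id
WHERE r.name = N'db_owner';
```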

Creating Databases: The Database Utility
- Guidance Software Database Utility
  - Introduced in v5.1.0
  - The only method to create databases
- This means:
  - Advanced functions
  - Easier to manage
  - Creating multiple catalogs at once
  - Not necessary for DB Creator to access SSMS on a regular basis

Creating Databases: Completing Database Utility
- Database Name: Must be unique in the SQL Server. Do not reuse names for Global or Case catalogs
- Database Master Keys: Create Tables operation within Global requires entering a Database Master Key.
- Diagnostic Results:
  - Critical errors will prevent further action
  - Warnings can be skipped
- Once Database creation completes, it can be checked in Management Studio and connected in EnCase Enterprise

Creating Databases: Connecting Desktop
- If creating a new Global/Case set:
  - Run EnCase Enterprise Desktop
  - Open Enterprise Applications
  - Click eDiscovery or CyberSecurity
  - Configure Database Connection
- If switching the database connection in Desktop:
  - Run EnCase Enterprise Desktop
  - Navigate to Settings
  - Select Change Database
  - Configure Database Connection

Creating Databases: Connect in ECC
- Connecting to ECC for the first time will open the ODBC dialog:
  - Microsoft OLE DB SQL Provider for SQL Server required
  - Connect to Global Database
  - Navigate to cases which have been created
- Each new Case or Investigation created in the Database Utility will automatically appear in Desktop and the Web Application

Creating Databases: Service Master Key
- Stored connection strings are encrypted by: Database Master Key + SQL Service Master Key
- Best Practice to store:
  - Master Key Passwords
  - SQL Service Master Key
  - Key File Decryption Password
- Connection strings are the only field which is encrypted by default
- Important during SQL Migration
http://technet.microsoft.com/en-us/library/bb964742.aspx

Upgrading: Prerequisites
- AD or SQL User logon which initiates upgrade
  - DB_Owner and DB_Creator on the Global and Case catalogs
    - To allow the script to backup the existing database
    - To drop unused signatures and broker features
    - To modify the schema
- When upgrading to v5:
  - SQL05sp4 or SQL08r2 Server Edition
  - Database version should be 4.4 or 5.1
- Select the group of cases which will be upgraded
  - May deactivate cases to be skipped in previous version.

Upgrading: Pathways
Certain mandatory upgrade pathways from recent ECC Versions.
- Version 3: <= v3.7
- Version 4: v3.8.1 v4.1. <= v4.2.3 v4.2.4 v4.3.0+
- Version 5: <= v4.4.2
[Diagram labels: NEW v5 Global; ORIGINAL v4 Global; Upgraded v5 Catalogs; Remaining v4 Catalogs]

Upgrade: GSI Database Utility
- Database provides the facility to upgrade any candidate Global Database version (4.4.1 and 5.1.0)
  - Complete Diagnostic before the actual upgrade proceeds
- Choose the Databases to be Upgraded
  - Can elect to leave some behind in the old Global
  - Upgraded Databases will be deactivated in the old global
- Strongly recommended to backup catalogs prior to Upgrade

Upgrading: logging & backups
- Upgrade creates a log for each database in the Current User AppData Directory
  - %userprofile%\appdata\roaming\encase Applications\Database Utility
  - Run Command + %appdata%
- Upgrade will attempt to create a backup for each database upgraded
- If there is an error with the Global or any Case databases, the log can be used to troubleshoot
  - Look near the end of the *.log file

Lab Break 2

Troubleshooting
Common issues:
- Jobs not executing:
  - Check the status of Examiner Service first
  - Check SQL Logs for error messages
- Create tables issue:
  - Check Database Names for special/illegal characters
  - Duplicated Database Names will not work
- Other common issues
  - Re-check permissions/ownership accounts
- Never alter databases outside ECC
  - Moving files causes broken links to stored paths
  - Unsupported operations:
    - Running stored procedures
    - Queries which INSERT data or ALTER tables/schema
    - Deleting Tables
    - Removal of records (case ids, custodians, etc.)
- The Utility does a complete upgrade check before it will proceed; invalid databases cannot be upgraded

Troubleshooting: Apps that depend on SQL
Enterprise Applications that connect to databases:
- EnCase Desktop
- Web Components Site
- Cyber/API Sites
- Data Service Site
- Examiner Services
- EnCase WebServer
  - Visit: http://localhost:8888/config

Troubleshooting: Service Broker
- In previous versions of the software, it is sometimes necessary to troubleshoot Service Broker issues.
  - Versions: v4.3.0 v5.1.3
- User permission issues cause disabled Queues:
  - dbo.ctq
  - dbo.notify
- Properties of dbo.ctq
  - EnQueue not enabled
  - Notify Queue is also down
- Queues must be re-enabled. Check SQL Logs, use permission scheme in v5.1 Admin Guide.

Troubleshooting: Logs, Configuration Manager
- Locate the SQL Logs to get information on:
  - Messages, Service Messages, User Actions, Server Information, Login Failures, and more!
- Open SQL Server Configuration Manager to check the instance & services
  - Protocols: TCP/IP, Named Pipes, Shared Memory (local)
  - SQL Service: service account, start-up parameters
  - Default and Named Instance
  - Services running and their running condition.
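
The Service Broker check described above, written out as an added example that is not part of the original slides: it reads the state of dbo.ctq and dbo.notify, surfaces any delivery error text, and re-enables only a queue that is actually down. The database name is a placeholder; the slides do not say which catalog holds the queues.

```sql
-- Added example. Assumption: the queues live in the catalog named below.
USE [ECC_Global_PLACEHOLDER];

-- 1. Is Service Broker delivery enabled for this database at all?
SELECT name, is_broker_enabled
FROM sys.databases
WHERE name = DB_NAME();

-- 2. State of the two queues named in the slides.
--    is_enqueue_enabled = 0 is the "EnQueue not enabled" condition.
SELECT SCHEMA_NAME(q.schema_id) AS schema_name,
       q.name                   AS queue_name,
       q.is_enqueue_enabled,
       q.is_receive_enabled,
       q.is_activation_enabled
FROM sys.service_queues AS q
WHERE q.name IN (N'ctq', N'notify');

-- 3. Messages that could not be delivered; transmission_status carries the
--    error text, which is where a permission problem usually shows up.
SELECT TOP (20) to_service_name, enqueue_time, transmission_status
FROM sys.transmission_queue
ORDER BY enqueue_time DESC;

-- 4. Re-enable a queue only if it is down. Fix the permission problem first
--    (see the SQL logs), otherwise the queue will be disabled again.
IF EXISTS (SELECT 1 FROM sys.service_queues
           WHERE name = N'ctq'
             AND (is_enqueue_enabled = 0 OR is_receive_enabled = 0))
    ALTER QUEUE dbo.ctq WITH STATUS = ON;

IF EXISTS (SELECT 1 FROM sys.service_queues
           WHERE name = N'notify'
             AND (is_enqueue_enabled = 0 OR is_receive_enabled = 0))
    ALTER QUEUE dbo.notify WITH STATUS = ON;
```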

Troubleshooting: System Health
- SQL Commands:
  - sp_who
  - sp_who2
  - sp_configure
- SQL Server:
  - SQL Activity Monitor
- Windows System:
  - Task Manager = Run + Taskmgr
  - Resource Monitor = Run + Resmon

Backups: Recommendations
- Consistent Database Backup is Critical
- Use Full backup capability in SSMS.
  - Never copy mdf/ldf to another directory, create a full *.bak file for each catalog.
  - Specify backup options, defaults may not fit your workflow. For manual backups, it is recommended to define a complete new backup each time, avoid append or overwrite options in case this will be confusing to manage.
  - For automated backups, manage available disk-space and retention accordingly.
- Back Up Often. In addition to regular backups, initiate additional backups if important work has been performed, new Cases initiated, or if system maintenance will be undertaken.
- If necessary to restore, check the MS SQL Documentation for standard procedures.
  - If moving the database set, additional steps will be necessary, see maintenance and recovery in the admin guide.
- Work with Database group if not managing ECC's instance of SQL.
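
A manual full backup that follows the recommendations above (a new *.bak per catalog each time, no append or overwrite), added as an example that is not part of the original slides. The catalog name, the ECC_% name pattern and the backup folder are placeholders; the syntax is kept compatible with SQL Server 2005 SP4 through 2008 R2.

```sql
-- Added example. Placeholders: catalog name, name pattern, backup folder.
DECLARE @db sysname, @stamp nvarchar(20), @file nvarchar(400);
SET @db = N'ECC_Case_PLACEHOLDER';

-- Timestamp such as 20120521_143005 so every run writes a new file.
SET @stamp = REPLACE(REPLACE(REPLACE(
                 CONVERT(nvarchar(19), GETDATE(), 120),
                 N'-', N''), N':', N''), N' ', N'_');
SET @file  = N'D:\SQLBackup\' + @db + N'_' + @stamp + N'.bak';

-- Full backup with page checksums written into the backup.
BACKUP DATABASE @db
    TO DISK = @file
    WITH CHECKSUM, STATS = 10;

-- Confirm the file is complete and readable before relying on it.
RESTORE VERIFYONLY
    FROM DISK = @file
    WITH CHECKSUM;

-- Catalogs and the time of their last full backup (type 'D').
-- NULL means no full backup is recorded on this instance.
SELECT d.name                     AS catalog_name,
       MAX(b.backup_finish_date)  AS last_full_backup
FROM sys.databases AS d
LEFT JOIN msdb.dbo.backupset AS b
       ON b.database_name = d.name
      AND b.type = 'D'
WHERE d.name LIKE N'ECC[_]%'
GROUP BY d.name
ORDER BY last_full_backup;
```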

Backup: SQL Folder Locations
- Each SQL Instance has a backup folder; this can be customized by admins to point to another location.
  - The Utility will attempt to use this location to auto-backup. Backup manually in addition to be certain!
- Each SQL Instance has a Data folder; this will contain the mdf, ldf.
- Data, Logs, Backup, etc. may be specially mapped by your DBA
  - Putting files in these locations requires special rights, check with DBA

Lab Break 3

Maintenance: Keep Info up-to-date
Critical items of information which should be saved/updated
- Server Access:
  - DBOwner, SQL users, AD users, Service Accounts
  - SQL Passwords stored in a secure location
- If SQL configuration is non-default, record this information and submit to your DBA.
  - DBA can better assist if they are aware of ECC requirements and behavior
- Global/Case Catalog information:
  - Instance-specific information
    - Data/Backup directories
    - Instance Address
    - Backup Instance Service Master Key
  - ECC Database Master Keys
  - Connection strings
  - Case Database mapping information (Catalog and Friendly Name)

Maintenance: Database Integrity
- Workflow for database integrity tasks
- How to set up & execute maintenance scheduler
- Recommended Tasks:
  - Database & Transaction Log Backup
  - Integrity checks
  - Rebuild Index
  - Reorganize Index (db defrag)
  - Shrinking Databases
    - Only on closed/archived cases, do not shrink active production cases

Task                          Useful   Interval
Backup DB & Transaction Log   Yes      Frequently
Database Integrity Check      Yes      Periodically
Rebuild Index                 Yes      Before/After running job
Reorganize Index              Yes      Before/After running job
Shrink Database               No       Only on de-activated, archived cases

Maintenance: Automating with Maintenance Plans
- Maintenance Plan Wizard: Setup Maintenance Plan Elements by selecting from default options
- Maintenance Plan Diagram: Map Maintenance Workflow via Plan Diagram.

Recovering: Can be complicated
- A complicated workflow exists for moving databases
  - Moving Databases should not be a common occurrence
  - However, it is sometimes vital to bring systems up-to-date
- Diagram explains the overall process
  - Break down the process into manageable steps!
- Planning for much more than just SQL
  - Moving Data, Server OS and Account Management, Etc
[Diagram labels: Alter Master Key*; Open DB Master Key; ECC DB.bak; Sync to New SQL SMK; Restore Users, permissions & enable Broker; Adjust Global DB connection strings; Connect to restored DB with ECC; Restore Previous SQL SMK]
*If Database Master Keys have not been stored

Recovering: Simplified Steps for Moving Databases
If you must move databases and restore to a new SQL Server for any reason, use the simplified steps:
1. Backup all the databases
2. Restore them to the new server
3. Rework the keys so they can communicate
4. Modify Global so it knows all the cases are on the new server
5. Connect with ECC

Recovering: Sample Commands on DB Keys
- It is recommended to backup the service master key from SQL
  - Whether you plan to move dbs or not
  - Is a disaster-recovery measure
- If moving databases to a shared SQL instance
  - Use the Master Key entered in the GSI Utility to sync to the new SQL Instance
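
The key handling behind steps 2 and 3 and the "Sample Commands on DB Keys" slide, as an added T-SQL example; these are standard SQL Server statements written for this page, not the commands from the original slides. Database name, file paths and passwords are placeholders, and step 4 (connection strings) is left to the Case Connection Editor.

```sql
-- Added example. Placeholders: database name, paths, passwords.
-- Run from SSMS or sqlcmd; GO separates batches.

-- [OLD instance] Disaster-recovery copy of the Service Master Key (SMK).
BACKUP SERVICE MASTER KEY
    TO FILE = N'D:\KeyBackup\old_instance_smk.key'
    ENCRYPTION BY PASSWORD = N'<key-file-password>';
GO

-- [OLD instance] Only if the Database Master Key password was never stored:
-- while the old SMK can still open the key, add a password you control.
USE [ECC_Global_PLACEHOLDER];
ALTER MASTER KEY ADD ENCRYPTION BY PASSWORD = N'<new-dmk-password>';
GO

-- [NEW instance] Step 2: restore the .bak taken in step 1.
-- Add MOVE clauses if the data/log folders differ on the new server.
RESTORE DATABASE [ECC_Global_PLACEHOLDER]
    FROM DISK = N'D:\SQLBackup\ECC_Global_PLACEHOLDER.bak'
    WITH RECOVERY;
GO

-- [NEW instance] Step 3: open the Database Master Key with its password and
-- add encryption by this instance's SMK, so the encrypted connection
-- strings can be read without supplying the password each time.
USE [ECC_Global_PLACEHOLDER];
OPEN MASTER KEY DECRYPTION BY PASSWORD = N'<dmk-password>';
ALTER MASTER KEY ADD ENCRYPTION BY SERVICE MASTER KEY;
CLOSE MASTER KEY;
GO

-- Verify: is_master_key_encrypted_by_server = 1 means the sync worked.
SELECT name, is_master_key_encrypted_by_server, is_broker_enabled
FROM sys.databases
WHERE name = N'ECC_Global_PLACEHOLDER';

-- SQL-authenticated users that came over without a matching login here.
USE [ECC_Global_PLACEHOLDER];
EXEC sp_change_users_login @Action = 'Report';
GO

-- Service Broker delivery is off by default on a restored database.
-- Needs exclusive access, so do this before ECC connects.
ALTER DATABASE [ECC_Global_PLACEHOLDER]
    SET ENABLE_BROKER WITH ROLLBACK IMMEDIATE;
GO
```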

Restoring: Case Connection Editor
- After all the recovery work is completed in the new SQL, create a new connection string for the new SQL Instance:
  - Strings stored in Global Database
  - Also displays the Catalog and ECC name information
  - Can export the table of cases for records.
- Only use the provided editor!
  - It will validate the Case Identity to prevent errors in mapping connections

Lab Break 4

Questions