EnCase ediscovery VERSION 5.2 ADMINISTRATION GUIDE GUIDANCE SOFTWARE ADMINISTRATION GUIDE ENCASE EDISCOVERY
Copyright 2007-2013 Guidance Software, Inc. All rights reserved. EnCase, EnScript, FastBloc, Guidance Software and EnCE are registered trademarks or trademarks owned by Guidance Software in the United States and other jurisdictions and may not be used without prior written permission. All other marks and brands may be claimed as the property of their respective owners. Products and corporate names appearing in this work may or may not be registered trademarks or copyrights of their respective companies, and are used only for identification or explanation into the owners' benefit, without intent to infringe. Any use and duplication of this work is subject to the terms of the license agreement between you and Guidance Software, Inc. Except as stated in the license agreement or as otherwise permitted under Sections 107 or 108 of the 1976 United States Copyright Act, no part of this work may be reproduced, stored in a retrieval system or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning or otherwise. Product manuals and documentation are specific to the software versions for which they are written. For previous or outdated versions of this work, please contact Guidance Software, Inc. at http://www.guidancesoftware.com. Information contained in this work is furnished for informational use only, and is subject to change at any time without notice.
Contents Preface 5 About this Book... 5 For Further Information... 5 EnCase ediscovery Administration Overview 7 EnCase ediscovery... 8 The Desktop Client... 9 The Web Server... 9 The Examiner Service... 9 The Database Server... 10 The SAFE... 10 Preparing EnCase ediscovery System Components 11 Overview... 12 Getting Started... 12 Tracking Important Information... 13 Preparing the Single Machine System... 15 Verifying Required Software and Configurations - Single Machine Configuration... 17 Allocating Ports - Single Machine Configuration... 19 Setting up Permissions - Single Machine Configuration... 19 Preparing the Web Server Component - Single Machine System... 22 Preparing the Database Component - Single Machine System... 22 Collecting Email and Document Archives - Single Machine System... 23 Preparing System Components on Multiple Machines... 23 Preparing the Database Server... 23 Preparing the EnCase SAFE... 27 Preparing the Web Server... 28 Preparing the Desktop Client... 31 Preparing the Examiner Service Machine(s)... 34 Preparing the Web Client... 39 Installing and Configuring IIS (Internet Information Server)... 39 Installing MS DTC (Microsoft Distributed Transaction Coordinator)... 41 Configuring PowerShell... 42 Setting up Licensing... 42 Activating an Electronic License... 43 Installing a Digital Certificate for SSL Connections... 45 Pay Per Use Considerations... 45 Installing EnCase ediscovery 47 Overview... 48 Installing the Databases... 48 Installing the Database Utility Tool... 49 Creating a Global Database and Schema... 50 Adding Schema to an Empty Database... 52
Creating Case Databases... 53 Upgrading Existing Databases... 56 Running Diagnostics... 59 Backing up the SQL Service Master Key... 60 Installing the Web Server... 61 Installing the Web Components... 62 Configuring the Web Application... 66 Setting up the Administrator Role... 67 Configuring Database and Server Settings... 69 Generating a Connection String with the Utility Script... 71 Installing the Data Service... 72 Setting up Windows Authentication... 75 Configuring the Data Service to Run with HTTPS... 76 Installing the Desktop Client... 76 Starting the Desktop Client... 77 Connecting to the Global Database... 77 Installing the Examiner Service... 78 Configuring EnCase ediscovery 83 Overview... 84 Configuring SMTP Connections... 84 Importing the Microsoft Exchange Certificate... 85 Setting up a Mail Profile for HTTP Connections... 88 Setting up Web API Features... 90 Changing the Hostname of the Web Application... 90 Working with Encrypted Data... 90 Creating Encryption Keys... 90 Opening an Encrypted File... 92 Troubleshooting 141 Overview... 142 Troubleshooting EnServer... 142 Troubleshooting the Data Service... 144 Troubleshooting the Desktop Client... 144 Troubleshooting the Examiner Service... 144 Viewing System Information and Errors... 144 Examiner Service Error Messages... 144 Unable to See Licensed Applications in Web... 148 Not Authorized User Message... 148 Connecting to Microsoft Office 365 Servers... 149 Finding the Build Number of an EnPack... 149 Reverting to a Virtual Machine (VM) Snapshot... 149 Managing User Accounts 95 Overview... 96 Role-Based Security... 96 Creating a New Role... 98 Assigning Permissions to a Role... 98 Assigning Permissions to a Case... 99 Resetting a User's Session... 100
Associating an Active Directory Group or User with a Role... 100 Modifying the Name of an Existing Role... 101 Deleting a Role... 101 Disabling a Role... 101 Tracking User Sessions... 102 Monitoring Tasks... 102 Connecting to Email and Document Repositories 103 Overview... 104 Connecting to Amazon S3 Repositories... 104 Connecting to EMC Documentum Repositories... 104 Connecting to Lotus Domino Servers... 105 Configuring Permissions for Lotus Domino... 105 Configuring EnCase ediscovery for Lotus Collections... 107 Connecting to Microsoft Exchange Servers... 108 Configuring Permissions for Microsoft Exchange 2003... 108 Configuring Permissions for Microsoft Exchange 2007 and 2010... 112 Configuring Microsoft Exchange Online... 114 Configuring EnCase ediscovery for Exchange Collections... 117 Connecting to Microsoft SharePoint and SharePoint Online Repositories... 117 Configuring Permissions for SharePoint and SharePoint Online Web Access... 119 Configuring Permissions for In-House SharePoint Database Access... 120 Connecting to OpenText Livelink Repositories... 121 Connecting to Symantec Enterprise Vault Repositories... 121 Maintenance and Disaster Recovery 123 Overview... 124 Storing Critical Configuration Information... 124 Retrieving the Global Database ID... 124 Backing Up Databases... 127 Performing Manual Backups... 127 Setting Up Automated Backups... 128 Restoring or Moving Databases... 129 Restoring Databases Manually... 129 Changing a Database Owner Manually... 131 Changing Global Database Settings... 133 Restoring Master Keys... 134 Modifying the Case Connection Strings for a New SQL Instance... 137 Connecting to a Restored Database... 140 Recommended Maintenance Procedures... 140 Support 151 Technical Support... 151 Live Chat... 151 Technical Support Request Form... 151 Email... 151 Telephone... 152 EnCase ediscovery Review Technical Support... 152 Support Portal... 152 Registration... 153
User, Product, and Foreign Language Forums... 153 Posting to a Forum... 154 Searching... 154 Bug Tracker... 154 Knowledge Base... 154 MyAccount... 155 Index 157
Preface About this Book This administration guide is for system administrators and database administrators tasked with installing and configuring EnCase ediscovery. This guide focuses on the installation and configuration of the product components. Once they are installed, and ready for use, refer to the EnCase ediscovery User's Guide for information on how to use EnCase ediscovery. Refer to the EnCase ediscovery Release Notes for a summary of new release features, fixed items, and known limitations of the products. For Further Information This manual does not include Microsoft Windows, third-party database setup, or troubleshooting information. It does not include details on using EnCase ediscovery, which can be found in the EnCase ediscovery User's Guide. For information on third-party products used with EnCase ediscovery, refer to the documentation for those products (for example, MSDN or Microsoft SQL Server Books Online). For information on using Secure Authentication for EnCase (SAFE), which describes the details of enabling licensing permissions for EnCase products, refer to the EnCase SAFE Administration Guide.
CHAPTER 1 EnCase ediscovery Administration Overview In This Chapter EnCase ediscovery
8 EnCase ediscovery v5.2 Administration Guide EnCase ediscovery EnCase ediscovery uses multiple components to collect, process, analyze, and deliver information. These components can be installed and configured on one or several separate computers. The diagram below shows a multiple machine setup. In this configuration, the Web Components machine has a variety of components installed: the Web application, the Web server, and the data service. The EnCase ediscovery desktop client provides a Windows-based user interface. The EnCase ediscovery Web components machine provides the backbone for the Web interface that enables accessibility from any browser, inside or outside the firewall. In the configuration illustrated above, this machine is where the Web server, the Web application, and the data service are installed. The examiner service schedules and processes all EnCase ediscovery tasks, and connects to targets either directly or through a SAFE. The database server holds the global and case databases, and stores common settings, case settings, and jobs. Installing and configuring the components must be done on properly configured machines, and in a specific order. This administration guide details what configuration and specifications are required for single system setups as well as various component machines. It also provides details for how to install each component.
The Desktop Client EnCase ediscovery Administration Overview 9 The EnCase ediscovery desktop client enables users to set up cases, assign sources, associate custodians and targets, create search criteria, and generate case-specific reports. From within the desktop client, jobs are created, scheduled, and automatically picked up and processed by the examiner service machines. These jobs may include uncompressing and indexing collected data, running keyword searches, and connecting directly to mail servers, document servers, and workstations for data collection. See Preparing the Desktop Client on page 31 for component requirements. See Installing the Desktop Client on page 76 for installation instructions. The Web Server The Web server runs the Web sites and services that enable access from any browser, inside or outside the firewall. The Web application uses the Web server to provide an interface for various tasks, including the creation and monitoring of legal holds, first pass assessments, analysis and review of collected data, status notification, and the management of job activities. Through the Web interface, administrators schedule collections, processing, delivery, and analysis jobs, create and manage criteria, set up examiner profiles, and generate reports. See Preparing the Web Applications Server see "Preparing the Web Server" on page 28 for component requirements. Three components need to be installed on the Web server to fully configure it: The Web server (see Installing the Web Server on page 61) The Web application (see Installing the Web Components on page 62) The data service (see Installing the Data Service on page 72) The Examiner Service The examiner service performs the data collection and processing activities, discovery, preview, and data acquisition from target computers. Examiners are configured to connect to the global SQL database, which stores connections to the individual SQL case databases. The examiner service is a Windows service that can be installed on multiple machines and managed remotely. Because it is a service, no user intervention is needed to restart the system in case of an interruption. Database profiles can be configured to instruct individual examiner service machines to process all available jobs or only desired jobs. See Preparing the Examiner Service Machine(s) for component requirements. See Installing the Examiner Service on page 78 for installation instructions.
10 EnCase ediscovery v5.2 Administration Guide The Database Server The database server stores the databases that contain the data collected from many targets across the network. The global database is the repository for source locations and custodian targets. Individual case databases maintain collection and processing job parameters, as well as all job results pertaining to a case. These databases are accessed directly through the desktop client or through a Web browser. See Preparing the Database Server on page 23 for component requirements. See Installing the Databases on page 48 for installation instructions. The SAFE The SAFE (Secure Authentication For EnCase) server is used to administer access rights, provide for secure data transmission, and broker communications between the network and the EnCase Enterprise user. Using a SAFE is needed for collecting information over the network. Please refer to the SAFE Administration Guide for all details relating to SAFE setup and management.
CHAPTER 2 Preparing EnCase ediscovery System Components In This Chapter Overview Getting Started Tracking Important Information Preparing the Single Machine System Preparing System Components on Multiple Machines Installing and Configuring IIS (Internet Information Server) Installing MS DTC (Microsoft Distributed Transaction Coordinator) Configuring PowerShell Setting up Licensing Installing a Digital Certificate for SSL Connections Pay Per Use Considerations
12 EnCase ediscovery v5.2 Administration Guide Overview This chapter details the hardware, software, and system requirements needed to install and configure the product components. Recommended and preferred resource values and configurations are noted where applicable. Prior to installing the product software on any component machine, Guidance Software strongly suggests you adhere to the following guidelines: Disable any indexing engines (such as the one native to Vista and Windows 7) before installing and configuring any component machine. Guidance Software recommends that all component computers apply an alternate IT policy of system patches and upgrades, to eliminate the possibility of unwanted reboots and disconnections during installation and configuration. For both installation and operation, Guidance Software recommends that you have administrator rights on your local computer. If your company policy does not allow you to have administrator rights, then you minimally need read/write permissions for the installation folders. To manage time zone differences among different computers, set the database server, the EnCase SAFE, and all Examiner computer system clocks to UTC (GMT with no daylight savings time). Getting Started Before you begin setting up your system, you must determine whether you are going to be configuring a single machine system, or a multiple machine system. Setting up a single machine system A single machine system may be fully sufficient for smaller networks. The process for setting up a single machine system follows these steps: 1. Check the computer and ensure that all hardware and software requirements are met, and that permissions are set correctly for each component (see Preparing the Single Machine System on page 15). 2. In exactly this order, install the following components: Install the database utility (Installing the Database Utility Tool on page 49) Using the database utility, create a global database (Creating a Global Database and Schema on page 49) Using the database utility, create one or more cases (Creating Case Databases on page 53) Install the Web server component (Installing the Web Server on page 61) Install the Web application component (Installing the Web Components on page 62) Configure the Web application (Configuring the Web Application on page 65) Set up the Administrator role (Setting up the Administrator Role on page 67) Configure the Database and Server (Configuring Database and Server Settings on page 69) Install the data service component (Installing the Data Service on page 72) Install the desktop client (Installing the Desktop Client on page 76) Install the examiner service component (Installing the Examiner Service on page 78)
Setting up a multiple machine environment Preparing EnCase ediscovery System Components 13 While other configurations are possible, this guide assumes a system configured with a separate machine for the desktop client, one or more machines for the examiner service, a single Web server machine for the Web server, Web application and data service components, a machine for the database, and multiple Web client machines. To set up a typical multiple machine environment: 1. Check the following machines and ensure that all hardware and software requirements are met, and that permissions are set correctly for each component. Web server (Preparing the Web Applications Server see "Preparing the Web Server" on page 28) Database server (Preparing the Database Server on page 23) Examiner service machine(s) (Preparing the Examiner Service Machine(s) on page 34) Desktop client (Preparing the Desktop Client on page 31) Web client machines (Preparing the Web Client on page 38) 2. In exactly this order, install the following components on the following machines: On the Web server: Install the Web server component (Installing the Web Server on page 61) Install the Web application component (Installing the Web Components on page 62) Configure the Web application (Configuring the Web Application on page 65) Set up the Administrator Role (Setting up the Administrator Role on page 67) Configure the Database and Server (Configuring Database and Server Settings on page 69) Install the data service component (Installing the Data Service on page 72) On the database server, install the database utility (Installing the Database Utility Tool on page 49) Using the database utility, create a global database (Creating a Global Database and Schema on page 49) Using the database utility, create one or more cases (Creating Case Databases on page 53) On the desktop client machine, install the desktop client (Installing the Desktop Client on page 76) On the examiner service machine(s), install the examiner service components (Installing the Examiner Service on page 78) Tracking Important Information Use the following table to keep track of information you will need during and after the installation process: Server name Domain name Description Active Directory service account name/password Logged on username/password Value
14 EnCase ediscovery v5.2 Administration Guide Description Background service user (domain\username) Value Global database name SQL Server master key NAS path SAFE path Computer name Single machine configuration: Desktop client: Web components machine: Database server: Examiner service machine(s): Operating system version Single machine configuration: Desktop client: Web components machine: Database server: Examiner service machine(s): SQL Server version System type (32- or 64 bit) Available space (> 1 GB required) Component Web application Data service Web API ESB Listener SSL enabling SMTP receive connector on the mail server 80 (default) 8080 (default) 8081 (default) 8700 (default) 443 (default) 25 (default) Port
Preparing EnCase ediscovery System Components 15 Component Port SMTP receive connector on the mail server (using SSL) SAFE SQL server Microsoft DTC Web server 465 (default) 4445 (default) 1443 (default) 3372 (default) 8888 (default) Preparing the Single Machine System To successfully install all components to a single machine, that machine must meet or exceed the requirements and configurations for all the separate component machines described below. Configuration - Single Machine Class Operating Systems Browser Processor (CPU) Server class hardware (64-bit) Windows Server 2003 SP1 64-bit Enterprise Windows Server 2003 SP1 R2 64-bit Enterprise Windows Server 2008 R2 64-bit Enterprise Microsoft Internet Explorer, versions 8.x or 9.x Mozilla Firefox, versions 4.x and 5.x Intel Quad-Core (for example, Intel Core 2 Quad) AMD Opteron For machines doing heavy OCR processing, Guidance Software recommends a minimum of two or more hyperthreaded multi-core processors. Four or more cores per processor are preferable. Memory (RAM) 16 GB or greater ( 48 GB preferred) One additional GB of RAM per thread is recommended to process OCR. For most users, this translates to an extra 5 GB of RAM per running examiner service.
16 EnCase ediscovery v5.2 Administration Guide Configuration - Single Machine Hard Drive Capacity 500 GB or more with > 2.5 GB available on the drive where the operating system is installed. An additional 3 GB of free space is needed for the examiner service, whether it is installed on the C: drive or any secondary drive or partition. The amount of disk storage required after installation depends upon the size of the original source data to be processed and the processing options selected. As a general guideline, allow enough storage for 10 times the original data size. If you use the desktop machine for output file storage, you need to allocate sufficient space. For five jobs running concurrently, the minimum amount of storage for temporary files is approximately 25 GB; however, Guidance Software recommends allocating 50 GB of output file storage. Hard Drive Speed Number of Hard Drives Recommended Network Configuration 7,200 RPM (10,000 RPM or faster preferred) For best performance, three hard drives are recommended: an application drive, a temp drive, and a separate drive for LEF files Gigabit Ethernet (GbE) The Web Server must be part of an Active Directory domain. VMware The system can be run using VMware and Boot Camp as follows: WMware Workstation 6.5 WMware Workstation 7.0 VMware Server 1.1 (GSX) VMware vsphere 4.0 ESXi Boot Camp v2.0 Boot Camp v3.0 Restrictions Intel Itanium processors are not supported. A dedicated, unshared USB port must be present unless the Examiner license is acquired using the Network Authentication Server (NAS). Although most temp files are stored in a temporary folder by job, a few are stored in the user's global temp folder. Confirm that this Temp folder (typically C:\Users\[UserID]\Local\Temp is not located in the user's directory. Ports 80, 8888, and 443 (for SSL), must be available on this machine. Make sure Fast User Switching is set to off. The setting for this is usually found in the local group policy editor (type gpedit.msc in a command prompt, navigate to Local Computer Policy > Computer Configuration > Administrative Templates > System > Logon and set Hide entry points for Fast User Switching to Enabled.) If you are using Windows Vista or Windows 7, and if the machine has the Windows Search service enabled, you must switch it off. You can turn it off completely, or disable it for the installation temporary directory (go to Control Panel > Administrative Tools, and double click Services to locate the Windows Search service).
Configuration - Single Machine Preparing EnCase ediscovery System Components 17 Recommendations Performance is optimized for 64-bit hardware. Use fault-tolerant drives and or fault-tolerant power supplies to reduce the possibility of outages or data loss. Mirrored operating system and application installation on the primary drive and partition. RAID-5 or better drives for storage of LEFs. Set the screen resolution to 1024 x 768 or higher for optimal viewing. Pay-Per-Use See Pay Per Use Considerations on page 45. Verifying Required Software and Configurations - Single Machine Configuration Use this checklist to verify that you have the minimum required software requirements installed. Additional software and configuration may be required depending on your needs. 1. Check your operating system (Computer > Properties) Windows Server 2003 SP1 64-bit Enterprise Windows Server 2003 SP1 R2 64-bit Enterprise Windows Server 2008 R2 64-bit Enterprise 2. Check your version of SQL Server Microsoft SQL Server 2008 Microsoft SQL Server 2008 R2 Microsoft SQL Server 2005 SP4 3. Verify that the following SQL Server packages are installed: Database Engine Services Reporting Services Management Tools (Complete) 4. Verify that PowerShell is configured correctly (see Configuring PowerShell on page 41) 5. Verify that the following are installed: Microsoft Office 2003, 2007 SP2, or 2010 including a full version of Outlook (required). Microsoft Excel 2003, 2007 SP2, or 2010 (required for Case Screening Reports) PowerShell 2.0 or above (required to run the Database Utility tool) SQL CMD (required to run the Database Utility tool) Windows Installer 4.5 Windows Imaging Component (WIC) must be installed to support Microsoft.NET 4, which is automatically installed if not present on the system. The WIC is available on all supported operating systems except Windows Server 2003. If you are installing the data service, examiner service, or Web components on Windows Server 2003, you must first install WIC. Please refer to Installing the.net Framework at http://msdn.microsoft.com/enus/library/vstudio/5a4x27ek(v=vs.100).aspx. IIS (see Installing and Configuring IIS (Internet Information Server)) MS DTC (see Installing MS DTC (Microsoft Distributed Transaction Coordinator)) MS DTC should be configured to enable both inbound and outbound connections.
18 EnCase ediscovery v5.2 Administration Guide A firewall exception may be required. 6. Verify you have correct permissions configured (see Setting up Permissions - Single Machine Configuration) Connectors software You may also require some or all of the following software to support collection from third party document repositories: IBM Lotus Notes Client v7, v8, and v8.5 (if collecting or processing Domino server or NSF emails). For processing Documentum Repositories, the Documentum client v5.x, v6.6 must be installed (if using the Documentum connector). Microsoft C++ runtime (CRT) if using OpenText Livelink (see the OpenText documentation for the specific version of the runtime required). The Enterprise Vault API runtime application must be installed on any computer running the desktop client or the examiner service, using Enterprise Vault as a source. You can find this on the Symantec installation media. Double click the.msi file to install the application and accept all of the defaults. The examiner service machine must also point to the correct DNS Server when trying to connect to the Enterprise Vault server. For processing OpenText Livelink Repositories, a download is needed for Open Text if the Microsoft C++ runtime (CRT) is not present on the system. If you attempt to create an Open Text definition without the CRT, Open Text does not display as an option in the Create New Source dialog box. For processing Symantec Enterprise Vault Repositories: The examiner service machine and the Enterprise Vault servers must be on the same domain. Connection is made using port 80 on the Enterprise Vault server; proxies are not supported. The Enterprise Vault API runtime application must be installed on any computer running the desktop client or the examiner service, using Enterprise Vault as a source. You can find this on the Symantec installation media. Double click the.msi file to install the application and accept all of the defaults. If collecting an Exchange email or journal archive on the Vault server, Outlook must be installed on the examiner service machine, and be configured for an Exchange account. If collecting a Lotus Domino email or journal archive using a Vault 8 or 9 server, the Lotus Notes client must be installed on the examiner service computer. To collect from SharePoint Online: All components of Microsoft.NET v3.5.1 SP1 (installed automatically on 32-bit machines) must be installed. For 64-bit machines use "Add Features" (for MS Server 2008 R2) or "Turn Features On or Off" (for Windows 7) to install. Collection from SharePoint Online is supported on Windows Server 2008 R2 only. The Windows Process Activation feature should be installed automatically. If prompted, agree to the installation. Additional applications are required. See Connecting to SharePoint and SharePoint Online Repositories, section below.
Allocating Ports - Single Machine Configuration The default port numbers used by the system are: Component Port Web application 80 Data service 8080 Web API 8081 EnServer 8888 SSL enabling 443 Preparing EnCase ediscovery System Components 19 SMTP receive connector on the mail server SMTP receive connector on the mail server (using SSL) 25 465 SAFE 4445 SQL server 1443 Microsoft DTC 3372 Pay Per Use Usage information is transported via SSL, which uses port 443 as the default. Thus, incoming and outgoing communication must be allowed for that port. If an organization uses a proxy server, then that server must be able to pass SSL client certificates. Setting up Permissions - Single Machine Configuration If it does not exist already, your Windows administrator must create a new domain user account with specific permissions for the EnServer service. To import Active Directory custodians, the user must have Read permissions for Active Directory. The Active Directory user account must be able to: Read/write to the user's own installation directory Read/write case folders Read directories Connectors permissions are covered in the specific connectors topics below. To change a user's permission: 1. Open Active Directory Administrative Overview. 2. Open Users. 3. Right click the selected user and use the options to add to another group or modify permissions.
20 EnCase ediscovery v5.2 Administration Guide Connecting to the database server If the machine connects to SQL Server using Windows Authentication, then the user logged into the machine must: Be trusted for delegation (the user's Active Directory administrator can enable delegation). Have read access to the Internal Output folder. Additionally, the user through which the examiner service machine connects to the database must have Administer Bulk Operations permission. Web server permissions The computer must be part of an Active Directory domain. The EnServer service user account must: Be part of an Active Directory domain. Have permission to read data from and write data to all of the directories specified on the config page (localhost/config). This includes Web files, Temp, User Home, and DB Temp. Have read/write permissions to the C:\inetpub\EnCase Application\Web Components\ECC Background Service\BackgroundService.exe.Config file. Have read/write permissions to the Web application's C:\inetpub\EnCase Application\Web Components\ECC Background Service\web.config file. Have the same database access permissions as the Examiner user (see Preparing the Examiner Service Machine(s) on page 34). Have permission to view Group Membership on Active Directory domains The Domain User Account must have read permissions for the internal output folder and the job output folder of every collection and processing job. Each case has one internal output folder; however, the job output folder is different for each job. Examiner service user permissions The following are typical permissions required for successful collections: Users must have local admin privileges to computers where the software will be installed. For UNC collections of network shares, the examiner service doing collections must have Read permissions to the root storage directory for any user shares that will be collected for ediscovery. If servlet deployment will be inter-domain, inter-domain trusts must be available for access to the SAFE and examiner service machines. If network shares are to be collected, parent folders must allow read access. For example, when collecting from \\server\share\folder, \\server\share must allow the examiner read access. For processing a live Exchange server, the examiner service must have an Administrator account and a mailbox on the Exchange server that has been logged into at least once. The examiner service must have at least Receive As and Read Only Admin privileges to the Exchange server. Shared folder and NTFS permissions required to collect from network shares are: Share permission: Read NTFS Permissions: Read and execute: Allow List folder contents: Allow Read: Allow
Permissions shown in the permission entry table should be: Traverse folder/execute file: Allow List folder/read data: Allow Read attributes: Allow Read extended attributes: Allow Read permission: Allow For Lotus Domino server versions 8.5, 8.0 and 7.0: Read public documents Write public documents Replicate or copy documents For Lotus Notes local NSF versions 8.5, 8.0, and 7.0: Preparing EnCase ediscovery System Components 21 Guidance Software does not support switching between Multiple User and Single User modes if you reinstall the Notes client on the examiner service computer(s). Because of how Lotus handles the.ini file, EnCase ediscovery may not be able to connect to the Domino server after switching installation modes. EnCase ediscovery collects the address books from the server. Set up users to back up their personal address books on the server, if you want EnCase ediscovery to collect them. To assure that collection results remain consistent, do not run an older version of the Lotus Notes client against a newer version of the Domino server or NSF archive file, as collection results can be inconsistent. For processing Open Text Livelink, the examiner service must have proper credentials on the OpenText server. For processing Documentum, the user account must have access to the document repository (be added to the repository database) to collect document files. Normal user privileges are adequate. For processing SharePoint Repositories, the examiner service must have Administrator permissions on the SharePoint Repository. To process Symantec Enterprise Vault and run a collection job against a Vault archive, the user must have Read permissions on that specific archive. Permissions on the Vault store or the Vault server are not sufficient. Database server permissions User access to the SQL databases must be established. Users must have Active Directory domain user privileges as well as either: Authentication rights to the instance of the SQL database (if Windows authentication is used), or Access to the SQL Server authentication credentials (if SQL Server authentication is used). The administrator creating the SQL databases must have at least the dbcreator server role. All database users must have at least the db_owner role. This is important to note if someone other than the database creator is using the database. The SQL Server service account must have read/write access to the default data, log, and backup directory locations.
22 EnCase ediscovery v5.2 Administration Guide Preparing the Web Server Component - Single Machine System For the Web application to run: IIS with ASP.NET 4.0 and Windows Authentication roles must be enabled The MS DTC component service must be enabled (see Installing MS DTC (Microsoft Distributed Transaction Coordinator)) If.NET4 is already installed, navigate to IIS > ISAPI and CGI restrictions and confirm that ASP.NET 4.0 is allowed. Before installing and configuring the Web server, deactivate any services or applications that use port 80. Port 80 is commonly used by Web services such as Microsoft Internet Information Services (IIS) or Apache. If you intend to use SSL certificates with the Web server, you also need to make sure there are no conflicts with port 443. Although the Web server cannot share ports with these third party servers, it can run side-by-side with them as long as there is no port conflict. After you configure the Web server to remove any such conflicts, you can restart these servers. Note: You can also override the port setting, and run the service on a non-privileged port (a port higher than 1024). Be aware of your company's email delivery rules and policies. To prevent spam, your email server may be set to limit the number of email messages sent in an hour. If such settings are in place, your hold notifications will not be delivered. If you are sending legal hold notifications, make sure your mail server is set up to send your hold notifications successfully. Preparing the Database Component - Single Machine System If you are using SQL Server 2005, you must configure it for TCP/IP (SQL Server 2005 is not configured for TCP/IP on initial installation). Make sure SQL Server is installed with the collation setting default of SQL_Latin1_General_CP1_CI_AS or Latin1_General_CI_AS. Both server and database must have the same collation settings for database tables to be created. If this default setting is changed, databases cannot be created. The databases must be configured to be case insensitive. This is usually the default setting. Configure the server firewall to allow inbound and outbound data connections through TCP ports 80 and 1433. If the firewall ports are incorrectly configured, testing the connection to the global database fails. In Windows Server 2003 and Windows Server 2008: Navigate to Control Panel > Windows Firewall > Advanced Settings > Inbound Rules. Click New Rule and follow the prompts to create inbound rules for TCP ports 80 and 1433. Select Control Panel > System and Security > Windows Firewall > Create New Rule > Inbound Rules > Action to Allow the Connection. Select Control Panel > System and Security > Windows Firewall > Inbound Rules > Name to name the rule. Make sure the following options are installed in your SQL database: database engine services, reporting services, management tools - basic (see Preparing the SQL Server on page 25).
Preparing EnCase ediscovery System Components 23 Collecting Email and Document Archives - Single Machine System To search electronic mail, the machine must have the same mail client software (Microsoft Outlook or Lotus Notes) installed. The version of the mail client must match that of the mail server to be searched. See Connecting to Email and Document Repositories on page 103. To search Documentum and Symantec Enterprise Vault document servers, the machine must have the respective client or runtime installed. OpenText Livelink and SharePoint do not require any additional client-side installation. SharePoint Online is supported on Windows 7, Vista SP2 or higher, Windows Server 2008 SP2, and Windows Server 2008 R2 operating systems. It is not supported on Windows XP, Windows 2003, Windows Server 2003 R2, or Windows Server 2008 operating systems. Preparing System Components on Multiple Machines If you are using multiple machines in your setup, the following configurations and permissions are required for each machine. For further information, you may also want to refer to the system requirements listed under Preparing the Single Machine System on page 15. Preparing the Database Server The database server houses the global and case databases. The desktop client, the web server, and the examiner service machines must all be able to communicate with the database server. For optimal performance, Guidance Software recommends that the database server be installed on a separate computer from the other product components. Configuration Database Server Class Operating System Processor (CPU) Memory (RAM) Hard Drive Capacity Hard Drive Speed Network Configuration Server Windows 2003 (64-bit) Windows 2003 R2 (64-bit) Windows 2008 (64-bit) Windows 2008 R2 (64-bit) Windows 2003 Server R2 (64-bit) Windows 2008 Server R2 (64-bit) Intel Dual-Core (e.g., Intel Core 2 Duo ) AMD Phenom 8 GB or more 250 GB or more with > 1 GB available 7,200 RPM or more Gigabit Ethernet (GbE)
24 EnCase ediscovery v5.2 Administration Guide Configuration Database Server Software Hardware SQL Packages Restrictions Microsoft SQL Server 2008 Microsoft SQL Server 2008 R2 Microsoft SQL Server 2005 SP4 PowerShell 2.0 or above is required to run the Database Utility tool. SQL CMD must be installed to run the Database Utility tool. Windows Imaging Component (WIC) must be installed to support Microsoft.NET 4, which is automatically installed if not present on the system. The WIC is available on all supported operating systems except Windows Server 2003. If you are installing the data service, examiner service, or Web components on Windows Server 2003, you must first install WIC. Please refer to Installing the.net Framework at http://msdn.microsoft.com/enus/library/vstudio/5a4x27ek(v=vs.100).aspx. Guidance Software recommends using a separate, dedicated computer for the database server. Database Engine Services Reporting Services Management Tools (Complete) The system administrator or database administrator must ensure appropriate database access for users, and make sure passwords are saved or stored accordingly so that users can connect. System time on the database server and on the examiner service machine(s) must be synchronized. Times are converted to GMT. Jobs will not execute properly if the times are not synchronized. Pre-installation checklist Before you begin: If you are using SQL Server 2005, you must configure it for TCP/IP (it is not configured for TCP/IP on initial installation). Make sure the SQL server is installed with the collation setting default of SQL_Latin1_General_CP1_CI_AS or Latin1_General_CI_AS. Both server and database must have the same collation settings for database tables to be created. If this default setting is changed, databases cannot be created. User access to the SQL databases must be established. Users must have Active Directory domain user privileges as well as either: Authentication rights to the instance of the SQL database (if Windows authentication is used), or Access to the SQL Server authentication credentials (if SQL Server authentication is used). The administrator creating the SQL databases must have at least the dbcreator server role. All database users must have at least the db_owner role. This is important to note if someone other than the database creator is using the database. The databases must be configured to be case insensitive. This is usually the default setting.
Preparing EnCase ediscovery System Components 25 The SQL Server service account must have read/write access to the default data, log, and backup directory locations. Configure the server firewall to allow inbound and outbound data connections through TCP ports 80 and 1433. If the firewall ports are incorrectly configured, testing the connection to the global database fails. In Windows Server 2003 and Windows Server 2008: Use Control Panel >System and Security > Windows Firewall > Inbound Rules > Protocol and Ports settings to create inbound rules for TCP ports 80 and 1433. Select Control Panel > System and Security > Windows Firewall > Inbound Rules > Action to Allow the Connection. Select Control Panel > System and Security > Windows Firewall > Inbound Rules > Name to name the rule. Post-Installation Requirement It is important that the SQL Service Master Key be backed up and stored in a secure location before utilizing the SQL Instance. To accomplish this, please work with your SQL database administrator or run the following commands in MS SQL Management Studio. BACKUP SERVICE MASTER KEY TO FILE = 'E:\ECC_Data\servicemaster.key' ENCRYPTION BY PASSWORD = '[Password]' GO Note: replace [Password] with a value (in single quotes) that meets your company's password complexity requirements. Store the small key file and password in a secure location. Guidance Software recommends storing secure information and other configuration information together to ease the process of database troubleshooting. Note: Transparent Data Encryption is used to encrypt the case database connection strings. For more information on this feature of MS SQL, see http://msdn.microsoft.com/en-us/library/bb934049.aspx Preparing the SQL Server Make sure the following options are selected in your installed SQL database: Database engine services Reporting services Management Tools - Basic Whether you are using Windows Authentication or Mixed Mode, make sure the account has Active Directory access.
26 EnCase ediscovery v5.2 Administration Guide To configure the SQL server: 1. Create a domain user account to use as a service account for SQL (i.e. ACME\sql.svcacct). This account can have Deny log on locally enabled in Active Directory if required. 2. Set the SQL Server Agent to Automatic Startup. 3. Click the Use the same account for all SQL Server services button and enter the SQL service account credentials for the account you just created. 4. In the Collation tab, make sure the SQL server is installed with the collation setting default of SQL_Latin1_General_CP1_CI_AS or Latin1_General_CI_AS. Both server and database must have the same collation settings for database tables to be created. If this default setting is changed, databases cannot be created. 5. Click Next. The Database Engine Configuration dialog displays.
Preparing EnCase ediscovery System Components 27 Windows authentication mode creates a sa account for SQL Server Authentication and disables it, forcing the use of only the Windows Authentication. Windows authentication confirms the user's identity through Windows, and is much more secure than SQL Server Authentication. Guidance Software recommends using Windows Authentication mode. Mixed Mode (recommended) enables you to use Windows Authentication and SQL server authentication. If you choose this option, you must provide and then confirm a strong password for the system administrator (sa) account. A password for the system administrator (sa) account is recommended, but not required. 6. Click Next. 7. Select Install the native mode default configuration. 8. The installation takes 30-45 minutes. Once complete, log into the SQL Server Management Studio. Preparing the EnCase SAFE The EnCase SAFE component is used to store the licensing and public keys for the product. Check the current Release Notes for the version number of the EnCase SAFE that is compatible with your version. Configuration EnCase SAFE Class Operating System Processor (CPU) Memory (RAM) Hard Drive Capacity Hard Drive Speed Desktop or server class hardware (64-bit) Windows 7 Windows 2003 Server - SP2 (64-bit) Windows 2003 Server R2 - SP2 (64-bit) Windows 2008 (64-bit) Windows 2008 R2 (64-bit) Windows XP Professional - SP2 (64-bit) Intel Dual-Core (e.g., Intel Core 2 Duo ) AMD Phenom 2 GB or more 40 GB - Storage required is minimal 5,400 RPM or more (7,200 RPM or more preferred)
28 EnCase ediscovery v5.2 Administration Guide Configuration EnCase SAFE Network Configuration Gigabit Ethernet (GbE) VMware You can run a primary SAFE in a VM environment in EnCase versions prior to Version 7.05 Examiner/Version 7d SAFE, providing the physical license key is plugged into a physical USB port on the machine hosting the virtual machine, and the physical USB port is passed through to the virtual machine exclusively. The electronic licensing available in Version 7.05 Examiner/Version 7d SAFE and later eliminates the need for a physical license key in both physical machines or in machines running in VMs. You can also operate a secondary SAFE machine using Network Authentication Server (NAS). Support is provided for running the examiner and secondary SAFE on VMware and Boot Camp as follows: VMware Workstation 6.5 VMware Workstation 7.0 VMware Server 1.1 (GSX) VMware vsphere 4.0 ESXi Boot Camp v2.0 Boot Camp v3.0 Preinstallation checklist Before you begin, make sure: The SAFE computer is available over the network through Remote Desktop Connection with /admin and /console access by the installers. You have local admin rights to the SAFE computer. The security key drivers have been loaded on the SAFE computer and the SAFE security key is inserted into a USB port on the computer. Note: The SAFE computer must have a dedicated USB port. Host-based firewall is off or set to allow TCP connections to the SAFE process. The default value for the TCP port is 4445. Preparing the Web Server The Web server is required for all components to function. Before you begin Confirm that the Web Server machine is part of a domain and that the user account is a member of that domain. Make sure the domain account has sufficient Read/Write permissions for accessing SQL. Confirm that ASP.NET and Windows Authentication Roles are installed by right clicking on My Computer > Manage > Roles and verifying that ASP.NET and Windows Authentication are listed. If.NET4 is already installed, navigate to IIS > ISAPI and CGI restrictions and confirm that ASP.NET 4.0 is allowed.
Preparing EnCase ediscovery System Components 29 Configuration Web Server Class Operating Systems Processor (CPU) Memory (RAM) Hard Drive Capacity Hard Drive Speed Network Configuration Server class hardware (64-bit) Windows Server 2003 SP1 64-bit Enterprise Windows Server 2003 SP1 R2 64-bit Enterprise Windows Server 2008 SP1 64-bit Enterprise Windows Server 2008 R2 64-bit Enterprise Intel Quad-Core (for example, Intel Core 2 Quad) AMD Opteron 8 GB or greater ( >16 GB preferred) 250 GB or greater with > 1 GB available 7,200 RPM (10,000 RPM or faster preferred) Gigabit Ethernet (GbE) The Web Server must be part of an Active Directory domain. Restrictions Recommendations Additional Software Intel Itanium processors are not supported. A dedicated, unshared USB port must be present unless the Examiner license is acquired using the Network Authentication Server (NAS). The Web server performance is optimized for 64-bit hardware. Use fault-tolerant drives and or fault-tolerant power supplies to reduce the possibility of outages or data loss. Optimize Web server performance by storing index files locally. For optimal performance, store the merged, index file on the Web server. Microsoft Excel 2003, 2007 SP2, or 2010 (required for Case Screening Reports) Windows Installer 4.5 IIS (see Installing and Configuring IIS (Internet Information Server)) MS DTC (see Installing MS DTC (Microsoft Distributed Transaction Coordinator)) Windows Imaging Component (WIC) must be installed to support Microsoft.NET 4, which is automatically installed if not present on the system. The WIC is available on all supported operating systems except Windows Server 2003. If you are installing the data service, examiner service, or Web components on Windows Server 2003, you must first install WIC. Please refer to Installing the.net Framework at http://msdn.microsoft.com/enus/library/vstudio/5a4x27ek(v=vs.100).aspx. Network Ports TCP Port 4445 is available for connectivity throughout the enterprise network. Port 8888 must be available; if SSL will be used, port 443 must be available.