As you probably already know, Remote Desktop Protocol and EnCase Forensic do not play well together in Windows 7, Server 2008, etc. As posted a few years ago, there are workarounds, but none are perfect. Even buying the NAS licensing server has limitations.
...I spent weeks trying to figure out a true solution. Then randomly, out of complete nowhere, a co-worker one day sends an email to our team (@CHI_ForensicLab) saying "Hey, if you ever have this problem with EnCase and RDP .. just do this..." I was shocked, amazed, but more importantly it worked!
Before you get started:
- Note: this program requires administrative rights to run!
- Caution: it requires the user to log back in to the RDP session (the user is not logged out)
- Modified from http://community.spiceworks.com/how_to/show/873 and http://community.spiceworks.com/scripts/show/190-disconnect-terminal-services-session-remotely
- I don't have time to support this but feel free to leave comments and I can see if my co-worker is interested in answering questions there.
Directions:
1. Copy the text below into a text file
2. If you have EnCase installed somewhere other than the default location, you’ll need to update the section starting at line 23.
set encase_v6x32="C:\Program Files (x86)\EnCase6\EnCase.exe"
set encase_v6x64="C:\Program Files\EnCase6\EnCase.exe"
set encase_v7x32="C:\Program Files (x86)\EnCase7\EnCase.exe"
set encase_v7x64="C:\Program Files\EnCase7\EnCase.exe"
3. Save as "Start Encase.bat"
4. Just double click "Start Encase.bat" after connecting via RDP to the workstation.
Start Encase.bat:
@echo off
:: EnCase Starter from RDP Session
:: Author: ALG
:: DATE: 2013.03.06
:: Purpose: Fixes issue of EnCase starting in Acquisition Mode when executed from RDP Session
:: Caution: Requires User to Re-Login to RDP Session (user is not logged out)
:: Modified from http://community.spiceworks.com/how_to/show/873
:: and http://community.spiceworks.com/scripts/show/190-disconnect-terminal-services-session-remotely
:WinVersion
cls
echo ## Defining Windows Version
ver>"%temp%\ver.tmp"
find /i "6.0" "%temp%\ver.tmp">nul
if %ERRORLEVEL% EQU 0 goto ADMIN
find /i "6.1" "%temp%\ver.tmp">nul
if %ERRORLEVEL% EQU 0 goto ADMIN
:MENU1
title Choose EnCase Version to Start via RDP (Requires Reconnect to RDP Session)
:: EnCase Installations (Update to Install Location)
set encase_v6x32="C:\Program Files (x86)\EnCase6\EnCase.exe"
set encase_v6x64="C:\Program Files\EnCase6\EnCase.exe"
set encase_v7x32="C:\Program Files (x86)\EnCase7\EnCase.exe"
set encase_v7x64="C:\Program Files\EnCase7\EnCase.exe"
cls
echo 1: EnCase V6 (32-Bit) [%encase_v6x32%]
echo 2: EnCase V6 (64-Bit) [%encase_v6x64%]
echo 3: EnCase V7 (32-Bit) [%encase_v7x32%]
echo 4: EnCase V7 (64-Bit) [%encase_v7x64%]
echo ---------------------------------------
echo Type EnCase Version ID (above) or Full Path to EnCase.exe
echo Type R to refresh user list
echo Type Q to quit
echo.
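set input=R
:: Prompt for EnCase version or path
Set /P input=
:: Strip quotes so the comparisons below also work for typed paths containing spaces
set "input=%input:"=%"
if /I "%input%" EQU "Q" goto END
if /I "%input%" EQU "R" goto USERS
:: Do not store this in "path": that would overwrite the system PATH variable
set encase_path="%input%"
if "%input%" EQU "1" set encase_path=%encase_v6x32%
if "%input%" EQU "2" set encase_path=%encase_v6x64%
if "%input%" EQU "3" set encase_path=%encase_v7x32%
if "%input%" EQU "4" set encase_path=%encase_v7x64%
goto USERS
:USERS
title Users on Localhost
cls
qwinsta /server:localhost
echo.
echo Type Session ID of current RDP session
echo Type R to refresh user list
echo Type Q to quit
echo.
set input=R
:: Prompt for Session ID
Set /P input=
if /I "%input%" EQU "Q" goto END
if /I "%input%" EQU "R" goto USERS
set session=%input%
goto DISCON
:DISCON
title Disconnecting User
cls
:: Reattach the RDP session to the physical console; the session stays logged in and unlocked there
tscon %session% /dest:console
echo Disconnect in process
echo.
goto STARTER
:STARTER
cls
:: Start EnCase only if a version or path was chosen in the first menu
if defined encase_path START /b "" %encase_path%
exit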
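:ADMIN
cls
cd /d %systemroot%\System32
:: Being able to cd into System32 does not prove elevation; check for High Mandatory Level (SID S-1-16-12288) instead
whoami /groups | find "S-1-16-12288" >nul
if %ERRORLEVEL% EQU 0 goto MENU1
goto ERR1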
:ERR1
title Error
cls
echo This program requires Administrative Rights to run!
echo.
pause
goto END
:END
exit
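
The :USERS step asks you to read your own session ID off the qwinsta listing and type it in; a mistyped ID would hand someone else's session to the console. The script below finds the ID automatically. It is an added example, not part of the original script, and it assumes qwinsta marks the calling session with a leading ">" and that RDP session names begin with "rdp-tcp"; the sample row in its comment is constructed.

```batch
@echo off
setlocal EnableExtensions
:: Added example, not part of the original script.
:: qwinsta prefixes the row of the session that ran it with ">", e.g. (constructed):
::   >rdp-tcp#0         analyst                   2  Active  rdpwd
set "sessname="
set "session="
for /f "tokens=1,3" %%a in ('qwinsta ^| findstr /b /c:">"') do (
    set "sessname=%%a"
    set "session=%%b"
)
if not defined session (
    echo Could not find the current session in qwinsta output.
    exit /b 1
)
:: Accept digits only, so a shifted column can never reach tscon.
echo(%session%| findstr /r /x "[0-9][0-9]*" >nul
if errorlevel 1 (
    echo Unexpected session ID "%session%".
    exit /b 1
)
:: Only an RDP session needs redirecting; on the console EnCase starts normally.
if /i "%sessname:~0,8%" neq ">rdp-tcp" (
    echo Session %session% [%sessname:~1%] is not an RDP session; nothing to redirect.
    exit /b 2
)
echo Current RDP session ID: %session%
:: Hand the ID back to a calling script in %session%.
endlocal & set "session=%session%"
exit /b 0
```

When this is run with call from another batch file, a return code of 0 means %session% holds the ID that the tscon %session% /dest:console line expects.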