
Can't perform Agent collections after 10/29/2015 (AD Enterprise/AD Lab/FTK)

Created by: Eric Klipp

Problem

User cannot perform Agent collections in AD Enterprise after 10/29/2015.


Prerequisites

1) You must have AD Enterprise 5.4 or newer.

2) Before this fix is applied, the default Windows Admin share must be exposed, and AD Enterprise must have permissions to this folder. On Windows 8, 8.1, and 10, this folder is not shared by default. In order to share this folder, please run the attached .reg file (within the .zip) on the desired Agent machine(s).  

3) For best results, disable "Use Sharing Wizard" (under the Folder Options in Windows Explorer, in the View tab) on the desired Agent machine(s).

All four sections of instructions below (Update Your Examiners, Update Your Windows Agents, Update Your Non-Windows Agents, and Push the New Modules) must be followed to complete the fix.


Resolution

A) Update Your Examiners

On every AD Enterprise Examiner machine:


  1. Download the new Agent installers and modules package from the link below:

    Password: abc123!

  2. Open Windows Explorer.
  3. Navigate to the FTK "bin" folder (typically "C:\Program Files\AccessData\Forensic Toolkit\<version number>\bin").
  4. Rename the existing "Agent" folder to "Agent.old".
  5. Open the "Agent.zip" downloaded in Step 1.
  6. Copy the "Agent" folder inside the "Agent.zip" to the FTK "bin" folder (the folder hierarchy should be "bin\Agent\modules" if you copied the correct folder level).
  7. Open AD Enterprise Examiner.
  8. Open any project/case.
  9. Go to Tools > Configure Agent Push.
  10. Ensure "Path to trusted modules certificate" is pointing to "<FTK_Installation_Folder>\<version>\bin\Agent\modules\adata.p7b".
  11. Ensure "Path to agent modules" is pointing to "<FTK_Installation_Folder>\<version>\bin\Agent\modules".
  12. Click "OK".

Notes: If you have multiple versions of the Examiner on the same machine, you will need to follow the above steps for every version.
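The file operations in Steps 3 through 6 and the path checks in Steps 10 and 11, as an added PowerShell example (not AccessData's own tooling). It assumes Agent.zip has already been extracted with an archiver that accepts the password (Expand-Archive cannot open password-protected archives), and it also reads the validity dates out of the new adata.p7b so you can confirm the bundle you copied is not the expired one.

```powershell
# Added example: stage the new Agent folder into the FTK bin directory and check the
# module certificate's validity dates. Not AccessData's own tooling; paths are assumptions.
param(
    # Assumption: the FTK "bin" folder of the Examiner version being updated
    [string]$FtkBin = 'C:\Program Files\AccessData\Forensic Toolkit\<version number>\bin',
    # Assumption: the "Agent" folder already extracted from Agent.zip
    [string]$NewAgentDir = "$env:USERPROFILE\Downloads\Agent"
)
$ErrorActionPreference = 'Stop'

$agentDir = Join-Path $FtkBin 'Agent'
$oldDir   = Join-Path $FtkBin 'Agent.old'

# Check the source before touching the installation: the correct folder level
# has "modules\adata.p7b" directly beneath it.
$newP7b = Join-Path $NewAgentDir 'modules\adata.p7b'
if (-not (Test-Path $newP7b)) {
    throw "'$NewAgentDir' does not contain modules\adata.p7b (wrong folder level from Agent.zip?)"
}

# Step 4: keep the previous folder (with its expired certificate) as Agent.old for rollback
if (Test-Path $oldDir) { throw "'$oldDir' already exists; move it aside before re-running." }
if (Test-Path $agentDir) { Rename-Item -Path $agentDir -NewName 'Agent.old' }

# Steps 5-6: copy the new Agent folder so the hierarchy is bin\Agent\modules
Copy-Item -Path $NewAgentDir -Destination $agentDir -Recurse

# Steps 10-11: both paths the Examiner is configured with must now exist
$modulesDir = Join-Path $agentDir 'modules'
$p7b        = Join-Path $modulesDir 'adata.p7b'
foreach ($p in @($modulesDir, $p7b)) {
    if (-not (Test-Path $p)) { throw "Missing after copy: $p" }
}

# Read the certificates out of the PKCS#7 bundle and report validity. A NotAfter date
# in the past is the same condition that broke collections after 10/29/2015.
$certs = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection
$certs.Import($p7b)
$now = Get-Date
foreach ($c in $certs) {
    $state = if ($c.NotAfter -lt $now) { 'EXPIRED' }
             elseif ($c.NotBefore -gt $now) { 'NOT YET VALID' }
             else { 'valid' }
    '{0,-13} {1}  ({2:yyyy-MM-dd} to {3:yyyy-MM-dd})' -f $state, $c.Subject, $c.NotBefore, $c.NotAfter
}
if ($certs | Where-Object { $_.NotAfter -lt $now }) {
    Write-Warning "A certificate in $p7b has already expired; this is not the updated Agent package."
}
```

Run it once per installed Examiner version, changing only $FtkBin, since each version has its own bin\Agent folder.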

B) Update Your Windows Agents

Manual Installation:

You may choose to update your Agents manually by following Manually Uninstalling The Windows Enterprise Agent, rebooting, and then following Manually Installing The Windows Enterprise Agent. If you do this, make sure to use the new "AccessData Agent.msi" and "AccessData Agent (64-bit).msi" installers from the package downloaded above.

Remote Installation:

  1. Ensure you have already completed the above "Update Your Examiners" steps.
  2. Open AD Enterprise Examiner.
  3. Go to Tools > Push Agent.
  4. Add a list of any existing Agent machine(s) you wish to update, making sure to check the "Update the agent if it is present" option.
  5. Add the credentials of an account that has access to the administrative share (admin$) on the Agent machine(s).
  6. Click "OK" and allow the Agents to be updated (the existing Agents will be automatically uninstalled, and then the new Agent will be pushed).

C) Update Your Non-Windows Agents

Non-Windows Agents must be updated manually.

  1. Download the new non-Windows Agent installers from the link below:

    Password: abc123!

  2. Uninstall any existing Mac Agents with the steps at Manually Uninstalling The Mac Enterprise Agent.
  3. Install the new Mac Agents with the steps at Manually Installing The Mac Enterprise Agent, making sure to use the new installers downloaded in step 1.
  4. Uninstall any existing Unix/Linux Agents with the steps at Manually Uninstalling The Unix/Linux Enterprise Agent.
  5. Install the new Unix/Linux Agents with the steps at Manually Installing The Unix/Linux Enterprise Agent, making sure to use the new installers downloaded in step 1.

D) Push the New Modules

  1. Ensure you have already completed the above "Update Your Examiners" and "Update Your Agents" steps.
  2. Open AD Enterprise Examiner.
  3. Go to Evidence > Add Remote Data.
  4. Add any Agent machine(s) that you wish to update.
  5. For each Agent you wish to update, check the "Process Info" Volatile Data Job.
  6. Uncheck the "Acquire By Proxy" option and check the "Install or Update Agent Modules" option.
  7. Click "OK" and allow the job(s) to proceed.

Note: During this process, you may be prompted for credentials to push the Agent. This is only in case the Agent on the target is too old to work with the new modules, in which case the job would try to update the Agent first. If you know the Agent on the target has already been updated, and you do not have Administrator rights to the target, you can enter any credentials: once the job sees that the Agent is already current, it skips straight to pushing the new modules.


Cause

This is due to our module certificate (adata.p7b) expiring on 10/29/2015. The new Agents ship with the new module certificate.
