Triage User Guide 1.1

2012-09-18

Page Count: 91

AccessData
Triage

User Guide

Version: 1.1
Published: July 2011

AccessData Legal and Contact Information

Document date: July 26, 2011

Legal Information
©2011 AccessData Group, LLC All rights reserved. No part of this publication may be
reproduced, photocopied, stored on a retrieval system, or transmitted without the express
written consent of the publisher.
AccessData Group, LLC makes no representations or warranties with respect to the
contents or use of this documentation, and specifically disclaims any express or implied
warranties of merchantability or fitness for any particular purpose. Further, AccessData
Group, LLC reserves the right to revise this publication and to make changes to its content,
at any time, without obligation to notify any person or entity of such revisions or changes.
Further, AccessData Group, LLC makes no representations or warranties with respect to
any software, and specifically disclaims any express or implied warranties of
merchantability or fitness for any particular purpose. Further, AccessData Group, LLC
reserves the right to make changes to any and all parts of AccessData software, at any
time, without any obligation to notify any person or entity of such changes.
You may not export or re-export this product in violation of any applicable laws or
regulations including, without limitation, U.S. export regulations or the laws of the country
in which you reside.
AccessData Group, LLC.
384 South 400 West
Suite 200
Lindon, Utah 84042
U.S.A.
www.accessdata.com

AccessData Trademarks and Copyright Information
AccessData® is a registered trademark of AccessData Group, LLC.
Distributed Network Attack® is a registered trademark of AccessData Group, LLC.
DNA® is a registered trademark of AccessData Group, LLC.
Forensic Toolkit® is a registered trademark of AccessData Group, LLC.
FTK® is a registered trademark of AccessData Group, LLC.
Password Recovery Toolkit® is a registered trademark of AccessData Group, LLC.
PRTK® is a registered trademark of AccessData Group, LLC.
Registry Viewer® is a registered trademark of AccessData Group, LLC.
A trademark symbol (®, ™, etc.) denotes an AccessData Group, LLC. trademark. With few
exceptions, and unless otherwise notated, all third-party product names are spelled and
capitalized the same way the owner spells and capitalizes its product name. Third-party
trademarks and copyrights are the property of the trademark and copyright holders.
AccessData claims no responsibility for the function or performance of third-party products.
Third party acknowledgements:
FreeBSD® Copyright 1992-2011. The FreeBSD Project.
AFF® and AFFLIB® Copyright® 2005, 2006, 2007, 2008 Simson L. Garfinkel and
Basis Technology Corp. All rights reserved.
Copyright © 2005 - 2009 Ayende Rahien

Documentation Conventions
In AccessData documentation, a number of text variations are used to indicate meanings
or actions. For example, a greater-than symbol (>) is used to separate actions within a
step. Where an entry must be typed in using the keyboard, the variable data is set apart
using [variable_data] format. Steps that require the user to click on a button or icon are
indicated by Bolded text. This Italic font indicates a label or non-interactive item in the
user interface.
A trademark symbol (®, ™, etc.) denotes an AccessData Group, LLC. trademark. Unless
otherwise notated, all third-party product names are spelled and capitalized the same way
the owner spells and capitalizes its product name. Third-party trademarks and copyrights
are the property of the trademark and copyright holders. AccessData claims no
responsibility for the function or performance of third-party products.

Registration
The AccessData product registration is done at AccessData after a purchase is made, and
before the product is shipped. The licenses are bound to either a USB security device, or a
Virtual CmStick, according to your purchase.

Subscriptions
AccessData provides a one-year licensing subscription with all new product purchases.
The subscription allows you to access technical support, and to download and install the
latest releases for your licensed products during the active license period.
Following the initial licensing period, a subscription renewal is required annually for
continued support and for updating your products. You can renew your subscriptions
through your AccessData Sales Representative.
Use LicenseManager to view your current registration information, to check for product
updates and to download the latest product versions, where they are available for
download. You can also visit our web site, www.accessdata.com anytime to find the latest
releases of our products.
For more information, see Managing Licenses in your product manual or on the
AccessData web site.

AccessData Contact Information
Your AccessData Sales Representative is your main contact with AccessData Group, LLC.
Also, listed below are the general AccessData telephone number and mailing address, and
telephone numbers for contacting individual departments.

Mailing Address and General Phone Numbers
You can contact AccessData in the following ways:

TABLE Contact-1 AD Mailing Address, Hours, and Department Phone Numbers
Corporate Headquarters:

AccessData Group, LLC.
384 South 400 West
Suite 200
Lindon, UT 84042 USA
Voice: 801.377.5410
Fax: 801.377.5426

General Corporate Hours:

Monday through Friday, 8:00 AM – 5:00 PM (MST)
AccessData is closed on US Federal Holidays

State and Local
Law Enforcement Sales:

Voice: 800.574.5199, option 1
Fax: 801.765.4370
Email: Sales@AccessData.com

Federal Sales:

Voice: 800.574.5199, option 2
Fax: 801.765.4370
Email: Sales@AccessData.com

Corporate Sales:

Voice: 801.377.5410, option 3
Fax: 801.765.4370
Email: Sales@AccessData.com

Training:

Voice: 801.377.5410, option 6
Fax: 801.765.4370
Email: Training@AccessData.com

Accounting:

Voice: 801.377.5410, option 4

Technical Support
Free technical support is available on all currently licensed AccessData products.
You can contact AccessData Customer and Technical Support in the following ways:

TABLE Contact-2 AD Customer & Technical Support Contact Information
Domestic Support Americas/Asia-Pacific
Standard Support:

Monday through Friday, 5:00 AM – 6:00 PM (MST), except
corporate holidays.
Voice: 801.377.5410, option 5
Voice: 800.658.5199 (Toll-free North America)
Email: Support@AccessData.com

After Hours Phone Support:

Monday through Friday 6:00 PM to 1:00 AM (MST), except
corporate holidays.
Voice: 801.377.5410, option 5

After Hours Email-only Support:

Monday through Friday 1:00 AM to 5:00 AM (MST), except
corporate holidays.
Email: afterhours@accessdata.com

International Support Europe/Middle East/Africa
Standard Support:

Monday through Friday, 8:00 AM – 5:00 PM (UK-London),
except corporate holidays.
Voice: +44 207 160 2017 (United Kingdom)
Email: emeasupport@accessdata.com

After Hours Support:

Monday through Friday, 5:00 PM to 1:00 AM (UK/London),
except corporate holidays.
Voice: 801.377.5410 Option 5*.

After Hours Email-only Support:

Monday through Friday, 1:00 AM to 5:00 AM (UK/London),
except corporate holidays.
Email: afterhours@accessdata.com

Other
Web Site:

http://www.AccessData.com/Support
The Support web site allows access to Discussion Forums,
Downloads, Previous Releases, our Knowledgebase, a
way to submit and track your “trouble tickets”, and in-depth
contact information.

AD SUMMATION

Americas/Asia-Pacific:
800.786.2778 (North America).
415.659.0105.
Email: support@summation.com

Standard Support:

Monday through Friday, 6:00 AM – 6:00 PM (PST), except
corporate holidays.

After Hours Support:

Monday through Friday by calling 415.659.0105.

After Hours Email-only Support:

Between 12am and 4am (PST) Product Support is
available only by email at afterhours@accessdata.com.

AD Summation CaseVault

866.278.2858
Email: support@casevault.com
Monday through Friday, 8:00 AM – 6:00 PM (EST), except
corporate holidays.

AD Summation Discovery Cracker

866.833.5377
Email: dcsupport@accessdata.com

Support Hours:

Monday through Friday, 7:00 AM – 7:00 PM (EST), except
corporate holidays.

Note: All support inquiries are typically responded to within one business day. If there is
an urgent need for support, contact AccessData by phone during normal business
hours.

Documentation
Please email AccessData regarding any typos, inaccuracies, or other problems you find
with the documentation:
documentation@accessdata.com

Professional Services
The AccessData Professional Services staff comes with a varied and extensive
background in digital investigations including law enforcement, counter-intelligence, and
corporate security. Their collective experience in working with both government and
commercial entities, as well as in providing expert testimony, enables them to provide a full
range of computer forensic and eDiscovery services.
At this time, Professional Services provides support for sales, installation, training, and
utilization of FTK, FTK Pro, Enterprise, eDiscovery, and Lab. They can help you resolve
any questions or problems you may have regarding these products.

Contact Information for Professional Services
Contact AccessData Professional Services in the following ways:

TABLE Contact-3 AccessData Professional Services Contact Information
Contact Method

Number or Address

Phone

Washington DC: 410.703.9237
North America: 801.377.5410
North America Toll Free: 800-489-5199, option 7
International: +1.801.377.5410

Email

adservices@accessdata.com


Table of Contents

AccessData Legal and Contact Information
  Legal Information
  AccessData Trademarks and Copyright Information
  Documentation Conventions
  Registration
    Subscriptions
  AccessData Contact Information
    Mailing Address and General Phone Numbers
    Technical Support
    Documentation
  Professional Services
    Contact Information for Professional Services
Table of Contents
Introduction
  About AD Triage
  Components of AD Triage
Installation
  Prerequisites
    Software Requirements
    Hardware Requirements
  Installing AD Triage Admin
Getting Started
  Launching AD Triage Admin
  Admin User Interface Overview
    Triage Admin Main Window
    Manage Collections Dialog
    Manage Licenses Dialog
    Profiles Dialog
    File Filtering Dialog
    Regular Expression Dialog
    Keywords Dialog
    Hash Filter Dialog
    Default Collector Wizard Dialog
    Custom Collector Wizard Dialog
    Manage Triage Devices Dialog
  Collection Interface Overview
Performing Basic Triage Tasks
  About Triage Profiles
    Creating a Profile
  Managing Licenses
  Creating a Triage USB Device
    Creating a Standard Triage Device
    Creating a Custom Triage Device
  Creating a Bootable Disc
  About Collecting Data on a Target System
    Collecting Data from a Live System
    Booting AD Triage on a Target System
    Automatically Collecting Data on a Target System
    Manually Collecting and Exporting Data on a Target System
  Saving Collected Data
  Managing Saved Collections
    Filtering Saved Collections
    Reviewing Saved Collections
    Generating Reports for Saved Collections
Performing Advanced Triage Tasks
  Advanced Profile Tasks
    Copying a Profile
    Editing a Profile
    Deleting a Profile
  About Custom Filters
    Creating a Custom Filter
    Creating a Keyword Group
    Creating a Hash Group
    Creating a Regular Expression Group
  Advanced Saved Collections Tasks
    Exporting Saved Collections
    Deleting a Saved Collection
    Importing a Saved Collection
    Recovering a Remote Collection
  Using the Triage Receiver
    Mounting to a Remote Share
Appendix A Managing Security Devices and Licenses
  AccessData Product Licenses
    Installing and Managing Security Devices
  Installing LicenseManager
    Starting LicenseManager
    Using LicenseManager
    Updating Products
    Sending a Dongle Packet File to Support
  Virtual CodeMeter Activation Guide
    Introduction
    Preparation
    Setup for Online Systems
    Setting up VCM for Offline Systems
    Creating a Virtual CM-Stick with Server 2003/2008 Enterprise Editions
    Additional Instructions for AD LAB WebUI and eDiscovery
    Virtual CodeMeter FAQs
  Network License Server (NLS) Setup Guide
    Introduction
    Preparation Notes
    Setup Overview
    Network Dongle Notes
    NLS Server System Notes
    NLS Client System Notes

Introduction

About AD Triage
AD Triage is designed to collect and review data/artifacts from a live or powered down
target system and facilitate the transfer of that data to an administrator system. An AD1
logical image of the system’s artifacts can then be written to the destination of your choice.
From there, the data can be decrypted and imported into the administrator’s interface for
further review and reporting or can be consumed by FTK for more advanced analysis.

Components of AD Triage
AD Triage is made up of two interfaces: the Admin interface and the Collection interface.
The Admin interface is what you install on your machine. You will use this interface to
review and store all the data that you collect.
The Collection interface is what you boot to on the target system. You can use this
interface to collect and export data to a USB device or a specified computer on the same
network as the target system.

Installation

This chapter contains all the information you need to install AD Triage.

Prerequisites
Before you install AD Triage, you must have the following items:
- A CodeMeter dongle that is licensed for AD Triage (see Appendix A Managing Security
  Devices and Licenses page 51)
- CodeMeter Runtime 4.2 installed on your system
- Microsoft .NET 3.5 SP1

Software Requirements
To run AD Triage, in addition to the hardware requirements, you need the following:
- An additional license with separate installation.
- Microsoft Windows OS platform on which AD Triage operates as a standalone product.
- AccessData FTK installed on your machine (if you intend to add the imaged data to a
  case for further investigation).
Images created by AD Triage are AccessData-proprietary AD1-type images. AD1 images
can be imported back into AD Triage, and can be added as evidence to a case in any AD
FTK-core product.

Hardware Requirements
AD Triage requires the following additional hardware:
- USB ports on your machine.
- CodeMeter USB or Virtual CmStick (with current licenses installed).
- A USB device for each profile you create in AD Triage.

Installing AD Triage Admin
To install AD Triage Admin
1. Insert the installation disk into the CD/DVD drive.
2. Open the file for the installation disk.
3. Run the SETUP.EXE file.
FIGURE 2-1 Welcome Screen

4. In the Installation Wizard, click Next.

FIGURE 2-2 End-User License Agreement

5. Mark the I accept the terms in the License Agreement and click Next.

FIGURE 2-3 Select Installation Folder Screen

6. Browse to the location where you want to save your program files, select whether you
want to install AD Triage for all users or just for the current user, and click Next.

FIGURE 2-4 Confirm Installation Screen

7. Click Install to begin the installation.

FIGURE 2-5 Installation Complete Screen

8. Click Finish to close the installation wizard.

Getting Started

This chapter introduces you to the features and interface of the Admin and Collection
interfaces.

Launching AD Triage Admin
To launch AD Triage Admin
Select Start > Programs > AccessData > ADTriage > ADTriageAdmin.exe.
The Triage Admin window opens.

Admin User Interface Overview
This section describes the elements of the Admin console. Use the following sections as a
reference when using the Admin interface.

Triage Admin Main Window
The Triage Admin main window is the first thing you see when you open Triage (see
Launching AD Triage Admin page 6). You can use the Admin main window to set up
devices, create custom collection agent profiles, customize filters for profiles, manage
licenses, and manage saved collections. Use the following figure and table to understand
the elements found in the Triage Admin main window.

FIGURE 3-1 Triage Admin Main Window

TABLE 3-1 Elements of the Triage Admin Main Window
Interface Element

Description

Admin Tab

The following options are available on the Admin
tab:
- Manage Saved Collections (see Manage Collections Dialog page 8)
- Manage Licenses (see Manage Licenses
  Dialog page 9)

Devices Tab

The following options are available on the
Devices tab:
- Standard Triage Device (see Default Collector
  Wizard Dialog page 14)
- Custom Triage Device (see Custom Collector
  Wizard Dialog page 15)
- Manage Triage Devices (see Manage Triage
  Devices Dialog page 16)

Configure Tab

The following options are available on the
Profiles tab:
- Manage Profiles (see About Triage Profiles
  page 20)
- Manage Custom Filters (see About Custom
  Filters page 41)
- RegEx Groups (see Default Collector Wizard Dialog page 14)
- Keyword Groups (see Regular Expression
  Dialog page 12)
- Hash Groups (see Hash Filter Dialog
  page 13)

Manage Collections Dialog
Open the Manage Collections dialog by clicking the Manage Saved Collections button on
the Admin tab. Use the following figure and table to understand the elements in the
Manage Collections dialog.

FIGURE 3-2 Manage Collections Dialog

TABLE 3-2 Elements of the Manage Collections Dialog
Interface Element

Description

Manage Collections Pane

Lists recent actions performed in the Triage
Admin main window. Click the column headings
to sort by column. Double-click the ID number to
open the evidence file.

Review Collection Button

Click to open the Recover Evidence dialog (see
Reviewing Saved Collections page 36).

Generate Report Button

Click to open the Generate Reports dialog (see
Generating Reports for Saved Collections
page 37).

Import Collection Button

Click to import a collection from file (see
Importing a Saved Collection page 47).

Recover Remote Collection Button

Click to import a collection that was saved on a
remote directory (see Recovering a Remote
Collection page 47).

Export Collection Button

Click to create an AD1 image of the evidence
(see Exporting Saved Collections page 46).

Delete Collection Button

Click to delete the selected evidence from the
profile (see Deleting a Saved Collection page 47).

Profile Name Field

Enter text to filter the Manage Collections pane
by the Profile Name column.

Case Name Field

Enter text to filter the Manage Collections pane
by the Case Name column.

Agent Name Field

Enter text to filter the Manage Collections pane
by the Agent Name column.

Reset Collection View

Click to remove filters and return to the default
collection view.

Use Dates Below for Filtering Check Box

Check to filter the Manage Collections pane by
selected date range.
Search Button

Click to filter the Manage Collections pane by the
criteria you entered.

Manage Licenses Dialog
Open the Manage Licenses dialog by clicking the Manage Licenses button on the Admin
tab. Use the following figure and table to understand the elements in the Manage Licenses
dialog.

FIGURE 3-3 Manage Licenses Dialog

TABLE 3-3 Elements of the Manage Licenses Dialog

Dongle ID

Lists the number for the CodeMeter used for AD
Triage.

Licensed Device Count Max

Lists the number of licenses for separate
devices. Only visible if you signed up for a
limited number of device licenses, but an unlimited
number of recoveries.

Available License Count

Lists the number of licenses still available for
use. Only visible if you signed up for a limited
number of device licenses, but an unlimited number
of recoveries.

Upper Device Pane

Lists the devices currently in use.

Un-License Device Button

Click to remove the license from the selected
device.

Re-License Device Button

Click to reattach a license to the selected device.

Lower Device Pane

Lists un-licensed devices that are connected to
the computer.

License Device Button

Click to attach a license to the selected device
(see Managing Licenses page 23).

Refresh Button

Click to refresh the lists of devices.

Profiles Dialog
Open the Profiles dialog by clicking the Manage Profiles button on the Configure tab. Use
the following figure and table to understand the elements in the Profiles dialog.

FIGURE 3-4 Profiles Dialog

TABLE 3-4 Elements of the Profile Dialog

Profile Pane

Lists the current profiles.

Copy Profile Button

Click to copy the selected profile.

Edit Profile Button

Click to edit the selected profile.

Delete Profile Button

Click to delete the selected profile.

Create New Profile Button

Click to create a new profile (see Creating a
Profile page 20).

File Filtering Dialog
Open the File Filtering dialog by clicking the Manage Custom Filters button on the
Configure tab. Use the following figure and table to understand the elements in the File
Filtering dialog.

FIGURE 3-5 File Filtering Dialog

TABLE 3-5 Elements of the File Filtering Dialog
Interface Element

Description

Existing Filters Pane

Lists the existing filters. Click the column header
to sort the list by that column.

Create New Filter Button

Click to create a new custom filter (see Creating
a Custom Filter page 41).

Delete Filter Button

Click to delete the selected filter.

Update Profile Button

Click to add the selected filter to a profile.

Copy Filter Button

Click to copy the selected filter.

Edit Filter Button

Click to edit the selected filter.

Import Filter Button

Click to import a filter from a file.

Export Filter Button

Click to export the selected filter.

Regular Expression Dialog
Open the Regular Expression dialog by clicking the RegEx Groups button on the
Configure tab. Use the following figure and table to understand the elements in the Regular
Expression dialog.

FIGURE 3-6 Regular Expression Dialog

TABLE 3-6 Elements of the Regular Expression Dialog
Interface Element

Description

Regular Expression Pane

Lists existing groups.

Copy Group Button

Click to copy the selected group.

Edit Group Button

Click to edit the selected group.

Import Group Button

Click to import a group from file.

Export Group Button

Click to export the selected group to a file.

Add to Filters Button

Click to add filters to the selected group.

Delete Group Button

Click to delete the selected group.

Create New Group Button

Click to create a new Regular Expression group
(see Creating a Regular Expression Group
page 45).

Keywords Dialog
Open the Keywords dialog by clicking the Keyword Groups button on the Configure tab.
Use the following figure and table to understand the elements in the Keywords dialog.

FIGURE 3-7 Keywords Dialog

TABLE 3-7 Elements of the Keywords Dialog
Interface Element

Description

Keywords Pane

Lists existing filters.

Copy Group Button

Click to copy the selected group.

Edit Group Button

Click to edit the selected group.

Import Group Button

Click to import a filter from file.

Export Group Button

Click to export a group to a file.

Add to Filter Button

Click to add filters to the selected group.

Delete Group Button

Click to delete the selected group.

Create New Group Button

Click to create a new Keyword group (see
Creating a Keyword Group page 44).

Hash Filter Dialog
Open the Hash Filter dialog by clicking the Hash Groups button on the Configure tab. Use
the following figure and table to understand the elements in the Hash Filter dialog.

FIGURE 3-8 Hash Filter Dialog

TABLE 3-8 Elements of the Hash Filter Dialog
Interface Element

Description

Hash Filter Pane

Lists existing groups. Click the column header to
sort the list by that column.

Copy Group Button

Click to copy the selected group.

Edit Group Button

Click to edit the selected group.

Import Group Button

Click to import a group from an existing file.

Export Group Button

Click to export the selected group to a file.

Add to Filters Button

Click to add filters to the selected group.

Delete Group Button

Click to delete the selected group.

Create New Group Button

Click to create a new Hash Filter Group (see
Creating a Hash Group page 45).

Default Collector Wizard Dialog
Open the Default Collector Wizard dialog by clicking the Standard Triage Device button
on the Devices tab of the Admin window. Use this dialog to apply the Default profile to a
licensed USB device (see Creating a Standard Triage Device page 25). Use the following
figure and table to understand the elements in the Default Collector Wizard dialog.


FIGURE 3-9 Default Collector Wizard Dialog

TABLE 3-9 Elements of the Default Collector Wizard Dialog
Interface Element: Description
Case Name Field: Enter the name of the case (optional).
Agent Name Field: Enter the name of the agent (optional).
Select USB Device Pane: Select the USB device to which you want to apply the Default profile.
Refresh List Button: Click to refresh the list of available devices.
Auto-Start Collection Check Box: Check to automatically start collection when booting to the target system.
Auto-Export Collection Check Box: Check to automatically export collected data to the USB device.
Finish Button: Click to make the selected USB device a Triage device.

Custom Collector Wizard Dialog
Open the Custom Collector Wizard dialog by clicking the Custom Triage Device button on
the Devices tab of the Admin window. Use this wizard to apply one of your custom profiles
to a licensed USB device (see Creating a Standard Triage Device page 25).


FIGURE 3-10 Custom Collector Wizard Dialog

Manage Triage Devices Dialog
Open the Manage Triage Devices dialog by clicking the Manage Triage Devices button on
the Devices tab of the Admin window. Use this window to save collected evidence, review
collected evidence, generate reports, and delete collected evidence (see Saving Collected
Data page 34). Use the following figure and table to understand the elements in the
Manage Triage Devices dialog.


FIGURE 3-11 Manage Triage Devices Dialog

TABLE 3-10 Elements of the Manage Triage Devices Dialog
Devices Pane: Lists the connected Triage USB Devices.
Refresh Triage Devices Button: Click to refresh the Devices pane.
Profile on Triage Device: Lists the name of the profile on the selected Triage device.
Collection Pane: Lists the Case Name, Agent Name, Profile Name, Collection Size, and Collection Retrieved Date for each collection on the selected Triage device.
Save Collection Button: Click to save the selected collection in the Triage files.
Review Collection Button: Click to review the selected collection.
Generate Report Button: Click to generate a report of the selected collection.
Delete Collection Button: Click to delete the selected collection from the USB device.
Evidence Pane: Lists file sizes for the selected USB device.
Format Drive Button: Click to reformat the selected USB device. This will delete all existing data on the device.
License Count: Appears at the bottom of the dialog if your license allows an unlimited number of devices but a limited number of recoveries. The counts of total and available licenses are listed here.


Collection Interface Overview
The Collection interface is what you see when you are collecting data on a target
system. You can either boot this interface from a shutdown system or launch the interface
from a Triage USB device on a live system. Use the following sections as a guide when
working with the Collection interface.
About Collecting Data on a Target System page 28
Collecting Data from a Live System page 29
Booting AD Triage on a Target System page 29
Automatically Collecting Data on a Target System page 30
Manually Collecting and Exporting Data on a Target System page 30
Use the following figure and table to understand the elements of the Triage Collection
interface.

FIGURE 3-12 Collection Interface Profile Tab

The tabs of the Collection interface can appear in the following colors:
Black: Indicates that collection has not yet begun.
Orange: Indicates that collection is in process.
Green: Indicates that collection is complete.
Red: Indicates that user action is still required.

TABLE 3-11 Elements of the Collection Interface
Case Name: Name saved to the Triage USB device when it was created.
Profile: Name of the profile applied to the Triage USB device.
Select Windows System Partition Drop-down: Expand drop-down to select a Windows system partition.
Select Users for User-specific Action Data Pane: Check the items from which you want to collect data.
Play Button: Click to start collection.
Action Pane: Lists the actions that will be performed during collection.
Log of Profile Runs Pane: Lists the date and time information for actions performed during collection.
Browser Tab: Displays the status of collection of Browser files.
Files Tab: Displays the status of collection of computer files.
Software Tab: Displays the status of collection of software files.
System Tab: Displays the status of collection of system files.
Network: Displays the status of collection of network files.
Browse System Tab: Click to select specific collected data and create AD1 and RAW files.
Evidence Tab: Click to export collected data, or to view the status of exported collected data.
Settings Tab: Click to view and edit the settings of the Collection interface.
Exit: Click to close the Collection interface.


Performing Basic Triage Tasks

This chapter explains the basic tasks that you can perform with Triage.

About Triage Profiles
Triage profiles allow you to hold and track all the collections for a single case. You can
create a new profile for every case and collect multiple target systems for each profile.
You can only have one profile on a USB device at a time. You must have a different USB
device for every profile.

Creating a Profile
Profiles are used to hold collections. Profiles can contain multiple collections. You can
create a new profile for each of your cases.

To create a profile
1. Open the AD Triage Admin main window (see Launching AD Triage Admin page 6).
2. Select the Configure tab.
FIGURE 4-1 AD Triage Admin Main Window Configure Tab


3. Click Manage Profiles (see Profiles Dialog page 10).
4. In the Profiles dialog, click Create New Profile.

FIGURE 4-2 Custom Profile Wizard Welcome Screen

5. Click Next.

FIGURE 4-3 Custom Profile Wizard Profile Name Screen

6. In the Profile Name screen, enter a name and description for the profile and then click
Next.


FIGURE 4-4 Custom Profile Wizard Standard Actions Screen

7. In the Standard Actions screen, check the actions from the default list that you want the
profile to perform during collection and then click Next.
Note: All standard actions are selected by default.

FIGURE 4-5 Custom Profile Wizard Custom File Filters Screen

8. In the Custom File Filters screen, check the custom filters that you want the profile to
apply during collection and then click Next.
Note: You may, at this time, create a custom filter by clicking the Create Your Own
Filter button. See Creating a Custom Filter page 41 for more information on how
to do this.


FIGURE 4-6 Custom Profile Wizard Review Selections Screen

9. In the Review Selections screen, review the actions you have selected to ensure that
you want them applied to the profile. If you want to remove any of the actions, highlight
the item and click the Remove button.
10. Click Finish.
11. Click Yes.

Managing Licenses
Before you can apply a profile to a device for collection, you must first license the device.
You can use one license per device and one profile per device.
See Appendix A Managing Security Devices and Licenses page 51.
Note: Though you can only apply one profile to a device, devices can carry multiple
collections.
Triage provides a single licensed USB device. There is no limit to the number of collections
or the volume of data per collection.
Note: Multiple licenses can be associated with a single admin console for large
organizations.
If you have a license that limits the number of USB devices you can license, the available
license count appears at the top of the Manage Licenses dialog.


Note: If you run out of licenses for USB devices, contact the AccessData sales team for
information on how to get more licenses.

To license a device
1. On the Admin tab, click Manage Licenses (see Manage Licenses Dialog page 9).
2. In the Manage Licenses dialog, select the device you want to license from the lower
pane and click License.
FIGURE 4-7 Format Triage Device Dialog

3. In the Format Triage Device dialog, name the USB device in the Volume Label field.
4. Click the Format! button.

Triage will format the device. You can view the status of the device in the Status pane.
If an error occurs, follow the steps in the Status pane and attempt the format again. Or,
check Also Re-Partition Device and try to format the device again if formatting fails.
Formatting does the following things to the USB device:
Formats the device as a single NTFS partition
Makes the device bootable
Adds a license file
Important: Formatting a USB device will remove all media currently on the device.
Make sure that you don’t have any wanted data on the USB device. You cannot
save more than one profile to a USB device. Each profile must have its own
device. However, you can collect multiple target systems to one USB device.
Note: Formatting the device makes the device bootable. So, when booting to a target
system, you can boot to the USB device and it will run the Triage collection
console. (See Booting AD Triage on a Target System page 29 for more
information on booting to a USB device.)
5. Click OK.
The USB device should now appear in the upper license pane of the Manage License
dialog.


Creating a Triage USB Device
When you create a Triage USB device, you save the profile and all of the actions
associated with the profile to the USB device. This allows you to collect data from a target
system using the criteria you set up on the selected profile.
There are two types of Triage device creation:
Standard Triage Device: This uses the Default profile automatically.
Custom Triage Device: This allows you to select a profile to save to the device.
Note: You can only create Triage USB devices using devices that you have already
licensed. See Managing Licenses page 23 for information on how to license your
device.

Creating a Standard Triage Device
The Standard Triage Device option uses the Default profile when initializing the USB
device. Any actions applied to the Default profile will be applied to the USB device. There
can only be one profile on a device at a time. Putting a new profile on a device with an
existing profile will delete any data you have on the device.
You can change the Default profile by using the Manage Profiles feature (see About Triage
Profiles page 20).
Note: Although you can edit the Default profile, you cannot change the name of the profile.

To create a standard USB device
1. In the AD Triage main window, click on the Devices tab.
2. Click on the Standard Triage Devices button (see Default Collector Wizard Dialog
page 14).
3. In the Default Collector Wizard dialog, enter a Case Name and Agent Name (optional).
4. Select the USB device that you want to make into a Triage device.
Note: If you do not see the device that you are looking for, ensure that the device is
attached to the computer. Then, ensure that the device is licensed (see Managing
Licenses page 23).
5. Check Auto-start collection if you want Triage to automatically collect data on the
target system upon start up.
Note: When a user selects the Auto-Start option, and the target has multiple partitions,
the Triage Agent will use the Registry from the partition with the most used space
and will use all partitions when performing custom file searches.
6. Check Auto-export if you want Triage to automatically export collected data to the
USB device.
7. Check Include File Slack Space to include slack-space on files during collection.
8. Check Include Deleted Files to include deleted files during collection.
9. Click Finish.
Note: If you already have a profile on the device, a message appears asking you if you
want to copy over the existing profile. Click Yes to delete the existing profile on the
device and apply the new one.
10. In the confirmation message that appears, click OK.

Creating a Custom Triage Device
The Custom Triage Device option allows you to select a custom profile that you want to
use for the USB device.


To create a custom USB device
1. In the AD Triage main window, click on the Devices tab.
2. Click on the Custom Triage Devices button.
FIGURE 4-8 Custom Collector Wizard Welcome Screen

3. In the Custom Collector Wizard Welcome screen, click Next.

FIGURE 4-9 Custom Collector Wizard Select Profile Screen

4. In the Select Profile screen, select the profile that you want to use during collection.


FIGURE 4-10 Custom Collector Wizard Review Triage Device Configuration Screen

5. Review the Triage device configuration and click Next.

FIGURE 4-11 Custom Collector Wizard Select Triage Device Screen

6. In the Select Triage Device screen, enter a Case Name and Agent Name for the
device.
7. Select the USB device that you want to make into a Triage device.
Note: If you do not see the device that you are looking for, ensure that the device is
attached to the computer. Then, ensure that the device is licensed (see Managing
Licenses page 23).


8. Check Auto-start collection if you want Triage to automatically collect data on the
target system upon start up.
Note: When a user selects the Auto-Start option, and the target has multiple partitions, the
Triage Agent will use the Registry from the partition with the most used space and
will use all partitions when performing custom file searches.
9. Check Auto-export if you want Triage to automatically export collected data to the
USB device.
10. Check Include File Slack Space to include slack-space during collection.
11. Check Include Deleted Files to include deleted files during collection.
12. Click Next.

FIGURE 4-12 Custom Collector Wizard Finished Screen

13. Click Finish.

Creating a Bootable Disc
If you are collecting data in the field, it is important to have not only a bootable USB device,
but also a bootable copy of the Triage ISO on a disk. It is recommended that you use a disc
burning application to burn the Triage ISO to a disc. Use the ADTriageBootable.iso (found
on the disc you received with your software) to create a bootable disc.

About Collecting Data on a Target System
When you collect data on a Target System, you must have a USB device that is formatted
as a Triage USB device. You must perform the steps in Managing Licenses page 23 and
Creating a Triage USB Device page 25 to have a USB device that will collect data on a
target system.
Additionally, if you are collecting data in the field, it is recommended that you burn the
Triage ISO to a disk, and use the disk in the event that you cannot boot to your USB
device. See Creating a Bootable Disc on page 28.


Once you have completed those tasks, you are ready to collect data on a target system.
Triage is designed to collect data from a shut down or live system.
To collect data from a live system, see Collecting Data from a Live System page 29.
To perform a collection from a shut down system, you must first make the target system
boot to the USB device or a bootable CD/DVD. See Booting AD Triage on a Target System
page 29 for information on how to boot to the USB or CD/DVD drive.
After you have set the target system to boot to the USB device or CD/DVD drive, you can
then restart the system and collect data. See Automatically Collecting Data on a Target
System page 30 for information on what occurs during automatic collection.

Collecting Data from a Live System
You can use Triage to collect data from a live target system. To do this, you must have a
bootable USB device or bootable Triage disk. Use the following sections for information on
how to obtain these items:
Managing Licenses page 23
Creating a Triage USB Device page 25
Creating a Bootable Disc page 28

To collect data on a live system
1. Insert the Triage USB device into the target system.
2. Do one of the following:
In the Windows prompt, select to run AD Triage.
Open the devices folder and run the TriageAgent.
3. In the Collection window, perform one of the following tasks:
Data will automatically be collected and exported if you selected Auto-Start
Collection and Auto-Export Collection. See Automatically Collecting Data on a
Target System page 30.
Manually collect the data from the target system. See Manually Collecting and
Exporting Data on a Target System page 30.

Booting AD Triage on a Target System
You can use Triage to collect data from a shut down system, but to do this, you will need to
boot the system to a Triage USB device, or a Triage disk. Use the following sections for
information on how to obtain these items:
Managing Licenses page 23
Creating a Triage USB Device page 25
Creating a Bootable Disc page 28
This section describes how to set up the target system to boot to the USB device or disk.

To boot AD Triage on a target system
1. Insert the bootable disk or bootable USB device. (See Creating a Bootable Disc
page 28 for more information on how to make a bootable disk.)
2. Start the target system and enter the BIOS.
Note: On Intel system boards, press F2 or F12 during start up to enter the BIOS. On
non-Intel systems, press Delete or Esc during start up to enter the BIOS.
3. Edit the BIOS boot sequence to one of the following:
Make the CD/DVD drive boot before the hard drive if you are booting using a disk.
Make the USB boot before the hard drive if you are booting using the USB device
(see Managing Licenses page 23 for making a bootable USB device).


4. Save and exit the BIOS.
Note: Press CTRL > ALT > Delete if the system has trouble booting. If this does not
work, hold down the power button for 4 to 5 seconds.

Automatically Collecting Data on a Target System
The following steps occur after you have set the target system to boot to the USB device or
CD/DVD drive, and you have restarted the target system:
1. The target system boots into Windows.
2. The AD Triage collection application launches.
3. AD Triage detects drives.
4. AD Triage collects the data for the profile on the USB device (if Auto-Start Collection
was selected when creating a Triage USB).
5. AD Triage exports the data to the USB device (if Auto-Export Collection was selected
when creating a Triage USB).
6. Close the Collection window and shut down the system.

Manually Collecting and Exporting Data on a Target System
If you did not check Auto-start collection when you created your Triage USB device, you
will need to manually start collection when on the target system.

To manually collect data from a target system
1. After setting up the target system to boot to the USB device or CD/DVD drive, restart
the computer.
The AD Triage Collections window opens.
Note: If the screen says that No Profiles Were Found, ensure that the licensed USB
(with a profile on it) is connected and click the Refresh Drives button on the
Settings tab.


FIGURE 4-13 Collection Interface

2. Click the play button on the Profiles tab.
Collection begins. You can identify the progress of the collection by the colors of the
words on the tabs. Green indicates that the action has been completed.
Note: If you checked Auto-Start Collection when creating a Triage USB device,
AD Triage will automatically collect data on the target system upon boot up, and
the play button will not be available.


FIGURE 4-14 Collection Interface Browse System Tab

3. After collection is complete, you can select the Browse System tab and select the
specific system drives that you want to acquire and click Queue for Export (optional).

FIGURE 4-15 Queue Manual Item for Export Dialog

3a. In the Queue Manual Item for Export dialog, do one of the following (optional):
In the Logical Acquisition group box, click Queue Logical Image to capture the
selected files as an AD1 image. Exit the dialog.
In the Physical Acquisition group box, select the Output Type (E01, SMART, or
RAW) and Compression Level that you want to acquire and click Queue
Physical Image to create a physical evidence item. Exit the dialog.


4. If there is data that has not been exported, the Evidence tab appears in red. Click on
the Evidence tab.

FIGURE 4-16 Collection Interface Evidence Tab

5. All data that still needs to be exported appears in the Pending Export pane. Select the
items you want to export, select the location where you want to export the data, and
click Export Now!.
Collected data and AD1 files are exported to the selected device/location. Data that
was successfully exported appears in the Successfully Exported pane. When all the
evidence has been exported, the Evidence tab appears in green.
6. After you have exported your data, you can pre-calculate the estimated size of the
export to determine the actual required destination storage size. But, pre-calculation
can take a long time, so it should only be used when necessary. Click Pre-Calculate
Size to perform this task.
7. Click Exit to close the Collection window. If you have not exported all your evidence,
you will be alerted that you have pending evidence.
8. Shut down the system.
Note: Remember to reset the BIOS on the target system to boot from the hard drive
first after you are done collecting data.

Using Kanguru and IronKey Encrypted Devices
If you are using a Kanguru or IronKey encrypted device when collecting data, the
process differs slightly from that for non-encrypted keys. To use an encrypted key on a
shutdown system, you must boot from a burned CD.


Collecting data using an encrypted key
1. Boot to the target system using a burned CD. See Creating a Bootable Disc on
page 28.
2. Navigate to the helper application found on the cd-partition of the Kanguru or IronKey
device and run it to decrypt the device.
Note: You may receive warning messages following this step, but the message will not
prevent you from using the device. Close the message and continue to the next
step.
3. Click Rescan Drives.
4. In the Triage Collection window, start the collection. See Manually Collecting and
Exporting Data on a Target System on page 30.
5. After the collection is complete, click the Settings tab.
6. On the Settings tab, click Run Program.
7. Export the data to the device. See Manually Collecting and Exporting Data on a Target
System on page 30.

Saving Collected Data
If you exported your collected data from a target system to your Triage USB device, you
can save the data in Triage Admin, review the data, and generate reports.
Before saving a collection, ensure that you have enough available disk space on your
Admin computer. If you do not have sufficient disk space, collections will not import
completely.

To save collected data
1. Ensure that the USB device is connected to the computer.
2. In the Triage Admin console, click the Devices tab.
3. Click Manage Triage Devices.


FIGURE 4-17 Manage Triage Devices Dialog

4. Select the USB device that contains the collections that you want to save from the
upper pane.
5. Collections appear in the middle pane. Select the collection that you want to save.
Note: You can review collections, generate reports, and delete collections from this
dialog. More information on performing these tasks is covered in Managing
Saved Collections page 35.
6. Click Save Collection.
7. In the Save Collection dialog, browse to the location where you want the case data to
save.
The collection is saved in the designated location.
8. Close the dialog.

Managing Saved Collections
Once you have saved your collected data, you can then review it, generate reports, and
export the collection from the Manage Collections dialog. You can view a list of all the
saved collections in the Manage Collections dialog. This section will help you filter and
manage all your saved collections.

Filtering Saved Collections
The list of collections in the Manage Collections dialog is a list of ALL the collections saved
to AD Triage. If you are looking for a specific collection, you may need to filter the list to find
the collection you are looking for.


To filter saved collections
1. In the Admin console, click the Admin tab (see Triage Admin Main Window page 6).
2. Click the Manage Saved Collections button.
FIGURE 4-18 Manage Collections Dialog

3. In the Manage Collections dialog, you can filter the list of collections by specifying the
name of the profile, the name of the case, the name of the agent, and/or a specified
date range. Enter your filtering criteria and click Search.
4. Once you have found the collection(s) you are looking for, you can perform the
following actions:
Review the collection (see Reviewing Saved Collections page 36)
Generate a report (see Generating Reports for Saved Collections page 37)
Export the collection (see Exporting Saved Collections page 46)
Delete the collection (see Deleting a Saved Collection page 47)
Import a collection (see Importing a Saved Collection page 47)
Recover a remote collection (see Recovering a Remote Collection page 47)

Reviewing Saved Collections
Once you have found the collection/s you are looking for in the Manage Collections dialog
using the filters (see Filtering Saved Collections page 35), you can then review the
collected data.


To review saved collections
1. In the Manage Collections dialog, select the collection that you want to review (see
Filtering Saved Collections page 35).
2. Click Review Collection.
FIGURE 4-19 Recover Evidence Dialog

3. In the Recover Evidence dialog, use the left panes to navigate the collected data and
the AD files created during collection. Check the files that you would like to include in a
custom report.
4. Click Generate Report to create a report of the collection, then follow the steps found
in Generating Reports for Saved Collections page 37.
5. Close the Recover Evidence dialog.

Generating Reports for Saved Collections
Once you have found the collection/s you are looking for in the Manage Collections dialog
using the filters (see Filtering Saved Collections page 35), you can then generate a report
of the collected data.


To generate a report for a saved collection
1. In the Manage Collections dialog, select the collection for which you want to generate a
report (see Filtering Saved Collections page 35).
2. Click Generate Report.
FIGURE 4-20 Generate Reports Dialog

3. Check whether you want to generate a Standard or Custom Report.
4. Highlight the collected data that you want to include in your report and click Add.
Note: Items in bold are those items that you selected when you reviewed your data.
5. Browse to the location where you would like to save the generated report.
6. Check View report after generating to open the report after it has been generated.
7. Click Generate Report.
8. Click OK.

If you checked to view the report, it opens in an internet browser.

Performing Advanced Triage Tasks

This chapter describes advanced tasks that can be performed using AD Triage.

Advanced Profile Tasks
In addition to creating a new profile (Creating a Profile page 20), you can also perform the
following tasks:
Copy a Profile (see Copying a Profile page 39)
Edit a Profile (see Editing a Profile page 40)
Delete a Profile (see Deleting a Profile page 41)

Copying a Profile
If you want to create a profile that is very similar to an existing profile, but you don’t want to
have to go through the process of creating a new profile, you can use the copy profile
feature.

To copy a profile
1. Open the AD Triage Admin main window (see Launching AD Triage Admin page 6).
2. Select the Configure tab (see AD Triage Admin Main Window Configure Tab page 20).
3. Click Manage Profiles (see Profiles Dialog page 10).
4. In the Profile dialog, select the profile that you want to copy and then click Copy
Profile.


FIGURE 5-1 Copy Profile Dialog

5. In the Copy Profile dialog, review the actions for the profile and enter a New Profile
Name and Description.

6. Click Copy Profile.
7. Click OK.

Editing a Profile
You may want to edit an existing profile to remove or add actions to the profile.
Note: You can edit the actions of the Default profile, but you cannot edit the profile name.

To edit an existing profile
1. Open the AD Triage Admin main window (see Launching AD Triage Admin page 6).
2. Select the Configure tab (see AD Triage Admin Main Window Configure Tab page 20).
3. Click Manage Profiles (see Profiles Dialog page 10).
4. In the Profile dialog, select the profile that you want to edit and click Edit Profile (see
Custom Profile Wizard Welcome Screen page 21).
5. Click Next (see Custom Profile Wizard Profile Name Screen page 21).
6. Edit the Profile Name or Description if desired, and click Next (see Custom Profile
Wizard Standard Actions Screen page 22).
7. Edit the standard actions that you want included with the profile and click Next (see
Custom Profile Wizard Custom File Filters Screen page 22).
8. Edit the custom file filters that you want included with the profile and click Next (see
Custom Profile Wizard Review Selections Screen page 23).
9. Review the actions applied to the profile and click Finish.
10. Click Yes.


Deleting a Profile
If you want to remove a profile from Triage, you can delete it as long as it is not the default
profile.

To delete a profile
1. Open the AD Triage Admin main window (see Launching AD Triage Admin page 6).
2. Select the Configure tab (see AD Triage Admin Main Window Configure Tab page 20).
3. Click Manage Profiles (see Profiles Dialog page 10).
4. In the Profile dialog, select the profile that you want to delete and click Delete Profile.
5. Click Yes.

About Custom Filters
In the AD Triage Admin console, you can create custom filters, create and add custom
conditions to the filters, and add your custom filters to profiles as actions to be performed
during collection.
Note: Triage only supports binary / plain text keyword searching. This means that a
keyword search of a compound or compressed file will most likely not produce the
desired results, because these files are searched from a binary perspective. FTK
supports archive expansion and filtered text searching of compound documents.
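
Why a binary keyword search misses text inside a compressed file, shown as an added example that is not part of the AccessData guide or of Triage itself: the sketch searches the stored bytes of a plain text file and of a ZIP archive holding the same text, then repeats the search after expanding the archive. The keyword, file names and size cap are constructed for illustration.

```python
import io
import zipfile
import zlib

KEYWORD = b"project-bluebird"          # constructed keyword, not from the guide
MAX_MEMBER_BYTES = 50 * 1024 * 1024    # assumed cap: skip members declared larger than this


def raw_keyword_hit(data: bytes, keyword: bytes) -> bool:
    """Binary search: match the keyword against the bytes exactly as stored."""
    return keyword in data


def expanded_keyword_hit(data: bytes, keyword: bytes, depth: int = 2) -> bool:
    """Search the stored bytes, then expand ZIP containers and search each member."""
    if raw_keyword_hit(data, keyword):
        return True
    buf = io.BytesIO(data)
    if depth == 0 or not zipfile.is_zipfile(buf):
        return False
    try:
        with zipfile.ZipFile(buf) as archive:
            for info in archive.infolist():
                if info.is_dir() or info.file_size > MAX_MEMBER_BYTES:
                    continue
                try:
                    member = archive.read(info)
                except (zipfile.BadZipFile, RuntimeError,
                        NotImplementedError, zlib.error):
                    continue  # damaged, encrypted or unsupported member
                # Recurse so an archive inside an archive is also expanded.
                if expanded_keyword_hit(member, keyword, depth - 1):
                    return True
    except zipfile.BadZipFile:
        return False
    return False


def build_samples() -> dict:
    """Constructed inputs: the same memo as plain text and inside a ZIP archive."""
    memo = b"Constructed memo.\nShipment for project-bluebird leaves Friday.\n" * 20
    zipped = io.BytesIO()
    with zipfile.ZipFile(zipped, "w", compression=zipfile.ZIP_DEFLATED) as archive:
        archive.writestr("memo.txt", memo)
    return {
        "memo.txt": memo,
        "memo.zip": zipped.getvalue(),
        "unrelated.txt": b"Constructed file with no keyword in it.\n",
    }


def scan(samples: dict, keyword: bytes) -> dict:
    """Return {name: (raw_hit, expanded_hit)} for every sample."""
    return {
        name: (raw_keyword_hit(data, keyword), expanded_keyword_hit(data, keyword))
        for name, data in samples.items()
    }


if __name__ == "__main__":
    for name, (raw, expanded) in scan(build_samples(), KEYWORD).items():
        print(f"{name:14} raw search: {raw!s:5}  after expansion: {expanded}")
```

The archive reports no hit under the raw search even though it holds the memo, so a collection filtered only by keyword can leave such files behind unless another criterion (extension, path, hash) also selects them.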

Creating a Custom Filter
Custom filters look for files that contain specified attributes when collecting data. You can
apply custom filters to profiles before creating a Triage device.

To create a custom filter
1. Open the AD Triage Admin main window (see Launching AD Triage Admin page 6).
2. Select the Configure tab (see AD Triage Admin Main Window Configure Tab page 20).
3. Click Manage Custom Filters (see File Filtering Dialog page 11).
4. In the File Filtering dialog, click Create New Filter.

FIGURE 5-2 Custom Filter Wizard

5. In the Custom Filter Wizard, click Next.

FIGURE 5-3 Custom Filter Wizard Filter Name Screen

6. In the Filter Name screen, enter a name and description for the filter and then click
Next.

FIGURE 5-4 Custom Filter Wizard Select Criteria Screen

7. In the Select Criteria screen, check the types of groups you want included in your
custom filter and then click Next.

FIGURE 5-5 Custom Filter Wizard Groups Screen

8. Depending on the groups that you checked, the next screen allows you to add the
specific criteria for each group to the custom filter. The following screens may appear:

• Keyword (see Creating a Keyword Group page 44)
• Hash (see Creating a Hash Group page 45)
• Regular Expression (see Creating a Regular Expression Group page 45)
• File Size
Note: When applying a File Size filter, the filter will search for the “Size on Disk” file
capacity rather than the “Size” capacity when collecting data. Increase the size
of your file search accordingly to accommodate this.
• Date Time
• Extensions
• Path
• Illicit Images
Note: Multiple conditions added under a single group name are considered an “OR”
condition. Each separate group name added is considered an “AND” condition.
9. Add your criteria for each group and click Next until you reach the Review Custom File
Filter Constraints screen.
10. Click Finish.
11. Click OK.
Note: To add the filter to a profile, click the Update Profile button on the File Filtering
dialog.
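
The two notes in the procedure above can be modelled as follows; this is an added example, not AccessData's implementation. The group layout, the condition builder names, the upper-bound size condition, the 4096-byte cluster size and the sample files are assumptions.

```python
from dataclasses import dataclass

CLUSTER_SIZE = 4096  # assumption: a common NTFS default; the real value is per volume


@dataclass
class FileInfo:
    path: str
    content: bytes

    @property
    def size(self):
        """Logical size in bytes, the value Windows labels "Size"."""
        return len(self.content)


def size_on_disk(size, cluster=CLUSTER_SIZE):
    """Logical size rounded up to whole clusters.

    Simplified model: ignores MFT-resident, compressed and sparse files.
    """
    return -(-size // cluster) * cluster


# Condition builders (hypothetical names). Each returns a predicate over FileInfo.
def keyword(term):
    return lambda f: term.encode() in f.content


def extension(ext):
    return lambda f: f.path.lower().endswith("." + ext.lower())


def max_size_on_disk(limit):
    return lambda f: size_on_disk(f.size) <= limit


def matches(groups, f):
    """AND across groups, OR across the conditions inside each group."""
    return all(any(cond(f) for cond in conds) for conds in groups.values())


def select(groups, files):
    """Paths of the files the filter would collect, in input order."""
    return [f.path for f in files if matches(groups, f)]


def build_filter(size_limit):
    return {
        "Keyword": [keyword("invoice"), keyword("payment")],   # invoice OR payment
        "Extensions": [extension("txt"), extension("csv")],    # .txt OR .csv
        "File Size": [max_size_on_disk(size_limit)],
    }


def padded(text, size):
    """Constructed file body: the text followed by spaces up to `size` bytes."""
    return text.ljust(size, b" ")


# Constructed sample files.
FILES = [
    FileInfo(r"C:\docs\q3.txt", padded(b"invoice 1001 attached", 5000)),
    FileInfo(r"C:\docs\ledger.csv", padded(b"payment received", 900)),
    FileInfo(r"C:\docs\menu.txt", padded(b"lunch menu", 700)),      # no keyword
    FileInfo(r"C:\docs\scan.pdf", padded(b"invoice scan", 800)),    # wrong extension
]

# A 6000-byte limit looks large enough for the 5000-byte q3.txt, but the file
# occupies 8192 bytes on disk, so the filter skips it.
TIGHT = build_filter(6000)
# Raising the limit to the cluster-rounded value brings it back in.
ADJUSTED = build_filter(size_on_disk(6000))

if __name__ == "__main__":
    print("limit 6000:", select(TIGHT, FILES))
    print("limit", size_on_disk(6000), ":", select(ADJUSTED, FILES))
```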

Creating a Keyword Group
The keyword feature allows you to create a keyword group that can then be added to a
custom filter. Keyword conditions search for a specific word or term during collection.

To create a new keyword group
1. In the Configure tab, click Keyword Groups (see Keywords Dialog page 12).
2. In the Keywords dialog, click Create New Group.
FIGURE 5-6 Create/Edit Keyword Dialog

3. Enter a Group Name and Description.
4. (Optional) Enter an Import File path or browse to a file that contains the keywords you
want to add to the group. Once found, click Import to add the keywords to the list.
5. Enter the keywords you want added to the condition in the keyword pane.
Note: Enter each keyword search term on its own line.
6. Click Save Filter.
7. Click OK to add the keyword to the existing filters list.
8. Click Yes to create another keyword group or No to close the dialog.
9. Add the group to a filter by following the steps in Creating a Custom Filter page 41.

Creating a Hash Group
The Hash feature allows you to create a hash group that can then be added to a custom
filter. Hash conditions search for specified hashes during collection.

To create a hash group
1. In the Configure tab, click Hash Groups (see Hash Filter Dialog page 13).
2. In the Hash Filter dialog, click Create New Group.
FIGURE 5-7 Create/Edit Hash Dialog

3. In the Create/Edit Hash dialog, enter a Group Name and Description for the group.
4. Click the Import File Browse button to browse to the known file on your system. Then,
click Import File to add the file to the Hash pane.
5. Click the Source Dir Browse button to browse to the directory containing files to be
hashed.
6. Check the Hash Subdirectories as well check box to include child files for the
selected known file.
Note: Selecting a known file greatly increases the speed of the hashing when
collecting data.
7. Click Generate Hashes to add the hashes to the Hash pane.
Note: Clicking the Reset Form button clears all the fields in the dialog.
8. Click Save Filter.
9. Click Yes.
10. Click Yes again if you want to create a new Hash group or No to return to the Hash
Filter dialog.
11. Add the group to a filter by following the steps in Creating a Custom Filter page 41.

Creating a Regular Expression Group
The Regular Expression feature allows you to create a regular expression condition that
can then be added to a custom filter. Regular expression conditions search for a specified
expression during collection.

To create a regular expression group
1. In the Configure tab, click RegEx Groups (see Regular Expression Dialog page 12).
2. In the Regular Expression dialog, click Create New Group.
FIGURE 5-8 Create/Edit Regular Expression Dialog

3. In the Create/Edit Regular Expression dialog, enter a Group Name and Description
for the group.
4. Click the Import File Browse button and select a known file. Then, click Import File to
add the regular expression to the Regular Expression pane.
5. Enter an expression in the Regular Expression field.
6. Enter a Test String for the regular expression.
7. Click the Test Regular Expression button to test whether the expression matches the string.
8. Click Add Regular Expression.
Note: Clicking the Reset Form button clears all the fields in the dialog.
9. Click Save Filter.
10. Click Yes.
11. Click Yes again if you want to create a new Hash group or No to return to the Hash
Filter dialog.
12. Add the group to a filter by following the steps in Creating a Custom Filter page 41.

Advanced Saved Collections Tasks
Once you have saved a collection, you can use the Manage Saved Collections feature to
perform the following advanced tasks:
• Export Saved Collections (see Exporting Saved Collections page 46)
• Delete Saved Collections (see Deleting a Saved Collection page 47)
• Import Saved Collections (see Importing a Saved Collection page 47)

Exporting Saved Collections
Once you have found the collection/s you are looking for in the Manage Collections dialog
using the filters (see Filtering Saved Collections page 35), you can then export the
collection to a designated location. This makes a copy of the collection and saves it in the
location you select. You can then use the exported file and import it into another AD Triage
Admin system for others to review.

To export a saved collection
1. On the Admin tab of the Admin console, click Manage Saved Collections (see
Manage Collections Dialog page 8).
2. In the Manage Collections dialog, select the collection that you want to export (see
Filtering Saved Collections page 35).
3. Click Export Collection.
4. Browse to the location where you want to save the exported file.
5. Click OK.

Deleting a Saved Collection
Once you have found the collection/s you are looking for in the Manage Collections dialog
using the filters (see Filtering Saved Collections page 35), you can then delete the
collected data from your saved collection file. This will not remove the collected data from
the USB device that it originated from.

To delete a saved collection
1. On the Admin tab of the Admin console, click Manage Saved Collections (see
Manage Collections Dialog page 8).
2. In the Manage Collections dialog, select the collection that you want to delete (see
Filtering Saved Collections page 35).
3. Click Delete Collection.
4. Click OK.

Importing a Saved Collection
If you want to import a collection that is saved from another Triage Admin console, you can
use the Import Collection feature.

To import a saved collection
1. On the Admin tab of the Admin console, click Manage Saved Collections (see
Manage Collections Dialog page 8).
2. In the Manage Collections dialog, click Import Collection.
3. Browse to the file that you want to import and click OK.
4. In the Import Collection dialog, select the collection(s) that you want to import and click
Import Collections.
5. In the message box that appears, click Yes.
The collection is added to your saved collections.

Recovering a Remote Collection
If you want to recover a collection that is saved on a remote share, you can use the
Recover Remote Collection feature.
Note: You can only use this feature with collections you have mounted to a remote share.
This feature will not work for data collected using the Triage Receiver.

To import a remote collection
1. On the Admin tab of the Admin console, click Manage Saved Collections (see
Manage Collections Dialog page 8).
2. In the Manage Collections dialog, click Recover Remote Collection.
3. Browse to the location of the remote directory and click OK.

Note: To import data from a remote directory, the directory must have the following
folder structure: triage > remote > casedata. Triage will not recognize directories
that have an altered folder structure naming convention.

FIGURE 5-9 Import Collections Dialog

4. In the Import Collections dialog, select the collection(s) that you want to import and click
Import Collections.

5. In the message box that appears, click Yes.

The collection is imported.

Using the Triage Receiver
The Triage Receiver can be used to export collected data directly from the target system to
a designated location on the same network.

To export data to a designated location
1. Select Start > Programs > AccessData > ADTriage > TriageReceiver.exe.

FIGURE 5-10 Triage Receiver Window

2. In the Triage Receiver, click the Data Destination Folder browse button.
3. Select the location where you want to save the collection.
4. Click the Start Listening button.
5. Collect data from the target system, but do not export it yet (see Manually Collecting
and Exporting Data on a Target System page 30).
6. In the Collection interface, click the Evidence tab.
7. Click the Manually Specify Remote Destination... link.

FIGURE 5-11 Manually Specify Destination Dialog

8. Enter the IP Address of the computer where you want to export the collection.
9. Enter the Port number where you want to export the collection.
10. Click Test Connection.

The pane below the Test Connection button displays whether or not the connection is a
success. You can also see the connection status in the Triage Receiver window.
11. If the test connection worked, click Add.
12. Click Done.
13. Select the computer in the Select Destination pane.
14. Click Export Now!
The data is exported to the location that you designated.
Note: To import the collection into the Triage Admin console, see Importing a Saved
Collection page 47.

Mounting to a Remote Share
When you are manually specifying a destination to export your collection, you can mount
exported data to a remote share before bringing the data into the Admin console.

To mount collected data to a remote share
1. Run the Triage Collection interface on the target system with your Triage USB device
(see Manually Collecting and Exporting Data on a Target System page 30).
2. Collect data from the target system, but do not export it yet (see Manually Collecting
and Exporting Data on a Target System page 30).
3. In the Collection interface, click the Evidence tab.
4. Click the Manually Specify Remote Destination link.
5. Enter the Share Path of the remote share folder where you want to export the
collection.
6. Click Add Share.

Appendix A Managing Security Devices and Licenses

This chapter expands on the licensing information needed to run AccessData products,
including AccessData product licenses, Virtual CodeMeter activation, and Network License
Server configurations.

AccessData Product Licenses
This section acquaints you with managing AccessData product licenses. Here you will find
details regarding the LicenseManager interface and how to manage licenses and update
products using LicenseManager.

Installing and Managing Security Devices
Before you can manage licenses with LicenseManager, you must install the proper security
device software and/or drivers. This section explains installing and using the Wibu
CodeMeter Runtime software and USB CmStick, as well as the Keylok USB dongle drivers
and dongle device.

Installing the Security Device
As discussed previously, AccessData products require a licensing security device that
communicates with the program to verify the existence of a current license. The device can
be the older Keylok dongle, or the newer WIBU-SYSTEMS (Wibu) CodeMeter (CmStick).
Both are USB devices, and both require specific software to be installed prior to connecting
the devices and running your AccessData products. You will need:
• The WIBU-SYSTEMS CodeMeter Runtime software with a WIBU-SYSTEMS
CodeMeter (CmStick), either the physical USB device, or the Virtual device.
• The WIBU-SYSTEMS CodeMeter Runtime software, and the AccessData Dongle
Drivers with a Keylok dongle.
Note: Without a license security device and its related software, you can run PRTK or
DNA in Demo mode only.
The CmStick or dongle should be stored in a secure location when not in use.
You can install your AccessData product and the CodeMeter software from the shipping
CD or from downloadable files available on the AccessData website at
www.accessdata.com.
Click Support > Downloads, and browse to the product to download. Click the download
link and save the file locally prior to running the installation files.

Installing the CodeMeter Runtime Software
When you purchase the full PRTK package, AccessData provides a USB CmStick with the
product package. The green Keylok dongles are no longer provided, but can be purchased
separately through your AccessData Sales Representative.

To use the CmStick, you must first install the CodeMeter Runtime software, either from the
shipping CD, or from the setup file downloaded from the AccessData Web site.

Locating the Setup File
To install the CodeMeter Runtime software from the CD, you can browse to the setup file,
or select it from the Autorun menu.

To download the CodeMeter Runtime software
1. Go to www.accessdata.com and do the following:
2. Click Support > Downloads.
3. Find one of the following, according to your system:
CodeMeter Runtime 4.20b (32 bit)
MD5: 2e658fd67dff9da589430920624099b3
(MD5 hash applies only to this version)
CodeMeter Runtime 4.20b (64 bit)
MD5: b54031002a1ac18ada3cb91de7c2ee84
(MD5 hash applies only to this version)
4. Click the Download link.
5. Save the file to your PC and run after the download is complete.
When the download is complete, double-click on the downloaded file.

To run the CodeMeter Runtime Setup
1. Double-click the CodeMeterRuntime[32 or 64]_4.20b.exe.
2. In the Welcome dialog, click Next.
3. Read and accept the License Agreement.

FIGURE A-1 CodeMeter Runtime Setup: License Agreement

4. Click Next.
5. Enter User Information.

FIGURE A-2 CodeMeter Runtime Setup: User Information

6. Specify whether this application should be available only when you log in, or for anyone
who uses this computer.

7. Click Next.

FIGURE A-3 CodeMeter Runtime Setup: Select Features

8. Select the features you want to install.
9. Click Disk Cost to see how much space the installation of CodeMeter software takes,
and the drive space available. This helps you determine the destination drive.

FIGURE A-4 CodeMeter Runtime Setup: Disk Cost

10. Click OK.
11. Click Next.

FIGURE A-5 CodeMeter Runtime Setup: Ready to Install

12. When you are satisfied with the options you have selected, click Next.

FIGURE A-6 CodeMeter Runtime Setup: Successfully Installed

13. Installation will run its course. When complete, you will see the “CodeMeter Runtime
Kit v4.20b has been successfully installed” screen. Click Finish to exit the installation.

The CodeMeter Control Center
When the CodeMeter Runtime installation is complete, the CodeMeter Control Center
pops up. This is a great time to connect the CmStick and verify that the device is
recognized and is Enabled. Once verified, you can close the control center and run your
AccessData product(s).
When the software is installed, but the CmStick is not connected, you will see a system
tray icon that looks like this:

When the software is installed, and the CmStick is connected and recognized, you will see
a system tray icon that looks like this:

For the most part there is nothing you need to do with this control center, and you need
make no changes using this tool with very few exceptions. If you have problems with your
CmStick, contact AccessData Support and an agent will walk you through any
troubleshooting steps that may need to be performed.

Installing Keylok Dongle Drivers
To install the Keylok USB dongle drivers
1. Choose one of the following methods:
• If installing from CD, insert the CD into the CD-ROM drive and click Install the
Dongle Drivers.
• If auto-run is not enabled, select Start > Run. Browse to the CD-ROM drive and
select Autorun.exe.
• If installing from a file downloaded from the AccessData Web site, locate the
Dongle_driver_1.6.exe setup file, and double-click it.

FIGURE A-7 Dongle Driver Setup

2. Click Next.

FIGURE A-8 Dongle Driver Setup: Choose Setup Type for Dongle

3. Select the type of dongle to install the drivers for.
4. Click Next.

FIGURE A-9 Dongle Driver Setup: Ensure USB Device is not Plugged In

5. If you have a USB dongle, verify that it is not connected.
6. Click OK.

A message box appears telling you that the installation is progressing.

FIGURE A-10 Setup Progress Message Box

7. When you see the Dongle Driver Setup window that says, “Finished Dongle
Installation,” click Finish.

FIGURE A-11 Dongle Driver Setup: Finished

8. Connect the USB dongle. Wait for the Windows Found New Hardware wizard, and
follow the prompts.

Important: If the Windows Found New Hardware wizard appears, complete the wizard. Do
not close without completing, or the dongle driver will not be installed.

Windows Found New Hardware Wizard
When you connect the dongle after installing the dongle drivers, you should wait for the
Windows Found New Hardware Wizard to open. It is not uncommon for users to disregard
this wizard, and then find that the dongle is not recognized and their AccessData software
will not run.

To configure the dongle using the Found New Hardware Wizard
1. When prompted whether to connect to Windows Update to search for software,
choose, “No, not this time.”
FIGURE A-12 Found New Hardware Wizard: Welcome

2. Click Next.
3. When prompted whether to install the software automatically or to install from a list of
specific locations, choose, “Install the software automatically (Recommended).”

FIGURE A-13 Found New Hardware Wizard: Install Automatically

4. Click Next.
5. Click Finish to close the wizard.

FIGURE A-14 Found New Hardware Wizard: Complete

Once you have installed the dongle drivers and connected the dongle and verified that
Windows recognizes it, you can use LicenseManager to manage product licenses.

Installing LicenseManager
LicenseManager lets you manage product and license subscriptions using a security
device or device packet file.

To download the LicenseManager installer from the AccessData web site
1. Go to the AccessData download page at:
http://www.accessdata.com/downloads.htm.
2. On the download page, click the LicenseManager Download link.
3. Save the installation file to your download directory or other temporary directory on
your drive.
3a. The current version information is as follows:
License Manager version 3.1.1 (LicenseManager_3.1.1.exe)
Release Date: March 25, 2010
MD5: 2e645ca8b0ca57aafbc156213be2147f (for this version only)
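
One way to check a downloaded installer against the MD5 values this guide publishes (the CodeMeter Runtime values in the download steps earlier and the LicenseManager value above) before running it. This is an added example, not part of the AccessData documentation; the function names are its own.

```python
import hashlib
import hmac

# MD5 values as published in this guide; each applies only to the version named.
PUBLISHED_MD5 = {
    "CodeMeter Runtime 4.20b (32 bit)": "2e658fd67dff9da589430920624099b3",
    "CodeMeter Runtime 4.20b (64 bit)": "b54031002a1ac18ada3cb91de7c2ee84",
    "LicenseManager_3.1.1.exe": "2e645ca8b0ca57aafbc156213be2147f",
}


def md5_of_file(path, chunk_size=1 << 20):
    """Hash the file in chunks so a large installer is not read into memory at once."""
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def normalize_md5(text):
    """Accept a value pasted as 'MD5: 2E64...' and return 32 lowercase hex characters."""
    value = text.strip()
    if value.lower().startswith("md5:"):
        value = value[4:]
    value = value.strip().lower()
    if len(value) != 32 or any(c not in "0123456789abcdef" for c in value):
        raise ValueError(f"not an MD5 hex digest: {text!r}")
    return value


def verify_download(path, product):
    """True only if the file's MD5 equals the value published for `product`."""
    expected = normalize_md5(PUBLISHED_MD5[product])
    return hmac.compare_digest(md5_of_file(path), expected)


def identify_download(path):
    """Return the product whose published MD5 matches the file, or None."""
    actual = md5_of_file(path)
    for product, published in PUBLISHED_MD5.items():
        if hmac.compare_digest(actual, normalize_md5(published)):
            return product
    return None


if __name__ == "__main__":
    import sys

    for installer in sys.argv[1:]:
        match = identify_download(installer)
        print(installer, md5_of_file(installer), match or "NO MATCH: do not run")
```

Because each published value applies to one version only, a file that matches none of them is either a different release or a damaged or altered download.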

To install LicenseManager
1. Navigate to, and double-click the installation file.
2. Wait for the Preparing to Install processes to complete.
3. Click Next on the Welcome screen.
FIGURE A-15 LicenseManager Setup: Welcome

4. Read and accept the License Agreement.
5. Click Next.

FIGURE A-16 LicenseManager Setup: License Agreement

6. Accept the default destination folder, or select a different one.
7. Click Next.
8. In the Ready to Install the Program dialog, click Back to review or change any of the
installation settings. When you are ready to continue, click Install.
9. Wait while the installation completes.
10. If you want to launch LicenseManager after completing the installation, mark the
Launch AccessData LicenseManager check box.

FIGURE A-17 LicenseManager Setup: Completed

11. Select the Launch AccessData LicenseManager check box to run the program upon
finishing the setup.
12. Click Finish to finalize the installation and close the wizard.

Starting LicenseManager
To launch LicenseManager
1. Launch LicenseManager in any of the following ways:
• Execute LicenseManager.exe from C:\Program Files\AccessData\Common
Files\AccessData LicenseManager\.
• Click Start > All Programs > AccessData > LicenseManager >
LicenseManager.
• Click or double-click (depending on your Windows settings) the LicenseManager
icon on your desktop.
• From some AccessData programs, you can run LicenseManager from the Tools >
Other Applications menu. This option is not available in PRTK or DNA.
When starting, LicenseManager reads licensing and subscription information from the
installed and connected WIBU-SYSTEMS CodeMeter Stick, or Keylok dongle.

If using a Keylok dongle, and LicenseManager either does not open or displays
the message, “Device Not Found”
1. Make sure the correct dongle driver is installed on your computer.
2. With the dongle connected, check in Windows Device Manager to make sure the
device is recognized. If it has an error indicator, right click on the device and choose
Uninstall.
3. Remove the dongle after the device has been uninstalled.
4. Reboot your computer.
5. After the reboot is complete, and all startup processes have finished running, connect
the dongle.
6. Wait for Windows to run the Add New Hardware wizard. If you already have the right
dongle drivers installed, do not browse the internet; choose “No, not this time.”
7. Click Next to continue.
8. On the next options screen, choose, “Install the software automatically
(Recommended).”
9. Click Next to continue.
10. When the installation of the dongle device is complete, click Finish to close the wizard.
11. You still need the CodeMeter software installed, but will not need a CodeMeter Stick to
run LicenseManager.
If using a CodeMeter Stick, and LicenseManager either does not open or
displays the message, “Device Not Found”
1. Make sure the CodeMeter Runtime 4.20b software is installed. It is available at
www.accessdata.com/support. Click Downloads and browse to the product. Click
on the download link. You can Run the product from the Website, or Save the file
locally and run it from your PC. Once the CodeMeter Runtime software is installed and
running, you will see a gray icon in your system tray: .
2. Make sure the CodeMeter Stick is connected to the USB port. When the CmStick is
then connected, you will see the icon change to look like this: .
If the CodeMeter Stick is not connected, LicenseManager still lets you manage licenses
using a security device packet file if you have exported and saved the file previously.
To open LicenseManager without a CodeMeter Stick installed
1. Click Tools > LicenseManager.
LicenseManager displays the message, “Device not Found”.
2. Click OK, then browse for a security device packet file to open.
Note: Although you can run LicenseManager using a packet file, AccessData products
will not run with a packet file alone. You must have the CmStick or dongle
connected to the computer to run AccessData products that require a license.

Using LicenseManager
LicenseManager provides the tools necessary for managing AccessData product licenses
on a WIBU-SYSTEMS CodeMeter Stick security device, a Keylok dongle, a Virtual Dongle,
or in a security device packet file.
LicenseManager displays license information and allows you to add licenses to or remove
existing licenses from a dongle or CmStick. LicenseManager can also be used to
export a security device packet file. Packet files can be saved and reloaded into
LicenseManager, or sent via email to AccessData support.
In addition, you can use LicenseManager to check for product updates and in some cases
download the latest product versions.
LicenseManager displays CodeMeter Stick information (including packet version and serial
number) and licensing information for all AccessData products. The Purchase Licenses
button connects directly to the AccessData website and allows you to browse the site for
information about products you may wish to purchase. Contact AccessData by phone to
speak with a Sales Representative for answers to product questions, and to purchase
products and renew licenses and subscriptions.

The LicenseManager Interface
The LicenseManager interface consists of two tabs that organize the options in the
LicenseManager window: the Installed Components tab and the Licenses tab.

The Installed Components Tab
The Installed Components tab lists the AccessData programs installed on the machine.
The Installed Components tab is displayed in the following figure.

FIGURE A-18 LicenseManager Installed Components

The following information is displayed on the Installed Components tab:

TABLE A-1 LicenseManager Installed Components Tab Features
Item | Description
Program | Lists all AccessData products installed on the host.
Installed Version | Displays the version of each AccessData product installed on the host.
Newest Version | Displays the latest version available of each AccessData product installed on the host. Click Newest to refresh this list.
Product Notes | Displays notes and information about the product selected in the program list.
AccessData Link | Links to the AccessData product page where you can learn more about AccessData products.

The following buttons provide additional functionality from the Installed Components tab:

TABLE A-2 LicenseManager Installed Components Buttons
Button | Function
Help | Opens the LicenseManager Help web page.
Install Newest | Installs the newest version of the programs checked in the product window, if that program is available for download. You can also get the latest versions from our website using your Internet browser.
Newest | Updates the latest version information for your installed products.
About | Displays the About LicenseManager screen. Provides version, copyright, and trademark information for LicenseManager.
Done | Closes LicenseManager.

Use the Installed Components tab to manage your AccessData products and stay up to
date on new releases.

The Licenses Tab
The Licenses tab displays CodeMeter Stick information for the current security device
packet file and licensing information for AccessData products available to the owner of the
CodeMeter Stick, as displayed in the following figure.

FIGURE A-19 LicenseManager Licenses Tab

The Licenses tab provides the following information:

TABLE A-3 LicenseManager Licenses Tab Features
Column | Description
Program | Shows the owned licenses for AccessData products.
Expiration Date | Shows the date on which your current license expires.
Status | Shows the status of that product’s license:
• None: the product license is not currently owned.
• Days Left: displays when less than 31 days remain on the license.
• Never: the license is permanently owned. This generally applies to Hash Tables and Portable Office Rainbow Tables.
Name | Shows the name of additional parameters or information a product requires for its license.
Value | Shows the values of additional parameters or information a product contained in or required for its license.
Show Unlicensed | When checked, the License window displays all products, whether licensed or not.

The following license management actions can be performed using buttons found on the
License tab:

TABLE A-4 License Management Options
Button | Function
Remove License | Removes a selected license from the Licenses window and from the CodeMeter Stick or dongle. Opens the AccessData License Server web page to confirm success.
Refresh Device | Connects to the AccessData License Server. Downloads and overwrites the info on the CodeMeter Stick or dongle with the latest information on the server.
Reload from Device | Begins or restarts the service to read the licenses stored on the CodeMeter Stick or dongle.
Release Device | Click to stop the program reading the dongle attached to your machine, much like Windows’ Safely Remove Hardware feature. Click this button before removing a dongle. This option is disabled for the CodeMeter Stick.
Open Packet File | Opens Windows Explorer, allowing you to navigate to a .PKT file containing your license information.
Save to File | Opens Windows Explorer, allowing you to save a .PKT file containing your license information. The default location is My Documents.
Finalize Removal | Finishes the removal of licenses in the unbound state. Licenses must be unbound from the CmStick or dongle before this button takes effect.
View Registration Info | Displays an HTML page with your CodeMeter Stick number and other license information.
Add Existing License | Allows you to bind an existing unbound license to your CodeMeter Stick, through an internet connection to the AccessData License Server.
Purchase License | Brings up the AccessData product page from which you can learn more about AccessData products.
About | Displays the About LicenseManager screen. Provides version, copyright, and trademark information for LicenseManager.
Done | Closes LicenseManager.

Opening and Saving Dongle Packet Files
You can open or save dongle packet files using LicenseManager. When started,
LicenseManager attempts to read licensing and subscription information from the dongle.
If you do not have a dongle installed, LicenseManager lets you browse to open a dongle
packet file. You must have already created and saved a dongle packet file to be able to
browse to and open it.

To save a security device packet file
1. Click the Licenses tab, then under License Packets, click Save to File.
2. Browse to the desired folder and accept the default name of the .PKT file; then click
Save.
Note: In general, the best place to save the .PKT files is in the AccessData
LicenseManager folder. The default path is C:\Program Files\AccessData\Common
Files\AccessData LicenseManager\.

To open a security device packet file
1. Select the Licenses tab.
2. Under License Packets, click Open Packet File.
3. Browse for a dongle packet file to open. Select the file and click Open.
FIGURE A-20 LicenseManager Open Packet File

Adding and Removing Product Licenses
On a computer with an Internet connection, LicenseManager lets you add available
product licenses to, or remove them from, a dongle.
To move a product license from one dongle to another dongle, first remove the product
license from the first dongle. You must release that dongle, and connect the second dongle
before continuing. When the second dongle is connected and recognized by Windows and
LicenseManager, click on the Licenses tab to add the product license to the second
dongle.

Removing a License
To remove (unassociate, or unbind) a product license
1. From the Licenses tab, mark the program license to remove.
This action activates the Remove License button below the Program list box.

2. Click Remove License to connect your machine to the AccessData License Server
through the internet.
3. When you are prompted to confirm the removal of the selected license(s) from the
device, click Yes to continue, or No to cancel.
FIGURE A-21 LicenseManager Confirm License Release
4. Several screens appear indicating the connection and activity on the License Server,
and when the license removal is complete, the following screen appears.
FIGURE A-22 LicenseManager Packet Update Successful
5. Click OK to close the message box.

Another internet browser screen appears from LicenseManager with a message that
says, “The removal of your license(s) from Security Device was successful!” You may
close this box at any time.

Adding a License
To add a new or released license
1. From the Licenses tab, under Browser Options, click Add Existing License.
The AccessData LicenseManager Web page opens, listing the licenses currently
bound to the connected security device, and below that list, you will see the licenses
that currently are not bound to any security device. Mark the box in the Bind column for
the product you wish to add to the connected device, then click Submit.
2. An AccessData LicenseManager Web page will open, displaying the following
message: “The AccessData product(s) that you selected has been bound to the record
for Security Device nnnnnnn within the Security Device Database.
Please run LicenseManager’s ‘Refresh Device’ feature in order to complete the
process of binding these product license(s) to this Security Device.” You may close this
window at any time.

FIGURE A-23 LicenseManager: Associate Successful?

3. Click Yes if LicenseManager prompts, “Were you able to associate a new product with
this device?”
4. Click Refresh Device in the Licenses tab of LicenseManager. Click Yes when
prompted.

FIGURE A-24 LicenseManager: Continue Updating Security Device?

You will see the newly added license in the License Options list.

Adding and Removing Product Licenses Remotely
While LicenseManager requires an Internet connection to use some features, you can add
or remove licenses from a dongle packet file for a dongle that resides on a computer, such
as a forensic lab computer, that does not have an Internet connection.
If you cannot connect to the Internet, the easiest way to move licenses from one dongle to
another is to physically move the dongle to a computer with an Internet connection, add or
remove product licenses as necessary using LicenseManager, and then physically move
the dongle back to the original computer. However, if you cannot move the dongle—due to
organization policies or a need for forensic soundness—then transfer the packet files and
update files remotely.

Adding a License Remotely
To remotely add (associate or bind) a product license
1. On the computer where the security device resides:
1a. Run LicenseManager.
1b. From the Licenses tab, click Reload from Device to read the dongle license
information.
1c. Click Save to File to save the dongle packet file to the local machine.
2. Copy the dongle packet file to a computer with an Internet connection.
3. On the computer with an Internet connection:
3a. Remove any attached security device.
3b. Launch LicenseManager. You will see a notification, “No security device found”.
3c. Click OK.
3d. An “Open” dialog box will display. Highlight the .PKT file, and click Open.
3e. Click on the Licenses tab.
3f. Click Add Existing License.
3g. Complete the process to add a product license on the Website page.
3h. Click Yes when the LicenseManager prompts, “Were you able to associate a new
product with this dongle?”
3i. When LicenseManager does not detect a dongle or the serial number of the
dongle does not match the serial number in the dongle packet file, you are
prompted to save the update file, [serial#].wibuCmRaU.
3j. Save the update file to the local machine.
4. After the update file is downloaded, copy the update file to the computer where the
dongle resides.
5. On the computer where the dongle resides:
5a. Run the update file by double-clicking it. ([serial#].wibuCmRaU is an executable
file.)
5b. After an update file downloads and installs, click OK.
5c. Run LicenseManager.
5d. From the Licenses tab, click Reload from Device to verify the product license has
been added to the dongle.

Removing a License Remotely
To remotely remove (unassociate, or unbind) a product license
1. On the computer where the dongle resides:
1a. Run LicenseManager.
1b. From the Licenses tab, click Reload from Device to read the dongle license
information.
1c. Click Save to File to save the dongle packet file to the local machine.
2. Copy the file to a computer with an Internet connection.
3. On the computer with an Internet connection:
3a. Launch LicenseManager. You will see a notification, “No security device found”.
3b. Click OK.
3c. An “Open” dialog box will display. Highlight the .PKT file, and click Open.
3d. Click on the Licenses tab.
3e. Mark the box for the product license you want to unassociate; then click Remove
License.
3f. When prompted to confirm the removal of the selected license from the dongle,
click Yes.
3g. When LicenseManager does not detect a dongle or the serial number of the
dongle does not match the serial number in the dongle packet file, you are
prompted to save the update file.
3h. Click Yes to save the update file to the local computer.
3i. The Step 1 of 2 dialog details how to use the dongle packet file to remove the
license from a dongle on another computer.
3j. Save the update file to the local machine.
4. After the update file is downloaded, copy the update file to the computer where the
dongle resides.
5. On the computer where the dongle resides:
5a. Run the update file by double-clicking it. This runs the executable update file and
copies the new information to the security device.
5b. Run LicenseManager.
5c. On the Licenses tab, click Reload from Device in LicenseManager to read the
security device and allow you to verify the product license is removed from the
dongle.
5d. Click Save to File to save the updated dongle packet file to the local machine.
6. Copy the file to a computer with an Internet connection.
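
Both remote procedures above end with an executable update file being carried onto the offline lab machine and run there. As an added example (not part of the AccessData guide or tooling), the PowerShell functions below record SHA-256 hashes of the packet and update files before transfer and check them on arrival; the function names, manifest file name, CSV layout and sample folder path are assumptions, and Get-FileHash requires PowerShell 4.0 or later.

```powershell
# Added example, not AccessData code. Assumed names: Get-LicenseTransferFile,
# New-TransferManifest, Test-TransferManifest, transfer-manifest.csv.
# File types the guide moves between machines (.PKT, .wibuCmRaU, .WibuCmRaC).
$LicenseFileExtensions = '.pkt', '.wibucmrau', '.wibucmrac'

function Get-LicenseTransferFile {
    param([Parameter(Mandatory)][string]$Folder)
    Get-ChildItem -LiteralPath $Folder -File |
        Where-Object { $LicenseFileExtensions -contains $_.Extension.ToLowerInvariant() }
}

function New-TransferManifest {
    # Run on the sending machine, after saving the file and before copying it.
    param(
        [Parameter(Mandatory)][string]$Folder,
        [string]$ManifestName = 'transfer-manifest.csv'
    )
    $files = @(Get-LicenseTransferFile -Folder $Folder)
    if ($files.Count -eq 0) { throw "No packet or update files found in $Folder" }

    $rows = foreach ($f in $files) {
        [pscustomobject]@{
            Name   = $f.Name
            Length = $f.Length
            SHA256 = (Get-FileHash -LiteralPath $f.FullName -Algorithm SHA256).Hash
        }
    }
    $manifest = Join-Path $Folder $ManifestName
    $rows | Export-Csv -LiteralPath $manifest -NoTypeInformation -Encoding UTF8
    return $manifest
}

function Test-TransferManifest {
    # Run on the receiving machine before double-clicking the update file.
    param(
        [Parameter(Mandatory)][string]$Folder,
        [string]$ManifestName = 'transfer-manifest.csv'
    )
    $expected = @(Import-Csv -LiteralPath (Join-Path $Folder $ManifestName))
    $results = foreach ($row in $expected) {
        $path = Join-Path $Folder $row.Name
        if (-not (Test-Path -LiteralPath $path -PathType Leaf)) {
            $status = 'MISSING'
        } elseif ((Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash -ne $row.SHA256) {
            $status = 'MISMATCH'
        } else {
            $status = 'OK'
        }
        [pscustomobject]@{ Name = $row.Name; Status = $status }
    }
    # A license file that is present but not listed was not part of the
    # set recorded on the sending machine.
    $listed = @($expected | ForEach-Object { $_.Name })
    $extra = foreach ($f in (Get-LicenseTransferFile -Folder $Folder)) {
        if ($listed -notcontains $f.Name) {
            [pscustomobject]@{ Name = $f.Name; Status = 'UNLISTED' }
        }
    }
    return @($results) + @($extra)
}

# Sending machine (constructed path):
#   New-TransferManifest -Folder 'E:\license-transfer'
# Receiving machine; run the update file only if every row reads OK:
#   Test-TransferManifest -Folder 'E:\license-transfer' | Format-Table
```

A manifest stored beside the files detects corruption in transit but not deliberate replacement of both, so record the manifest's own hash separately, for example in the case notes.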

Updating Products
You can use LicenseManager to check for product updates and download the latest
product versions.

Checking for Product Updates
To check for product updates, on the Installed Components tab, click Newest. This
refreshes the list to display what version you have installed, and the newest version
available.

Downloading Product Updates
To install the newest version, mark the box next to the product to install, then click Install
Newest.
Note: Some products, such as FTK 2.x, Enterprise, and others, are too large to download,
and are not available. A notification displays if this is the case.

To download a product update
1. Ensure that LicenseManager displays the latest product information by clicking the
Installed Components tab. Click Newest to refresh the list showing the latest releases,
then compare your installed version to the latest release.
If the latest release is newer than your installed version, you may be able to install the
latest release from the AccessData website.

2. Ensure that the program you want to install is not running.
3. Mark the box next to the program you want to download; then click Install Newest.
4. When prompted, click Yes to download the latest install version of the product.
4a. If installing the update on a remote computer, copy the product update file to
another computer.
5. Install the product update. You may need to restart your computer after the update is
installed.

Purchasing Product Licenses
Use LicenseManager to link to the AccessData website to find information about all our
products.
Purchase product licenses through your AccessData Sales Representative. Call
801-377-5410 and follow the prompt for Sales, or send an email to sales@accessdata.com.
Note: Once a product has been purchased and appears in the AccessData License
Server, add the product license to a CodeMeter Stick, dongle, or security device
packet file by clicking Refresh Device.

Sending a Dongle Packet File to Support
Send a security device packet file only when specifically directed to do so by AccessData
support.

To create a dongle packet file
1. Run LicenseManager.
2. Click on the Licenses tab.
3. Click Load from Device.
4. Click Refresh Device if you need to get the latest info from AD’s license server.
5. Click Save to File, and note or specify the location for the saved file.
6. Attach the dongle packet file to an e-mail and send it to:
support@accessdata.com.

Virtual CodeMeter Activation Guide
Introduction
A Virtual CodeMeter (VCM) allows the user to run licensed AccessData products without a
physical CodeMeter device. A VCM can be created using AccessData License Manager,
but requires the user to enter a Confirmation Code during the creation process.
The latest revision of this guide can be found at:
http://accessdata.com/downloads/media/VCM_Activation_Guide.pdf

Preparation
Contact your AccessData sales rep to order a VCM confirmation code.
Install CodeMeter Runtime 4.10b or newer (available on the AccessData download
page).
Install the latest release of License Manager (available on the AccessData download
page).

The following steps are to be run on the system where you want to permanently attach
the VCM.
Note: Once created, the VCM cannot be moved to any other system.
AD LAB WebUI and eDiscovery administrators, please also follow the steps outlined
in Additional Instructions for AD LAB WebUI and eDiscovery (page 77) in order to
enable VCM licensing on the AccessData License Service.

Setup for Online Systems
To set up a Virtual CodeMeter
1. Unplug any AccessData dongles you currently have connected.
2. Launch License Manager.
Note: When creating a VCM on Windows Server 2003 or 2008, please refer to the
special set of steps written for those platforms. See Creating a Virtual CM-Stick
with Server 2003/2008 Enterprise Editions (page 75).
3. Select Create A Local Virtual CMStick.
FIGURE A-25 Virtual CodeMeter Setup: Create a Local Virtual CmStick

4. Click OK.
The Confirmation Code Required dialog appears.

FIGURE A-26 Virtual CodeMeter Setup: Confirmation Code Required

5. Enter your confirmation code.
6. Click OK. AccessData License Manager will automatically synchronize with the
License Server over the Internet.
7. Click OK when the update completes. License Manager will then create the VCM on
your system.
8. At this point, AccessData License Manager displays a serial number for the VCM
on the Licenses tab and the VCM can now operate in a similar way to a hardware
CodeMeter device.

Setting up VCM for Offline Systems
You can set up a Virtual CodeMeter on a system that is not connected to the internet
(offline). You must also have one machine that connects to the internet to perform certain
steps. This section details what to do on which machine.

Perform these steps on the Online system
1. Unplug any AccessData dongles you currently have connected.
2. Launch License Manager.
Note: When creating a VCM on Windows Server 2003 or 2008 Enterprise Edition,
please refer to the special set of steps written for those platforms. See Creating a
Virtual CM-Stick with Server 2003/2008 Enterprise Editions (page 75).

3. Select Create Empty Virtual CMStick (offline).
FIGURE A-27 Virtual CodeMeter Setup: Create Empty Virtual CMStick (offline)
4. Click OK.
5. The resulting dialog prompts you to save the *.wibucmrau file. Enter a name and path
for the file, then click Save.
6. Transfer the *.wibucmrau to the Online system.

Perform these steps on the Online system
7. Unplug any AccessData dongles you currently have connected.
8. Launch License Manager.
9. Select Create Activation File (online).
FIGURE A-28 Virtual CodeMeter Setup: Create Activation File (online)

10. Click OK.
The Confirmation Code Required dialog appears.

11. Enter your confirmation code and click OK.
12. AccessData License Manager will automatically synchronize with the License Server
over the internet. Data synchronized from the server will be written to the
*.wibucmrau file. Click OK when the update completes.
13. Transfer *.wibucmrau back to the offline system.

Perform these steps on the Offline system
14. Unplug any AccessData dongles you currently have connected.
15. Launch License Manager.
16. Select Create Activate Virtual CMStick (offline).
FIGURE A-29 Virtual CodeMeter Setup: Activate Virtual CMStick (offline)

17. Click OK.
18. The resulting dialog prompts you to browse to the location of the newly updated
*.wibucmrau file. Locate the file, then click Open. License Manager creates the VCM
on your system.
19. At this point, AccessData License Manager should now display a serial number for
the VCM on the "Licenses" tab and the VCM can now operate in a similar way to a
hardware CodeMeter device.

Creating a Virtual CM-Stick with Server 2003/2008 Enterprise Editions
This section contains special instructions for using a VCM with Windows Server 2003 or
2008 Enterprise Editions. Complete each section in order.

To Create an Empty CodeMeter License Container
1. On the Server 2003/2008 machine, unplug any CodeMeter devices.
2. Open the CodeMeter Control Center. Make sure the window on the License tab is
empty, indicating that no licenses are currently loaded.
3. Select File > Import License.
4. Browse to the License Manager program files directory.
32 bit systems: C:\Program Files\AccessData\LicenseManager\
64 bit systems: C:\Program Files (x86)\AccessData\LicenseManager\

5. Highlight the TemplateDisc5010.wbb file, then click Import.
6. Click the Activate License button.
7. When the CmFAS Assistant opens, click Next.
8. Select Create license request, and click Next.
9. Confirm the desired directory and filename to save .WibuCmRaC. (Example:
Test1.WibuCmRaC)
10. Click Commit.
11. Click Finish.

To Copy to another machine
1. Copy the new .WibuCmRaC to another machine that is not running Windows Server
2003/2008 Enterprise.
Note: The destination system must have an active internet connection.
2. Unplug any AccessData dongles you currently have connected.
3. Launch License Manager.
4. Select Create Activation File (online).

FIGURE A-30 Virtual CodeMeter Setup: Create Activation File (online)

5. Click OK.
6. In the Confirmation Code Required dialog, enter your confirmation code and click OK.
7. AccessData License Manager will automatically synchronize with the License Server
over the internet. Data synchronized from the server will be written to the
*.wibucmrau file. Click OK when the update completes.

To Finish the activation on the Windows Server 2003/2008 Enterprise system
1. Copy the activated .WibuCmRaC file to the Server 2003/2008 machine.
2. On the Server 2003/2008 machine, unplug any CodeMeter devices.
3. Open the CodeMeter Control Center. Make sure the window on the License tab is
empty, indicating that no licenses are currently loaded.
4. Select File > Import License.
5. Browse to the location where the activated .WibuCmRaC is stored. Click Import.
6. AccessData License Manager now displays a serial number for the VCM on the
Licenses tab and the VCM can now operate in a similar way to a hardware CodeMeter
device.

Additional Instructions for AD LAB WebUI and eDiscovery
This section provides additional information for enabling the Web User Interface to
recognize a VCM.

To enable AD Lab WebUI and eDiscovery to use VCM
1. Open Registry Editor.
2. Navigate to the following key:
HKEY_LOCAL_MACHINE\SOFTWARE\AccessData\Products
3. Add the following DWORD registry string to the key and set the value to 1:
HKEY_LOCAL_MACHINE\SOFTWARE\AccessData\Products | EnableACTTest
FIGURE A-31 Registry Editor: Add a DWORD String

FIGURE A-32 Registry Editor: Add a DWORD Value

The AccessData License Service will know to expect a VCM when EnableACTTest is set to
"1."

Virtual CodeMeter FAQs
Q: How do I get a Virtual CodeMeter (VCM)?
A: Contact your AccessData product sales representative. They will provide you with a
VCM confirmation code.
Q: How do VCMs work?
A: A VCM operates in almost exactly the same way as a hardware CodeMeter device,
except that it exists as a file stored on the hard disk. During activation, the VCM file
(named with a WBB extension) is tied to the hardware of the system using unique
hardware identifiers. Those unique identifiers make VCMs non-portable. When
AccessData License Manager is launched, it will automatically load the VCM and display
its license information. From there, you can refresh, remove, add existing licenses, etc.,
just the same as you would with a hardware security device.

Q: Are VCMs supported on virtual machines (VM)?
A: No. Due to the fact that virtual machines are portable and VCMs are not, VCMs are not
supported on virtual machines. Currently it is recommended to use AccessData Network
License Service (NLS) to license systems running as virtual machines.
Q: Does the AccessData Network License Service (NLS) support VCMs?
A: The current release of NLS does not support using VCM as a network dongle.
AccessData is considering this support for a future release.
Q: How can I “unplug” a VCM?
A: If you want to prevent License Manager from automatically loading the VCM you can
"unplug" it by stopping the CodeMeter Runtime Service server and then moving (cut and
paste) the WBB file to a new location (renaming the file does not suffice). By default the
WBB file is located at:
32 bit systems: C:\Program Files\CodeMeter\CmAct\
64 bit systems: C:\Program Files (x86)\CodeMeter\CmAct\
Q: I have activated a VCM on my system, but now I need to activate it on a different
system. What should I do?
A: Since a VCM is uniquely tied to the system on which it is activated, it cannot be moved
to any other system. If you need to activate a VCM on a different system, you need to
contact your AccessData Sales Representative.
Q: What if I need to reinstall Windows, format my drive, change my system's hardware, or
back up my VCM in case of a disaster? Will the VCM still work?
A: The VCM can be backed up by simply copying the WBB file to a safe location. It can be
restored by copying the WBB file to the CmAct folder. The VCM cannot be restored
without a WBB file. If you do not have a backup of your WBB file, you will need to get a
new confirmation code from your AccessData Sales Representative.
Q: My AccessData product does not seem to recognize the license stored on a VCM.
What am I doing wrong?
A: VCMs are supported by the following versions of AccessData products:
FTK 1.81.6 and newer
FTK 3.1.0 and newer
PRTK 6.5.0 and newer
DNA 3.5.0 and newer
RV 1.6.0 and newer
eDiscovery 3.1.2 and newer
AD Lab 3.1.2 and newer
AD Enterprise 3.1.0 and newer
MPE+ 4.0.0.1 and newer
Ensure that the version of the product you are running supports VCMs. If the version you
are running is listed as supported, verify that according to License Manager, the release
date of the version you are running falls before the expiration date of the license.

Network License Server (NLS) Setup Guide
Introduction
This section discusses the installation steps and configuration notes needed to
successfully set up an AccessData Network License Server (NLS).
Note: Click on this link to access the latest version of this guide:
Network License Server (NLS) Setup Guide.

Preparation Notes
CodeMeter Runtime 3.30a or newer must be installed on all Client and Server systems.
AccessData License Manager must be used to prepare the network dongle. The system
running License Manager must have internet access and have CodeMeter Runtime
installed.
The current release of NLS supports the following versions of Windows:
Windows XP 32/64 bit
Windows Server 2003 32/64 bit
Windows Vista 32/64 bit
Windows Server 2008 R1 32/64 bit
Windows 7 32/64 bit
Windows Server 2008 R2 64 bit

Setup Overview
To set up NLS
1. Download the latest release of NLS located in the utilities section of the AccessData
download page.
2. Extract contents of ZIP to a folder of your choice.
3. On the NLS server system, run through the NLS Installation MSI and accept all
defaults.
4. Prepare network dongle:
4a. Provide the serial number to AD Support and request to have the “Network
Dongle Flag” applied.
4b. Migrate any additional licenses to the network dongle.
4c. Refresh the network dongle device using AccessData License Manager.
5. Launch the AccessData product on the NLS client system.
6. Enter the NLS server configuration information:
IP address or hostname of NLS server system
Port 6921
7. Click OK.
If you encounter any problems, please read the notes below for troubleshooting
information.

Network Dongle Notes
AccessData License Manager 2.2.6 or newer should be installed in order to manage
licenses on the network dongle.

Network dongles can hold up to 120 physical licenses. Each license has a capacity to
hold thousands of sub licenses (i.e. Client count or worker count).
Contact AccessData Technical Support to have your CodeMeter device flagged as a
Network Dongle (required for NLS).

NLS Server System Notes
Make sure the CodeMeter device is flagged as Network Dongle (i.e. License Manager
will show the serial as "1181234N"). To have this flag set on your CodeMeter device,
please contact AccessData Technical Support.
Server system must be configured to allow incoming and outgoing traffic on TCP port
6921.
A web interface to view and revoke all licenses is accessible at
http://localhost:5555
This page can be reached only from a web browser running locally on the NLS server
system.
A Network Dongle cannot be used to run AccessData products locally unless the NLS
server is running locally.
Some versions of Windows may not find a local NLS server when the DNS hostname of
the server is provided. In those cases, it is recommended to use a static IP address.
When using the NLS across domains, users must have permissions to access
resources on both domains (either by dual-domain membership or cross-domain trust).
When running NLS on Windows Server 2008, Terminal Services must be installed and
accepting connections. If Terminal Services is not configured it will not open the port
and share out the licenses correctly.
The name of the service according to Windows is “AccessData Network License
Service.”

NLS Client System Notes
When launched, any NLS client application that needs to lease a license from the NLS
server will automatically check for the following values within the Windows Registry.

FIGURE A-33 Windows Registry Editor: AccessData NetDonglePath Key

NetDonglePath: The IP address or DNS hostname of the system hosting the
Network License Server service, which is found in the following registry key on the
client system:
HKEY_LOCAL_MACHINE\SOFTWARE\AccessData\Products\Common

NetDonglePort: The TCP port number that the client and server systems
have been configured to use. This value is located in the same key as
NetDonglePath.

uniqueId: In order to lease a license from the server, the client system must first
possess a unique identification value. This value is automatically generated by
applications such as FTK 3, PRTK, or DNA. (Registry Viewer and FTK 1.x cannot
be used to set up the initial client NLS configuration at this time.)
You can find each client system's uniqueId by inspecting the following registry
key: HKEY_LOCAL_MACHINE\SOFTWARE\AccessData\Shared
The Client system must be configured to allow all incoming and outgoing traffic on TCP
port 6921.
The following products support the ability to lease a license from a NLS server:
FTK 2.2.1 and newer
FTK 1.81.2 and newer
FTK Pro 3.2 and newer
PRTK 6.4.2 and newer
DNA 3.4.2 and newer
Registry Viewer 1.5.4 and newer
AD Enterprise 3.0.3 and newer
AD Lab 3.0.4 and newer
AD Lab Lite 3.1.2 and previous
Mobile Phone Examiner 3.0 and newer
Explicit Image Detection (EID) Add-on
Glyph Add-on
Use AccessData License Manager (ver. 2.2.4 or newer) to migrate licenses off other
devices and onto a network device.
When running AccessData products on Windows Vista, 7, or Server 2008 you must
choose Run as administrator at least once in order to lease a license from a NLS
server.
If the NLS client application is having trouble leasing a license from the NLS
server, AccessData recommends that you reset the licensing configuration to default.
To reset the licensing configuration, delete and recreate the NLS registry key located at:
HKEY_LOCAL_MACHINE\SOFTWARE\AccessData\Products\Common
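
The client-side values and the reset step described above can be checked from PowerShell before anything is deleted. This is an added example, not AccessData code: it reads the NetDonglePath, NetDonglePort and uniqueId values the guide names, tests TCP reachability of the server, and exports the Common key as a backup. The function names, the Wow6432Node fallback, the connect timeout and the backup file name are assumptions.

```powershell
# Added example, not AccessData code. Assumptions: function names, the
# Wow6432Node fallback, and the 3-second connect timeout.
$NlsPort = 6921   # TCP port stated in the guide

function Get-NlsRegistryValue {
    param(
        [Parameter(Mandatory)][string]$SubKey,   # key path below HKLM:\SOFTWARE
        [Parameter(Mandatory)][string]$Name
    )
    # The guide gives the native path only; 32-bit products on 64-bit Windows
    # may be redirected to Wow6432Node, so both views are checked (assumption).
    foreach ($root in 'HKLM:\SOFTWARE', 'HKLM:\SOFTWARE\Wow6432Node') {
        $key  = Join-Path $root $SubKey
        $item = Get-ItemProperty -Path $key -Name $Name -ErrorAction SilentlyContinue
        if ($null -ne $item) {
            return [pscustomobject]@{ Key = $key; Value = $item.$Name }
        }
    }
    return $null
}

function Test-TcpPort {
    param([string]$HostName, [int]$Port, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $pending = $client.BeginConnect($HostName, $Port, $null, $null)
        if (-not $pending.AsyncWaitHandle.WaitOne($TimeoutMs)) { return $false }
        $client.EndConnect($pending)
        return $client.Connected
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

function Get-NlsClientStatus {
    $common   = 'AccessData\Products\Common'
    $server   = Get-NlsRegistryValue -SubKey $common -Name 'NetDonglePath'
    $port     = Get-NlsRegistryValue -SubKey $common -Name 'NetDonglePort'
    $uniqueId = Get-NlsRegistryValue -SubKey 'AccessData\Shared' -Name 'uniqueId'
    $findings = New-Object System.Collections.Generic.List[string]

    if (-not $uniqueId) {
        $findings.Add('uniqueId is missing; the guide says FTK 3, PRTK or DNA generates it.')
    }

    $portNumber = $NlsPort
    if (-not $port) {
        $findings.Add('NetDonglePort is not set.')
    } else {
        $parsed = $port.Value -as [int]
        if ($null -eq $parsed) {
            $findings.Add("NetDonglePort '$($port.Value)' is not a number.")
        } else {
            $portNumber = $parsed
            if ($parsed -ne $NlsPort) {
                $findings.Add("NetDonglePort is $parsed; the guide specifies $NlsPort.")
            }
        }
    }

    $reachable = $null
    if ($server -and $server.Value) {
        $reachable = Test-TcpPort -HostName ([string]$server.Value) -Port $portNumber
        if (-not $reachable) {
            $findings.Add("No TCP connection to $($server.Value):$portNumber; check both firewalls.")
            $ip = $null
            if (-not [System.Net.IPAddress]::TryParse([string]$server.Value, [ref]$ip)) {
                $findings.Add('NetDonglePath is a hostname; the guide recommends a static IP address.')
            }
        }
    } else {
        $findings.Add('NetDonglePath is not set.')
    }

    [pscustomobject]@{
        NetDonglePath = if ($server) { $server.Value } else { $null }
        Port          = $portNumber
        HasUniqueId   = [bool]$uniqueId
        Reachable     = $reachable
        Findings      = $findings.ToArray()
    }
}

function Export-NlsClientKey {
    # Back up the key before the delete-and-recreate reset the guide describes.
    param([Parameter(Mandatory)][string]$Destination)
    & reg.exe export 'HKLM\SOFTWARE\AccessData\Products\Common' $Destination /y | Out-Null
    return ($LASTEXITCODE -eq 0)
}

# Get-NlsClientStatus | Format-List
# Export-NlsClientKey -Destination "$env:TEMP\nls-common-backup.reg"
```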
