
Remote Forensics Acquisition

5 Posts
4 Users
0 Likes
1,323 Views
(@davieboy27)
Posts: 9
Active Member
Topic starter
 

Hi,

Obviously using remote forensics gives you the ability to remotely acquire data from multiple Hosts and view this in your local location as a share for example.

Options

Now I have looked at a few options for remote acquisition and the one I like is the F-Response tool

https://www.f-response.com/software/univ It is fairly priced as well for the tasks it does.

Also I know Paraben do a good solution for remote forensics as well, but it is double the price.

My question is really does anyone know of any other options? Also a company informed me that they use open source tools for remote acquisition, are there any recommended free tools for this?

We have EnCase Forensic version currently. If you upgraded to EnCase Enterprise version and used the remote acquisition tool within this software, is it any good?

Thanks for any help,

David

 
Posted : 05/02/2015 8:20 pm
(@kmizota)
Posts: 4
New Member
 

Full disclosure: I work for Guidance Software.

Since you already have EnCase Forensic, you could try the "Direct Network Preview" tool. You can perform remote forensics on one endpoint at a time.

I wrote a blog post on this a while back describing how to use it.

It allows remote preview, full disk or logical acquisition as well as volatile data capture (running processes, open ports, live RAM dump, etc.). Hope this helps.

Regards,

Ken Mizota

 
Posted : 05/02/2015 9:13 pm
(@davieboy27)
Posts: 9
Active Member
Topic starter
 

Hi,

Thanks for the response.

The problem with the "Direct Network Preview" is, although it works well, don't you have to get the user to install the installer onto their laptop? I can't do that remotely?

If I am investigating someone I can't ask them to install the installer. Maybe I am wrong here?

Thanks for your help,

David

 
Posted : 05/02/2015 9:54 pm
UnallocatedClusters
(@unallocatedclusters)
Posts: 577
Honorable Member
 

Passmark's OSForensics may be worth looking at

http://www.osforensics.com/faqs-and-tutorials/imaging-a-network-location.html

 
Posted : 06/02/2015 4:17 am
(@kbertens)
Posts: 88
Trusted Member
 

David, you mentioned EnCase needs to set up an installer, but I assume every piece of software needs to be run on the suspect's computer.
You need some kind of access/rights to push a servlet. Same problem with F-Response or any other piece of software.

 
Posted : 06/02/2015 6:28 pm