F-Response Alternative?

BattleSpeed
(@battlespeed)
Posts: 36
Eminent Member
Topic starter
 

I need to perform a stealth HD acquisition via network (local subnet) and no way I can use anything requiring dongles like F-Response (even on examiner machine), nor am I $$$$loaded for the Enterprise version price anyway.

My first with this type of situation (yes, I intend to practice first!), so any ideas mucho appreciatissimo!

(Don't care Linux, Windows exam platform. Target is Windows.)

 
Posted : 16/12/2010 11:19 am
(@jonathan)
Posts: 878
Prominent Member
 

Do you have access to FTK 3? It has the same stealth network capability as F-Response; presumably you've got an account with admin rights on the target machine?

 
Posted : 16/12/2010 4:55 pm
(@patrick4n6)
Posts: 650
Honorable Member
 

To be fair, FTK3 is not exactly stealthy in the sense most people think of it. The default agent is quite obvious, and although you can configure it to be less obvious, there's still a bit of a footprint. (I just watched AD demo the Enterprise product for the past 3 days.)

I'd make a suggestion, but you've already ruled out the enterprise products.

 
Posted : 17/12/2010 5:23 am
BattleSpeed
(@battlespeed)
Posts: 36
Eminent Member
Topic starter
 

Thanks, Jonathan - no FTK, but I'd heard the same as Patrick reports anyway (i.e., not that stealthy). I am obliged to be *very* stealthy in this situation.

Patrick - I'd appreciate your suggestion anyway if you wouldn't mind, especially if it doesn't use those blasted dongles. One utterly miserable (and very expensive) experience with dongles was enough to get them banned from our company altogether. In fact, I'd have to check the actual written policy, but I believe even mentioning the word is grounds for dismissal.

 
Posted : 17/12/2010 5:44 am
(@patrick4n6)
Posts: 650
Honorable Member
 

Well we haven't done our PoC with it yet, but I'm informed that EnCase Enterprise's agent is significantly more stealthy. We're doing our PoC next month so I'll know for sure after that. Of course, it does use a dongle, another reason why I didn't mention it. Plus if you can't afford F-Response, you absolutely can't afford a Guidance product. I know this doesn't help you, but you asked me to respond anyway.

 
Posted : 17/12/2010 7:44 am
(@rarosalion)
Posts: 28
Eminent Member
 

Depending on what remote access you have to the machine, and what virus protection may be in place, what about pushing netcat+dd to the machine?

 
Posted : 17/12/2010 9:20 am
(@dficsi)
Posts: 283
Reputable Member
 

In my experience there's a reason that enterprise products are so expensive - because they work.

You can create the same effect for cheap/free but doing it stealthily is going to be difficult.

Best bet - psexec, netcat, and dd for windows.

I think there is a lesson to be learned in situations such as this, we as forensic examiners often take on jobs in areas where we lack either the tools or the appropriate experience to do a complete or effective job. I'm all for people getting experience and increasing their knowledge but taking on work where you don't know what you're doing is risky to you, your employers, and your clients.

 
Posted : 17/12/2010 2:19 pm
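The examiner side of the dd + netcat chain that rarosalion and dficsi suggest, written here as an added example (not code from the thread or any vendor): the received stream is hashed in flight so the digest covers exactly the bytes written, and the offline form re-reads the source to verify. It assumes coreutils dd/tee/sha256sum (shasum fallback) and a netcat that accepts -l -p; the dd-for-Windows sender syntax in the comment is an assumption.

```shell
#!/usr/bin/env bash
# Examiner-side helpers for a dd + netcat acquisition. Added example, not code
# from the thread. Assumes coreutils dd/tee and sha256sum (shasum fallback);
# the netcat flags are an assumption, since nc builds differ.
set -u

sha256_stream() {   # hash stdin, print the hex digest only
    if command -v sha256sum >/dev/null 2>&1; then sha256sum; else shasum -a 256; fi | cut -d' ' -f1
}
sha256_of() { sha256_stream < "$1"; }

# Image SRC (device or file) into DEST with dd, hashing the stream in flight,
# then re-hash SRC and compare. Returns 0 on a match, 1 otherwise.
# bs=512 matches the sector size on purpose: conv=noerror,sync keeps reading
# past bad sectors but zero-pads every short block up to bs, so a larger bs
# would pad the image tail and the comparison below would fail on a clean read.
# dd's stderr is kept in DEST.dd.log as part of the acquisition record.
acquire_and_verify() {
    local src="$1" dest="$2"
    dd if="$src" bs=512 conv=noerror,sync 2>"$dest.dd.log" \
        | tee "$dest" | sha256_stream > "$dest.sha256"
    [ "$(cat "$dest.sha256")" = "$(sha256_of "$src")" ]
}

# The same pipeline split over the network: examiner listens, target sends.
# Target side (dd for Windows + netcat; assumed syntax, not from the thread):
#   dd if=\\.\PhysicalDrive0 bs=512 conv=noerror,sync | nc EXAMINER_IP PORT
# The digest of what was actually received lands in DEST.sha256.
receive_image() {
    local port="$1" dest="$2"
    nc -l -p "$port" | tee "$dest" | sha256_stream > "$dest.sha256"
}
```

On a live target the drive keeps changing underneath the read, so the recorded stream hash documents what was received rather than matching a second read of the disk.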
(@dficsi)
Posts: 283
Reputable Member
 

And personally I think dongle based software is fine. Sadly, even in this field, there are people that use pirated software to conduct investigations. Just because software uses a dongle doesn't mean that it is evil. F-Response is still one of the best pieces of software on the market and, even though some may consider it expensive, is still the cheapest solution on the market for such investigations.

 
Posted : 17/12/2010 2:22 pm
(@jelle)
Posts: 52
Trusted Member
 

You probably considered this - but just to be sure isn't there any way to covertly image the machine in a 'traditional' way, for example by doing it overnight or by faking some maintenance activity by IT for which the machine has to be handed in?

On F-Response note that the Consultant edition does require a dongle, but only at the Analyst machine and not at the Target machine. Assuming you can stealthily start the agent on the Target machine, this might be a solution?

Alternatively, if you can arrange remote access via VNC/RDP or some other tool (assuming this is some sort of corporate situation, the helpdesk will likely use something like this anyway), you could use that to start FTK Imager Lite on the target machine and image to a network share somewhere (of course, this would have to be done at a moment when the user is not there - but then again, if there is such a moment you might just as well remove the machine for a couple of hours and image it at another location).

 
Posted : 17/12/2010 2:53 pm
BattleSpeed
(@battlespeed)
Posts: 36
Eminent Member
Topic starter
 

> Best bet - psexec, netcat, and dd for windows.
>
> I think there is a lesson to be learned in situations such as this, we as forensic examiners often take on jobs in areas where we lack either the tools or the appropriate experience to do a complete or effective job. I'm all for people getting experience and increasing their knowledge but taking on work where you don't know what you're doing is risky to you, your employers, and your clients.

Thanks for your comment. I think you are making more of my "first experience" comment than I intended. It's the situation that's unique.

 
Posted : 17/12/2010 8:25 pm