F-Response Alternative?


DFICSI
Senior Member

Re: F-Response Alternative?

Posted: Dec 17, 10 14:22

And personally I think dongle based software is fine. Sadly, even in this field, there are people that use pirated software to conduct investigations. Just because software uses a dongle doesn't mean that it is evil. F-Response is still one of the best pieces of software on the market and, even though some may consider it expensive, is still the cheapest solution on the market for such investigations.
_________________
The views expressed by me do not reflect on my employer or the quality of work I produce ;)
www.forensic4cast.com


jelle
Senior Member

Re: F-Response Alternative?

Posted: Dec 17, 10 14:53

You probably considered this - but just to be sure: isn't there any way to covertly image the machine in a 'traditional' way, for example by doing it overnight or by faking some maintenance activity by IT for which the machine has to be handed in?

On F-Response: note that the Consultant edition does require a dongle, but only at the Analyst machine and not at the Target machine. Assuming you can stealthily start the agent on the Target machine, this might be a solution?

Alternatively, if you can arrange remote access via VNC/RDP or some other tool (assuming this is some sort of corporate situation, the helpdesk will likely use something like this anyway), you could use that to start FTK Imager Lite on the target machine and image to a network share somewhere (of course, this would have to be done at a moment when the user is not there - but then again, if there is such a moment you might just as well remove the machine for a couple of hours and image it at another location).


BattleSpeed
Member

Re: F-Response Alternative?

Posted: Dec 17, 10 20:25

- DFICSI
Best bet - psexec, netcat, and dd for windows.

I think there is a lesson to be learned in situations such as this, we as forensic examiners often take on jobs in areas where we lack either the tools or the appropriate experience to do a complete or effective job. I'm all for people getting experience and increasing their knowledge but taking on work where you don't know what you're doing is risky to you, your employers, and your clients.

Thanks for your comment. I think you are making more of my "first experience" comment than I intended. It's the situation that's unique.


BattleSpeed
Member

Re: F-Response Alternative?

Posted: Dec 17, 10 20:28

- jelle
You probably considered this - but just to be sure: isn't there any way to covertly image the machine in a 'traditional' way, for example by doing it overnight or by faking some maintenance activity by IT for which the machine has to be handed in?

On F-Response: note that the Consultant edition does require a dongle, but only at the Analyst machine and not at the Target machine. Assuming you can stealthily start the agent on the Target machine, this might be a solution?

Alternatively, if you can arrange remote access via VNC/RDP or some other tool (assuming this is some sort of corporate situation, the helpdesk will likely use something like this anyway), you could use that to start FTK Imager Lite on the target machine and image to a network share somewhere (of course, this would have to be done at a moment when the user is not there - but then again, if there is such a moment you might just as well remove the machine for a couple of hours and image it at another location).

To be a bit less obtuse, we're dealing with an IT manager and a laptop that goes everywhere with him when not at the facility. We've not been able to invent any scenarios that would not rouse suspicion and the concern is increased by the possibility of another IT employee's participation in the adverse activity.


brianH
Newbie

Re: F-Response Alternative?

Posted: Dec 17, 10 21:57

There seems to be a misunderstanding between the different AccessData agents (sorry). The agent FTK uses to support live remote device acquisition and mounting (physical device/logical volume/RAM) and the one with AccessData Enterprise are very different. They share underlying code; however, the FTK agent is a run-time agent (single exe), does not have an installer and has a tiny footprint. The FTK agent (part of FTK 3) which supports RDMS (Remote Device Mounting Services) is a standard part of FTK and does not require any additional purchase. It also has a default lifetime so you do not have to remember to kill it when you are done (which we call a dying agent). The AccessData Enterprise agent that has an installer and a more sizeable footprint supports a different set of capabilities and therefore has different requirements from an agent perspective (it has to be installed).

More information can be found here: accessdata.com/downloa...rvices.pdf. We also have a webinar at accessdata.com/resourc...y#webinars, "Live Remote Data Acquisition".

We also have a soft token for individuals that cannot support or do not want a physical dongle. No additional costs; it can be moved between machines.

Karney


jekyll
Senior Member

Re: F-Response Alternative?

Posted: Jan 12, 11 04:26

Another downside of dongles I came to appreciate recently is when I tried to image a server running on VMware ESXi (very common platform... right?). ESXi does not allow pass-through of USB devices from the host to guest OSes. I had F-Response Tactical there but was stuck because of the dev's copy protection requiring a dongle. More organisations are locking out USB, and when copy protection handicaps a product I have paid for, me not so happy. :(
_________________
Paul Pratley
Head of Investigations & Incident Response
MWR InfoSecurity


TonyC
Member

Re: F-Response Alternative?

Posted: Jan 12, 11 09:40

Battlespeed,

Take a look at ProDiscover IR from Technology Pathways (www.techpathways.com). With it you can remotely install an agent to any Windows system that you have admin credentials for. The agent has a default port and name but both can be changed to whatever you want.

I have used it many times to remotely image systems.

Oh yeah, I almost forgot, no dongle!!

TonyC

Page 2 of 3