F-Response Alternative?


BattleSpeed
Member
 

F-Response Alternative?

Posted: Dec 16, 10 12:19

I need to perform a stealth HD acquisition via network (local subnet) and no way I can use anything requiring dongles like F-Response (even on examiner machine), nor am I $$$$loaded for the Enterprise version price anyway.

My first with this type of situation (yes, I intend to practice first!), so any ideas mucho appreciatissimo!

(Don't care Linux, Windows exam platform. Target is Windows.)  
 
  

Jonathan
Senior Member
 

Re: F-Response Alternative?

Posted: Dec 16, 10 17:55

Do you have access to FTK 3 - it has the same stealth network capability as F-Response; presumably you've got an account with admin rights on the target machine?
_________________
Forensic Control
twitter.com/ForensicControl
St Bride Foundation, 14 Bride Lane, London, EC4Y 8EQ 
 
  

Patrick4n6
Senior Member
 

Re: F-Response Alternative?

Posted: Dec 17, 10 06:23

To be fair, FTK3 is not exactly stealthy in the sense most people think of it. The default agent is quite obvious, and although you can configure it to be less obvious, there's still a bit of a footprint. (I just watched AD demo the Enterprise product for the past 3 days.)

I'd make a suggestion, but you've already ruled out the enterprise products.
_________________
Tony Patrick, B. Inf Tech, CFCE
www.patrickcomputerfor...s.com/blog
www.twitter.com/Patrick4n6 


Last edited by Patrick4n6 on Dec 19, 10 01:07; edited 1 time in total
 
  

BattleSpeed
Member
 

Re: F-Response Alternative?

Posted: Dec 17, 10 06:44

Thanks, Jonathan - no FTK, but I'd heard the same as Patrick reports anyway (i.e., not that stealthy). I am obliged to be *very* stealthy in this situation.

Patrick - I'd appreciate your suggestion anyway if you wouldn't mind, especially if it doesn't use those blasted dongles. One utterly miserable (and very expensive) experience with dongles was enough to get them banned from our company altogether. In fact, I'd have to check the actual written policy, but I believe even mentioning the word is grounds for dismissal.  
 
  

Patrick4n6
Senior Member
 

Re: F-Response Alternative?

Posted: Dec 17, 10 08:44

Well, we haven't done our PoC with it yet, but I'm informed that EnCase Enterprise's agent is significantly more stealthy. We're doing our PoC next month, so I'll know for sure after that. Of course, it does use a dongle, another reason why I didn't mention it. Plus, if you can't afford F-Response, you absolutely can't afford a Guidance product. I know this doesn't help you, but you asked me to respond anyway.
_________________
Tony Patrick, B. Inf Tech, CFCE
www.patrickcomputerfor...s.com/blog
www.twitter.com/Patrick4n6 
 
  

rarosalion
Member
 

Re: F-Response Alternative?

Posted: Dec 17, 10 10:20

Depending on what remote access you have to the machine, and what virus protection may be in place, what about pushing netcat+dd to the machine?  
 
  

DFICSI
Senior Member
 

Re: F-Response Alternative?

Posted: Dec 17, 10 15:19

In my experience there's a reason that enterprise products are so expensive - because they work.

You can create the same effect for cheap/free but doing it stealthily is going to be difficult.

Best bet - psexec, netcat, and dd for Windows.

I think there is a lesson to be learned in situations such as this: we as forensic examiners often take on jobs in areas where we lack either the tools or the appropriate experience to do a complete or effective job. I'm all for people getting experience and increasing their knowledge, but taking on work where you don't know what you're doing is risky to you, your employers, and your clients.
_________________
The views expressed by me do not reflect on my employer or the quality of work I produce ;)
www.forensic4cast.com 
 
