F-Response Alternative?


MindSmith
Senior Member

Re: F-Response Alternative?

Posted: Jan 12, 11 10:37

If you're willing to use the EnCase Enterprise agent, then take a look at their non-Enterprise version, EnCase Forensic Consultant:

www.guidancesoftware.c...ltants.htm

BrianH, jelle and DFICSI have given you good alternative solutions to consider.

If you really need 'ultra black-ops type stealth' ;) look at Gamma Group's FinFisher intrusion suite for gaining access/preview, then consider running a second tool to image the HD, but it's going to be pricey, and with any solution you use the user may still notice slight performance degradation and excessive disk activity due to the imaging process. www.gammagroup.com/fin...usion.aspx
_________________
#include <std.disclaimer.H>

Rossetoecioccolato
Member

Re: F-Response Alternative?

Posted: Jan 13, 11 21:53

Are you able to deploy software via the admin share? Basically, do you have admin access to the computer when it is online?

forensicakb
Senior Member

Re: F-Response Alternative?

Posted: Jan 15, 11 03:53

Many times issues are overthought from a technical standpoint when the easiest fix is a social engineering one from an investigative standpoint.

Based on the information you have provided, this is a fix by a phone call, not a stealthy one, which appears to have a very, very high chance you will get caught.

Most IT managers who carry their laptops around know enough to know even if you think you are being stealthy, IMHO you won't be stealthy enough, as you really don't know what to do and are asking others. While you have provided a lot of details, if you have left out one thing, even a small one, the advice you may have been given could be bad. Maybe the detail is something as small as a SP update, or a program like regmon, something else which is installed on the PC, and then what happens when the stealth aspect goes away. Someone has time to wipe the drive and concoct a story why it is wiped, or maybe you don't have the serial number of the drive written down, so a mirror of the drive is made without the information you are looking for and you now have nothing.

BattleSpeed wrote:
    jelle wrote:
        You probably considered this - but just to be sure: isn't there any way to covertly image the machine in a 'traditional' way, for example by doing it overnight or by faking some maintenance activity by IT for which the machine has to be handed in?

        On F-Response: note that the Consultant edition does require a dongle, but only at the Analyst machine and not at the Target machine. Assuming you can stealthily start the agent on the Target machine, this might be a solution?

        Alternatively, if you can arrange remote access via VNC/RDP or some other tool (assuming this is some sort of corporate situation, the helpdesk will likely use something like this anyway), you could use that to start FTK Imager Lite on the target machine and image to a network share somewhere (of course, this would have to be done at a moment when the user is not there - but then again, if there is such a moment you might just as well remove the machine for a couple of hours and image it at another location).

    To be a bit less obtuse, we're dealing with an IT manager and a laptop that goes everywhere with him when not at the facility. We've not been able to invent any scenarios that would not rouse suspicion, and the concern is increased by the possibility of another IT employee's participation in the adverse activity.

TDISCO
Newbie

Re: F-Response Alternative?

Posted: Jan 17, 11 18:27

Hello,

This sounds like a difficult situation and one that will require some social engineering. I use F-Response as well as EnCase Enterprise, and they are both great tools. However, the main issue you will probably run into is keeping the mobile user online long enough to acquire the drive. It could take forever to actually get what you need this way. As others have mentioned, it may be easier to push something out to the workstation to make it inoperable and then have it reimaged and returned to the user in working condition when they bring it in to be "repaired". We use Digital Guardian for this piece, but there are many other things you can do with admin rights. If this could turn into a legal case I would also start a COC form with the swap of the hard drive as well, so you may want the "break fix" person to be someone trusted.

Hope this information helps!
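Two points in the thread are worth pinning down in code: jelle's step of imaging a drive to a share with a tool such as FTK Imager Lite, and TDISCO's reminder to start a chain-of-custody (COC) record when the drive changes hands. Whatever tool performs the copy, the examiner's integrity check is the same: hash the bytes as they come off the source, re-hash the written image, and keep the hashes in a record that can be re-verified at every later handover. The script below is an added illustration of that workflow and is not part of the thread or of any product mentioned in it; it uses only the Python standard library, and the source "disk" (a constructed 1 KiB file), the examiner name and the evidence ID are made-up values.

```python
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20  # 1 MiB read size; keeps memory flat on multi-GB sources


def hash_file(path, algo="sha256"):
    """Hash a file in streaming fashion; used to re-verify a written image."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def acquire(source, image_path, examiner, evidence_id):
    """Copy `source` (a raw device node or a file) to `image_path`, hashing the
    bytes as they are read so the acquisition hash reflects what the source
    actually returned, then re-hash the finished image to confirm the write was
    faithful. Returns a COC record and writes it beside the image as JSON."""
    sha256 = hashlib.sha256()
    md5 = hashlib.md5()  # kept alongside SHA-256 because many COC forms still ask for it
    started = datetime.now(timezone.utc).isoformat()
    size = 0
    with open(source, "rb") as src, open(image_path, "wb") as dst:
        for chunk in iter(lambda: src.read(CHUNK), b""):
            sha256.update(chunk)
            md5.update(chunk)
            dst.write(chunk)
            size += len(chunk)
        dst.flush()
        os.fsync(dst.fileno())  # do not trust the hash until the bytes are on disk
    record = {
        "evidence_id": evidence_id,          # hypothetical value in demo()
        "examiner": examiner,                # hypothetical value in demo()
        "source": os.path.abspath(source),
        "image": os.path.abspath(image_path),
        "size_bytes": size,
        "sha256": sha256.hexdigest(),
        "md5": md5.hexdigest(),
        "started_utc": started,
        "finished_utc": datetime.now(timezone.utc).isoformat(),
    }
    # Verification pass: the image on disk must hash to the acquisition hash.
    record["verified"] = hash_file(image_path) == record["sha256"]
    with open(image_path + ".coc.json", "w") as f:
        json.dump(record, f, indent=2)
    return record


def verify_image(image_path):
    """Later check (e.g. at handover): re-hash the image against its record."""
    with open(image_path + ".coc.json") as f:
        record = json.load(f)
    return hash_file(image_path) == record["sha256"]


def demo():
    """Run the workflow on a constructed 1 KiB 'disk' so the script is
    self-contained: acquire, verify, then alter the image and verify again."""
    workdir = tempfile.mkdtemp()
    source = os.path.join(workdir, "sample_disk.bin")
    with open(source, "wb") as f:
        f.write(bytes(range(256)) * 4)  # constructed sample content, 1024 bytes
    image = os.path.join(workdir, "sample_disk.dd")
    record = acquire(source, image, examiner="J. Examiner", evidence_id="EV-0001")
    ok_before = verify_image(image)
    with open(image, "ab") as f:
        f.write(b"\x00")  # simulate a post-acquisition modification of the image
    ok_after = verify_image(image)
    return record, ok_before, ok_after


if __name__ == "__main__":
    rec, before, after = demo()
    print(json.dumps(rec, indent=2))
    print("verify before modification:", before, "| after modification:", after)
```

On a real acquisition `source` would be the block device (for example a `/dev/sd*` node opened read-only, ideally behind a write blocker) and `image_path` the network share or external disk receiving the image; the point of hashing during the read rather than afterwards is that a source that returns different bytes on a second read, such as a failing drive, is detected as a verification failure instead of being silently accepted.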
 
  

douglasbrush
Senior Member

Re: F-Response Alternative?

Posted: Jan 18, 11 18:38

jekyll wrote:
    Another downside of dongles I came to appreciate recently is when I tried to image a server running on VMware ESXi (very common platform.... right?). ESXi does not allow pass-through of USB devices from the host to guest OSes.

This has happened to me multiple times and is beyond annoying. With that we went to F-Response Consultant, so the licensing is all software and the dongle is just on the examiner's machine.

josefk
Newbie

Re: F-Response Alternative?

Posted: May 18, 11 13:50

Simulated fire alarm. Have upper management send out emails indicating there will be random fire alarm tests and list procedures. One of the procedures could be to leave everything behind and exit immediately. It should give you enough time to install the client. Then the following day, first thing, start the acquisition. You could even have a scheduled staff meeting to assist while acquiring.

All that is, of course, if the IT manager is not the upper management.

paraben
Member

Re: F-Response Alternative?

Posted: May 18, 11 18:37

I know you said Enterprise tools are too expensive, but Paraben Shuttle starts at under $4k, has completely stealthy agents and can run from a key license. We have a free version you can test out as well.