Remote forensic imaging tools?  

joey2011
(@joey2011)
New Member

I'm trying to expand the companies I work with, and in order to do that I need to either fly or have a way to remotely image phones, SD, USB, laptops and desktops. One way is to outfit a laptop with the necessary plugs and connections to do this, or find something that is already made to do this. So, I wanted to see if anyone knew of choices for this that work. I've Googled and looked at the results but I'm not sure if I'm seeing all of it. Any help would be greatly appreciated.

Thanks

Posted : 09/06/2019 4:59 pm
Belkasoft
(@belkasoft)
Active Member

> I'm trying to expand the companies I work with, and in order to do that I need to either fly or have a way to remotely image phones, SD, USB, laptops and desktops. One way is to outfit a laptop with the necessary plugs and connections to do this, or find something that is already made to do this. So, I wanted to see if anyone knew of choices for this that work. I've Googled and looked at the results but I'm not sure if I'm seeing all of it. Any help would be greatly appreciated.
>
> Thanks

Belkasoft Evidence Center (make sure you get Remote Forensics module). The trial is available at https://belkasoft.com/get

Posted : 09/06/2019 6:03 pm
dandaman_24
(@dandaman_24)
Active Member

Evimetry - this offers a boot disk option where it can remotely connect and image to your storage destination.

Posted : 09/06/2019 8:54 pm
joey2011
(@joey2011)
New Member

Thanks for the info, I've just requested a price from Belkasoft. I'm also looking at Sumuri Recon Imager and Recon Triage bundle.

Posted : 09/06/2019 10:58 pm
Belkasoft
(@belkasoft)
Active Member

> Thanks for the info, I've just requested a price from Belkasoft. I'm also looking at Sumuri Recon Imager and Recon Triage bundle.

How was your Belkasoft trial?

Posted : 07/07/2019 5:14 pm
Passmark
(@passmark)
Active Member

How well does this work in practice?

If you have to image a 4TB drive remotely at 10Mbit/sec it is going to take 910 hours (38 continuous days). And this assumes there are no drop outs on either end for the duration, which of course there will be.

It is more practical for a small, half-full 128GB drive (only 1 day). But not many machines have drives this small.

I know someone will say that 10Mbit/s is slow, but many people have asymmetrical internet connections, e.g. 50 down and 10 up.

And with self booting solutions, you are regularly going to come across machines with slightly unusual network environments, and device drivers will be missing for the network hardware in the self booting solution.

Posted : 08/07/2019 2:51 am
Belkasoft
(@belkasoft)
Active Member

> How well does this work in practice?
>
> If you have to image a 4TB drive remotely at 10Mbit/sec it is going to take 910 hours (38 continuous days). And this assumes there are no drop outs on either end for the duration, which of course there will be.
>
> It is more practical for a small, half-full 128GB drive (only 1 day). But not many machines have drives this small.
>
> I know someone will say that 10Mbit/s is slow, but many people have asymmetrical internet connections, e.g. 50 down and 10 up.
>
> And with self booting solutions, you are regularly going to come across machines with slightly unusual network environments, and device drivers will be missing for the network hardware in the self booting solution.

Great point. That's why it is more and more common to have partial acquisitions. Belkasoft supports both full acquisition (compression is supported) and only selected folders or even selected types of artifacts transfer.

Posted : 08/07/2019 5:56 am
jaclaz
(@jaclaz)
Community Legend

> Great point. That's why it is more and more common to have partial acquisitions.

I guess it depends a lot on the specific kind of forensic work, but "partial acquisition" doesn't sound good.

"Full" acquisition and transfer of partial data sounds already better, but essentially (if I get it right)
1) perform full acquisition (remotely, with the assistance of the customer, or of a "corresponding agent" or whatever)
2) have the customer send via UPS or DHL (or *whatever*) the actual disk with the actual "full" image
3) in the meantime (let's say 2 or 3 days at the most) have the "partial" data of interest extracted and transmitted and start analysing this "partial" data
4) verify the findings (if any, i.e. if the partial data actually contains something relevant) against the "full" image that already arrived to the lab or analyse anyway the "full" image to look for *anything else* not included in the "partial" data.

At first sight it seems to me a lot like a few hours difference at the most.

And the actual procedure (think of "chain of custody") is a tad bit flaky, if there isn't anyone qualified remotely "on site", anything can happen.

jaclaz

Posted : 08/07/2019 10:04 am
Belkasoft
(@belkasoft)
Active Member

> > Great point. That's why it is more and more common to have partial acquisitions.
>
> I guess it depends a lot on the specific kind of forensic work, but "partial acquisition" doesn't sound good.
>
> "Full" acquisition and transfer of partial data sounds already better, but essentially (if I get it right)
> 1) perform full acquisition (remotely, with the assistance of the customer, or of a "corresponding agent" or whatever)
> 2) have the customer send via UPS or DHL (or *whatever*) the actual disk with the actual "full" image
> 3) in the meantime (let's say 2 or 3 days at the most) have the "partial" data of interest extracted and transmitted and start analysing this "partial" data
> 4) verify the findings (if any, i.e. if the partial data actually contains something relevant) against the "full" image that already arrived to the lab or analyse anyway the "full" image to look for *anything else* not included in the "partial" data.
>
> At first sight it seems to me a lot like a few hours difference at the most.
>
> And the actual procedure (think of "chain of custody") is a tad bit flaky, if there isn't anyone qualified remotely "on site", anything can happen.
>
> jaclaz

I don't object to your points - all valid. We just offer additional options to the standard process, and this could be good enough in a corporate environment. And, to your suggested process, we also support that the remote acquisition with Belkasoft can be done to a local drive to be then sent using a courier.

Posted : 08/07/2019 10:11 am
xandstorm
(@xandstorm)
Member

You could look at F-Response f-response.com.

Posted : 08/07/2019 7:06 pm
Passmark
(@passmark)
Active Member

If partial acquisition is all that was required (e.g. the User folder) then why not just remote desktop into the machine, zip up the files and upload to the cloud? No special software required.

Posted : 09/07/2019 4:21 am
Belkasoft
(@belkasoft)
Active Member

> If partial acquisition is all that was required (e.g. the User folder) then why not just remote desktop into the machine, zip up the files and upload to the cloud? No special software required.

Could be a good option if you are working with one computer only. If you have multiple computers and/or repeated extractions and/or want to schedule uploading of required files, it is better to do it with specialized software.

Posted : 09/07/2019 10:41 am
jaclaz
(@jaclaz)
Community Legend

> > If partial acquisition is all that was required (e.g. the User folder) then why not just remote desktop into the machine, zip up the files and upload to the cloud? No special software required.
>
> Could be a good option if you are working with one computer only. If you have multiple computers and/or repeated extractions and/or want to schedule uploading of required files, it is better to do it with specialized software.

Well this latter seems to me more "backup to the cloud" (or "backup locally then send to remote") than anything else and I see very little "forensics" in the process. 😯

jaclaz

Posted : 09/07/2019 8:30 pm
Belkasoft
(@belkasoft)
Active Member

> > > If partial acquisition is all that was required (e.g. the User folder) then why not just remote desktop into the machine, zip up the files and upload to the cloud? No special software required.
> >
> > Could be a good option if you are working with one computer only. If you have multiple computers and/or repeated extractions and/or want to schedule uploading of required files, it is better to do it with specialized software.
>
> Well this latter seems to me more "backup to the cloud" (or "backup locally then send to remote") than anything else and I see very little "forensics" in the process. 😯
>
> jaclaz

Well, the software is the same forensic software which is used for perfectly forensic acquisition locally. It calculates checksums and verifies output. If needed, you can secure the chain of custody.

That's not a question of how the software works; it relates more to the process of how you use it.

Posted : 27/08/2019 12:20 pm
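The thread raises two practical concerns about remote acquisition: Passmark's point that a multi-day transfer will suffer link drop-outs, and Belkasoft's reply that a forensic imager hashes and verifies what it transfers. The following is an added example, written for this page and not code from Belkasoft, Evimetry, F-Response or any other product named above, of how those two requirements fit together: the agent on the remote machine hashes the evidence per chunk and as a whole before transfer; the examiner's side pulls chunks, verifies each one against that manifest as it arrives, resumes after a dropped connection without re-transferring verified chunks, and finally checks the whole-image hash. The `FlakyLink` class, the 4 KiB chunk size and the evidence bytes are all constructed stand-ins for the network and the disk.

```python
"""Resumable, hash-verified remote acquisition (added example, not vendor code).

Agent side: hash the evidence per chunk and as a whole (the manifest).
Examiner side: pull chunks, verify each against the manifest, resume after
a dropped link, verify the assembled image against the whole-image digest.
"""
import hashlib

CHUNK_SIZE = 4096  # toy size for the example; a real imager would use MiB chunks


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def hash_source(source: bytes, chunk_size: int = CHUNK_SIZE):
    """Agent side: hash the evidence before anything leaves the machine.
    Returns (per-chunk digests, whole-image digest)."""
    manifest = [sha256_hex(source[off:off + chunk_size])
                for off in range(0, len(source), chunk_size)]
    return manifest, sha256_hex(source)


class FlakyLink:
    """Constructed stand-in for the network: serves chunks of the remote
    source but drops the connection once, after `drop_after` chunks."""

    def __init__(self, source: bytes, drop_after: int, chunk_size: int = CHUNK_SIZE):
        self.source = source
        self.chunk_size = chunk_size
        self.drop_after = drop_after
        self.delivered = 0   # chunks actually transferred over the link
        self.drops = 0

    def fetch(self, index: int) -> bytes:
        if self.drops == 0 and self.delivered >= self.drop_after:
            self.drops += 1
            raise ConnectionError("link dropped")
        self.delivered += 1
        off = index * self.chunk_size
        return self.source[off:off + self.chunk_size]


def acquire(link, manifest, whole_digest, received: dict) -> bytes:
    """Examiner side: pull every chunk not yet in `received`, verifying each
    against the manifest on arrival. If the link raises ConnectionError the
    caller simply calls acquire() again; verified chunks stay in `received`
    and are not transferred twice. Returns the verified, assembled image."""
    for index, expected in enumerate(manifest):
        if index in received:
            continue  # already transferred and verified before the drop
        chunk = link.fetch(index)
        if sha256_hex(chunk) != expected:
            raise ValueError(f"chunk {index} failed verification")
        received[index] = chunk
    image = b"".join(received[i] for i in range(len(manifest)))
    if sha256_hex(image) != whole_digest:
        raise ValueError("whole-image hash mismatch")
    return image


def remote_image(source: bytes, drop_after: int):
    """Run the whole exchange over a link that drops once.
    Returns (image, attempts, chunks_transferred)."""
    manifest, whole_digest = hash_source(source)
    link = FlakyLink(source, drop_after)
    received: dict = {}
    attempts = 0
    while True:
        attempts += 1
        try:
            image = acquire(link, manifest, whole_digest, received)
            return image, attempts, link.delivered
        except ConnectionError:
            continue  # resume; nothing already verified is fetched again


if __name__ == "__main__":
    evidence = bytes(range(256)) * 64  # constructed 16 KiB "disk" (4 chunks)
    img, attempts, transferred = remote_image(evidence, drop_after=2)
    print(f"attempts={attempts} chunks_transferred={transferred} "
          f"verified={img == evidence}")
```

The manifest is what makes the transfer both resumable and attestable: a drop-out costs only a reconnect, a corrupted or substituted chunk is caught at the chunk it occurs in rather than after a 38-day transfer, and the manifest plus whole-image digest is the artifact you record for chain of custody. Over a real link the manifest would itself need to be protected (signed by the agent or sent over an authenticated channel), which this example leaves out.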
CFEx
(@cfex)
Member

> > Great point. That's why it is more and more common to have partial acquisitions.
>
> I guess it depends a lot on the specific kind of forensic work, but "partial acquisition" doesn't sound good.
>
> jaclaz

> I don't object to your points - all valid. We just offer additional options to the standard process, and this could be good enough in a corporate environment. And, to your suggested process, we also support that the remote acquisition with Belkasoft can be done to a local drive to be then sent using a courier.

Partial acquisitions are ok but it depends on the forensic work or case category.

In law enforcement or in litigation, full acquisition is the norm, and if you do partial, you'd better be prepared to convince the judge/jury why you did not do a full image. Your work will be challenged for sure.

In a corporate environment, we are likely to do full acquisitions if the device is locally available or do partial acquisitions to overcome challenges. But again, it depends on the case and why we are trying to do forensic work. For example,

In cases of trade secrets theft, hacking, or any case that is likely to affect the company negatively, we'll do full acquisitions, regardless of where the device/user is.

Contrast that with cases where I only need to prove an employee violated company policy where I'm only interested in "user behavior" (user data, browsing history, app data, etc.). Do I care about operating system files? No, I don't and so partial acquisition is perfectly fine; if the device is locally available we'll do full acquisition because I care about unallocated space, but I still don't care about OS files. So partial acquisitions are ok depending on several variables.

Here is another variable: still a violation of company policy case, but the user works remotely by himself out of his home, in an African country where we don't have an office, and I'm in the US. Our closest IT staff is either in Europe or Dubai. We may do one or several things, but the point of this is that in a corporate setting, we end up evaluating the risk of a partial acquisition and make a judgement call after vetting.

Posted : 29/08/2019 5:58 am