Remote forensic imaging tools?

18 Posts
10 Users
0 Likes
5,520 Views
(@joey2011)
Posts: 9
Active Member
Topic starter
 

I'm trying to expand the companies I work with, and in order to do that I need to either fly or have a way to remotely image phones, SD, USB, laptops and desktops. One way is to outfit a laptop with the necessary plugs and connections to do this or find something that is already made to do this. So, I wanted to see if anyone knew of choices for this that work. I've Googled and looked at the results but I'm not sure if I'm seeing all of it. Any help would be greatly appreciated.

Thanks

 
Posted : 09/06/2019 3:59 pm
(@belkasoft)
Posts: 169
Estimable Member
 

> I'm trying to expand the companies I work with, and in order to do that I need to either fly or have a way to remotely image phones, SD, USB, laptops and desktops. One way is to outfit a laptop with the necessary plugs and connections to do this or find something that is already made to do this. So, I wanted to see if anyone knew of choices for this that work. I've Googled and looked at the results but I'm not sure if I'm seeing all of it. Any help would be greatly appreciated.
>
> Thanks

Belkasoft Evidence Center (make sure you get Remote Forensics module). The trial is available at https://belkasoft.com/get

 
Posted : 09/06/2019 5:03 pm
(@dandaman_24)
Posts: 172
Estimable Member
 

Evimetry - this offers a boot disk option where it can remotely connect and image to your storage destination.

 
Posted : 09/06/2019 7:54 pm
(@joey2011)
Posts: 9
Active Member
Topic starter
 

Thanks for the info, I've just requested a price from Belkasoft. I'm also looking at Sumuri Recon Imager and Recon Triage bundle.

 
Posted : 09/06/2019 9:58 pm
(@belkasoft)
Posts: 169
Estimable Member
 

> Thanks for the info, I've just requested a price from Belkasoft. I'm also looking at Sumuri Recon Imager and Recon Triage bundle.

How was your Belkasoft trial?

 
Posted : 07/07/2019 4:14 pm
Passmark
(@passmark)
Posts: 376
Reputable Member
 

How well does this work in practice?

If you have to image a 4TB drive remotely at 10Mbit/sec it is going to take 910 hours (38 continuous days). And this assumes there are no dropouts on either end for the duration, which of course there will be.

It is more practical for a small half-full 128GB drive (only 1 day). But not many machines have drives this small.

I know someone will say that 10Mbit/s is slow, but many people have asymmetrical internet connections, e.g. 50 down and 10 up.

And with self booting solutions, you are regularly going to come across machines with slightly unusual network environments, and device drivers will be missing for the network hardware in the self booting solution.

 
Posted : 08/07/2019 1:51 am
(@belkasoft)
Posts: 169
Estimable Member
 

> How well does this work in practice?
>
> If you have to image a 4TB drive remotely at 10Mbit/sec it is going to take 910 hours (38 continuous days). And this assumes there are no dropouts on either end for the duration, which of course there will be.
>
> It is more practical for a small half-full 128GB drive (only 1 day). But not many machines have drives this small.
>
> I know someone will say that 10Mbit/s is slow, but many people have asymmetrical internet connections, e.g. 50 down and 10 up.
>
> And with self booting solutions, you are regularly going to come across machines with slightly unusual network environments, and device drivers will be missing for the network hardware in the self booting solution.

Great point. That's why it is more and more common to have partial acquisitions. Belkasoft supports both full acquisition (compression is supported) and only selected folders or even selected types of artifacts transfer.

 
Posted : 08/07/2019 4:56 am
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

> Great point. That's why it is more and more common to have partial acquisitions.

I guess it depends a lot on the specific kind of forensic work, but "partial acquisition" doesn't sound good.

"Full" acquisition and transfer of partial data sounds already better, but essentially (if I get it right)
1) perform full acquisition (remotely, with the assistance of the customer, or of a "corresponding agent" or whatever)
2) have the customer send via UPS or DHL (or *whatever*) the actual disk with the actual "full" image
3) in the meantime (let's say 2 or 3 days at the most) have the "partial" data of interest extracted and transmitted and start analysing this "partial" data
4) verify the findings (if any, i.e. if the partial data actually contains something relevant) against the "full" image that has already arrived at the lab, or analyse the "full" image anyway to look for *anything else* not included in the "partial" data.

At first sight it seems to me a lot like a few hours difference at the most.

And the actual procedure (think of "chain of custody") is a tad bit flaky, if there isn't anyone qualified remotely "on site", anything can happen.

jaclaz

 
Posted : 08/07/2019 9:04 am
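The transfer-time arithmetic in Passmark's post and the "verify the partial data against the full image" step in jaclaz's process, as an added Python example; this is not code from the original thread or from any of the products mentioned in it. It assumes a fixed chunk size and a per-chunk SHA-256 manifest computed from the full image once it reaches the lab; the 64 KiB "image", the 4 KiB chunk size, the extracted byte range and the optional efficiency factor are constructed assumptions, not values from the thread.

```python
import hashlib
import random

BITS_PER_BYTE = 8
SECONDS_PER_HOUR = 3600


def estimate_transfer_hours(size_bytes, uplink_bits_per_sec, efficiency=1.0):
    """Hours needed to push size_bytes over an uplink of uplink_bits_per_sec.

    efficiency (0 < e <= 1) is an assumed factor for protocol overhead and
    retransmission after dropouts; 1.0 is the idealised figure used in the thread.
    """
    if size_bytes <= 0 or uplink_bits_per_sec <= 0 or not 0 < efficiency <= 1:
        raise ValueError("size, bandwidth and efficiency must be positive")
    seconds = size_bytes * BITS_PER_BYTE / (uplink_bits_per_sec * efficiency)
    return seconds / SECONDS_PER_HOUR


def chunk_hashes(data, chunk_size):
    """SHA-256 of every chunk_size slice of data: the manifest the lab keeps."""
    if chunk_size <= 0:
        raise ValueError("chunk_size must be positive")
    return [hashlib.sha256(data[i:i + chunk_size]).hexdigest()
            for i in range(0, len(data), chunk_size)]


def verify_partial_against_full(full_manifest, partial, offset, chunk_size):
    """Check a chunk-aligned partial extract against the full image's manifest.

    Returns (ok, mismatched_chunk_indices). The extract must start on a chunk
    boundary; only the final chunk of the image may be shorter than chunk_size,
    so a short slice anywhere else is rejected as misaligned rather than
    silently reported as a mismatch.
    """
    if offset % chunk_size != 0:
        raise ValueError("partial extract must start on a chunk boundary")
    mismatched = []
    for i in range(0, len(partial), chunk_size):
        piece = partial[i:i + chunk_size]
        idx = (offset + i) // chunk_size
        if idx >= len(full_manifest):
            raise ValueError("partial extract extends past the end of the image")
        if len(piece) < chunk_size and idx != len(full_manifest) - 1:
            raise ValueError("partial extract must end on a chunk boundary")
        if hashlib.sha256(piece).hexdigest() != full_manifest[idx]:
            mismatched.append(idx)
    return (not mismatched, mismatched)


# --- constructed sample data (not from any real case) -----------------------
CHUNK_SIZE = 4096
_rng = random.Random(2019)
FULL_IMAGE = bytes(_rng.getrandbits(8) for _ in range(64 * 1024))  # 64 KiB "disk"
FULL_MANIFEST = chunk_hashes(FULL_IMAGE, CHUNK_SIZE)

# The "partial data of interest": chunks 2..5, as a remote triage tool might send.
PARTIAL_OFFSET = 2 * CHUNK_SIZE
PARTIAL_EXTRACT = FULL_IMAGE[PARTIAL_OFFSET:PARTIAL_OFFSET + 4 * CHUNK_SIZE]


def demo():
    """Run the thread's scenarios and return the numbers for inspection."""
    results = {
        "full_4tb_hours": estimate_transfer_hours(4e12, 10e6),
        "half_full_128gb_hours": estimate_transfer_hours(64e9, 10e6),
        "full_4tb_hours_with_dropouts": estimate_transfer_hours(4e12, 10e6, efficiency=0.8),
    }
    ok, _ = verify_partial_against_full(FULL_MANIFEST, PARTIAL_EXTRACT, PARTIAL_OFFSET, CHUNK_SIZE)
    results["intact_partial_ok"] = ok

    # One byte corrupted in transit (constructed): the affected chunk is flagged.
    damaged = bytearray(PARTIAL_EXTRACT)
    damaged[CHUNK_SIZE + 10] ^= 0xFF
    ok, bad = verify_partial_against_full(FULL_MANIFEST, bytes(damaged), PARTIAL_OFFSET, CHUNK_SIZE)
    results["damaged_partial_ok"] = ok
    results["damaged_chunks"] = bad
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

With decimal terabytes and no overhead the 4 TB / 10 Mbit/s case comes out at roughly 889 hours, in the same range as the 910 hours quoted above; the exact figure depends on whether TB is read as decimal or binary and on protocol overhead, which the efficiency factor lets you model. The chunk manifest is what makes jaclaz's step 4 cheap: once the full image arrives by courier, each remotely transmitted chunk can be tied to a specific offset in the full image, and any chunk altered or corrupted in transit is identified by index rather than by a single whole-file hash mismatch.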
(@belkasoft)
Posts: 169
Estimable Member
 

> > Great point. That's why it is more and more common to have partial acquisitions.
>
> I guess it depends a lot on the specific kind of forensic work, but "partial acquisition" doesn't sound good.
>
> "Full" acquisition and transfer of partial data sounds already better, but essentially (if I get it right)
> 1) perform full acquisition (remotely, with the assistance of the customer, or of a "corresponding agent" or whatever)
> 2) have the customer send via UPS or DHL (or *whatever*) the actual disk with the actual "full" image
> 3) in the meantime (let's say 2 or 3 days at the most) have the "partial" data of interest extracted and transmitted and start analysing this "partial" data
> 4) verify the findings (if any, i.e. if the partial data actually contains something relevant) against the "full" image that has already arrived at the lab, or analyse the "full" image anyway to look for *anything else* not included in the "partial" data.
>
> At first sight it seems to me a lot like a few hours difference at the most.
>
> And the actual procedure (think of "chain of custody") is a tad bit flaky, if there isn't anyone qualified remotely "on site", anything can happen.
>
> jaclaz

I don't object to your points - all valid. We just offer additional options to the standard process and this could be good enough in a corporate environment. And, to your suggested process, we also support that the remote acquisition with Belkasoft can be done to a local drive to be then sent using a courier.

 
Posted : 08/07/2019 9:11 am
(@xandstorm)
Posts: 56
Trusted Member
 

You could look at F-Response f-response.com.

 
Posted : 08/07/2019 6:06 pm
Page 1 / 2