Hi,
First off, thank you to the contributors of this board. I find more and more value just reading through some of the threads each week. I appreciate the time the members put in responding and keeping relevant content on the board.
For those of you that have worked in the corporate world and been tasked with performing remote forensics at a non-integrated work site I'm sure you feel my pain.
I'm trying to develop a 'forensics-in-a-box' program in which I can drop a forensic acquisition/network analysis capable laptop (or system–"Dropkit") at a remote work site that is not integrated with the corporate office (no WAN/LAN or VPN connections). I want a system with forensic and network tools physically at the remote work site in order to respond to events that require capturing both host and network events (memory, pcap, logs). I'd like to replicate the process of deploying this "Dropkit" to new work sites that spin up around the world.
I've used solutions like EnCase Portable with varying degrees of success; with this task however, I'd like to position my team to be closer to the action on the remote network without having to dispatch an analyst to physically be on site.
Without adding thousands of dollars to our budget buying commercial tools or outsourcing to a forensic firm, has anyone ever been successful at attempting a similar task?
Thank you in advance!
Have you considered F-Response? This product was developed _exactly_ to address issues such as what you describe.
Once you have F-Response, you can get all sorts of free and open source tools to add to your kit.