F-Response Alternative?  

BattleSpeed
(@battlespeed)
Junior Member

I need to perform a stealth HD acquisition via network (local subnet) and no way I can use anything requiring dongles like F-Response (even on examiner machine), nor am I $$$$loaded for the Enterprise version price anyway.

My first with this type of situation (yes, I intend to practice first!), so any ideas mucho appreciatissimo!

(Don't care Linux, Windows exam platform. Target is Windows.)

Posted : 16/12/2010 11:19 am
Jonathan
(@jonathan)
Senior Member

Do you have access to FTK 3 - it has the same stealth network capability as F-Response; presumably you've got an account with admin rights on the target machine?

Posted : 16/12/2010 4:55 pm
Patrick4n6
(@patrick4n6)
Senior Member

To be fair, FTK3 is not exactly stealthy in the sense most people think of it. The default agent is quite obvious, and although you can configure it to be less obvious, there's still a bit of a footprint. (I just watched AD demo the Enterprise product for the past 3 days.)

I'd make a suggestion, but you've already ruled out the enterprise products.

Posted : 17/12/2010 5:23 am
BattleSpeed
(@battlespeed)
Junior Member

Thanks, Jonathan - no FTK, but I'd heard the same as Patrick reports anyway (i.e., not that stealthy). I am obliged to be *very* stealthy in this situation.

Patrick - I'd appreciate your suggestion anyway if you wouldn't mind, especially if it doesn't use those blasted dongles. One utterly miserable (and very expensive) experience with dongles was enough to get them banned from our company altogether. In fact, I'd have to check the actual written policy, but I believe even mentioning the word is grounds for dismissal.

Posted : 17/12/2010 5:44 am
Patrick4n6
(@patrick4n6)
Senior Member

Well we haven't done our PoC with it yet, but I'm informed that EnCase Enterprise's agent is significantly more stealthy. We're doing our PoC next month so I'll know for sure after that. Of course, it does use a dongle, another reason why I didn't mention it. Plus if you can't afford F-Response, you absolutely can't afford a Guidance product. I know this doesn't help you, but you asked me to respond anyway.

Posted : 17/12/2010 7:44 am
rarosalion
(@rarosalion)
Junior Member

Depending on what remote access you have to the machine, and what virus protection may be in place, what about pushing netcat+dd to the machine?

Posted : 17/12/2010 9:20 am
DFICSI
(@dficsi)
Active Member

In my experience there's a reason that enterprise products are so expensive - because they work.

You can create the same effect for cheap/free but doing it stealthily is going to be difficult.

Best bet - psexec, netcat, and dd for windows.

I think there is a lesson to be learned in situations such as this: we as forensic examiners often take on jobs in areas where we lack either the tools or the appropriate experience to do a complete or effective job. I'm all for people getting experience and increasing their knowledge, but taking on work where you don't know what you're doing is risky to you, your employers, and your clients.

Posted : 17/12/2010 2:19 pm
DFICSI
(@dficsi)
Active Member

And personally I think dongle based software is fine. Sadly, even in this field, there are people that use pirated software to conduct investigations. Just because software uses a dongle doesn't mean that it is evil. F-Response is still one of the best pieces of software on the market and, even though some may consider it expensive, is still the cheapest solution on the market for such investigations.

Posted : 17/12/2010 2:22 pm
jelle
(@jelle)
Member

You probably considered this - but just to be sure isn't there any way to covertly image the machine in a 'traditional' way, for example by doing it overnight or by faking some maintenance activity by IT for which the machine has to be handed in?

On F-Response note that the Consultant edition does require a dongle, but only at the Analyst machine and not at the Target machine. Assuming you can stealthily start the agent on the Target machine, this might be a solution?

Alternatively, if you can arrange remote access via VNC/RDP or some other tool (assuming this is some sort of corporate situation, the helpdesk will likely use something like this anyway), you could use that to start FTK Imager Lite on the target machine and image to a network share somewhere (of course, this would have to be done at a moment when the user is not there - but then again, if there is such a moment you might just as well remove the machine for a couple of hours and image it at another location).

Posted : 17/12/2010 2:53 pm
BattleSpeed
(@battlespeed)
Junior Member

Best bet - psexec, netcat, and dd for windows.

I think there is a lesson to be learned in situations such as this: we as forensic examiners often take on jobs in areas where we lack either the tools or the appropriate experience to do a complete or effective job. I'm all for people getting experience and increasing their knowledge, but taking on work where you don't know what you're doing is risky to you, your employers, and your clients.

Thanks for your comment. I think you are making more of my "first experience" comment than I intended. It's the situation that's unique.

Posted : 17/12/2010 8:25 pm
BattleSpeed
(@battlespeed)
Junior Member

You probably considered this - but just to be sure isn't there any way to covertly image the machine in a 'traditional' way, for example by doing it overnight or by faking some maintenance activity by IT for which the machine has to be handed in?

On F-Response note that the Consultant edition does require a dongle, but only at the Analyst machine and not at the Target machine. Assuming you can stealthily start the agent on the Target machine, this might be a solution?

Alternatively, if you can arrange remote access via VNC/RDP or some other tool (assuming this is some sort of corporate situation, the helpdesk will likely use something like this anyway), you could use that to start FTK Imager Lite on the target machine and image to a network share somewhere (of course, this would have to be done at a moment when the user is not there - but then again, if there is such a moment you might just as well remove the machine for a couple of hours and image it at another location).

To be a bit less obtuse, we're dealing with an IT manager and a laptop that goes everywhere with him when not at the facility. We've not been able to invent any scenarios that would not rouse suspicion and the concern is increased by the possibility of another IT employee's participation in the adverse activity.

Posted : 17/12/2010 8:28 pm
brianH
(@brianh)
New Member

There seems to be a misunderstanding between the different AccessData agents (sorry). The agent FTK uses to support live remote device acquisition and mounting (physical device/logical volume/RAM) and the one with AccessData Enterprise are very different. They share underlying code; however, the FTK agent is a run-time agent (single exe), does not have an installer and has a tiny footprint. The FTK agent (part of FTK 3) which supports RDMS (Remote Device Mounting Services) is a standard part of FTK and does not require any additional purchase. It also has a default lifetime so you do not have to remember to kill it when you are done (which we call a dying agent). The AccessData Enterprise agent that has an installer and a more sizeable footprint supports a different set of capabilities and therefore has different requirements from an agent perspective (it has to be installed).

More information can be found here: http://accessdata.com/downloads/media/How_to_use_Remote_Device_Mounting_Services.pdf. We also have a webinar, "Live Remote Data Acquisition": http://accessdata.com/resource-library#webinars

We also have a soft token for individuals that cannot support or do not want a physical dongle. No additional cost; it can be moved between machines.

Karney

Posted : 17/12/2010 9:57 pm
jekyll
(@jekyll)
Member

Another downside of dongles I came to appreciate recently is when I tried to image a server running on VMware ESXi (very common platform... right?). ESXi does not allow pass-through of USB devices from the host to guest OSes. I had F-Response Tactical there but was stuck because of the dev's copy protection requiring a dongle. More organisations are locking out USB, and when copy protection handicaps a product I have paid for, me not so happy.

Posted : 12/01/2011 4:26 am
TonyC
(@tonyc)
Junior Member

Battlespeed,

Take a look at ProDiscover IR from Technology Pathways (www.techpathways.com). With it you can remotely install an agent to any Windows system that you have admin credentials for. The agent has a default port and name but both can be changed to whatever you want.

I have used it many times to remotely image systems.

Oh yeah, I almost forgot, no dongle!!

TonyC

Posted : 12/01/2011 9:40 am
MindSmith
(@mindsmith)
Active Member

If you're willing to use the EnCase Enterprise agent, then take a look at their non-Enterprise version, EnCase Forensic Consultant:

http://www.guidancesoftware.com/computer-forensics-software-consultants.htm

BrianH, jelle and DFICSI have given you good alternative solutions to consider.

If you really need 'ultra black-ops type stealth' 😉, look at Gamma Group's FinFisher intrusion suite for gaining access/preview, then consider running a second tool to image the HD, but... it's going to be pricey, and with any solution you use, the user may still notice slight performance degradation and excessive disk activity due to the imaging process. https://www.gammagroup.com/finfisheritintrusion.aspx

Posted : 12/01/2011 10:37 am