Are you able to deploy software via the admin share? Basically, do you have admin access to the computer when it is online?
Many times issues are over thought from a technical standpoint when the easiest fix is a social engineering one from an investigative standpoint.
Based on the information you have provided, this is a fix by a phone call not a stealthy one which appears to have a very very high chance you will get caught.
Most IT managers who carry their laptops around know enough to know even if you think you are being stealthy, IMHO you wont be stealthy enough as you really don't know what to do and are asking others. While you have provided a lot of details, if you have left out one thing, even a small one, the advice you may have been given could be bad. Maybe the detail is something as small as a SP update, or a program like regmon, something else which is installed on the pc, and then what happens when the stealth aspect goes away. Someone has time to wipe the drive and concoct a story why it is wiped, or maybe you don't have the serial number of the drive written down so a mirror of the drive is made without the information you are looking for and you now have nothing.
You probably considered this - but just to be sure isn't there any way to covertly image the machine in a 'traditional' way, for example by doing it overnight or by faking some maintenance activity by IT for which the machine has to be handed in?
On F-Response note that the Consultant edition does require a dongle, but only at the Analyst machine and not at the Target machine. Assuming you can stealthily start the agent on the Target machine, this might be a solution?
Alternatively, if you can arrange remote access via VNC/RDP or some other tool (assuming this is some sort of corporate situation, the helpdesk will likely use something like this anyway), you could use that to start FTK Imager Lite on the target machine and image to a network share somewhere (of course, this would have to be done at a moment when the user is not there - but then again, if there is such a moment you might just as well remove the machine for a couple of hours and image it at another location).
To be a bit less obtuse, we're dealing with an IT manager and a laptop that goes everywhere with him when not at the facility. We've not been able to invent any scenarios that would not rouse suspicion and the concern is increased by the possibility of another IT employee's participation in the adverse activity.
This sounds like a difficult situation and one that will require some social engineering. I use fresponse as well as encase ent and they are both great tools. However, the main issue you will probably run into is keeping the mobile user online long enough to acquire the drive. It could take forever to actually get what you need this way. As others have mentioned it may be easier to push something out to the workstation to make it inoperable and then have it reimaged and returned to the user in working condition when they bring it in to be "repaired". We use Digital Guardian for this piece but there are many other things you can do with admin rights. If this could turn into a legal case I would also start a COC form with the swap of the hard drive as well so you may want the "break fix" person to be someone trusted.
Hope this information helps!
Another downside of dongles I came to appreciate recently is when I tried to image a server running on VMWare ESXi (very common platform…. right?). ESXi does not allow pass through of USB devices from the host to guest OSes. (
This has happened to me multiple times and is beyond annoying. With that we went to F-Response consultant so the licensing is all software and dongle just on examiners machine.
Simulated fire alarm. Have upper management send out emails indicating there will be random fire alarm tests and list procedures. One of the procedures could be to leave everything behind and exit immediately. It should give you enough time to install the client. Then the following day first thing start the acquisition. Could even have a scheduled staff meeting to assist while acquiring.
All that is, of course if the IT manager is not the upper management.
I know you said Enterprise tools are too expensive but Paraben Shuttle starts at under $4k, has completely stealth agents and can run from a key license. We have a free version you can test out as well.