F-Response Alternative?

BattleSpeed
(@battlespeed)
Posts: 36
Eminent Member
Topic starter
 

You probably considered this - but just to be sure isn't there any way to covertly image the machine in a 'traditional' way, for example by doing it overnight or by faking some maintenance activity by IT for which the machine has to be handed in?

On F-Response note that the Consultant edition does require a dongle, but only at the Analyst machine and not at the Target machine. Assuming you can stealthily start the agent on the Target machine, this might be a solution?

Alternatively, if you can arrange remote access via VNC/RDP or some other tool (assuming this is some sort of corporate situation, the helpdesk will likely use something like this anyway), you could use that to start FTK Imager Lite on the target machine and image to a network share somewhere (of course, this would have to be done at a moment when the user is not there - but then again, if there is such a moment you might just as well remove the machine for a couple of hours and image it at another location).

To be a bit less obtuse, we're dealing with an IT manager and a laptop that goes everywhere with him when not at the facility. We've not been able to invent any scenarios that would not rouse suspicion and the concern is increased by the possibility of another IT employee's participation in the adverse activity.

 
Posted : 17/12/2010 9:28 pm
(@brianh)
Posts: 2
New Member
 

There seems to be a misunderstanding between the different AccessData agents (sorry). The agent FTK uses to support live remote device acquisition and mounting (physical device/logical volume/RAM) and the one with AccessData Enterprise are very different. They share underlying code; however, the FTK agent is a run-time agent (single exe), does not have an installer and has a tiny footprint. The FTK agent (part of FTK 3) which supports RDMS (Remote Device Mounting Services) is a standard part of FTK and does not require any additional purchase. It also has a default lifetime so you do not have to remember to kill it when you are done (which we call a dying agent). The AccessData Enterprise agent that has an installer and a more sizeable footprint supports a different set of capabilities and therefore has different requirements from an agent perspective (it has to be installed).

More information can be found here: http://accessdata.com/downloads/media/How_to_use_Remote_Device_Mounting_Services.pdf. We also have a webinar, "Live Remote Data Acquisition": http://accessdata.com/resource-library#webinars

We also have a soft token for individuals that cannot support or do not want a physical dongle. No additional cost; it can be moved between machines.

Karney

 
Posted : 17/12/2010 10:57 pm
jekyll
(@jekyll)
Posts: 60
Trusted Member
 

Another downside of dongles I came to appreciate recently is when I tried to image a server running on VMware ESXi (very common platform... right?). ESXi does not allow pass-through of USB devices from the host to guest OSes. I had F-Response Tactical there but was stuck because of the dev's copy protection requiring a dongle. More organisations are locking out USB, and when copy protection handicaps a product I have paid for, me not so happy.

 
Posted : 12/01/2011 5:26 am
(@tonyc)
Posts: 27
Eminent Member
 

Battlespeed,

Take a look at ProDiscover IR from Technology Pathways (www.techpathways.com). With it you can remotely install an agent to any Windows system that you have admin credentials for. The agent has a default port and name but both can be changed to whatever you want.

I have used it many times to remotely image systems.

Oh yeah, I almost forgot, no dongle!!

TonyC

 
Posted : 12/01/2011 10:40 am
(@mindsmith)
Posts: 174
Estimable Member
 

If you're willing to use the EnCase Enterprise agent, then take a look at their non-Enterprise version, EnCase Forensic Consultant:

http://www.guidancesoftware.com/computer-forensics-software-consultants.htm

BrianH, jelle and DFICSI have given you good alternative solutions to consider.

If you really need 'ultra black-ops type stealth' 😉, look at Gamma Group's FinFisher intrusion suite for gaining access/preview, then consider running a 2nd tool to image the HD, but... it's going to be pricey, and with any solution you use the user may still notice slight performance degradation and excessive disk activity due to the imaging process. https://www.gammagroup.com/finfisheritintrusion.aspx

 
Posted : 12/01/2011 11:37 am
(@rossetoecioccolato)
Posts: 34
Eminent Member
 

Are you able to deploy software via the admin share? Basically, do you have admin access to the computer when it is online?

 
Posted : 13/01/2011 10:53 pm
(@forensicakb)
Posts: 316
Reputable Member
 

Many times issues are overthought from a technical standpoint when the easiest fix is a social engineering one from an investigative standpoint.

Based on the information you have provided, this is a fix by a phone call, not a stealthy one, which appears to have a very, very high chance you will get caught.

Most IT managers who carry their laptops around know enough to know even if you think you are being stealthy. IMHO you won't be stealthy enough, as you really don't know what to do and are asking others. While you have provided a lot of details, if you have left out one thing, even a small one, the advice you may have been given could be bad. Maybe the detail is something as small as an SP update, or a program like Regmon, or something else which is installed on the PC, and then what happens when the stealth aspect goes away? Someone has time to wipe the drive and concoct a story why it is wiped, or maybe you don't have the serial number of the drive written down, so a mirror of the drive is made without the information you are looking for and you now have nothing.


 
Posted : 15/01/2011 4:53 am
(@tdisco)
Posts: 1
New Member
 

Hello,

This sounds like a difficult situation and one that will require some social engineering. I use F-Response as well as EnCase Ent and they are both great tools. However, the main issue you will probably run into is keeping the mobile user online long enough to acquire the drive. It could take forever to actually get what you need this way. As others have mentioned, it may be easier to push something out to the workstation to make it inoperable and then have it reimaged and returned to the user in working condition when they bring it in to be "repaired". We use Digital Guardian for this piece, but there are many other things you can do with admin rights. If this could turn into a legal case, I would also start a COC form with the swap of the hard drive as well, so you may want the "break fix" person to be someone trusted.

Hope this information helps!

 
Posted : 17/01/2011 7:27 pm
(@douglasbrush)
Posts: 812
Prominent Member
 

Another downside of dongles I came to appreciate recently is when I tried to image a server running on VMware ESXi (very common platform... right?). ESXi does not allow pass-through of USB devices from the host to guest OSes.

This has happened to me multiple times and is beyond annoying. With that we went to F-Response Consultant, so the licensing is all software and the dongle is just on the examiner's machine.

 
Posted : 18/01/2011 7:38 pm
(@josefk)
Posts: 3
New Member
 

Simulated fire alarm. Have upper management send out emails indicating there will be random fire alarm tests and list procedures. One of the procedures could be to leave everything behind and exit immediately. It should give you enough time to install the client. Then the following day, first thing, start the acquisition. You could even have a scheduled staff meeting to assist while acquiring.

All that is, of course, if the IT manager is not the upper management.

 
Posted : 18/05/2011 2:50 pm