FGET and forensics?

3 Posts
3 Users
0 Reactions
1,491 Views
(@du212)
Active Member
Joined: 21 years ago
Posts: 7
Topic starter  

This is regarding the HBGAry product recently released called "FGET"

"HBGary is very pleased to announce the availability of FGET.exe to the general public. FGET, which is short for “Forensic Get”, is a network-capable forensic data acquisition tool. Its primary function is collecting sets of forensically interesting files from one or more remote Windows machines. FGET starts off by creating a local repository folder @ C\FGETREPOSITORY\ and from there it will automatically create named sub-folders, one for each machine you run FGET against. By default, FGET is able to obtain a forensically sound copy of any file on the system, including those that are locked and in use (pagefiles, registry hives, etc)…"

…I have recently run this tool and guess what? Once it authenticates to the IPC$ share of the remote machine, it creates a folder in \Windows called "FGD". In this folder it PUSHES (WRITES) a copy of fget.exe and stores local copies of the files it is "collecting". After all is said and done (i.e. the transfer back to the originating computer is done) the FGD folder is deleted/removed.

I'm not sure I want a tool writing to a remote location… and if it's going to do that, it should at least be documented… I'm just saying…

That said, I like that it's free and can access/copy locked files… and it's free, did I say that?

(@douglasbrush)
Prominent Member
Joined: 16 years ago
Posts: 812
 

So, if, for example, you want to validate the tool in your own environment, show that this is what it does. Document it with your lab procedures and methodologies. Be able to falsify any claims of authenticity of results; then it is still a very viable option, just as any other tool.

VMs would be good for this. Could test it on multiple platforms and see what it does. Record screenshots or videos. Before and after snapshots. Analyze drive, partitions, file systems, registry, etc. to see what it does.

But it is good that you are testing AND sharing. Much obliged as I am just starting to play with the tool myself.


EDIT: My post in general and rant below are not directed at du212 - just post hijacked because it is a PERFECT example of why to test tools prior to case work. There have been a lot of forum posts lately asking "what's the best tool" with no context or clarity of application. When questions are posed like this it makes me SO nervous that they will just take whatever answer they get as fact and run with it.

If testing tools seems like a lot of work - tough - you should be doing testing with ALL your tools to know what they do. I am not going to take the stand and say, "Well, GoogleToolKit says it's the court validated tool for examinations. So there, I didn't have to test it."

There are no forensic tools.

There are tools that forensic practitioners use in the course of gathering evidence and performing analysis.
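The before/during/after comparison douglasbrush recommends, and the transient \Windows\FGD folder du212 observed, can both be documented with a simple filesystem snapshot diff. The script below is an added example and is not code from the forum thread or from HBGary; it hashes every regular file under a root directory, diffs two snapshots, and runs a constructed simulation of the described behaviour (a staging folder with a pushed binary and a collected hive copy that is removed on clean-up) in a temporary directory. The paths and file contents are constructed for demonstration; in a real lab you would point `snapshot()` at the mounted VM disk and also capture registry and event-log state, which this example does not do.

```python
"""Filesystem before/during/after snapshot diff for lab validation of an
acquisition tool. Added example, not the thread's or HBGary's code."""
import hashlib
import os
import tempfile
from dataclasses import dataclass
from pathlib import Path


@dataclass(frozen=True)
class Entry:
    """What we record per file: size plus SHA-256 of the contents."""
    size: int
    sha256: str


def snapshot(root):
    """Return {relative_posix_path: Entry} for every regular file under root.

    Note: empty directories are not recorded, so a folder the tool creates
    and later removes only shows up if you snapshot while it holds files.
    """
    root = Path(root)
    snap = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            h = hashlib.sha256()
            with open(p, "rb") as fh:
                for chunk in iter(lambda: fh.read(1 << 16), b""):
                    h.update(chunk)
            rel = p.relative_to(root).as_posix()
            snap[rel] = Entry(size=p.stat().st_size, sha256=h.hexdigest())
    return snap


def diff(before, after):
    """Classify files as added, removed or modified between two snapshots."""
    added = sorted(set(after) - set(before))
    removed = sorted(set(before) - set(after))
    modified = sorted(p for p in set(before) & set(after) if before[p] != after[p])
    return {"added": added, "removed": removed, "modified": modified}


def demo():
    """Constructed simulation of the behaviour described in the thread.

    Returns (diff_before_vs_during, diff_before_vs_after).
    """
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        # Constructed "target" system with one locked-hive stand-in.
        hive = root / "Windows/System32/config/SAM"
        hive.parent.mkdir(parents=True)
        hive.write_bytes(b"constructed hive bytes")
        before = snapshot(root)

        # Simulated tool run: stage a binary and a collected copy under
        # Windows\FGD (the folder name du212 reported; contents constructed).
        fgd = root / "Windows/FGD"
        fgd.mkdir()
        (fgd / "fget.exe").write_bytes(b"constructed binary bytes")
        (fgd / "SAM").write_bytes(hive.read_bytes())
        during = snapshot(root)

        # Simulated clean-up: the staging folder is removed again.
        for f in fgd.iterdir():
            f.unlink()
        fgd.rmdir()
        after = snapshot(root)

        return diff(before, during), diff(before, after)


if __name__ == "__main__":
    mid_run, end_run = demo()
    print("before vs during:", mid_run)
    print("before vs after:", end_run)
```

The end-of-run diff comes back empty, which is exactly why a pre/post comparison alone is not enough to document a tool that cleans up after itself: take a snapshot (or a VM checkpoint) while the tool is running, and keep the mid-run diff alongside the final one in the lab notes.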

(@piratefrog)
Eminent Member
Joined: 15 years ago
Posts: 20
 

It might make some changes to the remote system, but for an enterprise or corporate environment that's certainly acceptable if the changes are understandable, verified and documented.

I currently use psexec now for an initial triage of remote machines on the network, and it uses a similar method, and the HBGary tool might be easier to explain if it came to trial.
