
Free/OpenSource tool to remotely browse hard drive

 Mike
(@mike)
New Member
Joined: 21 years ago
Posts: 2
Topic starter  

Complete newbie here, just getting involved with a new IT Forensics department in our company.

We need to look through the files on the laptop of a user in one of our offices, but do it remotely (by browsing to the C$) and without changing the Last Accessed timestamps. Also, we have no budget and so are restricted to OpenSource and freeware tools. Does anyone know of any suitable software?

Thanks, all.


   
keydet89
(@keydet89)
Famed Member
Joined: 21 years ago
Posts: 3568
 

A couple of things…

What is the OS of the remote system? If it's Vista or above, updating of the last access times on files is disabled by default.

Also, the requirement to not change last access times (if the remote system is XP) may have obviated you out of a solution that is free/open source. Tools like F-Response allow you to mount the remote drive read-only, but F-Response is neither free nor open source.

Good luck.


   
jhup
(@jhup)
Noble Member
Joined: 16 years ago
Posts: 1442
 
  1. Presuming Windows (C$)… but which version?
  2. Firewalls?
  3. Hostile or friendly?

    Again, presuming Windows, friendly custodian, no firewall issues, you could use a secure fork of VNC…

    Alternatively or in conjunction you could run a batch file and have the output returned back to you.

    Something like the following. I wrote this in a pinch for a preservation-in-place verification. If the user has at least local admin rights, you get pretty much everything without loading any program.

    Tested to work from Windows XP SP3 and up.

    @ECHO OFF
    REM Written by jhup 2012.IV.27
    REM license - free - cannot charge in any way shape or form
    ECHO .
    ECHO Legal Hold Preservation-in-Place Information Indexing Utility
    ECHO .
    FOR /F "tokens=2,3,4 delims=/- " %%a IN ('DATE /t') DO SET collectiondate=%%c%%b%%a
    FOR /F "tokens=1-4 delims=. " %%a IN ("%time%") DO SET collectiontime=%%a%%b%%c%%d
    SET PIPinfo=%USERNAME%~%COMPUTERNAME%-%collectiondate%%collectiontime%.TXT
    SET PIPregistryinfo=%USERNAME%~%COMPUTERNAME%-Registry-%collectiondate%%collectiontime%.TXT

    ECHO - - - - BEGIN - - - %time%
    ECHO Creating "%PIPinfo%"
    REM First write uses ">" to create the log; every later write appends with ">>"
    ECHO Legal Hold Preservation-in-Place Information Indexing Utility > %PIPinfo%
    ECHO version 1.4 >> %PIPinfo%
    ECHO - - - - BEGIN - - - %time% >> %PIPinfo%

    ECHO . >> %PIPinfo%
    ECHO - - - - BEGIN REGISTRY - - - %time%
    ECHO - - - - BEGIN REGISTRY - - - %time% >> %PIPinfo%
    ECHO Creating "%PIPregistryinfo%"
    ECHO REGEDIT /E "%PIPregistryinfo%" >> %PIPinfo%
    REGEDIT /E "%PIPregistryinfo%" >> %PIPinfo%

    ECHO . >> %PIPinfo%
    ECHO - - - - BEGIN ENVIRONMENT VARIABLES - - - %time%
    ECHO - - - - BEGIN ENVIRONMENT VARIABLES - - - %time% >> %PIPinfo%
    ECHO SET >> %PIPinfo%
    ECHO . >> %PIPinfo%
    SET >> %PIPinfo%

    ECHO . >> %PIPinfo%
    ECHO - - - - BEGIN DOMAIN INFORMATION - - - %time%
    ECHO - - - - BEGIN DOMAIN INFORMATION - - - %time% >> %PIPinfo%
    ECHO NET USER %USERNAME% /DOMAIN >> %PIPinfo%
    ECHO . >> %PIPinfo%
    NET USER %USERNAME% /DOMAIN >> %PIPinfo%

    ECHO . >> %PIPinfo%
    ECHO - - - - BEGIN MAPPED DRIVES - - - %time%
    ECHO - - - - BEGIN MAPPED DRIVES - - - %time% >> %PIPinfo%
    ECHO NET USE >> %PIPinfo%
    ECHO . >> %PIPinfo%
    NET USE >> %PIPinfo%

    ECHO . >> %PIPinfo%
    ECHO - - - - BEGIN SUBSTITUTED DRIVES - - - %time%
    ECHO - - - - BEGIN SUBSTITUTED DRIVES - - - %time% >> %PIPinfo%
    ECHO SUBST >> %PIPinfo%
    ECHO . >> %PIPinfo%
    SUBST >> %PIPinfo%

    ECHO . >> %PIPinfo%
    ECHO - - - - BEGIN C DRIVE DIRECTORY - - - %time%
    ECHO - - - - BEGIN C DRIVE DIRECTORY - - - %time% >> %PIPinfo%
    ECHO VOL C: >> %PIPinfo%
    ECHO DIR C:\*.* /S >> %PIPinfo%
    ECHO . >> %PIPinfo%
    VOL C: >> %PIPinfo%
    DIR C:\*.* /S >> %PIPinfo%

    ECHO . >> %PIPinfo%
    ECHO - - - - BEGIN D DRIVE DIRECTORY - - - %time%
    ECHO - - - - BEGIN D DRIVE DIRECTORY - - - %time% >> %PIPinfo%
    ECHO VOL D: >> %PIPinfo%
    ECHO DIR D:\*.* /S >> %PIPinfo%
    ECHO . >> %PIPinfo%
    VOL D: >> %PIPinfo%
    REM Skip the listing when there is no D: volume
    IF ERRORLEVEL 1 GOTO SKIPD
    DIR D:\*.* /S >> %PIPinfo%
    :SKIPD
    ECHO %time% >> %PIPinfo%

    ECHO . >> %PIPinfo%
    ECHO - - - - BEGIN E DRIVE DIRECTORY - - - %time%
    ECHO - - - - BEGIN E DRIVE DIRECTORY - - - %time% >> %PIPinfo%
    ECHO VOL E: >> %PIPinfo%
    ECHO DIR E:\*.* /S >> %PIPinfo%
    ECHO . >> %PIPinfo%
    VOL E: >> %PIPinfo%
    REM Skip the listing when there is no E: volume
    IF ERRORLEVEL 1 GOTO SKIPE
    ECHO . >> %PIPinfo%
    DIR E:\*.* /S >> %PIPinfo%
    :SKIPE
    ECHO %time% >> %PIPinfo%
    ECHO . >> %PIPinfo%
    ECHO - - - - END - - - %time% >> %PIPinfo%
    ECHO - - - - END - - - %time%
    ECHO . >> %PIPinfo%
    REM Clear the working variables only after the last write to the log
    SET PIPinfo=
    SET PIPregistryinfo=
    SET collectiondate=
    SET collectiontime=


   
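The two points raised so far, whether the system updates last-access times at all and which timestamp a `DIR` listing reports, can both be recorded at collection time. The batch file below is an added example, not part of any post in this thread; the script name, the optional root argument and the output file names are assumptions.

```batch
@ECHO OFF
REM Added example (not jhup's script). Records the NTFS last-access setting,
REM then writes one recursive listing per timestamp field.
REM Usage: tslist.cmd [root]    script name, argument and output names are assumptions.
REM Run it from the folder where the output should land (for example removable
REM media), so the listings are not written onto the volume being examined.
SETLOCAL
SET "ROOT=%~1"
IF "%ROOT%"=="" SET "ROOT=C:\"
SET "OUT=%COMPUTERNAME%-timestamps"

REM 1. Is last-access updating switched off on this system?
ECHO Collected %DATE% %TIME% (local time) > "%OUT%-lastaccess.txt"
REG QUERY "HKLM\SYSTEM\CurrentControlSet\Control\FileSystem" /v NtfsDisableLastAccessUpdate >> "%OUT%-lastaccess.txt" 2>&1
IF ERRORLEVEL 1 ECHO NtfsDisableLastAccessUpdate is not set; the OS default applies. >> "%OUT%-lastaccess.txt"

REM 2. DIR prints only one timestamp per run (last written unless told otherwise):
REM    /T:C = created, /T:A = last accessed, /T:W = last written.
REM    /A includes hidden and system files, /-C drops thousands separators.
FOR %%T IN (C A W) DO (
    ECHO DIR "%ROOT%" /S /A /-C /T:%%T > "%OUT%-%%T.txt"
    DIR "%ROOT%" /S /A /-C /T:%%T >> "%OUT%-%%T.txt" 2>&1
)
ENDLOCAL
```

The last-accessed listing should be read alongside the recorded setting, since on systems where updating is disabled those values are not refreshed when files are opened.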
 Mike
(@mike)
New Member
Joined: 21 years ago
Posts: 2
Topic starter  

Thanks, both, for your replies and the info. Machine is Windows XP (SP3), no local firewall (i.e. XP's built-in one). Hostile or friendly? Well, the work is to be done without the user's knowledge, investigating whether there are files they shouldn't have on their laptop, so I'd say "hostile", if that's what the terms mean in this context.

Thanks for the batch file, jhup. A couple of questions on it, if I may-

- the time and date in the output look like they're the "last modified" data. Is it possible to amend the script so that it also shows the created and last accessed timestamps?

- how should it be modified to report on the files on a remote computer? Say, name LAPTOP01 used by fred.bloggs? And how would it be run to do that? - I tried changing %username% and %computername%, copying it across to another machine and running it from mine using psexec, but it failed (no output created).

Thanks again.


   
(@paraben)
Eminent Member
Joined: 17 years ago
Posts: 47
 

You may want to consider Paraben's Shuttle Free. It will allow you to covertly mount a target machine on a network as a local drive while maintaining forensic integrity.

You can learn more and get the download here: http://www.paraben-enterprise.com/shuttle-free.html


   