Scenario
A forensics shop that uses EnCase Enterprise is looking for another method of pulling data over the wire in the event EnCase fails. The server must stay online and not experience any disruption in services. The situation could also be resolved by physical access to the server if necessary. Extracting key artifacts would be the initial goal and then possibly imaging the disk would be secondary.
What software tools, hardware, and methods would other digital forensics experts recommend?
Other alternatives thus far include:
1) Using F-Response and then launching EnCase or IEF.
2) Using EnCase Portable.
Thanks for any and all recommendations in advance.
As an alternative to tools, having procedures in place will also be helpful. You can use FTK or F-Response since both have remote agent capability. However, remote access tools like PowerShell, SysInternals, Robocopy, PSTools, etc. could be used as long as you have an SOP in place that outlines how they should be used in a response scenario. It may not be as forensically sound, but you are following an internal method that can be repeatable and documented (which can identify it as an alternate investigation capability).
And the venerable 'netcat' too.



