
Remote evidence collection and forensics procedures

4 Posts
3 Users
0 Reactions
1,404 Views
(@ottomatik)
Active Member
Joined: 10 years ago
Posts: 10
Topic starter  

Hello everyone,
I'm new to digital forensics and I've recently been given the task by my employer to conduct internal forensics investigations. The company has several sites spread across the country, but there is only one security team at the headquarters.
I know that forensics investigations follow a well-defined process and I know that evidence collection must come after securing the crime scene and documenting it.
My question is related to remote evidence collection and more specifically about volatile data.
Since time is a key factor here, can I remotely collect volatile data before securing the crime scene and documenting it without putting the case in danger?
If so, what are some of the caveats I should pay attention to (for instance, psexec from Sysinternals is a nice utility, but am I allowed to use it)?
Thank you for your answers.


MDCR
(@mdcr)
Reputable Member
Joined: 15 years ago
Posts: 376
 

You have several options that you could use:

1. Fancy and expensive technical solution that allows you to remotely gather data. It also needs to be secure against attackers as it pretty much means installing something like a legit backdoor onto the corporate network(!)
2. Delegate collection to local technical support. This requires training - and trust.
3. Travel to each location and gather the data yourself when something happens.

Ask yourself: are you going to take people to court, or do internal investigations that could get people fired?

If the answer is primarily the latter, things are simpler. If the answer is the first and you have certain procedures to follow in your country (like chain of custody as they do in the US) then things can get complicated.


(@ottomatik)
Active Member
Joined: 10 years ago
Posts: 10
Topic starter  

MDCR, thank you for your answer.
In my case, I'm mostly going to conduct investigations that might get people fired.
In my country (as, I believe, in most countries), people have the right to challenge their job dismissal in front of a court (unfair dismissal), even if it doesn't happen often, as far as I know.

Right now, we can't allow technicians on sites to perform evidence collection, because they don't have the proper training. What we can do is train them to secure the scene and document it.
We can then travel to each location, but my concerns about volatile data still remain.

We'll acquire an enterprise-grade solution for remote evidence collection next year, but for now we have nothing (we didn't have the budget for this year).

Given this information, my questions are the following:

1 - If we acquire a forensics-proof solution for remote evidence collection, can we start collecting data before the technician on site secures and documents the scene, or should we stick to the process and wait until he's finished with his tasks (knowing that these first two steps might take a while and valuable information might be lost)?

2 - Since we don't have a forensics solution for now, can I use basic tools like psexec or PowerShell to gather evidence remotely (arp cache, tcp/udp connections, dns/arp cache, process list….)?


UnallocatedClusters
(@unallocatedclusters)
Honorable Member
Joined: 13 years ago
Posts: 576
 

Ottomatik,

Please see my responses below

1 - If we acquire a forensics proof solution for remote evidence collection, can we start collecting data before the technician on site secures and documents the scene or should we stick to the process and wait until he's finished with his tasks (knowing that these first two steps might take a while and valuable information might be lost)?

A: Here are some tools that you might find useful for remote collection:

FTK Imager by AccessData (http://accessdata.com/product-download).

OSForensics by Passmark (http://www.osforensics.com/faqs-and-tutorials/imaging-a-network-location.html)

2 - Since we don't have a forensics solution for now, can i use basic tools like psexec or powershell to gather evidence remotely (arp cache, tcp/udp connections, dns/arp cache, processes list….)?

A: FTK Imager is a free tool and OSForensics is inexpensive (US $500.00).

You will want to test both tools first before using them on a live case, but one item you will require is adequate IT administrative permissions within your network to perform remote collections.

In order to perform a remote network collection, you will typically need to assign the drive you want to collect with a relative drive letter such as "K", or "X".

If you are collecting a laptop or desktop computer's hard drive, the laptop or desktop will obviously have to be connected to your network during the entire collection process.

It is critical that whichever tool you use is able to document the collection process, typically through a collection "log" and use "Hash Value" calculations such as MD5 or SHA-1. Both FTK Imager and OSForensics use Hash Value calculations in the collection process.

Here are some other free forensic tool resources for you to download and test:

www.deftlinux.org
www.caine-live.net
https://www.sumuri.com/products/paladin/
https://forensiccontrol.com/resources/free-software/
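As an added illustration of question 2 and of the point above about collection logs and hash values, the following PowerShell script is example code written for this thread, not a tool recommended by anyone in it. It collects the volatile artifacts the question lists from a remote Windows host over PowerShell Remoting, hashes every output file and writes a timestamped collection log. It assumes WinRM is enabled on the target, that the account running it has local administrator rights there, and that the Get-Net* cmdlets exist (Windows 8 / Server 2012 or later); $Target, $CaseId and the output root are placeholders.

```powershell
# Added example, not from this thread. Collect volatile data from a remote host,
# hash each output file and keep a collection log for the case record.
# Assumptions: WinRM enabled on $Target, caller is local admin there.
param(
    [Parameter(Mandatory)][string]$Target,
    [string]$CaseId  = "CASE-PLACEHOLDER",   # placeholder case identifier
    [string]$OutRoot = "C:\Evidence"         # placeholder evidence share
)

$stamp  = Get-Date -Format "yyyyMMdd-HHmmss"
$outDir = Join-Path $OutRoot "$CaseId\$Target-$stamp"
New-Item -ItemType Directory -Path $outDir -Force | Out-Null
$log = Join-Path $outDir "collection.log"

# Every log line records when, who (examiner and examiner's host) and what.
function Write-Log([string]$Msg) {
    "$(Get-Date -Format o) $env:USERNAME@$env:COMPUTERNAME $Msg" |
        Tee-Object -FilePath $log -Append
}

# Artifacts in rough order of volatility. Note the session itself spawns
# wsmprovhost.exe on the target; it will appear in "processes" and the log
# records that this script was the cause.
$artifacts = [ordered]@{
    "tcp-connections" = { Get-NetTCPConnection | Select-Object LocalAddress,LocalPort,RemoteAddress,RemotePort,State,OwningProcess }
    "udp-endpoints"   = { Get-NetUDPEndpoint   | Select-Object LocalAddress,LocalPort,OwningProcess }
    "arp-cache"       = { Get-NetNeighbor      | Select-Object ifIndex,IPAddress,LinkLayerAddress,State }
    "dns-cache"       = { Get-DnsClientCache   | Select-Object Entry,RecordName,Data,TimeToLive }
    "processes"       = { Get-CimInstance Win32_Process | Select-Object ProcessId,ParentProcessId,Name,CommandLine,CreationDate }
}

Write-Log "START case=$CaseId target=$Target collector=this script (remote PSSession)"
$session = New-PSSession -ComputerName $Target
foreach ($name in $artifacts.Keys) {
    $file = Join-Path $outDir "$name.csv"
    try {
        Invoke-Command -Session $session -ScriptBlock $artifacts[$name] |
            Export-Csv -Path $file -NoTypeInformation
        # SHA-256 used here; MD5/SHA-1 as mentioned above would be -Algorithm MD5/SHA1.
        $hash = (Get-FileHash -Algorithm SHA256 -Path $file).Hash
        Write-Log "COLLECTED $name file=$file sha256=$hash"
    } catch {
        Write-Log "FAILED $name error=$($_.Exception.Message)"
    }
}
Remove-PSSession $session
Write-Log "END target=$Target"
```

Run it from the examiner's workstation and keep the whole output directory, log included, with the case; the hashes let anyone later verify the CSV files are the ones collected at the logged time.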

