If partial acquisition is all that was required (e.g. the User folder) then why not just remote desktop into the machine, zip up the files and upload to the cloud? No special software required.
Could be a good option if you are working with one computer only. If you have multiple computers and/or repeated extractions and/or want to schedule uploading of the required files, it is better to do it with specialized software.
Well this latter seems to me more "backup to the cloud" (or "backup locally then send to remote") than anything else and I see very little "forensics" in the process. 😯
jaclaz
Well, the software is the same forensic software which is used for perfectly forensic acquisition locally. It calculates checksums and verifies output. If needed, you can secure chain of custody.
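As an added illustration of the "calculates checksums and verifies output" step mentioned in this reply (example code written for this thread, not Belkasoft's software): a partial acquisition of a directory tree into a zip archive with a per-file SHA-256 manifest, plus a verification routine that reports any missing, altered or unexpected entries. The paths and file names are assumptions.

```python
"""Partial acquisition of a directory tree with a hash manifest and verification.

Added example, not vendor code. Every file under `source` is read once, hashed
and written to a zip archive; the per-file hashes and the archive hash go into a
JSON manifest that can later be used to verify the archive was not altered.
"""
import hashlib
import json
import zipfile
from pathlib import Path


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def collect(source: Path, archive: Path, manifest: Path) -> dict:
    """Zip every regular file under `source`, hashing the same bytes that are stored."""
    entries = {}
    with zipfile.ZipFile(archive, "w", zipfile.ZIP_DEFLATED) as zf:
        for p in sorted(source.rglob("*")):
            if p.is_file():
                rel = p.relative_to(source).as_posix()
                data = p.read_bytes()  # read once: hash and store identical bytes
                entries[rel] = {"sha256": sha256_bytes(data), "size": len(data)}
                zf.writestr(rel, data)
    record = {
        "source": str(source),
        "files": entries,
        "archive_sha256": sha256_bytes(archive.read_bytes()),  # hash of the closed zip
    }
    manifest.write_text(json.dumps(record, indent=2))
    return record


def verify(archive: Path, manifest: Path) -> list:
    """Return a list of problems; an empty list means the archive matches the manifest."""
    record = json.loads(manifest.read_text())
    problems = []
    if sha256_bytes(archive.read_bytes()) != record["archive_sha256"]:
        problems.append("archive hash mismatch")
    with zipfile.ZipFile(archive) as zf:
        names = set(zf.namelist())
        for rel, meta in record["files"].items():
            if rel not in names:
                problems.append(f"missing: {rel}")
            elif sha256_bytes(zf.read(rel)) != meta["sha256"]:
                problems.append(f"hash mismatch: {rel}")
        for extra in sorted(names - set(record["files"])):
            problems.append(f"unexpected: {extra}")
    return problems
```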
That's not a question of how the software works; this relates more to the process of how you use it.
Great point. That's why it is more and more common to have partial acquisitions.
I guess it depends a lot on the specific kind of forensic work, but "partial acquisition" doesn't sound good.
jaclaz
I don't object to your points - all valid. We just offer additional options to the standard process, and this could be good enough in a corporate environment. And, as to your suggested process, we also support that the remote acquisition with Belkasoft can be done to a local drive, to be then sent using a courier.
Partial acquisitions are ok but it depends on the forensic work or case category.
In law enforcement or in litigation, full acquisition is the norm, and if you do partial, you'd better be prepared to convince the judge/jury why you did not do a full image. Your work will be challenged for sure.
In a corporate environment, we are likely to do full acquisitions if the device is locally available, or partial acquisitions to overcome challenges. But again, it depends on the case and why we are trying to do forensic work. For example,
In cases of trade secrets theft, hacking, or any case that is likely to affect the company negatively, we'll do full acquisitions, regardless of where the device/user is.
Contrast that with cases where I only need to prove an employee violated company policy where I'm only interested in "user behavior" (user data, browsing history, app data, etc.). Do I care about operating system files? No, I don't and so partial acquisition is perfectly fine; if the device is locally available we'll do full acquisition because I care about unallocated space, but I still don't care about OS files. So partial acquisitions are ok depending on several variables.
Here is another variable: still a violation-of-company-policy case, but the user works remotely by himself out of his home, in an African country where we don't have an office, and I'm in the US. Our closest IT staff is either in Europe or Dubai. We may do one or several things, but the point of this is that in a corporate setting we end up evaluating the risk of a partial acquisition and make a judgement call after vetting.
All these discussions on remote forensics and I did not see anyone mention F-Response. They are pretty good when it comes to remote/partial acquisition.
Give them a try.
F-Response was mentioned earlier.
But nobody mentioned the EnCase Enterprise solution. Big tool.
I built a fully functional remote acquisition method (mobile, both logical + physical, or any USB-attached device), without the need for any kind of forensic client/server setup.
If LE or enterprise business are interested, feel free to contact me.