
Remote Forensics

(@dhanraj)
New Member
Joined: 12 years ago
Posts: 1
Topic starter  

I'm working on a workshop to develop a remote forensics concept. Shall we discuss the materials about remote forensic investigation, on how to investigate a remote live victim system from my own lab: tools used, methodology, imaging process, valued information, tutorials about it... Please participate actively... Thanks...


   
(@zul22)
Trusted Member
Joined: 12 years ago
Posts: 53
 

In the past, I've been interested in such a concept for remote data recovery and performed some tests locally.
The idea was to use a SSH client like Putty on the computer that the investigator uses and have a SSH server on the remote machine.
Ultimately, the concept was to remotely pass commands to a Linux Live-CD distribution.

I hoped one could use a service like whatsmyip.org to find the IP of the remote computer.
But I'm not skilled enough in IP (public vs. private IP addresses) and I could not find the time to produce the proof of concept.

I remember that one challenge was passing through the router firewall, which involved removing protection on port 22, a procedure that may vary from router to router.

I believe the IT competency of the remote customer can be a bottleneck that is not to neglect.
For some people, following a procedure can be hugely complicated, even if it seems easy to you. That said, I'm still interested in the question.

If the remote computer is running fine, and of course depending on what kind of investigation you want to do, you might consider using tools like TeamViewer(.com). Of course, it's not suitable for serious forensics.


   
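As an added example (not code from the thread or from any tool mentioned in it), the SSH-based concept in the post above written as a small POSIX shell script: it pulls a raw device image over SSH and compares the bytes received against a SHA-256 computed where the device lives. The live-CD-with-sshd setup, the REMOTE_SHELL hook and the function names are assumptions.

```shell
#!/bin/sh
# Added example (not code from the thread): pull-style acquisition over SSH,
# matching the Putty/sshd/live-CD idea above. Assumes the remote machine is
# booted into a Linux live CD that runs sshd and has dd and sha256sum, and
# that the host (user@host) is reachable on port 22.

# Run a command on the remote host. REMOTE_SHELL is an assumed hook that
# defaults to ssh; it exists so the pipeline can be exercised locally.
run_remote() {             # $1 = user@host, $2 = command string
    ${REMOTE_SHELL:-ssh} "$1" "$2"
}

# Reference hash of the evidence device, computed where the device lives.
remote_hash() {            # $1 = user@host, $2 = device path
    run_remote "$1" "sha256sum '$2' | cut -d' ' -f1"
}

# Stream the raw device through the SSH channel into a local image file and
# print the sha256 of the bytes actually received, so transit errors show up.
acquire_image() {          # $1 = user@host, $2 = device path, $3 = local image
    run_remote "$1" "dd if='$2' bs=4M 2>/dev/null" | tee "$3" | sha256sum | cut -d' ' -f1
}

# Hash, copy, compare. Returns 0 only when the remote hash matches the bytes
# received. On a system that is live rather than booted from a live CD, the
# device can change between the two reads, so a mismatch is not necessarily
# corruption; the stream hash is still the value to record for the image.
remote_acquire() {         # $1 = user@host, $2 = device path, $3 = local image
    expected=$(remote_hash "$1" "$2") || return 1
    received=$(acquire_image "$1" "$2" "$3") || return 1
    [ "$received" = "$expected" ]
}
```

Run as `remote_acquire user@host /dev/sda evidence.img` from the investigator's lab; the port-22 and router-firewall issues raised in the post are outside the script and must be solved on the network first.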
(@bithead)
Noble Member
Joined: 20 years ago
Posts: 1206
 

You really have two teaching points, how to connect remotely and what to do once you connect.

For the remote connection, F-Response is an easy choice and has been covered in a number of previous posts: What is F-Response?

F-Response is an easy to use, vendor neutral, patented software utility that enables an investigator to conduct live forensics, Data Recovery, and eDiscovery over an IP network using their tool(s) of choice. F-Response is not another analysis tool. F-Response is a utility that allows you to make better use of the tools and training that you already have.

Once connected you need to define what you want to do on the remote target which will define what tools to use.


   
EricZimmerman
(@ericzimmerman)
Estimable Member
Joined: 13 years ago
Posts: 222
 

F-Response is the way to go.

Add X-Ways and it's a total win!


   
(@fraudit)
Trusted Member
Joined: 13 years ago
Posts: 72
 

I strongly like the F-Response concept but does it work in practice?

I don't mean technical way, as i'm pretty sure it does the job but I'm curious about the dongle concept implemented in lower product versions.

For the enterprise version it's a breeze, I believe, as only the agent runs on the target machine. But what about the simple budget version of F-Response? You need to attach a dongle to the target machine, so it looks like there's no option to perform a covert data collection, am I correct?

One can just hope the subject doesn't notice the dongle - doable for PCs but not for laptops I believe…

Can anyone comment on that?


   
(@mitch)
Estimable Member
Joined: 19 years ago
Posts: 135
 

I strongly like the F-Response concept but does it work in practice?

I don't mean technical way, as i'm pretty sure it does the job but I'm curious about the dongle concept implemented in lower product versions.

For the enterprise version it's a breeze, I believe, as only the agent runs on the target machine. But what about the simple budget version of F-Response? You need to attach a dongle to the target machine, so it looks like there's no option to perform a covert data collection, am I correct?

One can just hope the subject doesn't notice the dongle - doable for PCs but not for laptops I believe…

Can anyone comment on that?

Fraudit

A few weeks ago I tested F-Response regarding a covert acquisition of data.

On my own network (home) it worked easily, fantastic…….

On my work's network, a bloody nightmare: opened all recommended ports etc., still failed.

Covert operation - Failed

So really, if you have FULL control and FULL knowledge of the said network then it's superb.


   
jhup
(@jhup)
Noble Member
Joined: 16 years ago
Posts: 1442
 

BigFix, on target and then extract what you need.


   
keydet89
(@keydet89)
Famed Member
Joined: 21 years ago
Posts: 3568
 

I strongly like the F-Response concept but does it work in practice?

I don't mean technical way, as i'm pretty sure it does the job but I'm curious about the dongle concept implemented in lower product versions.

For the enterprise version it's a breeze, I believe, as only the agent runs on the target machine. But what about the simple budget version of F-Response? You need to attach a dongle to the target machine, so it looks like there's no option to perform a covert data collection, am I correct?

I would then respectfully suggest that you're using the wrong version of F-Response, fraudit.

The approach you use depends upon your needs and your budget. If by "remote forensics", you mean something like simple data collection with little potential for legal proceedings (perhaps for an internal HR investigation, particularly in an at-will work state), then mapping a drive to the remote system, or using WMI, would work just fine. ProDiscover IR provides some valuable functionality, but F-Response enterprise version, along with the use of open source and/or free tools, is much more cost effective.

If you need covert data collection, then clearly, any version of F-Response (or any other tool) that requires that you attach a dongle to the remote system is not suitable…it's not the right tool for the job.


   
jhup
(@jhup)
Noble Member
Joined: 16 years ago
Posts: 1442
 

I ran across two major problems with covert collection.

Getting a software piece onto the machine, and reaching the said software.

The best solution I could find in corporate environment is GPO, login script or similar to get the stub onto the machine and then that machine logging into an external server.

That is, the target initiates the communication. This is necessary as the path between two machines in a corporate environment can include half a dozen firewalls, segments, and similar.

The biggest headache remaining is manipulating the A/V/Firewall software on the machine to not set off alarms.


   
(@workinguy)
New Member
Joined: 15 years ago
Posts: 1
 

mitch,

We are very sorry you didn't have the experience you were hoping for with F-Response. We do our best to be available to assist if you are experiencing difficulties with our product via phone, webchat, or email. With that being said I would be happy to arrange a brief GoToMeeting where we could go over the issues you were having and perhaps suggest a few alternate deployment options for the next covert situation.

Regardless, thanks Mitch, we appreciate you bringing this to our attention. Please feel free to contact me via PM should you have further questions or should you like to move forward with that GoToMeeting.

Warmest Regards,

Sean Lynch, F-Response


   