
Remote Forensics

(@fraudit)
 

I would then respectfully suggest that you're using the wrong version of F-Response, fraudit.

It is true indeed, however only to some extent. I realize that in order to perform a covert data collection I need something more than the basic version of (almost) any tool that can do so. Unfortunately, the budget here is always a problem causer… The old issue of budget vs. needs strikes again…

Many forum members would probably agree that we're often called to make a covert initial case screening to see, i.a., whether something interesting can be found on the target's HDD, and only later perform a full acquisition, if necessary. By all means it can be partly done by using any remote connection, but it's more accurate (those locked system files and so on!) and safer to have forensically sound evidence from such a remote review, just in case our target decides to clean his drive.

I'm aware of legal constraints but in my country it's still possible to use such evidence (it's enough for one side - i.e. employer - to be aware of such covert operation, only limit is analysis of employee's private data but it has to be precisely marked as private). It may be questionable but that's the local law at the moment.

I would love to have all F-Response versions being capable of installing a secret agent on a target machine and differ only by the number of concurrent connections and maybe some other functionality - it's my little dream… 😉 On the other hand I'm fully aware of the developer's need to differentiate its tool versions and make money for a living and further tool development.

The approach you use depends upon your needs and your budget. If by "remote forensics", you mean something like simple data collection with little potential for legal proceedings (perhaps for an internal HR investigation, particularly in an at-will work state), then mapping a drive to the remote system, or using WMI, would work just fine. ProDiscover IR provides some valuable functionality, but F-Response enterprise version, along with the use of open source and/or free tools, is much more cost effective.

If you need covert data collection, then clearly, any version of F-Response (or any other tool) that requires that you attach a dongle to the remote system is not suitable…it's not the right tool for the job.

Amen, enough said.


   
ReplyQuote
jaclaz
 

(those locked system files and so on!)

With some attention they are not particularly an issue, JFYI (cannot say how much suited to "remote" and to your particular *needs*); check my "poor man's way" 😯 and the nice tools by erwan.l and joakim:
http://reboot.pro/topic/7400-copy-locked-system-files-tis-now-possible/
http://reboot.pro/topic/7400-copy-locked-system-files-tis-now-possible/?p=172732
http://reboot.pro/topic/18579-rawcopy/

jaclaz


   
ReplyQuote
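As an added example (not jaclaz's "poor man's way" and not RawCopy, whose internals are in the linked threads), here is one common way to get at locked system files on a live Windows box: snapshot the volume with Volume Shadow Copy, expose the snapshot through a directory symlink, and copy the files out through normal file APIs while hashing them. It assumes an elevated Windows PowerShell session, a working VSS service, and a destination directory on a *different* volume than the one being snapshotted; the target list and paths are illustrative. This is editor-added example code, not code from the thread.

```powershell
# Added example: copy locked NTFS files (registry hives here) via a Volume Shadow Copy.
# Assumptions: elevated Windows PowerShell, VSS available, $OutDir on a separate volume
# so the collection does not write to the volume being examined. Paths are illustrative.

$Volume  = 'C:\'
$OutDir  = 'D:\collect'                      # assumed: NOT on $Volume
$Targets = @('Windows\System32\config\SYSTEM',
             'Windows\System32\config\SOFTWARE',
             'Windows\System32\config\SAM')  # normally locked by the kernel on a live system

New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# 1. Create the snapshot (Win32_ShadowCopy.Create returns ReturnValue and ShadowID).
$result = (Get-WmiObject -List Win32_ShadowCopy).Create($Volume, 'ClientAccessible')
if ($result.ReturnValue -ne 0) { throw "Shadow copy creation failed, code $($result.ReturnValue)" }
$shadow = Get-WmiObject Win32_ShadowCopy | Where-Object { $_.ID -eq $result.ShadowID }
$device = $shadow.DeviceObject   # e.g. \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyN

# 2. Expose the snapshot as a directory symlink so Copy-Item can read from it.
$link = Join-Path $OutDir 'shadow'
cmd /c mklink /d "$link" "$device\" | Out-Null

try {
    foreach ($rel in $Targets) {
        $src = Join-Path $link $rel
        $dst = Join-Path $OutDir ($rel -replace '[\\/]', '_')
        Copy-Item -LiteralPath $src -Destination $dst

        # 3. Hash each copy immediately so the collection can be verified later.
        $h = Get-FileHash -Algorithm SHA256 -LiteralPath $dst
        "$($h.Hash)  $rel" | Add-Content -Path (Join-Path $OutDir 'hashes.sha256')
    }
}
finally {
    # 4. Remove the symlink with rmdir (not Remove-Item -Recurse, which would follow it)
    #    and discard the snapshot so nothing lingers on the target.
    cmd /c rmdir "$link" | Out-Null
    $shadow.Delete()
}
```

Two caveats for the "forensically sound" requirement discussed above: creating a shadow copy itself writes to the snapshotted volume (shadow storage, VSS metadata), and what you get is a consistent copy of the files as of snapshot time, not a raw image, so it complements rather than replaces a full acquisition. For the covert/remote use case the same commands can be run through PowerShell Remoting, but the snapshot and the collection directory are visible to an administrator on the target.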
(@fraudit)
 

With some attention they are not particularly an issue, JFYI (cannot say how much suited to "remote" and to your particular *needs*); check my "poor man's way" 😯 and the nice tools by erwan.l and joakim:
http://reboot.pro/topic/7400-copy-locked-system-files-tis-now-possible/
http://reboot.pro/topic/7400-copy-locked-system-files-tis-now-possible/?p=172732
http://reboot.pro/topic/18579-rawcopy/

jaclaz

Well, that's THE solution for budget constraint!
I didn't know those particular tools, so many thanks for the tip, jaclaz!


   
ReplyQuote
(@ac_forensics)
 

Jerry Hatchett and other Certified Computer Examiners (CCEs) are using a tool called BlackBox. Check it out at blackboxforensics.com, and email info@blackboxforensics.com for a free demo (pending verification that you are an industry professional).


   
ReplyQuote
Page 2 / 2
Share: