Have you taken a look at Cyber Securities OnlineDFS?
http://www.cyberstc.com/products.asp
Is that the same tool as LiveWire? Just wondering because I noticed that it links to their page under the law enforcement section.
LiveWire is OnlineDFS. LiveWire was the software re-branded for WetStone. They sold it with training and were focusing on police applications.
Would like to re-visit this thread.
Are there any other tools out there for remote imaging?
I have run into several cases where routing in a complex network will not allow imaging. :-/
Greetings,
That's exactly what F-Response is designed to handle.
-David
Hmmm….
On a screen shot where ports were to be entered . . .
(https://www.f-response.com/images/stories/fk-3.09.jpg)
Anything that high would set off the desktop firewalls, intra-network firewalls, and most likely would be blocked by both…
Is there any compression built into the tunnel?
Greetings,
So you want something capable of handling a routed network but that cannot be detected by firewalls?
I've not had desktop firewalls block it. I've had corporate security policies that made it difficult to install.
No, it isn't stealthy. No compression last I checked. And you'd not want to image an entire drive across the Internet, but you could preview the drive and pull selected information.
It'll not work in every situation, but when it works, it works very well.
-David
Hmmm….
On a screen shot where ports were to be entered . . .
(https://www.f-response.com/images/stories/fk-3.09.jpg)
Anything that high would set off the desktop firewalls, intra-network firewalls, and most likely would be blocked by both…
Is there any compression built into the tunnel?
No need.
You can also have the firewall updated to allow the passage of the data.
I think what's missing here is an understanding of what F-Response is for and what it does.
Once installed, F-Response gives you read-only access to the remote drive, and with Windows, memory. So it appears on your desktop as a read-only disk. What you do with it at that point is totally up to you.
Now, I have no idea why anyone in their right mind would want to image a system, via ANY method, over the Internet. It simply doesn't make sense. However, you can be 'stealthy' (been there, done that…) by being inside the corporate network and deploying F-Response (or whichever solution) from there.
Okay, you're connected to the drive…now what? Well, at this point, you use whichever tool you choose…FTK Imager, EnCase in acquisition mode, dd, whatever…to acquire your image. Or, as was suggested, you simply grab selected files, so that you can perform a triage. Or, you run tools like RegRipper to grab some subset of the data that you're interested in.
I am aware what it does, but good you reminded us.
I must be out of my mind, but I really would not want to fly to Asia, Africa, Australia, South America, etc. just to image a couple of drives. It might be slightly cheaper running it through our private cloud.
Dumb eDisc. around ESI is crazy. Everyone from foreign corporations to fired janitors are issuing requests to preserve.
Most of the time they amount to nothing. I imaged all the fun things as unused insurance. But, on the rare occasion they become linchpins of cases.
I love to travel, but the costs are getting ridiculous! (I am also tired of US airports.)
So, yes, if I can suck 120GB through a straw… I will.
Greetings,
I'm still missing something. Are you looking for a solution for an internal network where you can control access to the systems and firewalls? You mentioned "private cloud", which is why I ask.
If so, F-Response still seems like the right solution, or EnCase Enterprise (costly, but could pay for itself over time).
I'm kinda missing traveling to those places to do imaging, so if you want to hire it out ….
-David
Yeah David, I still need a job - but will keep you in mind. ;)
Yes, private cloud which is often passed through public/government networks, and all locations have firewalls at both the edge location and the edge of the cloud.
What is even more cumbersome, the firewalls (FWs) are managed all over the place. The cloud FWs by the cloud management, but local FWs may or may not be managed by the local IT, or some other country IT, or some other third party. It is a mess of responsibilities and authorities. It can take weeks to get a ticket in the right queue just to consider making a FW change . . . by then it would be hardly "timely", and most everyone and their neighbor would know about it.
I guess I will just have to try it out.