Adapting Corporate Investigations Within A Pandemic

Alison: Hello everyone. Thank you for joining our webinar today. I’m Alison from the Magnet Forensics marketing team, and I’d like to be the first to welcome you to our session today with Trey Amick, manager of forensic consultants here at Magnet, and Andrew Roberts, our senior product manager at Magnet Forensics. 

Trey and Drew will be presenting on adapting corporate investigations within a pandemic, and they have a number of insights to share with us today. On a housekeeping note, we will be posting the recording of this webinar on our website within the next few days. If you have any questions, please submit them in the GoToWebinar question panel and Trey and Drew will do their best to respond during the session. If they don’t have a chance to get to your question, they will follow up afterwards. With that, I’d like to introduce you to Trey.

Trey: Awesome. Thank you, Alison, and thanks everyone for joining us today on a brisk December day here in Northern Virginia. As Alison said, we’re going to be talking about corporate investigations and how they kind of changed during this pandemic. We’re going to also talk about some upcoming features in AXIOM Cyber as a part of that as well. So just to kick it off, I’ll do a quick introduction then pass it over to Drew. 

My name is Trey Amick I’m manager of the forensic consultant team here at Magnet forensics. Been here already over two years. Time has flown. Previously I was with Capital One, doing technical investigations doing insider threat education and awareness team as well. Spent some time at Apple, and then prior to doing corporate investigations, I was a detective at Rockville police in South Carolina doing a variety of different types of casework.

Feel free to copy my information down, add me on LinkedIn on Twitter. Feel free to email me if you have any questions, happy to assist any way we can. As a part of Magnet, that’s what we are here for. We’re here for our community. So with that, I’m gonna go ahead and pass over to Drew so he can introduce himself. 


Get The Latest DFIR News

Join the Forensic Focus newsletter for the best DFIR articles in your inbox every month.

Unsubscribe any time. We respect your privacy - read our privacy policy.


Andrew: Yeah. Hi, Drew here. I’m a part of the team at Magnet. Similarly about two years ago, maybe a month before kind of been here together in this ride. I come from a background in kind of software development and product management, spent some time in financial services software, and then I found DFIR, which is a pretty great transition compared to my past life. And you know, I think Trey’s pretty funny here with this last bullet. You know, just the joke here is the promoted to GoToWebinar Organizer. So just on the on the permissions. 

Trey: It’s a big, big responsibility.

[laughter]

Trey: Awesome. Thank you. So we’re going to start off talking about kind of the state of corporate digital forensics, you know, in 2020. And I’m going to go ahead, just to give us a little bit more room with the webinar. I’m going to go ahead and turn off my webcam. There we go. 

So that being said, we recently, a few weeks ago, we did a survey to the community of corporate digital forensic investigators, really to get a pulse of what challenges you’re generally facing in addition to some other questions about your casework and really some predictions about the future of digital forensics, you know, in the next five years. The top industries being represented in the survey are professional services, technology, financial services, you know, federal public sector and also health care. 

So that’s kind of where we’re starting our talk today and we’re going to kind of review a couple of the survey responses, just with… what the community is seeing within you know, operations within COVID 19.

So in the specific context of COVID-19 pandemic, do you agree or disagree that the following factors have been impacted your ability to perform digital forensics? So this was one of the questions we asked, and really we were just boiling it down to: how has the pandemic affected your work? 

And as you can see with these results you know, based on these answers, definitely really some interesting results here. So, you know, things such as, what’s the difficulty of performing collections and you know, shifting to work from home easy attack factors with unsecure wifi and IOT devices. You know, we wanted to get to general fatigue and distractions causing some of these vulnerabilities as well. And obviously, you can see with the color coding at the bottom, you know, gray being strongly disagree, dark dark blue being disagree, kind of the middle group being agree, and then the lighter ones being strongly agree.

So let’s kind of dive into these a little bit. So it’s not surprising that given the massive shift to working from home with employees connected to home networks, as opposed to, you know, the corporate networks that they’re used to, you know, plus what the lack of really reliable tools out there for you to reliably collect from those remote off network end points. Many of you said that the difficulties of performing off network collections were a big concern. 

And, you know, in fact, this has been the highest number of folks who strongly agreed with that statement. So definitely we’re hearing you loud and clear that performing off-network collections when someone is not connecting to VPN is definitely a a challenge right now for investigators in the corporate field. 

Kind of moving on down, another big one that corporate investigators strongly agreed with was that new cyber crime attacks are really capitalizing on the pandemic and that’s really impacted their ability to perform their jobs. You know, it’s a fact that cyber crime has definitely increased during the pandemic, being that phishing, social engineering attacks are definitely more common and are relatively easy to perform, you know, for bad actors, you know, with a lot of time on their hands. 

So as we see in some industries though, they’ve definitely been hit a lot harder than others with cybersecurity incidents. And unfortunately healthcare is one of those industries that have been really hit the hardest, between malware and ransomware attacks that have plagued healthcare even before COVID-19. But they definitely have increased in volume and complexity during the pandemic. 

And we also just received word within the last day that even organizations like FireEye, they just had a breach yesterday as well, you know, with red team operational tools being the target there. So I’m sure we’ll learn more about that breach over the course of the next couple of weeks and months as well. So it’s always something going on, especially, you know, with COVID-19 really ramping up attacks. 

Fortunately the largest number of folks who strongly disagreed or disagree with the statement were the resource restrictions or the backs affecting their jobs. That’s definitely a positive sign. You know, when we’re looking at… what the context of this question being, do you agree or disagree that, you know, following factors have impacted your ability to perform your job? 

So, you know, that that’s telling us it’s a positive sign that there’s recognition from those who are making the budget decisions on, you know, seeing the value of digital forensics, especially during COVID-19. So that’s definitely a positive that we took away from our survey here. 

Kind of moving on along here, we have questions around shifting to work from home. Also somewhat surprisingly, the second largest number of people who really strongly disagreed or disagreed with the statement was shifting to working from home. Most likely many of you on the line right now had to go through that transition.

And, you know, almost certainly have had to adjust your casework to account for larger working from home or remote working workforce. But, you know, given that shift, it seems it wasn’t too much of a challenge with cloud-based tools now with apps that really enable us to do our jobs pretty much anywhere with network connections, it could easily explain why this wasn’t much of a factor. So definitely really interesting insight there as well. 

And then, kind of looking at once again, kind of the broad spectrum here, I definitely want to get Drew’s thoughts here, because obviously we kind of look at some of this a little bit differently, you know, since he’s product management and I’m coming more from the examiner side, but Drew, do you have any thoughts on this?

Drew: Thanks, Trey. I guess the thing, when I started looking at this thing I focused in on, kind of your last couple of comments, was the disagree bar there. I found like it was a pretty good general indicator of outlooks. Well, the other question, the thing that stood out most to me and you called it out there was that contrast between the responses in the shift from working from home and the performing off-network response. So it seemed like people were like, yeah, the working from home shift wasn’t a huge impact, but you know, it’s a big problem performing off network collections. 

I think a lot of us in the industry thought that the shift from working from home would be a big gap, that it would present bigger challenges. And while we totally heard from customers who have had bigger challenges since we all went home at the end of March, you know, because maybe their end-user and always on the VPN, or even the Target’s ISP is really, really slow. 

I think what this tells me is that off-network devices is more of just a general industry problem than a COVID-19 problem and something that, you know, was a problem going into it and will be a problem coming out of it. 

[crosstalk]

Drew: Sorry. The other thing I wanted to bring up, and I don’t know if it’s necessarily captured here, it might be captured a little bit in that shift from working from home is to… you mentioned a lot of people have remote access to the labs. And we’ve heard from customers who do, but we’ve also heard from customers who maybe have imperfect access or don’t have access to the labs, and are starting to do things like replicate their labs in the cloud. Something that we’ve seen both in private sector, as well as law enforcement. I think the most interesting thing for us will be to see if that shift continues kind of post COVID as you know, I think a number of people think it will.

Trey: Awesome. Yeah. And that’s definitely, I’ve heard a lot about that as well, you know, kind of shifting to more cloud environments, but to your point, you know, performance of off network collections you know, back two and a half, three years ago when I was doing that on a daily basis. Yeah. Just sitting and waiting for someone to connect to the VPN when they weren’t at the facility, it was definitely, you know, part of the struggle, you know, completing our investigation. So totally get that. 

So that being said, I’m going to go ahead and we’re going to kind of keep marching forward here, and we’re going to talk about how Magnet is enabling you to adapt within the pandemic now. And this is pretty exciting stuff, definitely going to be talking about some new pieces to AXIOM here that will be coming out in the next release of AXIOM Cyber, 4.8.

But the first we want to talk about getting to the cloud. So we have the Cloud License Server, or the CLS, that really makes life much, much easier when you’re talking about dealing with licenses for your organization. So you’re really able to get the most value out of every license. 

Essentially, this is a concurrent usage methodology where you have a pool of licenses and you can kind of check them in and out as they are needed. And you can also, obviously you can check one out and then work offline if needed as well. 

And what this allows us to do is actually enables us to deploy AXIOM Cyber to cloud platforms like AWS EC2 for instance, so that you can run you know, AXIOM Cyber in the cloud, which is fantastic. And, you know, if you’re kind of looking at this visual representation on right here, you know, this is for a six seat CLS license, where all the seats are being currently used. And once one of the dark black icons checks their license back in, then one of these other end points can then connect and connect to that. So essentially you have your pool of licenses that you can very easily check in and out utilizing a CLS license model. 

So that’s really exciting, but what that does, like I said, it really opens us up to being able to run AXIOM Cyber in the cloud, which we’ve heard loud and clear, people wanting to utilize cloud infrastructure more and more being able to deploy AXIOM. That’s something that people have been very interested in. So we can definitely do that now. Utilizing that licensed server methodology. 

This really gives us greater flexibility, faster remote collections, maintaining that data residency as well, which is super important for a lot of organizations where you need to keep that data within a country versus traveling, potentially, across the globe when you’re doing these collections, you know, so that’s really important.

So, you know, the flexibility running AXIOM in the cloud can really be that game changer for us. And, you know, instead of perhaps not being able to scale for a large investigation that your team might encounter or not having a budget for, you know, another $10,000 or $15,000 forensic box, we can simply just check out a license with the CLS, we can spin up an additional EC2 instance and you know, put AXIOM Cyber to that for being able to do some of these investigations. 

Now, as you can see here, this last bullet point, this is what I’m really, really excited about. You know, we have some new collection possibilities that running AXIOM Cyber in the cloud gives us. And with that we have with AXIOM Cyber 4.8 customers who had that CLS licensing, they will easily be able to collect from off network end points by utilizing resources you know, like AXIOM Cyber in an EC2 instance. With our off-network collection capabilities, you’ll be able to collect from anywhere regardless of that end point is on the internal VPN or not. And, you know, being able to securely get that information. 

You’ll be able to acquire and create forensically sound, AFF4L containers of your evidence. And as always, AXIOM Cyber provides [indecipherable] capability. So you’re not going to be, you know, sending a hard drive to someone or a thumb drive saying, “Hey, plug this in and, you know, double click that executable so that we can get a collection of your end point.” We’re going to be able to deploy AXIOM Cyber to the cloud. You’re going to be able to connect two end points and do those off network collections without them being on an internal VPN as well. 

So that’s really, really exciting. And you know, really something that we know a lot of people have really wanted for quite a while when it comes to just doing investigations for corporate and having that need.

And as Drew said, this was a challenge before COVID, it’s obviously been challenge during COVID and it will definitely continue being a challenge. But with our new AXIOM Cyber off-network capabilities, that should be much, much easier. So with that, I’m going to actually go ahead and turn it over to Drew. So let me pass the presenter to you. Drew, there you go. And he’s going to walk us through a live demo of spinning up an EC2 instance, then being able to deploy to an off-network end point. So we can see your screen.

Drew: Thanks, Trey. And maybe you just keep… I’m going to… probably going to bounce across a few different apps. So if you don’t mind, just keep me honest on what you’re looking at. 

But thanks a lot. What we wanted to do was when we talk about running AXIOM in the cloud, running AXIOM EC2, for a lot of people who had some experience with Amazon, it’s pretty straight forward, but folks who haven’t, it can be a little bit daunting. You know, it’s kind of new it’s, I don’t want to say it’s scary, but like there’s a learning curve there, right? So we want to do is we wanted to really, really quickly give like a high level overview of what that’s like, what does that actually mean? And then we wanted to show you what it looks like to actually do an off network collection using an instance of AXIOM Cyber in the cloud.

So you can see here, I’m actually logged into an AWS management console on one of our accounts. Like I said, it can be pretty scary. There’s a lot of stuff you can do in AWS, but EC2 is basically Amazon’s virtual machine infrastructure. So you click on an EC2 link and then again, you get a lot of options over here, but you can start to look at instances that are running or that have been previously created. I guess I’ll go to all of them. 

And basically these are just VMs. And so if you want to spin up a new one, you kind of just run through this little wizard, you go and hit launch instances. It’s interesting.

So the first step in running a new instance is you pick an AMI. So basically AMI, it’s just kind of Amazon speak for the base image, right? So it can be anything from just a Windows server OS, right, clean install, to base images that have extra stuff installed. So you can do things like… you can even create your own where you have things like, you know, software pre-installed. 

I have one where I’ve got AXIOM Cyber pre-installed and all the ports and everything opened up. And then basically you select your operating system. Next step is you’re presented with like, how big of a machine do you want to run? You want four CPUs and 16 gigs of RAM? How fast of internet do you want? et cetera. There’s, you know, there’s a whole host of options here. And obviously the pricing, the complete pricing that, that you end up paying, is going to depend on the instance that you select. 

We’re going to be posting some information to to the customer portal on recommended configuration for AXIOM in the cloud. But kind of the general purpose or compute optimized one, as well as the storage one. I’m gonna pick the compute optimized one, which is a C5 two extra-large. So I got a C5, two extra large. It’s got eight CPU, 16 gigs of RAM, up to 10 gigabytes. 

You can see… again, if you’re not familiar with the way storage works, there’s basically two options: there’s EBS which I don’t know if you know, what that stands, for trying to think… [indecipherable] basically, the difference is, EBS lives for the lifetime of your VM. Once you terminate it, that storage goes away. Whereas when you have SSDs, I think that those things actually persist and you can do things like that. We’ve got a mastery buckets of stuff through it. 

So for today, I’m just going to go do a real quick EBS. It’s just a wizard you go through. I’m not going to go through all of these specifics. Just the two things I wanted to call out. Obviously it would be the size of your drive — by default, it generally goes to the 30. I like to bump it up to a hundred, at least. Obviously, you’re going to want enough storage to acquire whatever it is that you’re trying to acquire.

And, you know, it can be challenging to know that ahead of time, but you can definitely always come back and increase these things or add volumes to those virtual machines.

The other thing I want to talk about was the security group. So basically a great thing. And the whole reason that this enables off-network collections is, these things are internet-facing, right? They’re not sitting behind… they’re sitting behind a firewall, but they’re not sitting behind multiple layers of firewalls the way things are in a corporate environment. 

And so, the last of the process is like, Hey, you know, this is going to sit behind a firewall, but what do you want to walk through? And this is where we can say, okay, well I know that AXIOM Cyber, the way it works is when I deploy an agent, that agent attempts to make an outbound connection back to AXIOM. And all I need to do is allow that agent through. Then I get to define them a range when I create that agent. 

So I’m going to pick four, three, two, one is that port range. They give you some control here around like how open do you want that to be? You can, you can narrow that down to a specific IP or IP range. So maybe stuff that’s, you know, known to your corporate environment, and to try and prevent any additional access from people who might be trying to sneak in. 

But I’m just going to go ahead and do a set of zeros, which is basically anywhere, and I’m going to tear this down afterwards. But basically what this is going to do is, this is going to allow traffic to get through. And then I’m going to, Hey, review launch, and then I’m going to launch. 

Interesting thing here again: you know, something you’ll learn as you start to play more and more with AWS, the way they secure these things is, they have you create this private key file. And that’s how they’ve gotten that, right. That password VMs. So right now there’s not like a default password on the thing. I’m going to use one of my existing private keys.

And what happens is, once it launches — and it takes a couple of minutes for it to be available, but basically once it launches — you’re going to see it as this guy down here. Maybe I’ll filter this back down to just those that are running. So it’s a little bit cleaner. 

See this guy with a little dot? Now, I’ve got a VM running in the cloud. I want to connect to it. I right click on it. I go to connect. Basically, all you’re going to do is you’re going to remote desktop, remote desktop to it, right? Windows RDP, just like any other VM in any other environment.

So I have downloaded that remote desktop file. I’m just going to throw that in downloads for now, and I’m going to get that password for it. So it says ‘get password.’ You have to wait four minutes for that. So… but basically what happens is, when you click on that and get password, once it’s available, you select that file that you previously created, saved to your desktop and it  it generates a password for you and you can copy and paste that into your remote desktop client when you going to connect to it. 

I think for the sake of moving on with a demo, what I’ll do is I’m going to bounce over. So at this point you have a clean Windows environment. Let me try one more time… 

You have a clean Windows environment and then you’d log into it, install everything you needed, install AXIOM, install any other tools you want to install on it, set up all your rules. 

The other cool thing about Amazon, again, if you don’t have experience with it, if you’ve ever heard of AMIs — and we talked a little bit about when you want to create the thing — it’s really, really easy, once you have your VM all set up to basically say, save this. 

So the next time I create, I want to spin up a new instance because you don’t need to leave these things running. You can take them up and down and you can then create new one, where you go over into this VM. Once it’s all set up, you see two instances, and you go down to image and templates and you say, create image. And basically that saves kind of that state previously done that. So I’ve got a couple different AMIs where I previously installed Cyber, previously configured all of the firewall rules and anything that needed to be there. And then away I go. 

So I’m going to go ahead and I’m going to skip over. I’ve got one that I actually previously set up. And like I said, when you go to connect it… actually maybe I had it set up. Oh, I’ll walk you through it, but basically just go and say connect. And you say, I want to download the remote desktop file, and so on, and download that remote desktop file. I’m not going to show you me getting the password, cause that would be terrible security practice. But basically you double-click on that desktop connection. It’s going to prompt you for credentials there over here. So I’m going to go ahead and pop in my credentials. My number here, grab them… 

And then… oh, I think it might have popped it on the wrong screen. So I’m going to bring it back over. You’re just remote desktopping into a Windows server, right? Like it’s all it is. It’s a Windows server that’s publicly facing to the internet. You can kind of see some information about it, it has a public IP address, and that’s going to be really important later. 

So again, this is what I previously set up. I guess the key here is, basically it’s got a clean version of Windows, installed the AXIOM, opened up my port four three two one in Windows firewall, and I can now try and do a remote collection. 

So I’m going to walk through that with you now. So basically again I’m going to kind of assume that, you know a little bit. I definitely encourage you to go and take a look at some of the previous webinars that we’ve done on AXIOM Cyber, cause I’m going to fly through some of these details. 

But what I wanted to really focus on is creating that agent that enables you to do an off-network collection and actually showing you how it works. So I’m going to go in here, I’m going to create a new agent. What we create a new agent in AXIOM Cyber, we’re telling that agent, where do you want to connect to? Right? We don’t try to connect down to the agent. If we were doing it that way, you know, if you think about if you were to pull an agent, that’s like a servlet, that’s listening for a connection, we couldn’t get to it. If it was behind a firewall of any kind, whether it be someone’s personal internet, whether it be a coffee shop, you can’t connect down to something over the internet.

The way we designed the AXIOM Cyber agent is, it’s going to connect back out to where you’re listening to that connection from, which is a publicly facing EC2 server. So when I go to that agent I’m going to grab that IP. It’s really good, in AWS, they give you that public IP address, and a lovely little copy button on there. Copy that over, paste it in. If you remember, in that security group definition, I’ve put four, three, two, one as my server, and I’m going to say, I want a Windows agent. So create that agent. 

This is where, in an off-network scenario, there’s a bit of a challenge, right? So how do we get that agent on the machine? That machine is somewhere over the internet. You know, we cannot deploy it from within AXIOM Cyber. Again, I just, we can’t push down on the internet. There’s a couple different options here though. 

One is if you’re using a cloud-based EDR. So we’ve heard a lot of examples of folks using like clouds, CrowdStrike, Falcon, or Tanium where it’s cloud-based and they can access any end point that’s connected to the internet. You can use that EDR tool to deploy that agent. 

Alternatively, if you have a willing participant, you’re doing ediscovery, or you’re a consultant or something like that, tou can just send them the agent and have them put it on the machine. So I’m going to go ahead and just copy this agent for the example I’ve got here, what I’ve got is…  basically I’ve got — I’m just copying this agent onto a junk folder here — I’ve got a VM.

And the special thing about this VM: I wanted to demonstrate how we can do an off network collection. So I set this VM up with a Nat network adapter. So basically what that means is it can get internet out. Nothing can get in, even though this VM is sitting on my desktop, it’s got a 10.0.4 IP, I’ve got a 172 IP and a 192 IP. I can not ping that guy. Yeah. I tried to ping him earlier, it times out. He is unreachable for me to reach into him, but he can reach out, right? He can go out and get to the internet. So what I can do is can get that agent on the device. 

This isn’t the right one. That one. I’m going to go grab this one, pop it anywhere. The other thing you can do is, you know, if you are working with… when you’re using EDR tools to deploy agents, it will run, generally speaking, will run silent in the background and some other tips and tricks you can use to work on… but for the purpose of the demo today, I’m just going to double click it. So it’s going to be a little bit of an [indecipherable] example because the, you know, the end user could see this thing running. But basically the agent is running on a target and it’s already attempting to connect it to AXIOM Cyber. 

So I jump back over to AXIOM Cyber, I hit connect. And basically again, that agent is on that target, is trying to reach out over the internet every, I think, 10 seconds was what I configured on that agent and after 10 seconds or so, it should be able to connect. 

Attempting to connect, connecting to, okay. I’m not sure what’s going on here. Let me go back and try this. There we go. 

So I’m not sure what happened to the first one there. So again, basically I’ve connected, you can see a remote computer, Selena. This is the target I was looking at. That’s the… user Selena on a soap and I’ve got a not network VM, nothing can get in, but it can get out and I can connect to it. Again, this is where I wasn’t going to spend a ton of time on once we’re connected, you know, we’ve got targeted location, so pre-packaged things that you can grab. We’ve got the ability for you to either grab an entire drive if you want, or go ahead and just peruse the file system and be very targeted about what you want to grab.

So, you know, I can go and start to dig into her user folders, dig in her documents, you know, pull down these customer contracts, start to look at the processes that are running on her machine. If I want to grab an individual process memory, or just do a full memory acquisition. 

A couple of things I wanted to touch on: one of the benefits here is, you’re not using VPN for this, right? So if you have a slow VPN, you’re not limited by the speed of your VPN. One of the cool things, I didn’t really touch on it when I was creating the instance is, you can actually target where you want that instance to run. So if this target was somewhere else, geographically in the world, you can run the EC2 instance in a different Amazon data center that’s closer geographically to the target. So you know, you kind of get the shortest path to maximum of speed. 

And then three — and I think, I want to say AXIOM 4.6, AXIOM Cyber 4.6 — we added some compression capability to the collection. So if we want to compress it further, it works best with kind of big sparse things like full discs or RAM. But we can get that small as possible. So by the time you combine those three things, get it as close as possible to target, get as fast as internet as possible and make it as small as possible, ideally we’re going to have, you know, a relatively fast acquisition. 

The other thing I’ll touch on is, AXIOM cyber is designed around kind of a never quit mentality. If this agent goes down, actually, and I can simulate that right now. So let me go, I’m going to pick something big-ish. If this target goes down, because I kill the agent, what’s going to happen is, it’s going to disconnect and it’s going to take a second for it to realize that it’s disconnected, but it’s going to disconnect, but it’s not going to give up, it’s going to stay on this screen indefinitely. And basically the way we built AXIOM Cyber is when the machine, that’s my problem…  

There, you can see it actually disconnected now. So it’s going to sit here and it’s the say ‘attempting to connect,’ I’m going to stay downloading. And if that agent comes back up, as you’d expect it to, then what’s going to happen is this is going to automatically reconnect and it’s going to pick up where it left off. We’re not going to restart. We’re not going to, you know, kick the whole thing out and have you set it back up again. It’s going to, like I said, automatically pick back up and reconnect. So, you know, if there’s a blip in the network or, like I said, if you have an issue, you know, I kind of force killed the agent and restarted it. Then it’s going to automatically jump back in, reconnect and start downloading again. 

So, like I said, super flexible, doing it over the internet. And you know, if anything goes wrong but it’ll just pick back up again. No, no nothing needed from the end user to kind of intervene.

And that’s kind of what I had planned. Like I said, I totally recommend if you haven’t seen AXIOM Cyber before, we’ve got other webinars up on our YouTube that go into far more detail on some of the configurability around the agent, around some of the power, around some of these specific types of evidence that we can capture remotely. I highly recommend you check that out, but what I really want to do here, show off the ability when you put AXIOM Cyber EC2 instance and expose it to the internet. The ability to basically collect from anything that’s internet connected. 

Trey? I’m not sure if you are just coming off mute.

Drew: Okay, great. Well, while we wait for Trey, maybe we’ll go ahead and take a look at the questions. See if there’s anything in here.

There’s a problem with my question now, it’s not it’s not expanding.

Trey: Can you hear me now?

Drew: Yeah. Yeah, you’re there, Trey. 

Trey: All right. Sorry. I had to swap out headsets. My apologies there. So I wanted to kind of start jumping into some of these questions and I was going to pass some to you, but you reiterated this first one kind of at the end, but you know, if the connection gets interrupted, does the acquisition resume when that connection is reestablished? And, yes. So essentially, AXIOM will keep trying to connect back to that agent. And once it is picked back up, you know, we’ll finish that acquisition. 

Now that being said, if we are doing a memory acquisition, that’s going to be where you’re possibly going to want to go ahead and we’re going to kind of kick that process over, just because obviously with volatile memory, you’re going to want the latest and greatest, so just kind of keeping that in mind. But yes, we will pick up right where we left off. 

And you’ll know actually from within the view, as you can see the items being downloaded, you’ll know what’s been complete and what’s not. And that’s one thing that I really like about AXIOM Cyber is that, you know the data that you have, so you don’t have to worry about trying to figure out where you need to kind of pick it back up on that. 

Another question: what format will the data collection be in? So there’s a couple options here. You can pull this data and put it into a zip, and we will ha hash the zip for you, but you can also use AFF4L, which is an open source logical containerized format. You do have the option of being able to go into AXIOM process settings and change that. But obviously if AFF4L is what I would recommend being… it’s open source and that other tools would accept that, but obviously a zip, you know, other tools can accept that as well. 

Grab a question for you Drew, apologies, I’m kind of sliding through, we’ve got a bunch. So, you know, when selecting files to grab, can the cyber agent copy locked files like OST files?

Drew: Yeah, for sure. So for Windows, absolutely. Basically we are not relying on Windows to give us those files. We’re using our own file system technology that we’re using, the AXIOM scanning. So we attached straight to the unencrypted volume rebuild at file system. So we can grab any file that is on file system. Even if it’s Windows locked. On Mac, it’s a little bit different scenario. We can’t rebuild from the raw data due to T2 encryption and things like that. So we’re a little bit more limited on things that the OS will give us, but Windows. We have full range.

Trey: Perfect. And then one of the questions: does the agent require local admin to run on the source device?

Drew: Yeah, absolutely. So you saw that demo in order to get raw access to that drive, to get kind of that, that an unlimited access to the drive. We absolutely need admin rights. So it’s local domain admin, whatever that process needs to be run, as an admin, run as administrator.

Trey: Perfect. And then, you know, on the Mac side, obviously we’re essentially kind of SSHing into the box, and essentially we’ll try and promote that user to be able to go ahead and, you know, run a pseudo to grab as much as possible. But that’s one of those that really depends on the pseudo file and how you have that set up in your local network. But yeah, definitely need the admin. 

Another question — and I can take this one —  as far as the AWS recommended config being published online, that will be coming up within the next week or two with our 4.7 AXIOM Cyber release. So like I said, this was kind of a pre-showing of what’s coming with AXIOM Cyber. So that will be coming out in the very near future. 

And we’re going to actually make sure that everyone who came to the webinar today will also get that as a part of the resources and the recording from the webinar as well. So you’ll definitely get that. 

Does the… let’s see… the collection of off-network end points, not on VPN, where does the collection output to, and what protocols use since the SMB Windows share is blocked by most ISPs? So kind of a two-part question yeah, Drew, if you want to go for it.

Drew: Yeah, I was just going to say so we’re not using SMB or Windows shares to do the collection. Basically, once we get the agent running on that end point there’s a proprietary DLS socket based connection between the agent the target and the machine running AXIOM. So we’re going to pull all that data over that connection and then save it on the AXIOM Cyber side, wherever the examiner has specified to save it on the Cyber side.

Trey: Perfect. And then last question right now — might have couple more coming in — but will Cyber prompt for a BitLocker key? If you want to talk about that, Drew?

Drew: Sure. Yeah. So what I’ll say is, if you were trying to do a targeted collection, so you know, when you go through files and drives, you see files and folders, if this C DRive was BitLocker encrypted, we won’t need to prompt for a BitLocker key because the machine is running and there’s an unencrypted volume sitting there that we can access. So we’re just grabbing the unencrypted volume. 

If you go to drives and you say, give me the full physical drive, what’s going to happen is, you’re going to get the raw binary data that is sitting on the disc, which is encrypted. And after you acquire that and you move on to the next step in the evidence, you kind of go next and we package it up and you go to add to the case, AXIOM Cyber will recognize that that raw data is BitLocker encrypted, and it will prompt you for a BitLocker key to decrypt it. 

So the answer ism  it basically depends on what you grab. If you grabb raw data and then going to be encrypted, we’ll probably ask for a key; if you’re just doing a targeted collection we can get around any of that key management stuff, because it’s sitting there, you know, the volume is sitting there unlocked.

Trey: Perfect. so next question, we could probably tag team this. So what are the benefits of running AXIOM Cyber on AWS instead of a dedicated forensic machine? So kind of the start obviously you can absolutely run AXIOM Cyber, you know, on your forensic box and you can, you know, do your collections, especially when the end points are on your network. Absolutely. You know, that’s definitely one way to take this. 

But a lot of customers have asked and been interested in running within AWS environments, especially when they need to scale their investigative powers, and essentially being able to collect from more end points, and do more investigations or have, you know, a larger, faster box where they can essentially, instead of, you know, buying a new box that, you know, is more powerful that they can actually just use a one pre-built within EC2.

But, you know, to the point where we’re talking about today, when it comes to off-network collections, being able to expose that EC2 to the internet, to be able to then collect and pull from those end points is definitely, you know, really important. You know, it makes life much, much easier when it comes to dealing with the ports, and dealing with some of the security protocols that if you were trying to do that with your forensic box, that’s, you know, set within that… the firewall and set within the, you know, the perimeter of your organization it gets a lot more difficult, but Drew, you want to add anything?

Drew: No, I guess the other thing I’d add again, I think the biggest thing we’re we’re promoting is that once you put an EC2 [indecipherable] internet, you can do off-network collections, but it also gives you a little bit more flexibility apart from folks would talk about, you know, we’re widely geographically distributed. I may be sitting in Texas and I want to acquire an end point somewhere in, you know, the continent of Asia. EC2 gives you the power to spin up your AXIOM Cyber in an Amazon data center, somewhere in on the continent of Asia. So you can get the target a little bit closer to the AXIOM Cyber end point. 

The other thing I was going to say is, we’ve actually talked to a couple of customers. The great thing in Cyber — Trey mentioned it — there’s… you get, you can unlock a lot of flexibility. You don’t have to leave these running, right? You can spin them up and take them down. You can create an AMI. We talked to a customer the other day who was saying, you know, we’re very highly segmented, but when I go to an acquisition, I’ll spin up a Cyber VM in the segmented network, do my thing and then tear it down. So it just gives you a lot of flexibility.

Trey: Yep. Somebody is asking about, you know, with what ports on the end points, you know, being needed, used for communication. That’s definitely something that you can set up and you can configure. That’s the great part about creating the agent within AXIOM Cyber, where you can designate and what port you want that agent to be pushed out through in terms of being able to, for us to then connect back. So that being said, you can configure that and set that up, to best suit the needs of your environment and your organization. 

Let’s see here. One second. All right. 

Any other questions? I think we are mostly… I think we’ve caught up on questions here. If we don’t have any other questions, give it one more second. Yeah, it looks like we are good on questions. So, that being said, Alison, we’ll turn it back over to you.

Alison: Thanks so much. Thanks everyone for participating in today’s webinar. We are very grateful for your time. We will be sending out an email with the recording of this webinar within the next few days. So please keep an eye out for that. There were also a number of questions captured during today’s session, and I think we answered most of them, but if any were missed, I will follow up with you directly in the next couple of days. We hope you enjoyed this session today, and we hope you’ll join us again for another webinar soon. Thanks.

Leave a Comment