Remote forensic imaging tools?

Forensic software discussion (commercial and open source/freeware). Strictly no advertising.

CFEx
Senior Member
 

Re: Remote forensic imaging tools?

Post Posted: Aug 29, 19 04:58

- Belkasoft
- jaclaz
- Belkasoft

Great point. That's why it is more and more common to have partial acquisitions.


I guess it depends a lot on the specific kind of forensic work, but "partial acquisition" doesn't sound good.

jaclaz


I don't object to your points - all valid. We just offer additional options to the standard process and this could be good enough in a corporate environment. And, to your suggested process, we also support that: the remote acquisition with Belkasoft can be done to a local drive to be then sent using a courier.


Partial acquisitions are ok but it depends on the forensic work or case category.

In law enforcement or in litigation, full acquisition is the norm, and if you do partial, you'd better be prepared to convince the judge/jury why you did not do a full image. Your work will be challenged for sure.

In a corporate environment, we are likely to do full acquisitions if the device is locally available or do partial acquisitions to overcome challenges. But again, it depends on the case and why we are trying to do forensic work. For example,

In cases of trade secrets theft, hacking, or any case that is likely to affect the company negatively, we'll do full acquisitions, regardless of where the device/user is.

Contrast that with cases where I only need to prove an employee violated company policy where I'm only interested in "user behavior" (user data, browsing history, app data, etc.). Do I care about operating system files? No, I don't and so partial acquisition is perfectly fine; if the device is locally available we'll do full acquisition because I care about unallocated space, but I still don't care about OS files. So partial acquisitions are ok depending on several variables.

Here is another variable: still violation of company policy case, user works remotely by himself out of his home, in an African country where we don't have an office and I'm in the US. Our closest IT staff is either in Europe or Dubai. We may do one or several things but the point of this is that in a corporate setting, we end up evaluating the risk of a partial acquisition and make a judgement call after vetting.
 
  

sovietpecker
Member
 

Re: Remote forensic imaging tools?

Post Posted: Aug 29, 19 06:04

All these discussions on remote forensics and I did not see anyone mention F-Response. They are pretty good when it comes to remote/partial acquisition.

Give them a try.  
 
  

sec0987
Newbie
 

Re: Remote forensic imaging tools?

Post Posted: Aug 29, 19 09:03

- sovietpecker
All these discussions on remote forensics and I did not see anyone mention F-Response. They are pretty good when it comes to remote/partial acquisition.

Give them a try.


F-Response was mentioned earlier :)

But nobody mentioned an EnCase Enterprise solution. Big tool.
 
  

passcodeunlock
Senior Member
 

Re: Remote forensic imaging tools?

Post Posted: Aug 29, 19 09:17

I built a fully functional remote acquisition method (mobile both logical + physical or any USB attached device), without the need of any kind of forensic client / server setup.

If LE or enterprise business are interested, feel free to contact me.
_________________
Apple passcode unlock + decrypted filesystem dump, Android user locks unlock + physical dump with decrypted userdata partition. We provide our services world-wide, but we reserve the right for choosing which tasks we take and which we deny! 
 

Page 3 of 3