Remote forensic imaging tools?

Forensic software discussion (commercial and open source/freeware). Strictly no advertising.

jaclaz
Senior Member
 

Re: Remote forensic imaging tools?

Posted: Jul 08, 19 09:04

- Belkasoft

Great point. That's why it is more and more common to have partial acquisitions.


I guess it depends a lot on the specific kind of forensic work, but "partial acquisition" doesn't sound good.

"Full" acquisition and transfer of partial data sounds already better, but essentially (if I get it right):
1) perform full acquisition (remotely, with the assistance of the customer, or of a "corresponding agent" or whatever)
2) have the customer send via UPS or DHL (or *whatever*) the actual disk with the actual "full" image
3) in the meantime (let's say 2 or 3 days at the most) have the "partial" data of interest extracted and transmitted and start analysing this "partial" data
4) verify the findings (if any, i.e. if the partial data actually contains something relevant) against the "full" image that already arrived at the lab or analyse anyway the "full" image to look for *anything else* not included in the "partial" data.

At first sight it seems to me a lot like a few hours difference at the most.

And the actual procedure (think of "chain of custody") is a tad bit flaky, if there isn't anyone qualified remotely "on site", anything can happen.

jaclaz
_________________
- In theory there is no difference between theory and practice, but in practice there is. - 
 
  

Belkasoft
Senior Member
 

Re: Remote forensic imaging tools?

Posted: Jul 08, 19 09:11

- jaclaz
- Belkasoft

Great point. That's why it is more and more common to have partial acquisitions.


I guess it depends a lot on the specific kind of forensic work, but "partial acquisition" doesn't sound good.

"Full" acquisition and transfer of partial data sounds already better, but essentially (if I get it right):
1) perform full acquisition (remotely, with the assistance of the customer, or of a "corresponding agent" or whatever)
2) have the customer send via UPS or DHL (or *whatever*) the actual disk with the actual "full" image
3) in the meantime (let's say 2 or 3 days at the most) have the "partial" data of interest extracted and transmitted and start analysing this "partial" data
4) verify the findings (if any, i.e. if the partial data actually contains something relevant) against the "full" image that already arrived at the lab or analyse anyway the "full" image to look for *anything else* not included in the "partial" data.

At first sight it seems to me a lot like a few hours difference at the most.

And the actual procedure (think of "chain of custody") is a tad bit flaky, if there isn't anyone qualified remotely "on site", anything can happen.

jaclaz


I don't object to your points - all valid. We just offer additional options to the standard process and this could be good enough in a corporate environment. And, to your suggested process, we also support that: the remote acquisition with Belkasoft can be done to a local drive to then be sent using a courier.
_________________
Computer, Mobile, RAM and Cloud Forensics In a Single Tool
belkasoft.com 
 
  

xandstorm
Senior Member
 

Re: Remote forensic imaging tools?

Posted: Jul 08, 19 18:06

You could look at F-Response (f-response.com).
 
  

Passmark
Senior Member
 

Re: Remote forensic imaging tools?

Posted: Jul 09, 19 03:21

If partial acquisition is all that was required (e.g. the User folder) then why not just remote desktop into the machine, zip up the files and upload to the cloud? No special software required.  
 
  

Belkasoft
Senior Member
 

Re: Remote forensic imaging tools?

Posted: Jul 09, 19 09:41

- Passmark
If partial acquisition is all that was required (e.g. the User folder) then why not just remote desktop into the machine, zip up the files and upload to the cloud? No special software required.

Could be a good option if you are working with one computer only. If you have multiple computers and/or repeating extractions and/or want to schedule uploading of required files, it is better to do it with specialized software.
_________________
Computer, Mobile, RAM and Cloud Forensics In a Single Tool
belkasoft.com 
 
  

jaclaz
Senior Member
 

Re: Remote forensic imaging tools?

Posted: Jul 09, 19 19:30

- Belkasoft
- Passmark
If partial acquisition is all that was required (e.g. the User folder) then why not just remote desktop into the machine, zip up the files and upload to the cloud? No special software required.

Could be a good option if you are working with one computer only. If you have multiple computers and/or repeating extractions and/or want to schedule uploading of required files, it is better to do it with specialized software.

Well this latter seems to me more "backup to the cloud" (or "backup locally then send to remote") than anything else and I see very little "forensics" in the process.

jaclaz
_________________
- In theory there is no difference between theory and practice, but in practice there is. - 
 
  

Belkasoft
Senior Member
 

Re: Remote forensic imaging tools?

Posted: Aug 27, 19 11:20

- jaclaz
- Belkasoft
- Passmark
If partial acquisition is all that was required (e.g. the User folder) then why not just remote desktop into the machine, zip up the files and upload to the cloud? No special software required.

Could be a good option if you are working with one computer only. If you have multiple computers and/or repeating extractions and/or want to schedule uploading of required files, it is better to do it with specialized software.

Well this latter seems to me more "backup to the cloud" (or "backup locally then send to remote") than anything else and I see very little "forensics" in the process.

jaclaz


Well, the software is the same forensic software which is used for perfectly forensic acquisition locally. It calculates checksums and verifies output. If needed, you can secure the chain of custody.

It's not a question of how the software works; this relates more to the process of how you use it.
_________________
Computer, Mobile, RAM and Cloud Forensics In a Single Tool
belkasoft.com 
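
An added illustration, not code from any poster or from the tools named in this thread: step 4 of the procedure discussed above (checking the "partial" data against the "full" image) together with the checksum verification mentioned in the last post, sketched in Python. It hashes the partial set when it is collected and later compares it with the mounted full image; all function names and sample files are assumptions constructed for the example.

```python
import hashlib
import os
import tempfile

def sha256_file(path, chunk=1 << 20):
    """Hash in chunks so large evidence files do not fill memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def build_manifest(root):
    """Map each file path (relative to root) to its SHA-256 digest."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_file(full)
    return manifest

def verify_partial(partial_manifest, full_root):
    """Check the manifest taken at collection time against the full image."""
    full = build_manifest(full_root)
    report = {"match": [], "mismatch": [], "missing": []}
    for rel, digest in sorted(partial_manifest.items()):
        found = full.get(rel)
        key = "missing" if found is None else ("match" if found == digest else "mismatch")
        report[key].append(rel)
    # Files only the full image holds: the "anything else" still to analyse.
    report["not_in_partial"] = sorted(set(full) - set(partial_manifest))
    return report

def _write(root, rel, data):
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as f:
        f.write(data)

def demo():
    """Constructed sample data: two temp trees stand in for the two sets."""
    with tempfile.TemporaryDirectory() as part, tempfile.TemporaryDirectory() as full:
        for root in (part, full):
            _write(root, "Users/alice/notes.txt", b"meeting at 10\n")
        _write(part, "Users/alice/mail.pst", b"as transmitted")
        _write(full, "Users/alice/mail.pst", b"as imaged")
        _write(full, "pagefile.sys", b"\x00" * 16)
        return verify_partial(build_manifest(part), full)
```

In practice the manifest would be written out and recorded in the case notes before the partial data leaves the remote site, so the later comparison rests on a value fixed at collection time.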
 
