In civil litigation, the procedures for data collection are a little more relaxed as compared to criminal investigations, but cost is a huge factor. Typically, criminal suspects lose custody of their seized systems and won't necessarily cooperate with the seizure of electronic evidence. Civil litigants on the other hand, will usually maintain custody of their systems and cooperate with the data collection. With the costs of travel to simply image a hard drive or copy a folder, one hard drive can cost a client thousands of dollars in expenses.
But here is a neat trick.
1) Ship the custodian a customized WinFE CD and an external drive.
2) Over a phone call, walk the custodian (or IT staff) in booting the system to WinFE and plugging in the external USB hard drive.
3) Access the forensically booted drive remotely to image directly to the supplied USB external drive.
The external drive can be shipped back to you overnight. You can accomplish in minutes what would take hours and thousands of dollars (air-ground travel, meals, lodging), all without leaving the office.
There is more than one method of accessing the booted WinFE system remotely, either through Remote Desktop, VNC, or any number of commercial applications such as TeamViewer. Any of these methods allow for you to take control of the custodian system (in the WinFE OS), and run just about any Windows based forensic application to forensically image the custodian hard drive to the USB external drive. Or you could create containers of targeted files/folders. Or you can triage the computer to determine if it needs to be collected.
Should you decide to save your client or company thousands of dollars per case, here are some tips when using this WinFE "remote" collections method:
1) Build your WinFE with the forensic apps you need (FTK Imager, Encase, etc..).
2) Have a one-click connect icon on the desktop for the custodian to start the remote connection.
3) Run a system information application on the custodian machine (WinAudit) to identify the hardware in the system. Maybe even have the custodian or IT email you a photo of the system being imaged. Store the hardware scan with the image file.
3) Create two images (one to be shipped, one to be maintained at the premise in case the shipped image is lost in transit).
In practice, you can connect to as many WinFE booted computers as needing to be imaged, one after another, all imaging to external hard drives.
Of course, not everything always works out as planned.
Custodian machines may not have a CD drive - ship a WinFE CD and WinFE USB together, just in case....
Hard drives may be bitlocked-you can still access the drive for imaging through WinFE. Other encrypted drives may be accessed too, depends on the setup of the system.
Custodian machine may be broken - might have to ship the entire machine or hard drive/s, but that's still cheaper than travel expenses.
No internet access for the custodian machine - you need this for this method to work....you could always ship a wireless card with the WinFE CD and external drive.
If volatile memory is required to be captured, like RAM, this isn't your best option or even a good option. In fact, this is not the best 'live response' method at all.
And yes, this can also be done with many of the Linux forensic boot discs. But is certainly much easier for the majority of custodians to use a Windows FE OS if their everyday systems are also Windows. Plus, you can use just about any of your everyday Windows forensics applications.
[caption id="attachment_657" align="aligncenter" width="640"]
Well, you may miss out on traveling on the client's dime, but your client will be happy (that's the goal anyway, isn't?).
But here is a neat trick.
1) Ship the custodian a customized WinFE CD and an external drive.
2) Over a phone call, walk the custodian (or IT staff) in booting the system to WinFE and plugging in the external USB hard drive.
3) Access the forensically booted drive remotely to image directly to the supplied USB external drive.
The external drive can be shipped back to you overnight. You can accomplish in minutes what would take hours and thousands of dollars (air-ground travel, meals, lodging), all without leaving the office.
There is more than one method of accessing the booted WinFE system remotely, either through Remote Desktop, VNC, or any number of commercial applications such as TeamViewer. Any of these methods allow for you to take control of the custodian system (in the WinFE OS), and run just about any Windows based forensic application to forensically image the custodian hard drive to the USB external drive. Or you could create containers of targeted files/folders. Or you can triage the computer to determine if it needs to be collected.
Should you decide to save your client or company thousands of dollars per case, here are some tips when using this WinFE "remote" collections method:
1) Build your WinFE with the forensic apps you need (FTK Imager, Encase, etc..).
2) Have a one-click connect icon on the desktop for the custodian to start the remote connection.
3) Run a system information application on the custodian machine (WinAudit) to identify the hardware in the system. Maybe even have the custodian or IT email you a photo of the system being imaged. Store the hardware scan with the image file.
3) Create two images (one to be shipped, one to be maintained at the premise in case the shipped image is lost in transit).
In practice, you can connect to as many WinFE booted computers as needing to be imaged, one after another, all imaging to external hard drives.
Of course, not everything always works out as planned.
Custodian machines may not have a CD drive - ship a WinFE CD and WinFE USB together, just in case....
Hard drives may be bitlocked-you can still access the drive for imaging through WinFE. Other encrypted drives may be accessed too, depends on the setup of the system.
Custodian machine may be broken - might have to ship the entire machine or hard drive/s, but that's still cheaper than travel expenses.
No internet access for the custodian machine - you need this for this method to work....you could always ship a wireless card with the WinFE CD and external drive.
If volatile memory is required to be captured, like RAM, this isn't your best option or even a good option. In fact, this is not the best 'live response' method at all.
And yes, this can also be done with many of the Linux forensic boot discs. But is certainly much easier for the majority of custodians to use a Windows FE OS if their everyday systems are also Windows. Plus, you can use just about any of your everyday Windows forensics applications.
[caption id="attachment_657" align="aligncenter" width="640"]
Well, you may miss out on traveling on the client's dime, but your client will be happy (that's the goal anyway, isn't?).This may not be good news for anyone wanting to make easy money with travel, but in the long run, your clients (and boss perhaps) will appreciate the savings and speed at which this can be done. You'll also be to get more done in a shorter period of time. That is a good thing.
2760 Hits
Recent Comments
If you were to use something like Teamviewer, would this have to be installed on your WinFE setup?
Thursday, 12 July 2012 01:35
Not installed, only copied into the build or run from an external device. There are scripts on the reboot.pro website for Teamvie... Read More
Thursday, 12 July 2012 02:45
Hi Brett,
So I've tried running Teamviewer 5, 6 & 7 from a USB drive once booted into WinFE - both the portable and Quick support ... Read More
Thursday, 13 September 2012 05:14
2760 Hits
Gerald
jimmyweg
Derek Frawley
Scott Koehle
