How is a Remote Forensic Collection or Analysis Conducted?

Compute Forensics have been to over 20 countries, including the UK, France, Thailand, Singapore and the USA, performing collections and on-site investigations. Being on site is the most straightforward way to reassure the client that none of the forensic examiner's actions will harm the data or the organisation's network.

"It is like having a computer forensic expert in your office!" Alistair Ewing, Director, Compute Forensics Ltd

As technology advances, remote forensic services are more commonly used in the eDiscovery and forensic sphere. Compute Forensics can collect and triage data remotely in one of two ways:

  1. On the corporate network, to a server or system on the same local IP range, with the target in a live state but with writes blocked.
  2. Across the internet, over a secure AES-encrypted connection, using a forensic operating system with a remote connection.

In either case the original disk is untouched, as the OS or method blocks writes to the drive. The image and working copy are made to a BitLocker- or VeraCrypt-encrypted disk connected to the system by the client.

Travel and accommodation costs can be out of proportion to the case, or the data may reside on a home connection, so a remote collection may be required.

Situations when a Remote Acquisition is Useful

  1. The budget doesn’t suit an onsite collection.
  2. The data is in a far away location.
  3. The data and the user are on the same corporate network. The physical and volatile data needs to be collected on site but remotely, without the culprit's knowledge but with the authority of the organisation.
  4. The collection or triage is on a tight schedule.
  5. There are only 1 or 2 devices on the client site.

Is a Remote Collection Safe and Forensically Sound?

Yes. All data packets sent and received at the client end during the remote collection, including keyboard and mouse signals, images and file transfers, are encrypted. Only the Computer Forensic Expert has access to the AES-256 and RSA-1024 cryptographic keys. The internal disk is untouched provided the instructions are executed diligently; a pre-briefing exercise ensures this.

The following steps set out the methods used in a remote collection:

How a Remote Collection is Conducted on a Machine in an Off State

  1. The client gives us information about the machine model etc. A contract allowing us to make a remote collection is completed by both parties before the forensic imaging. The technique works on Intel-based Macs as well as most PC laptop models and tower PCs.
  2. A bespoke digital forensic OS is uploaded to a secure location as an ISO image and made available for download. The client burns this to an optical disk or writes it to a USB stick using Rufus.
  3. The CD or USB is attached to the system along with a USB 3.0 destination drive that is larger in capacity than the internal drives.
  4. The system is connected to an ethernet connection by the client.
  5. When switching on the system, the user at the client side presses a key (DEL, F12, F8 or similar) during the power-on self-test stage as the machine is waking up, and selects the boot menu in the system's BIOS or UEFI. The attached boot USB or CD is booted from, bypassing the OS on the system but using the system's hardware to function.
  6. In the forensic OS, the client right-clicks and selects the 'connect to network' option.
  7. From there the forensic examiner takes over the system and begins the collection process.
  8. All system data, such as disk serial numbers, is captured by specialist software to help produce the analysis report.
  9. Any forensic images, logs or findings are exported to the encrypted attached USB stick, or…
  10. Uploaded via SFTP to the eDiscovery firm's remote storage box, or directly to a cloud-based eDiscovery platform such as Goldfynch.
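The soundness claim behind steps 3, 8 and 9 (the source disk is untouched and the exported image is a faithful copy) is something the examiner should be able to prove from the logs rather than assert. The script below is an added illustration, not Compute Forensics' tooling: it checks the destination has room for the image, hashes the source before and after acquisition, hashes the image, and writes a JSON log recording all three. It assumes a regular file stands in for the block device and that `shutil.copyfile` stands in for a forensic imager.

```python
import hashlib
import json
import os
import shutil
import tempfile
from datetime import datetime, timezone


def sha256_file(path, chunk_size=1 << 20):
    """Stream a file through SHA-256 so large images never sit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def check_destination_capacity(source, dest_dir):
    """Step 3: the destination must have more free space than the source.
    Assumption: source is a regular file (a block device needs its size read differently)."""
    needed = os.path.getsize(source)
    free = shutil.disk_usage(dest_dir).free
    if free <= needed:
        raise RuntimeError(f"destination has {free} bytes free, source needs {needed}")
    return free


def acquire_and_verify(source, image_path, log_path):
    """Hash the source before and after imaging (proves it was not altered), then
    confirm the image hash matches. The JSON log is the exportable record (step 9)."""
    log = {"source": source, "image": image_path,
           "started": datetime.now(timezone.utc).isoformat()}
    check_destination_capacity(source, os.path.dirname(os.path.abspath(image_path)))
    log["source_sha256_before"] = sha256_file(source)
    shutil.copyfile(source, image_path)  # stand-in for the forensic imager (assumption)
    log["source_sha256_after"] = sha256_file(source)
    log["image_sha256"] = sha256_file(image_path)
    log["finished"] = datetime.now(timezone.utc).isoformat()
    log["verified"] = (log["source_sha256_before"] == log["source_sha256_after"]
                       == log["image_sha256"])
    with open(log_path, "w") as f:
        json.dump(log, f, indent=2)
    return log


def demo():
    """Run against a constructed sample 'disk' so the example works offline."""
    work = tempfile.mkdtemp()
    src = os.path.join(work, "sample_disk.bin")
    with open(src, "wb") as f:
        f.write(b"constructed sample disk contents\n" * 2000)
    return acquire_and_verify(src, os.path.join(work, "sample_disk.img"),
                              os.path.join(work, "acquisition.json"))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

A mismatch between the before and after source hashes is the signal that the write-blocking did not hold and the acquisition must be repeated.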

On an Apple Device

  1. Start OS X
  2. Hold the option key until CD is displayed as an option (takes a little bit to appear)
  3. Release the option key
  4. Use the arrow keys (or mouse) to select the CD
  5. Press Return.
  6. The investigation begins.

How a Remote Collection is Conducted onsite on a Machine in an On State

  1. A machine connected to the corporate network with AccessData's FTK installed is prepared.
  2. The IP address of the culprit's machine is entered on the examination machine.
  3. After a remote agent is pushed to the machine, the evidential disk is connected to remotely without the user's knowledge.
  4. The examiner gains access to the file system through the remote agent. The volatile data can be analysed for malware and passwords, and the disk can be copied and triaged.

Should you require a forensic collection, please don’t hesitate to contact a member of our team.