Short ppt about remote digital forensics

1. REMOTE FORENSICS
Draft 1.0
Damir Delija
1

2. What is a remote forensics
• What exactly remote forensics means for digital forensics ?
• digital forensics is simply the application of computer investigation
and analysis techniques in the interest of determining potential
legal (digital) evidence (Judd Robbins)
• digital evidence or electronic evidence is any probative information
stored or transmitted in digital form that a party to a court case
may use at trial.
• Remote digital forensics is application of digital forensics at
remote device or remote location. In practice it mostly
means we don’t have physical access to media which
contains digital evidence
• From digital evidence viewpoint it is acquiring digital
evidence on remote device or location

3. Remote forensics is often
understood only as live forensics
• live forensics can overlap with remote forensics
• forensic tools for live access over net is the first idea you have
• but there are examples where it is not live forensic but still
remote
• boot from forensic Linux distribution and access data
• linen access to internal disk REMOTE but NOT live
• TD3 in network preview mode
• same with forensic tool on remote machine and local access to devices
with evidence
• very special situation
• expert guiding over phone no-expert to do evidence acquisition / triage
• where this fits ?

4. Remote forensics fields
• Ediscovery or Electronic discovery refers to discovery in
legal proceedings such as litigation, government
investigations, or Freedom of Information Act requests,
where the information sought is in electronic format
(often referred to as electronically stored information or
ESI).
• external and internal documents
• system state analyses
• incident response
• Enterprise forensic
• Network forensics
• Dark web forensics
• Cloud forensic as newest child
• Unborn yet: forensic tools for mobile devices with
remote access

5. Importance
• With spread of systems all over world and cloud
services it is very important ... or it should be
• It is close to method how attackers are working

6. History and tools
• Plenty of tools, mostly commercials tools
• and not known in Europe
• my experience
• X1
• Encase enterprise version and derivate
• FTK enterprise version and derivate
• X-Ways + F-secure
• Concordance
• GRR from Google
• CF engine deep in ancestry of many tools

7. How to do it ?
• make a plan
• make estimates on volume and type of data
• define tool
• do testing
• and measure impact
• correct plan to include lessons from testing
• apply
• document everything
• remove tool artifacts from system

8. Remote access to data
• Various possibilities depending on many factors
• low level/raw access
• kernel/system level tool
• agent level – independent process
• service level access
• API level access
• Communication protocol
• standard
• https, issci, ssh
• proprietary
• encase

9. Use and practice
• Ediscovery is used a lot mostly in US
• legal environment and practice which requires
eDiscovery
• Other branches less used
• What about enterprise forensic tools (my favorites)
• extremely useful addition to security
• allows preventive forensic
• speed up incident detection and incident response
• almost not used at all

10. Enterprise level forensic tools
• Law enforcement is not using it at all
• no classic forensic for this tools
• reasons budget, knowledge, SOP, type of investigations, legal
problems ..
• Government organizations - yes
• US State Department is one of the causes for development of
EnCase Enterprise
• Big companies - yes , just some of them, not all
• very complex environments
• usually very hostile organizational structure and legal
concerns which blocks effective usage of tools
• main reasons lack of resources for implementation and usage

11. Example EnCase Enterprise
EnCase Enterprise Components
The SAFE (Secure Authentication For EnCase®)
• Authenticates users, administers access rights, retain logs of EnCase transactions, brokers
communications and provides for secure data transmission
• The SAFE communicates with Examiners and Target Nodes using encrypted data streams,
ensuring no information can be intercepted and interpreted
The Examiner
• Installed on a computer where authorized investigators perform examinations and audits
• Leverages the robust functionality of Guidance Software's flagship EnCase Forensic Edition
product, with network enhanced capability for security and administration
The Servlet
• A small, passive software agent that gets installed on network workstations and servers
• Connectivity is established between the SAFE, the Servlet, and the EnCase Enterprise
Examiner to identify, preview, and acquire local and networked devices.
Enterprise Concurrent Connections
• Enterprise Concurrent Connections are secure parallel connections established between
the Examiner & servers, desktops or laptops that are being searched or investigated
Snapshot
• The “Snapshot” technology enables the user to scan thousands of computers to detect,
collect, preserve and remediate any network intrusion on an enterprise-wide scale

12. EnCase implementation

13. Example FTK enterprise version
13

14. Example X1
• Web and service spider
• Different level of access to remote evidence
• Action: Content into digital evidence

15. Example: TD3 Triage/Collect as network write blocker

16. Conclusion
• Very useful idea
• I should say essential for future survival
• At them moment not much in use or in favor
• Future with IOTs will be probably live automatic
remote forensic ...
• In sense of Forensic Computing: „Gathering and
analyzing data in a manner as free from distortion
or bias as possible to reconstruct data or what has
happened in the past on a system.” (V.Venema,
D.Farmer late) It is only way to keep control of the
system

17. Questions ?
• damir.delija@insig2.eu