Hello,
I am interested in setting up a process that will allow me to perform forensic acquisitions of computers remotely. Currently, I am performing on-site acquisitions, but am interested in building a platform that will allow me to perform the collections remotely if possible. My basic outline or idea for this is as follows:

1. Use a Microsoft Azure VM as my forensic machine.
2. Use the Microsoft Azure VM to remotely access a client computer.
3. Perform a forensic acquisition of that client computer.
4. Have the forensic image created and stored on the VM (not the client computer).
5. Make sure I am leaving a light footprint on the client computer during the whole process.

Note that these are external acquisitions, meaning that I am not remoting into computers that are part of the same organization or on the same network.

I am trying to build a forensically sound and secure approach to this and would like some opinions on approaches.

Thanks!

Hi Justin,

I personally consider such engagements in two main categories:

1. Remote Forensic Imaging

When I am after acquiring forensic images of targets (i.e., full physical images or targeted images), I usually prefer to be on the same local network as the target computers—mainly for performance reasons. It is fairly straightforward to set up an independent computer on the target network which you can pivot off of, or send the target company a preconfigured headless computer (e.g., Intel NUC) for this purpose.

If you will be using tools that require dongles, you can virtualize and connect them to the pivot computer over the internet with something along the lines of USB over Ethernet or Eltima. I would make sure the software’s EULA doesn’t disallow the virtualization of its dongles.

I’ve found that it is often best to store the acquired images on two encrypted external drives (or arrays, depending on data size) attached to the pivot computer. Once the imaging is complete, you can have the target company keep one of the drives, and ship you the other. Whole disk encryption not only makes the shipping part safer (in case the drive falls into the wrong hands) but also provides protection from on-site interference since the pivot computer and the attached drives are not in your physical control.

As for the data acquisition, I usually prefer F-Response with my tool of choice or FTK. Unfortunately, the agent-based network acquisition functionality in FTK has been moved to AD Enterprise AFAIK. Two of the other viable options are Evimetry and EnCase Endpoint Investigator

2. Remote Artifact Collection

On the other hand, if you are after collecting distinct artifacts rather than disk images, setting up a server on a remote network as in your Azure example might be a viable option provided that the data is transferred between the endpoints and your server in an encrypted manner. You can configure an encrypted disk or container on your virtual server to store the collected data.

There are quite a few options in this area as well, but the one I find most interesting right now is Velociraptor. You can read more here:

I was fortunate to catch Nick and Mike’s presentation live during the SANS DFIR Summit last year. You can find a copy of it here to learn more about the capabilities:
https://www.velocidex.com/docs/presentations/sans_dfir_summit2019/

Also, they have a great three-part blog on doing triage with Velociraptor here:
https://www.velocidex.com/blog/medium/2019-10-02_triage-with-velociraptor-pt-1-253f57ce96c0/

Another interesting possibility is Ansible. Brian Olson has a Github repository containing Ansible playbooks to use for DFIR here:

Hope this helps. I would be very interested to hear how others are approaching remote acquisitions as well.

How about the newer Macs with the T2 chip and APFS? Can they be remotely imaged as you describe?

T2 really threw a monkey wrench into the remote acquisition of Macs!

None of the major players in the remote acquisition area has a publicly released remote agent that works on recent Macs with T2 and APFS as far as I’m aware. I’ve heard that this is actively being worked on as it is clearly a major pain point for many of us.

I would be very interested to hear what others are doing in this area as well!