Remote Acquisitions

Hi Justin,

I personally consider such engagements in two main categories:

1. Remote Forensic Imaging

When I am after acquiring forensic images of targets (i.e., full physical images or targeted images), I usually prefer to be on the same local network as the target computers—mainly for performance reasons. It is fairly straightforward to set up an independent computer on the target network which you can pivot off of, or send the target company a preconfigured headless computer (e.g., Intel NUC) for this purpose.

If you will be using tools that require dongles, you can virtualize and connect them to the pivot computer over the internet with something along the lines of USB over Ethernet or Eltima. I would make sure the software’s EULA doesn’t disallow the virtualization of its dongles.

I’ve found that it is often best to store the acquired images on two encrypted external drives (or arrays, depending on data size) attached to the pivot computer. Once the imaging is complete, you can have the target company keep one of the drives, and ship you the other. Whole disk encryption not only makes the shipping part safer (in case the drive falls into the wrong hands) but also provides protection from on-site interference since the pivot computer and the attached drives are not in your physical control.

As for the data acquisition, I usually prefer F-Response with my tool of choice or FTK. Unfortunately, the agent-based network acquisition functionality in FTK has been moved to AD Enterprise AFAIK. Two of the other viable options are Evimetry and EnCase Endpoint Investigator.

2. Remote Artifact Collection

On the other hand, if you are after collecting distinct artifacts rather than disk images, setting up a server on a remote network as in your Azure example might be a viable option provided that the data is transferred between the endpoints and your server in an encrypted manner. You can configure an encrypted disk or container on your virtual server to store the collected data.

There are quite a few options in this area as well, but the one I find most interesting right now is Velociraptor. You can read more here:

I was fortunate to catch Nick and Mike’s presentation live during the SANS DFIR Summit last year. You can find a copy of it here to learn more about the capabilities:
https://www.velocidex.com/docs/presentations/sans_dfir_summit2019/

Also, they have a great three-part blog on doing triage with Velociraptor here:
https://www.velocidex.com/blog/medium/2019-10-02_triage-with-velociraptor-pt-1-253f57ce96c0/

Another interesting possibility is Ansible. Brian Olson has a Github repository containing Ansible playbooks to use for DFIR here:

Hope this helps. I would be very interested to hear how others are approaching remote acquisitions as well.

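The encrypted-drive and hashing workflow from the first part of the post (LUKS container on the external drives attached to the pivot box, imaging, verifying what the client ships back), written out as an added example. This is not code from the original post or from any of the tools named in it. It assumes a Linux pivot box with cryptsetup, GNU coreutils and findutils; the device paths (/dev/sdb, /dev/sda), the mapper name "evidence", the mount point and the labels are placeholders chosen for the example.

```bash
#!/usr/bin/env bash
# Added example: evidence-handling helpers for a Linux pivot box.
# - a LUKS2 container on each external drive (one stays with the client, one ships)
# - single-pass imaging with the source hashed while it is read
# - a manifest the receiving side verifies after the drive arrives
# Device paths, mapper name and mount point below are placeholders.
set -euo pipefail

# One-time setup per external drive: wrap the whole device in LUKS2, create a
# filesystem inside it and mount it. cryptsetup prompts for the passphrase; keep
# it off the pivot box and hand it to the client out of band.
prepare_evidence_drive() {
    local dev="$1" name="$2" mnt="$3"
    cryptsetup luksFormat --type luks2 "$dev"
    cryptsetup open "$dev" "$name"
    mkfs.ext4 -q -L "$name" "/dev/mapper/$name"
    mkdir -p "$mnt"
    mount "/dev/mapper/$name" "$mnt"
}

# Image one block device into the mounted container. The stream is hashed in the
# same pass that writes the image (tee), then the file on disk is hashed again, so
# a write error or a failing drive shows up as a mismatch before anything ships.
acquire_image() {
    local src="$1" outdir="$2" label="$3"
    local img="$outdir/$label.dd"
    dd if="$src" bs=4M conv=noerror,sync status=progress \
        | tee "$img" \
        | sha256sum | awk '{print $1}' > "$img.sha256.stream"
    sha256sum "$img" | awk '{print $1}' > "$img.sha256"
    if ! cmp -s "$img.sha256.stream" "$img.sha256"; then
        echo "hash mismatch between stream and written image for $label" >&2
        return 1
    fi
}

# Hash every file in the evidence directory into a manifest in sha256sum -c format.
write_manifest() {
    local dir="$1"
    ( cd "$dir" && find . -type f ! -name manifest.sha256 -print0 \
        | sort -z | xargs -0 sha256sum > manifest.sha256 )
}

# Digest of the manifest itself. Note it in the custody log and send it to the
# client separately from the drive, so a manifest altered in transit is detectable.
manifest_digest() {
    sha256sum "$1/manifest.sha256" | awk '{print $1}'
}

# Run on the receiving end once the container is unlocked and mounted.
# Exits non-zero if any file differs from what was hashed at acquisition time.
verify_manifest() {
    local dir="$1"
    ( cd "$dir" && sha256sum -c --quiet manifest.sha256 )
}

# Unmount and lock the container before the drive leaves the site.
release_evidence_drive() {
    local mnt="$1" name="$2"
    umount "$mnt"
    cryptsetup close "$name"
}

# Typical run as root on the pivot box, once per target (placeholder paths):
#   prepare_evidence_drive /dev/sdb evidence /mnt/evidence
#   acquire_image /dev/sda /mnt/evidence ws01-sda
#   write_manifest /mnt/evidence && manifest_digest /mnt/evidence
#   release_evidence_drive /mnt/evidence evidence
# Then repeat prepare/copy/manifest for the second drive, or rsync the images
# across and re-run write_manifest there.
```

The manifest and its digest are what make the two-drive arrangement useful: the client's copy and the shipped copy can be checked against the same hashes, and because the digest travels separately from the drive, someone who can open the container still cannot quietly rewrite both the images and the manifest.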