We are running into remote collection requests more and more with COVID-19. Mostly imaging laptops and phones of individuals. I figured I would query the group for any tool or method suggestions.
This is a very timely topic and I’m also very interested in what others have to say. I can offer a couple of suggestions:
Forensic Boot Disk with User Assist
In a pinch, you can prepare and ship a forensic boot disk (optical disc or flash drive) along with encrypted output hard drives to the user, which they can use to boot the target computer and give you access. Needless to say, this requires a great deal of cooperation from the end-user.
The new Windows 10-based WinFE is a good candidate for this as it supports BitLocker. Ideally, you would want to include a remote access tool such as TeamViewer that does not require special firewall configuration. Unfortunately, getting TeamViewer to work on the new WinFE is a bit of a challenge, but you can use something along the lines of AnyDesk. One gotcha is that WinFE doesn't have WoW64, so you can't run 32-bit applications when you boot WinFE in 64-bit mode without some extra work.
There are also numerous Linux distros that allow remote connections if you don’t have to support BitLocker.
For phone acquisitions or when you need to collect from multiple computers on a LAN, you can send out a pre-configured kit with encrypted output drives in a Pelican case. Finally, you can do remote artifact acquisition in cases that don’t call for full forensic imaging. We had discussed these options briefly in the post below: