Remote Computer Investigations
Disklabs
06-06-2007, 07:23 PM
I have recently seen a demonstration of remote forensics. Has anyone else got any ideas on this?
Should it be allowed?
Should it technically work?
Will Computer Forensics be accepted in a court of law?
If this science has only just been invented, is there anyone else offering this service?
Thoughts please?
Simon
Hi Simon
How remote? Acquisitions are already taken over networks, but as far as I know, the image taker has authority to use both ends of the connection.
If the acquisition is further afield, and the owner of the target PC is unaware, it may be argued that if someone has capacity to use the computer remotely to gather a forensic image, then the computer was insecure, and other people could also have done this to plant data.
Then there's the "rights to privacy" issues.
If you mean remote as in "without permission of the end user":
Should it be allowed? In certain contexts I think so.
Should it technically work? Yes, I think it already does within certain limits.
Is anyone else offering the service? As part of internal audits, I think yes. As a completely remote acquisition, without source system permission, commercially, I don't think so.
kern
redlennox
07-06-2007, 09:05 AM
What we're talking about here is EnCase Enterprise edition. This offers remote forensics out of the box. You pay for it though!
Disklabs
07-06-2007, 04:35 PM
What if we were not talking about EnCase Enterprise?
What if there was another solution?
What if the solution meant that you didn't have to move data over international boundaries?
I will keep you hanging on, but tell you more in the coming weeks.
It's really interesting!
Regards,
Simon
Disklabs
07-06-2007, 04:36 PM
> if you mean remote as in "without permission of the end user";
> Should it be allowed?
> kern
Fortunately, the inventor of this system has taken that into consideration. Again, I will tell you more later...
Simon
Sounds very interesting, Simon. Will keep my eye out for your follow-ups :)
k
redlennox
11-06-2007, 07:57 AM
Quite unfair to tease geeks like this Simon!
POD :)
But I wouldn't be sat in a swimming pool with a laptop like the geek in the Ad :)
Disklabs
25-06-2007, 07:27 PM
Could be....
dawson
26-06-2007, 06:47 PM
We have a system set up using FTK's Case Agent. Basically we have a central lab that houses the evidence image files and forensic software and several remote sites that serve as workstations. The connection between the central server and the workstations is done through a VPN on a dedicated line (government use only). We are able to send evidence to be imaged at the lab then investigators can access the image for analysis at the workstations. It cuts down travel time and it allows several investigators to examine the evidence without each having to get their own copy of the image file. It does have some limitations, mostly to do with FTK Case Agent limits on how you can process the data.
-Dawson
wwww.computer-forensic-resources.com
Disklabs
15-08-2007, 01:00 PM
I have just had a demo of a new 'remote' forensics solution; this time it is designed to be used 'pre' incident, rather than deployed 'post' incident. It is really cool, and seems to have some wonderful possibilities.
I believe that this type of deployment prior to incidents happening will sort out a lot of internal security issues (it can warn of any type of incident, from a user trying to remove data on a memory stick to virus attack etc.).
More to come later. It's not officially released yet.
Regards,
Simon
keanaz
10-12-2007, 05:20 PM
We do a "sort of" Remote Forensics
because we do Network Forensics, i.e. a bit like TCPDumping etc.
So whatever goes across the wire (or wireless) we capture, reconstruct and play back - akin to a video camera on the network!
TIA :D
Disklabs
11-12-2007, 09:30 AM
Keanaz,
I am interested, tell us some more will you?
Simon
keanaz
11-12-2007, 01:11 PM
Our Network Forensics solution will help your organisation secure its network and ensure availability by capturing realtime network data to identify how your business assets are affected by network exploits, internal data theft, and security or HR policy violations.
Network Forensics will help your organisation mitigate risk, comply with regulations, and reduce analysis and investigation cost by allowing your IT and security staff to visualise network activity, uncover anomalous traffic and investigate security breaches.
Network Forensics provides the advanced analysis and forensics tools to manage security and improve visibility in the increasingly complex network security infrastructure so critical to business continuance. This unique solution provides you with the means to continuously monitor and record network activity and session content. It stores information in an easily queried knowledge base. This provides a holistic view of how network communications are impacting performance, availability, and security, to support subsequent analysis. :eek:
Disklabs
11-12-2007, 04:48 PM
Keanaz,
PM me with your details as I have some potential business issues that you may be able to deal with.
Simon
CF@UNN
18-11-2008, 01:56 PM
Started reading this and realised that the company I am working for for a placement next year has a product that does this! Is this what is being discussed here: http://www.remoteforensics.com/index.html
I did a fair bit of reading up on this product for the interview so that I could impress, still seems to confuse me slightly. As I understand it a company buys a server and the pods from Evidence Talks, when an incident occurs a trained member of staff reports the incident to Evidence Talks and places the suspect device in the POD. The investigator then can work on the device without having to download or image the device over the network and carry out the investigation from anywhere in the world.
I think it's a nifty little invention that could be the future of truly international computer forensics companies.
http://www.evidencetalks.com/PDFs/Remote_Forensics.pdf
Disklabs
19-11-2008, 09:03 PM
CF@UNN,
You got it right. It's the kit by Evidence Talks.
I think it's great and has some excellent uses.
It won't do for everything because it still involves human interaction, which is always where things fall down, (especially if the person loading the hard drive 'could be' or is an 'assailant to' the person being investigated).
Well spotted though!
FYI If you get a placement at ET, you will be working under a forensics genius.
Regards,
CF@UNN
21-11-2008, 03:51 PM
> CF@UNN,
> You got it right. It's the kit by Evidence Talks.
> I think it's great and has some excellent uses.
> It won't do for everything because it still involves human interaction, which is always where things fall down, (especially if the person loading the hard drive 'could be' or is an 'assailant to' the person being investigated).
> Well spotted though!
> FYI If you get a placement at ET, you will be working under a forensics genius.
> Regards,
Woo!! What do I win?? :-p
But anyways, yeh this is a great little piece of kit and will bring a whole new area to computer forensics.
I officially am going down to ET in July for a year and can't wait to start working with them - who's the genius?
David
Disklabs
26-11-2008, 10:44 AM
> I officially am going down to ET in July for a year and can't wait to start working with them - who's the genius?
> David
David,
The chap in question is Andy Sheldon, the owner of the company. You are fortunate, as he is a brilliant techie and a remarkably fine gentleman too.
Please pass on my regards to him.
Regards,
CF@UNN
26-11-2008, 03:31 PM
Yer Andrew seems a really nice guy - met him when I went down to be interviewed with them - thanks for the support :D
David