Digital Forensics:REMOTE FORENSICS WITH BELKASOFT
Remote Acquisition of Digital Devices with Belkasoft
- Remote acquisition of hard and removable drives, volatile memory
- Remote acquisition of connected smart devices(iOS, Android)
- Forensic analysis of the acquired image at the central location
Process Guide Remote acquisition
How-to
- Click on the "View" main menu item.
- Then click on "Remote acquisition". The following screen will be shown:
- If you have not deployed the agent, do it with "Deploy agent" button.
- Once you have clicked "Deploy agent", there will be two kinds of agent deployment with Belkasoft Evidence Center:
- your option is "Local deployment". You need to choose a folder on your computer and click on the second "Generate" button in this case. As a result, a set of files will be generated which should be passed to the computer of interest: via network folders, a thumb drive, etc. After that, the agent executable file should be run on such a machine.
Remote Option >LAN
Check Network setting
Check Agent file
- After you complete the previous stage, you can launch the process of acquisition by clicking on "Acquire" and selecting one of the available agents in the list at the right.
- Let us assume that you would like to acquire a hard drive image. Once you have clicked on the "Drive" button, you will see the following screen with a range of options:
Please remember that hard drives can be acquired unattended,
- "Source drive". Here you can choose a physical drive or a logical one (of course, they mean remote drives connected to the computer of interest).
- "Destination". You can select a location for the acquired image on both a remote computer and your local one.
- "File format", "Checksum" and "Split output" output work the same as for a drive acquisition.
- You can schedule your image uploading. We recommend scheduling it for nighttime especially if you would like to upload several images at once or just one big image. Otherwise your (and your colleagues) connection quality may degrade.
- After the image uploading is finished, you can add images acquired remotely to your local Belkasoft Evidence Center case. You can then analyze their contents the same way you do with locally acquired images.
Once we click the Create and open button a new window will open, asking us to add evidences for the case. As you can see, we can add a wide variety of evidece types:
- Disk images, either E01, AFF, DD…
- An installed storage device on the system (such as a cloned hard drive).
- A folder containing evidence files.
On the other hand, we are also presented options about about adquiring and anylizing a storage drive, a mobile device or even make an adquisition of a cloud storage account.
In our case we will add a testing disk image, consisting on a E01 file from a Windows 8 created specially for this.
Conclusion
Belkasoft Evidence Center contains a nice and useful toolset for forensic evidences inspection.
The timeline will allow you to locate events very quickly and I am sure about the usefulness of common artifact search when analyzing several cases, aiding an internal thread hunting process inside an organization.
Remote Forensics with Belkasoft Evidence Center
- หมายเหตุ:เนื้อหาในเว็บไซต์นี้มีขึ้นเพื่อวัตถุประสงค์ในการให้ข้อมูลและเพื่อการศึกษาเท่านั้น
* หากมีข้อมูลข้อผิดพลาดประการใด ขออภัยมา ณ ที่นี้ด้วย รบกวนแจ้ง Admin เพื่อแก้ไขต่อไป
ขอบคุณครับ
#WINDOWSFORENSIC #COMPUTERFORENSICS #DFIR #FORENSICS #DIGITALFORENSICS #COMPUTERFORENSIC #INVESTIGATION #CYBERCRIME #FRAUD
No comments:
Post a Comment