Friday, October 23, 2020

Digital Forensics: Remote Acquisition of Digital Devices with Belkasoft

REMOTE FORENSICS WITH BELKASOFT

  • Remote acquisition of hard and removable drives, volatile memory
  • Remote acquisition of connected smart devices(iOS, Android)
  • Forensic analysis of the acquired image at the central location

Process guide: remote acquisition

How-to

  • Click on the "View" main menu item.
  • Then click on "Remote acquisition". The following screen will be shown:

  • If you have not deployed the agent yet, do it with the "Deploy agent" button.
  • Once you have clicked "Deploy agent", Belkasoft Evidence Center offers two kinds of agent deployment.
  • One option is "Local deployment". In this case you need to choose a folder on your computer and click on the second "Generate" button. As a result, a set of files will be generated which should be passed to the computer of interest (via network folders, a thumb drive, etc.). After that, the agent executable should be run on that machine.

  • Remote option (LAN): check the network settings and the agent file.
  • Local option: a set of files will be generated which should be passed to the computer of interest via a thumb drive (direct installation via USB).

  • After you complete the previous stage, you can launch the acquisition by clicking on "Acquire" and selecting one of the available agents in the list on the right.
  • Upon clicking on the "Acquire" button, a list of connected remote computer names is shown along with their IP addresses. Select any of them to start the acquisition.

    Please remember that hard drives can be acquired unattended, 

  • Let us assume that you would like to acquire a hard drive image. Once you have clicked on the "Drive" button, you will see the following screen with a range of options:

    • "Source drive". Here you can choose a physical drive or a logical one (of course, they mean remote drives connected to the computer of interest).
    • "Destination". You can select a location for the acquired image on both a remote computer and your local one.
    • "File format", "Checksum" and "Split output" work the same as for a drive acquisition.
  • You can schedule your image upload. We recommend scheduling it for nighttime, especially if you would like to upload several images at once or just one big image. Otherwise your (and your colleagues') connection quality may degrade.
  • After the image uploading is finished, you can add images acquired remotely to your local Belkasoft Evidence Center case. You can then analyze their contents the same way you do with locally acquired images.

Once we click the Create and open button, a new window will open asking us to add evidence to the case. As you can see, we can add a wide variety of evidence types:

  • Disk images, either E01, AFF, DD…
  • An installed storage device on the system (such as a cloned hard drive).
  • A folder containing evidence files.

On the other hand, we are also presented with options for acquiring and analyzing a storage drive or a mobile device, or even acquiring a cloud storage account.

In our case we will add a test disk image: an E01 file from a Windows 8 system created specifically for this purpose.

As you can see, we can select the option of analyzing the data to find artifacts (which is both preselected and convenient) and also search for files whose hash matches a value stored in the program's internal hash database. This is interesting if we are looking for a specific indicator of compromise (IOC) in our investigation.
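To show what such a hash-set search does under the hood, here is an added Python example; it is not Belkasoft's code and does not use its database format. It loads a list of known-bad digests, hashes every file in an extracted image tree once per needed algorithm, and reports the matches; the IOC list and the sample file tree are constructed for the demo.

```python
import hashlib
import tempfile
from pathlib import Path

def load_hash_set(lines) -> dict[str, str]:
    """Parse an IOC hash list (hex digest per line, '#' comments) into {hex: algo}."""
    hashes: dict[str, str] = {}
    for raw in lines:
        value = raw.split("#", 1)[0].strip().lower()
        algo = {32: "md5", 40: "sha1", 64: "sha256"}.get(len(value))  # length => algo
        if algo and all(c in "0123456789abcdef" for c in value):
            hashes[value] = algo
    return hashes

def hash_file(path: Path, algorithms) -> dict[str, str]:
    """Hash one file with every requested algorithm in a single streamed pass."""
    hashers = {a: hashlib.new(a) for a in algorithms}
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            for h in hashers.values():
                h.update(chunk)
    return {a: h.hexdigest() for a, h in hashers.items()}

def scan_tree(root: Path, hash_set: dict[str, str]) -> list[tuple[Path, str, str]]:
    """Walk an extracted image tree; return (file, algorithm, digest) per IOC hit."""
    needed = sorted(set(hash_set.values()))  # only compute algorithms the list uses
    hits = []
    for fpath in root.rglob("*"):
        if not needed or not fpath.is_file():
            continue
        try:
            digests = hash_file(fpath, needed)
        except OSError:
            continue  # unreadable file: keep scanning the rest of the image
        for algo, digest in digests.items():
            if hash_set.get(digest) == algo:
                hits.append((fpath, algo, digest))
    return hits

def demo_scan() -> list[tuple[str, str]]:
    """Constructed demo: temp 'image' tree plus an IOC list seeded from one planted file."""
    payload = b"constructed sample payload, not real malware"
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "Windows").mkdir()
        (root / "Windows" / "benign.txt").write_bytes(b"nothing to see here")
        (root / "Windows" / "dropper.bin").write_bytes(payload)
        ioc_lines = [hashlib.sha256(payload).hexdigest() + " # planted", "deadbeef"]
        hits = scan_tree(root, load_hash_set(ioc_lines))
        return [(p.relative_to(root).as_posix(), algo) for p, algo, _ in hits]
```

Running `demo_scan()` returns only the planted file, since the benign file's digest is not in the list and the malformed "deadbeef" entry is ignored.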
Once we click Finish, we will be asked if we wish to add another source of information. For the moment, we will say no and focus on the hard drive analysis.

We are automatically taken to the Case Explorer tab, and diverse artifacts soon start to appear in the left panel. We can also see the number of tasks currently being executed. Clicking on this indicator shows the details of these tasks and their state, with more detail for each one we select, in the Task Manager tab.

Conclusion

Belkasoft Evidence Center contains a nice and useful toolset for forensic evidence inspection.

The timeline will allow you to locate events very quickly, and I am sure about the usefulness of common artifact search when analyzing several cases, aiding an internal threat hunting process inside an organization.
  • Remote Forensics with Belkasoft Evidence Center: https://bit.ly/3nxmh8y

    Note: The content on this website is provided for informational and educational purposes only.

    * If any information is incorrect, we apologize. Please notify the Admin so it can be corrected.
    Thank you.


    #WINDOWSFORENSIC #COMPUTERFORENSICS #DFIR #FORENSICS #DIGITALFORENSICS #COMPUTERFORENSIC #INVESTIGATION #CYBERCRIME #FRAUD
