Perform Remote Research

After initial identification of the possible locations where evidence may reside, the computer investigator performs remote research to gather more information and determine the best course of action for the investigation.

Remote research can be very useful to the investigator and consists of any information gathering and analysis actions that can be performed without the subject's direct knowledge. The action taken will depend on the potential suspect's wariness and technical savvy. A novice computer user sending harassing email messages might not notice a port scan of her system, but a network engineer might.

Tip 

The first six hexadecimal digits of a MAC address are assigned to a single organization by the Institute of Electrical and Electronics Engineers (IEEE), which maintains the registry. By contacting that organization and researching the remaining digits, the type of Ethernet card (and possibly the batch and location) can be determined.
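As an added illustration (not code from the book), the following Python splits a MAC address into the IEEE-assigned prefix and the card-specific remainder, accepting the colon, hyphen, Cisco dotted and bare formats that turn up in logs. It also checks the two flag bits in the first octet, because a locally administered address (randomized Wi-Fi MACs, manual overrides on virtual machines) does not identify a manufacturer at all. The embedded vendor table is a three-entry excerpt constructed for the example; real casework uses the full IEEE registry.

```python
import re

# Tiny excerpt standing in for the IEEE registry so the example runs offline.
# The three assignments are well known (VMware, and the prefix VirtualBox uses);
# download the full registry from the IEEE for real lookups.
OUI_TABLE = {
    "00:50:56": "VMware, Inc.",
    "00:0C:29": "VMware, Inc.",
    "08:00:27": "PCS Systemtechnik GmbH (used by VirtualBox)",
}

_HEX12 = re.compile(r"^[0-9A-F]{12}$")


def normalize_mac(mac: str) -> str:
    """Accept 00:50:56:ab:cd:ef, 00-50-56-AB-CD-EF, 0050.56ab.cdef or 005056abcdef
    and return the canonical upper-case, colon-separated form."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac).upper()
    if not _HEX12.match(digits):
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def oui_of(mac: str) -> str:
    """The first three octets (six hexadecimal digits) identify the assignee."""
    return normalize_mac(mac)[:8]


def is_locally_administered(mac: str) -> bool:
    """Bit 1 of the first octet set: the address was chosen locally, not by
    the card's manufacturer, so an OUI lookup says nothing about the hardware."""
    return bool(int(normalize_mac(mac)[:2], 16) & 0x02)


def is_multicast(mac: str) -> bool:
    """Bit 0 of the first octet set: a group (multicast/broadcast) address,
    never a single station's card."""
    return bool(int(normalize_mac(mac)[:2], 16) & 0x01)


def describe_mac(mac: str, table: dict = OUI_TABLE) -> dict:
    """Everything an investigator can infer from the address alone."""
    canonical = normalize_mac(mac)
    info = {
        "mac": canonical,
        "oui": canonical[:8],
        "nic_specific": canonical[9:],   # the remaining six digits
        "locally_administered": is_locally_administered(canonical),
        "multicast": is_multicast(canonical),
        "vendor": None,                  # stays None when the OUI is meaningless
    }
    if not info["locally_administered"]:
        info["vendor"] = table.get(info["oui"], "unknown (not in local table)")
    return info


if __name__ == "__main__":
    for sample in ("00-50-56-ab-cd-ef", "0050.56ab.cdef", "02:00:00:00:00:01"):
        print(describe_mac(sample))
```

Treat a vendor hit as a lead rather than proof: the address can be spoofed, and the remaining digits only narrow down batch and origin once the assignee is contacted, as the tip notes.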

Remote research may involve probing specific systems and might require preparatory work based on other information already gathered. If the model number of the PC to be acquired is known ahead of time from physical surveillance, an asset management database, or corporate standards, it helps to download the technical guide from the manufacturer before arriving. Likewise, if an obscure operating system is present, a refresher search on Google might be warranted. Any information that will shorten the on-scene and acquisition times and can be gathered without setting off alarms should be collected.

A typical approach to remote research is to acquire the log files of any machines that the suspect would be unaware of or would have no access to, and to analyze them ahead of time. Likewise, a quick profile of the suspect's systems through physical surveillance or light network probing (that is, traceroutes and pings) may reveal details about the locations, configurations, and types of systems in question. If permitted by law, the investigator can use a nontraceable machine on a nontraceable connection.
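The log analysis step above is where most of the pre-acquisition profile comes from. The following is an added example, not code from the book: it correlates DHCP lease records with authentication records to work out which machines an account logged on from, when, and whether any logons were after hours or failed. The log lines are constructed in a generic syslog-like layout (not the output of any particular product), and the account, hosts, addresses and times are invented. The example deliberately includes an IP address that is leased to two different machines on the same day, so a logon is attributed to the lease in force at that moment rather than to the newest lease.

```python
import re
from collections import defaultdict
from datetime import datetime, time

# Constructed sample records. 10.1.20.45 goes to LAPTOP-JDOE in the morning
# and to a lobby kiosk in the evening, so lease timing decides attribution.
DHCP_LOG = """\
2006-03-13T07:55:02 dhcpd: lease 10.1.20.45 assigned to 00:0c:29:4a:7b:11 (host LAPTOP-JDOE)
2006-03-13T19:40:10 dhcpd: lease 10.1.20.45 assigned to 00:50:56:8e:01:22 (host KIOSK-LOBBY)
2006-03-14T08:01:33 dhcpd: lease 10.1.20.45 assigned to 00:0c:29:4a:7b:11 (host LAPTOP-JDOE)
2006-03-14T08:03:09 dhcpd: lease 10.1.20.77 assigned to 00:0c:29:9f:aa:03 (host WKS-FIN-07)
"""

AUTH_LOG = """\
2006-03-13T08:02:41 authsrv: user jdoe logon from 10.1.20.45 status=success
2006-03-13T21:15:08 authsrv: user jdoe logon from 10.1.20.45 status=success
2006-03-14T08:05:17 authsrv: user jdoe logon from 10.1.20.45 status=success
2006-03-14T08:06:02 authsrv: user jdoe logon from 10.1.20.77 status=failure
2006-03-14T08:06:30 authsrv: user jdoe logon from 10.1.20.77 status=success
2006-03-14T09:12:55 authsrv: user asmith logon from 10.1.20.77 status=success
"""

LEASE_RE = re.compile(r"^(\S+) dhcpd: lease (\S+) assigned to (\S+) \(host (\S+)\)$")
LOGON_RE = re.compile(r"^(\S+) authsrv: user (\S+) logon from (\S+) status=(\w+)$")


def parse_leases(text):
    """Return (timestamp, ip, mac, hostname) tuples sorted by time."""
    leases = []
    for line in text.splitlines():
        m = LEASE_RE.match(line)
        if m:
            ts, ip, mac, host = m.groups()
            leases.append((datetime.fromisoformat(ts), ip, mac.lower(), host))
    leases.sort()
    return leases


def lease_at(leases, ip, when):
    """The lease of `ip` most recently issued at or before `when`, or None.
    Taking the newest lease overall would hand the 21:15 logon to the laptop."""
    current = None
    for ts, lease_ip, mac, host in leases:
        if ts > when:
            break
        if lease_ip == ip:
            current = (mac, host)
    return current


def build_profile(dhcp_text, auth_text, user,
                  business_hours=(time(7, 0), time(19, 0))):
    """Summarize which machines `user` logged on from, when, and how often."""
    leases = parse_leases(dhcp_text)
    start, end = business_hours
    hosts = defaultdict(lambda: {"mac": None, "ips": set(), "logons": 0})
    profile = {"user": user, "first_seen": None, "last_seen": None,
               "failed_logons": 0, "after_hours_logons": 0, "unresolved_ips": set()}
    for line in auth_text.splitlines():
        m = LOGON_RE.match(line)
        if not m or m.group(2) != user:
            continue
        when = datetime.fromisoformat(m.group(1))
        ip, status = m.group(3), m.group(4)
        if status != "success":
            profile["failed_logons"] += 1     # failures are counted but not attributed
            continue
        if not (start <= when.time() <= end):
            profile["after_hours_logons"] += 1
        lease = lease_at(leases, ip, when)
        if lease is None:                     # no lease covers it: keep the raw IP
            profile["unresolved_ips"].add(ip)
            mac, key = None, ip
        else:
            mac, key = lease
        entry = hosts[key]
        entry["mac"], entry["logons"] = mac, entry["logons"] + 1
        entry["ips"].add(ip)
        if profile["first_seen"] is None or when < profile["first_seen"]:
            profile["first_seen"] = when
        if profile["last_seen"] is None or when > profile["last_seen"]:
            profile["last_seen"] = when
    profile["hosts"] = {h: {"mac": e["mac"], "ips": sorted(e["ips"]), "logons": e["logons"]}
                        for h, e in sorted(hosts.items())}
    profile["unresolved_ips"] = sorted(profile["unresolved_ips"])
    return profile


if __name__ == "__main__":
    print(build_profile(DHCP_LOG, AUTH_LOG, "jdoe"))
```

Run against the sample, the profile shows three machines for the account, one of them the lobby kiosk reached after hours, plus one failed logon on the finance workstation; all of this comes from servers the suspect never touches, which is the point of doing it before going on scene.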

Tip 

DSL lines work well here for external connections. For internal corporate connections, try the accounting team's subnet instead of the standard one used by the security team.

If the suspect is known to be unsophisticated, more invasive techniques may be employed with great care, such as port scans, remote connections, and the mapping of drives and connections to the registry. For a full view of the suspect's actions and the most in-depth remote information gathering, the Enterprise version of EnCase provides a full system snapshot and drive search capability using a small servlet that can be deployed by an administrator or through social engineering.

Tip 

Because the MAC address cannot be determined using arp from outside the local subnet, the utility nbmac was developed to resolve it in Windows environments using a feature of the NetBIOS protocol.
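The NetBIOS feature in question is the node status query of RFC 1002: a host that answers on UDP port 137 returns its name table followed by a statistics block whose first six bytes (UNIT_ID) are its own adapter address, which is why the MAC can be learned across router boundaries where arp cannot see it. The following is an added example, not code from the book or from nbmac. It builds a constructed node status response for an invented host WKS-FIN-07 and decodes it the way an analyst would decode one captured in a packet trace; the names, suffixes, flags, transaction ID and MAC in the sample are all made up.

```python
import struct

NBSTAT_TYPE = 0x0021   # node status resource record type (RFC 1002)
CLASS_IN = 0x0001


def _first_level_encode(name16: bytes) -> bytes:
    """RFC 1001 first-level encoding: each nibble becomes a letter 'A'..'P'."""
    return b"".join(bytes([0x41 + (b >> 4), 0x41 + (b & 0x0F)]) for b in name16)


def build_sample_response() -> bytes:
    """A constructed node status response for the invented host WKS-FIN-07."""
    # Header: transaction id, flags (response + authoritative), 0 questions, 1 answer
    header = struct.pack(">HHHHHH", 0x1234, 0x8400, 0, 1, 0, 0)
    # RR_NAME echoes the wildcard "*" name: length 0x20, 32 encoded bytes, terminator
    rr_name = b"\x20" + _first_level_encode(b"*".ljust(16, b"\x00")) + b"\x00"
    entries = [  # (name, suffix, NAME_FLAGS): ACT = 0x0400, G (group) = 0x8000
        (b"WKS-FIN-07", 0x00, 0x0400),   # workstation service
        (b"WKS-FIN-07", 0x20, 0x0400),   # file server service
        (b"CORP", 0x00, 0x8400),         # domain/workgroup name, a group name
    ]
    node_names = b"".join(n.ljust(15, b" ") + bytes([s]) + struct.pack(">H", f)
                          for n, s, f in entries)
    # STATISTICS: UNIT_ID (the adapter MAC) then 40 bytes of counters, zeroed here
    statistics = bytes.fromhex("000c299faa03") + b"\x00" * 40
    rdata = bytes([len(entries)]) + node_names + statistics
    rr_fixed = struct.pack(">HHIH", NBSTAT_TYPE, CLASS_IN, 0, len(rdata))
    return header + rr_name + rr_fixed + rdata


def parse_node_status_response(pkt: bytes) -> dict:
    """Decode the name table and UNIT_ID (MAC) from a node status response."""
    trn_id, flags, _qd, an_count, _ns, _ar = struct.unpack_from(">HHHHHH", pkt, 0)
    if not flags & 0x8000:
        raise ValueError("not a response packet")
    if an_count != 1:
        raise ValueError("expected exactly one answer record")
    off = 12
    while True:            # skip RR_NAME: length-prefixed labels, zero-terminated
        label_len = pkt[off]
        off += 1
        if label_len == 0:
            break
        off += label_len
    rr_type, _rr_class, _ttl, rd_len = struct.unpack_from(">HHIH", pkt, off)
    off += 10
    if rr_type != NBSTAT_TYPE:
        raise ValueError("answer is not an NBSTAT record")
    rdata = pkt[off:off + rd_len]
    num_names = rdata[0]
    names, pos = [], 1
    for _ in range(num_names):          # 18 bytes per entry: 15 name, 1 suffix, 2 flags
        entry = rdata[pos:pos + 18]
        if len(entry) < 18:
            raise ValueError("name table truncated")
        name_flags = struct.unpack(">H", entry[16:18])[0]
        names.append({
            "name": entry[:15].decode("ascii", "replace").rstrip(),
            "suffix": entry[15],
            "group": bool(name_flags & 0x8000),
            "active": bool(name_flags & 0x0400),
        })
        pos += 18
    unit_id = rdata[pos:pos + 6]        # first field of the statistics block
    if len(unit_id) < 6:
        raise ValueError("statistics block truncated")
    return {
        "transaction_id": trn_id,
        "names": names,
        "mac": ":".join(f"{b:02X}" for b in unit_id),
    }


if __name__ == "__main__":
    print(parse_node_status_response(build_sample_response()))
```

Two caveats for the field: a host only answers if NetBIOS over TCP/IP is enabled and port 137 is not filtered between analyst and target, and the UNIT_ID is whatever the host itself reports, so it should be corroborated against DHCP or switch records before it goes into the case notes.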

CASE STUDY: REMOTE CORRUPTION

My forensics team was called in on an investigation of corporate corruption by a Global 500 company with a geographically dispersed footprint. Because of the unique nature of their business, they had corporate locations in countries to which there were strict travel restrictions for American citizens.

The allegations of corruption were in one such country located in the Middle East, and the company was sending a physical security team from another country there in two days' time to collect evidence and conduct interviews. Our computer forensics team could not obtain travel visas quickly enough, and the physical security team needed a preliminary analysis of remote systems to which we did not have access (they were locally administered, and the corporate IT team did not have accounts). The local IT team was implicated in the wrongdoing and could not be ruled out as suspects at the time, precluding any support from local staff. Further complicating matters, the connectivity to the remote location was over a 128Kb/s leased line, making a full remote acquisition of the multiple terabytes of potential evidence impossible.

We handled the distributed scene issue with a two-pronged approach. First, we used EnCase Enterprise with a bit of social engineering to perform a remote triage. EnCase relies on a servlet deployed on the remote system and a centralized analysis platform. The servlet was sent to the local IT team as part of a phony virus alert, requesting they install the patch attached to all critical systems within 24 hours. When the patch was installed, we were able to remotely preview numerous machines to better target the on-site investigation.

Then we engaged a local team to perform forensic imaging and provide us with the raw drive images. The hard drives of key individuals' laptops and servers were secured, imaged, and sent back to the United States for analysis. The actual drives were left with the local management to ensure continuing operations of the business.

By combining a remote preview and the use of on-site first responders to perform basic imaging, we were able to conduct an effective investigation in a foreign country with limited remote and no physical access directly available to our analysis team.


After all of the remote research that can be performed is completed, an investigative plan is put in place to acquire the remote equipment. This may include putting a response team together (including physical security, IT security, human resources, and legal), planning the actual acquisition times and locations (for example, at night without the suspect knowing or during the day while interviewing the suspect), and getting together any special adapters or devices needed on-scene.

Warning 

The discussion in this section assumes a corporate response within the corporation's network. Depending on local laws, even a port scan might be too intrusive against another entity and require legal support. The analyst must check with his local legal team before taking any of the actions noted beyond simple Internet research. This is a good moment to bring in law enforcement as well if one has not already done so.



Windows Forensics: The Field Guide for Corporate Computer Investigations
ISBN: 0470038624
Year: 2006
Pages: 71
Authors: Chad Steel
