
Adding and Processing Live and Remote Evidence

In document ftk_ug (Page 129-139)

Evidence

You can add more types of evidence to an FTK 3.1 case than you could in the past. FTK can utilize various types of static images, such as .001, .E01, .S01, and .AD1. In addition, beginning with 3.x, FTK can acquire remote live evidence from network computers. Adding and using remote evidence is covered in this chapter. For more information regarding adding static evidence to a case, see “Chapter 5 Adding and Processing Static Evidence” on page 89.

See “About Evidence” on page 2 for a discussion of the ways evidence can be acquired and the precautions to take when acquiring evidence, for criminal cases in particular.

FTK ROLE REQUIREMENTS

To use Remote Data Acquisition in FTK 3.1, meet the following requirements:

FTK 3.1 must be installed using a current license.

Your user account must have the Application Administrator or Case Administrator role to be able to access the Add Remote Evidence dialog. Case Reviewers cannot do remote data acquisition.

Your user account must have Administrator rights on the remote machine you wish to acquire data from.

Simple File Sharing must be disabled on a target system running Windows XP. The default setting is Enabled, so you must make this change manually.

Ensure that the system date and time on all machines are synchronized, or at least close. If the target machine is behind by more than 24 hours the Agent connection will work, but you will not be able to acquire data.

On Windows 7 systems, FTK 3.1 must be run As Administrator in order to push agents to remote machines.

ACQUIRING DATA REMOTELY

Remote Data Acquisition is accomplished through a new feature called Remote Device Mounting Service (RDMS). RDMS gives examiners the ability to acquire a forensic image of the physical or logical drive(s), acquire a non-proprietary image of memory, and forensically mount the physical devices or logical volumes to the examiner’s machine from up to three live systems simultaneously.

Because FTK’s ability to acquire data remotely is so tightly integrated with RDMS, the two are covered here together. Thus the differentiation between the two features may be vague.

SSL uses certificates to ensure that communication between the agent and examiner is protected. The certificates can be either self-signed by FTK, or signed by a Certificate Authority (CA).

The normal method for connecting to a remote machine from FTK for data acquisition is to “push” a temporary agent to the remote machine. The temporary agent stays active until it has not had any activity for approximately five minutes. At that point it automatically uninstalls. You can also manually install the same agent using a command line installation. For more information regarding manual deployment of the agent for use with RDMS, see “RDMS Manual Deployment” on page 114.

In addition, if you are running FTK on a system within an Enterprise network, and Enterprise Agents are already deployed on machines you wish to acquire data from, you can leverage the Enterprise Agent on the remote machine. To do so you must have access to the certificate Enterprise uses. If you do not have this information, please consult with your IT Administrator or your Enterprise Database Administrator.

Important: On XP systems, Simple File Sharing must be turned off for Temporary Agent deployment.

1. From the Case UI, click Evidence > Add Remote Data.

2. Enter the IP Address of the Remote Machine.

3. Ensure that a port is designated. The default port is 3999. Use this port unless it is already in use and produces an error or conflict. If there is a conflict, select another port that is not in use.

Note: AccessData’s ADAgent (Enterprise Agent) also uses port 3999.

Important: If a port is already in use on the remote machine, the agent will be pushed successfully from the FTK machine, and will run, then will be shut down almost immediately at the remote machine. When you try to acquire data from the remote machine, the FTK machine displays an error as shown in the following figure:

Figure 6-1 Remote Data Acquisition Error

If you see this behavior, change the remote port in the FTKAgent dialog as shown in Step 1, then try again to push the agent.

Important: In Windows, if the user has defined a TEMP\TMP path different from the system default TEMP\TMP path, the agent will push successfully to the machine, but will not run properly.

for TEMP\TMP to match the system variable TEMP\TMP path and restart the computer.

4. Choose Install a Temporary Agent.

5. Click OK.

PROVIDE CREDENTIALS

When Install Temporary Agent is selected, the Credentials dialog opens. The Credentials dialog stores a list of all the sets of credentials to try when connecting to a remote machine.

In the Credentials dialog, enter all the credentials with Admin rights, roles, or privileges that can be used to authenticate to the remote machine. The credentials provided here are saved, and FTK will try each until it is able to successfully connect.

Figure 6-2 Push Temporary Agent Credentials List

1. Enter the Domain name if the network uses a Domain Controller. If installing in a workgroup, or non-Domain network, enter the IP address of the workgroup machine, or the local host name of the remote computer.

2. Enter the Username, that is, the name assigned to the user account having Admin rights on the remote computer.

3. Enter the Password of the user account name given above.

4. Confirm the password.

5. Click Add to add this set of credentials to the list in the box.

6. Click Add to create additional sets of credentials, or click Remove to remove a set of credentials from the list.

7. Click OK.

8. In the Remote Data dialog, select which type(s) of data to acquire.

9. Make your selections from any or all of the Remote Data options during this session. See Remote Data Types, below, for more information.

10. Click OK.

The Remote Data Acquisition job begins and the Data Processing Status window opens. Acquire Remote Data jobs are displayed under Other Jobs.

REMOTE DATA TYPES

There are three options; each has its own dialog with options and requirements. The options are:

Image Drives: Creates an E01 image of the selected drive. You are given a list of the drives on the remote system. This list includes the hard drive, all partitions, and other devices, such as memory cards that are connected. There is no drive preview available. Output is to .E01, using only default options.

Note: This option consumes a large amount of bandwidth, and is slow.

Acquire RAM: Allows you to acquire the memory contents from the target machine. Once acquired, RAM data is viewable from the Volatile tab in FTK. You will be

Note: Mark Page File to also acquire the data in page files on the remote computer. This is the only way you will see the contents of the page file.

Mount Device: Mounts and connects to a device on the remote computer. You can then map to that device and browse the contents in Windows Explorer. A list of remote devices available for mapping is provided. For the selected item on the left, the available information about that device is displayed on the right. While this is live data, it reads from the disk, not from the cache. This means that if there is activity on the screen while you are viewing the mounted device data, you will not see it.

Important: Processing a UDF logical drive appears to hang in processing during indexing. It could be that this process is just extremely slow. (16918)

Workaround: Image the UDF drive and add the image to the case. This seems to work more quickly and the processing does finish.

Once you disconnect from the remote system, the Temporary Agent stays “alive” for approximately five minutes before self-deleting. In addition, if you do not disconnect from the remote system the Agent will complete its assigned tasks, and when there are no running tasks, it will self-delete after about five minutes. To avoid waiting for the FTK Agent to expire, manually end the FTK Agent in Task Manager on the Target machine.

Once disconnected, you must push the Temporary Agent again to establish a new connection and acquire additional data. If you wish to create a manual deployment on the remote machine that allows the Agent to remain resident, use the directions that follow to create a Manual Deployment.

RDMS MANUAL DEPLOYMENT

Remote Device Management System (RDMS) enables the acquisition of data from remote systems in your network using FTK. When you use RDMS to acquire data from remote devices, you can map to the remote drive and preview the contents before adding it to the case.

Requirements for RDMS Manual Deployment:

FTK 3.1 installed with a license

Either a self-signed certificate, or a CA-signed certificate if you want to run the manual deployment from a thumb drive

FTK agent (FTKAgent.exe)

Admin privileges on the target node

UTILIZING THE AGENT

There are two different agent deployment methods:

Auto Deployment: Using the Temporary Agent where FTK deploys the agent for a one-time use. This method was discussed in the previous Add Remote Data discussion.

Manual Deployment: Using the same agent executable (FTKAgent.exe) and a pre-created certificate running on the target machine. This method is accomplished from a command line, and is explained below.

Note: You need to have only one set of certificate keys. If you have CA-signed certificates, you do not need to create additional ones.

Assuming FTK 3.1 is installed and you want the option to leverage both the manual and automatic agent deployment methods, complete steps in the following sections:

CREATING A SELF-SIGNED CERTIFICATE

Once preparations are made, to create a self-signed certificate do the following:

1. Open a command line and navigate to

C:\Program Files\AccessData\Forensic Toolkit\3.1\bin

2. Type the following command line:

Certman.exe -n [hostname of issuer] [base name of cert]

Example:

Certman.exe -n DellComputer.domainname.com InvestigatorCert

Which generates the following certificates and places them in the \bin folder path from Step 1:

InvestigatorCert.crt (public key)

InvestigatorCert.p12 (private key)

DEPLOYING THE AGENT

To complete the manual deployment of the Agent, do the following:

1. Copy the appropriate FTKAgent.exe (32-bit, or 64-bit) from C:\Program Files\AccessData\Forensic Toolkit\3.1\bin\Agent\x32 (or x64) to a thumbdrive or a shared network resource that is available to both the host and the target machines.

2. Copy the .CRT certificate file generated in the previous section from C:\Program Files\AccessData\Forensic Toolkit\3.1\bin\ to the same thumbdrive or a shared network resource used in Step 1.

3. Create a new folder on the desktop of the target machine: Agent

4. Copy the .CRT and FTKAgent files from the thumbdrive or shared resource to Agent.

5. Open a command line and navigate to the path of the Agent folder.

6. Type one of the following command lines, depending on which agent file you copied in Step 1:

ftkagent.exe -cert [certname.crt] -port [portnumber]

ftkagentx64.exe -cert [certname.crt] -port [portnumber]

7. Depending on which agent file you deployed, you will see either FTKAgent.exe or FTKAgentx64.exe in the Task Manager. DO NOT close the command line, or the agent dies.
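The Deploying the Agent steps above, scripted for the target machine as an added example; this is not code from the FTK user guide or from AccessData. It assumes the thumb drive is mounted as E:\ and carries both agent builds and the .crt from the Certman.exe step, and it adds the port-in-use check that the Add Remote Data caveat calls for before starting the agent.

```powershell
# Added example: manual RDMS agent deployment on the target machine.
# Assumed (not stated on the page): thumb drive at E:\ with FTKAgent.exe,
# FTKAgentx64.exe and the public certificate from the Certman.exe step.
param(
    [string]$Source   = 'E:\',                  # thumb drive or share (assumed path)
    [string]$CertName = 'InvestigatorCert.crt', # base name chosen in the Certman.exe step
    [int]$Port        = 3999                    # page default; ADAgent also uses 3999
)

# Step 1: pick the agent build that matches the target OS architecture.
# PROCESSOR_ARCHITEW6432 is set when a 32-bit shell runs on a 64-bit OS.
$is64 = ($env:PROCESSOR_ARCHITECTURE -eq 'AMD64') -or ($env:PROCESSOR_ARCHITEW6432 -eq 'AMD64')
$agentExe = if ($is64) { 'FTKAgentx64.exe' } else { 'FTKAgent.exe' }

# Step 3: create the Agent folder on the target's desktop.
$agentDir = Join-Path ([Environment]::GetFolderPath('Desktop')) 'Agent'
New-Item -ItemType Directory -Path $agentDir -Force | Out-Null

# Step 4: copy the agent executable and the public certificate into that folder.
foreach ($f in @($agentExe, $CertName)) {
    $src = Join-Path $Source $f
    if (-not (Test-Path $src)) { throw "Missing $src on the thumb drive or share" }
    Copy-Item -Path $src -Destination $agentDir -Force
}

# Caveat from the Add Remote Data section: an agent started on a port that is
# already in use runs briefly and then shuts down. netstat is parsed here because
# Get-NetTCPConnection does not exist on Windows XP/7.
$listening = netstat -ano | Select-String -Pattern "^\s*TCP\s+\S+:$Port\s+\S+\s+LISTENING"
if ($listening) { throw "TCP port $Port is already listening on this machine; pick another port" }

# Steps 5 and 6: run the agent from the Agent folder. The call blocks on purpose:
# the page warns that closing the command line kills the agent, and a reboot
# requires redoing the deployment.
Set-Location $agentDir
& (Join-Path $agentDir $agentExe) -cert $CertName -port $Port
```

Run it from an elevated PowerShell on the target, since the page requires Admin privileges on the target node; leave the window open for as long as the agent must stay available.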

CONNECTING TO THE AGENT

To connect FTK to the remote agent, do the following:

1. Open FTK on the host machine.

2. Select and open a case.

3. Click Evidence > Add Remote Data.

4. Enter the IP Address or hostname of the target machine where the Agent is deployed.

5. Enter the port specified in your command line.

6. Choose the Use Existing Agent radio button; click OK.

7. Browse to the Agent folder and choose the [certname].p12 file; click OK. A list of options appears. Choose the ones to use during this session.

Important: When utilizing the manual deployment method, the agent stays installed and available only until the remote machine is restarted or rebooted. On any restart, the manual deployment of FTKAgent.exe must be performed again.

UTILIZING REMOTELY ACQUIRED DATA

View the data acquired from remote machines in the FTK UI. Volatile data such as RAM, page files, .DLLs, open sockets, drivers, and so forth will be accessible on the Volatile tab.

Drives and other data are displayed in the Evidence tab, and are treated as any other evidence.
