Remote Forensics
The term Remote Forensics (also identified as Network Forensics or Online Forensics by some companies) covers a broad variety of forensic approaches, but is used mostly to refer to performing computer and digital forensics remotely in an enterprise environment. It is the collection, examination, and reporting of digital evidence from a connected, operating computer on a live network.
Remote Forensics is not just network packet capture and analysis. For these types of tools, please see the Network Forensic Tools category.
The primary benefit of Remote Forensics tools is response capability; providing a method for Incident Response teams to evaluate the potentially compromised computer without the time necessary to gain physical access to the computer. Running a close second is the ability to capture volatile data that is not available once a computer is shutdown, including:
- Data in memory, such as registers and cache contents
- Running processes
- Any passwords that are stored in memory as clear text
- Executed console commands
- Currently attached devices, especially networked drives
- Open ports and listening applications
- Logged on users
Usually the investigation can be performed without the knowledge of the computer owner, allowing for discreete internal investigations.
Most Remote Forensic tools use a servlet, a piece of software installed on each computer that allows a Forensics Investigator or Incident Responder to access and analyze a computer over the network.
Be sure to investigate any solution you choose to ensure it meets your requirements for collection of valid and verifiable evidence and documentation for acceptance evidence and documentation in a court of law.
Other information about Remote Forensics:
- Remote Forensic Software - A Gartner Research Note
- Collecting Evidence from a Running Computer: A Technical and Legal Primer for the Justice Community - a presentation by Todd Shipley and Henry Reeve Esq.
- Covert Post-Exploitation Forensics with Metasploit - by R. Wesley McGrew. Not Remote Forensics persay, as the computer must be compromised to then run the forensics.
OpenText EnCase Forensic is a court-proven solution for finding, decrypting, collecting and preserving forensic data from a wide variety of devices, while ensuring evidence integrity and seamlessly integrating investigation workflows. Thorough evidence c ...
Gargoyle Investigator MP is the next generation of WetStone’s advanced malware discovery solution for computer forensic investigators and incident response teams. It is designed for forensic laboratories, law enforcement, field investigators, advanced pri ...
E3 Forensic Platform provides processing options for smartphones, computers, cloud data, email, and more. A comprehensive review of data together to find the gaps that hold the keys to your investigation. Universal Data ProcessingData processing in ...
F-Response is a vendor neutral, patented software utility that enables an investigator to conduct live forensics, Data Recovery, and eDiscovery over an IP network using their tool(s) of choice. F-Response is not another analysis tool. F-Response is a util ...
The Remote Forensics architecture allows companies to reduce their investigation budgets and enable analysts to work more productively by providing a fast, secure and effective incident response framework that enforces a consistent methodology allowing an ...
GRR is an Incident Response Framework focused on Remote Live Forensics. State of the Project August 2011 GRR is in proof of concept stage and is not considered production-ready. The basic principles have been proven, but there is significant work to be d ...
AXIOM Cyber is a robust digital forensics and incident response solution for businesses that need to perform remote acquisitions and collect & analyze evidence from computers, the cloud, and mobile devices.Off-Network CollectionAXIOM Cyber enables you ...