Remote Forensic Investigations

Introduction
Benefits of having a remote forensic capability
Common pitfalls, challenges and risks
Hints and tips

Introduction

Remote Forensic Investigation is nothing new, I remember first using EnCase Enterprise Edition (now Encase Endpoint Investigator) in 2008 and at that time it wasn’t new technology. Since then, the range and capabilities of technologies that allow an investigator to acquire data remotely across a network has broadened, but nevertheless, many organisations still do not utilise remote forensic technology in their investigation workflows.

In the world we are currently living and working in, there can’t be many organisations who could hand on heart swear that they could get physical access to all of their endpoints at short notice. There has for some time been a gradual shift to remote working, but for obvious reasons this has now been accelerated beyond anyone’s expectations. We have reached a point where now anyone who can work remotely must do so; and experts are speculating that once the current global health crisis is over, many organisations will not go back to how they were. If this mass remote working experiment is successful, then businesses will begin to question why they need large expensive city centre offices, and why they limit the talent pool to only those living within commutable distance.

For investigation and cyber incident response departments this presents a challenge. No longer will it be possible to physically unplug a machine because the user opened a dodgy email attachment, and neither will it be possible to take possession of a laptop because the user leaked confidential information. Remote forensics will become the ‘norm’ rather than a specialised capability reserved for specific cases.

At Avatu we are hearing from companies who already have something in place but are interested in expanding their use of remote forensic technologies. We are also speaking to companies who have no remote capability at all and are looking to deploy something quick. We thought, therefore, that it might be useful to share some high-level information, advice and warnings about operating a remote forensic capability, the remainder of this article is dedicated to this.

If you need help with this, or you would like a more in depth discussion around tooling options, please don’t hesitate to contact me at rob.savage@avatu.co.uk

Benefits of having a Remote Forensic Capability

There are many benefits of deploying and using remote forensic technologies, some are more obvious that others. I have highlighted some of the more common ones below:

Investigation mobilisation speed

With proper planning, procedures and permissions, an investigator is able to respond to requirements and start to collect data in minutes rather than hours/days. This is particularly important when responding to cyber security incidents.

Minimise business interruption

Depending on the nature of the investigation it may be appropriate to leave the endpoints in the possession of the subject. In these cases, a remote forensic capability will allow you to acquire data without disrupting their work by taking possession of the device.

Covert investigations

Many remote forensic tools have functionality that enable covert acquisitions/searches of endpoints. If you can navigate through the HR/Privacy complications, this can be very useful.

Remote access to endpoints

This is the obvious benefit, and probably the most relevant in the current environment. Remote forensic tools allow investigators to access, search and collect data from endpoints connected to the network.

Common Pitfalls, Challenges and Risks

There are many things to consider when deploying or utilising a remote forensic capability. I’ve highlighted a few challenges that I’ve personally encountered in the past, but by no means is this list exhaustive

Agent deployment

Before any work can be done, agents need to be deployed to endpoints. This can be done as a company wide roll out, either as part of gold builds, group policy, or manually. Alternatively many organisations opt to deploy agents to machines only as and when they are needed. Either way, it is likely that some planning and engagement with IT will be needed here.

Privacy/Legal

This is an absolute minefield and well beyond my expertise and the scope of this post to go into detail, but it’s worth keeping in mind, at very least, the following:

Cross border – Are you moving data between countries? If so, is it legal to do so?
Privacy – Does the subject have a reasonable expectation of privacy when using a company issued device in their own home? What do your IT Policies say about acceptable use? Have you made them aware that you can collect data stored on their devices without them knowing?
Collateral intrusion – Is the subject using the device for non-work purposes such as banking, personal email, legal advice etc? Do they allow other members of their family to use it? If so, is it possible to identify and exclude this from a collection?
BYOD - If you operate a Bring Your Own Device policy, what right do you have to access information stored on a device belonging to an employee?

Bandwidth

Depending on how much data you are looking to acquire, bandwidth might be a consideration. Remember that most home broadband connections have a significantly slower upload than download speed, a quick check of my own home broadband shows upload speed is less than a quarter of download speed. So, if you are to acquire a full forensic image or a large chunk of data from a subject based at home then you may be waiting a while.

Risk of leaving devices online while collecting

In a cyber incident response scenario we need to balance the risk of leaving the device connected to company systems while we collect. In an ideal world we would isolate the device and then collect. Some tools allow this, but not all.

Disconnects

Especially when undertaking large collections in a covert scenario this can be an issue. If a user is active on their device, creating and changing data and logging on and off, then creating a ‘snapshot’ collection can be challenging. Some technologies provide the capability to make a local snapshot onto the device itself, which can then be collected gradually in segments over time.

Hints and Tips

The following are some things that I’ve found it useful to keep in mind when considering remote forensics:

Technology Selection

The very first thing to get right is to choose the right technology for your use case. Understand what it is you are looking to achieve and then build a set of requirements from it.

There are multiple technologies in the market that offer a remote forensic capability. Some are collection only; some are collection and analysis combined. Some are aimed at Cyber Incident Response use cases; some are aimed at E-Discovery and Investigation. Some allow you to triage and search the endpoint prior to collecting; some just allow you to collect based on file attributes alone.

Take the time to understand what options are available and when choosing a technology, ensure that you choose one that not only meets your requirements, and is suitable for your technical environment, but also fits your processes.

Be as targeted as possible with the data you collect

Unless the investigation dictates a full acquisition, be as targeted as possible. This will help mitigate some of the privacy risks and also minimise the volume of data that you are uploading over the subject's internet connection. Plan and document the parameters of your collection, such as any keywords, date ranges, file type, file names and location filters used.

Create an organisational data map to understand where data is held.

This can be used to identify sources of information and plan collections. If for example a user’s documents folder is replicated onto say OneDrive and email is O365, then there might not be a need to collect data from the endpoint at all.

Prioritise centralised data sources over endpoint

If I’m only interested in email and we are using Office365, it is much easier to collect direct from O365 rather than attempting to collect the locally stored OST/PST file.

Utilise on device triage/search

If your technology allows, do as much triage/searching on the endpoint itself as possible. If you only collect responsive documents, not only does it reduce the amount of data being collected it minimises any collateral intrusion.

Have a well-defined investigation process

Make sure that the investigation process is well documented and that authorisation is sought and documented at the correct level. This is a sensitive area and so comprehensive audit trails of decisions should be kept.

Logging and note taking

As above it is vital that any work done is properly documented and contemporaneous notes taken. You may find that you are having to account for exactly what was collected and why at a later date and accurate notes will be important for this.

Update your IT Policies

Ensure that Company IT Policies make it clear that data held on company devices is subject to investigations and that the company deploys and makes use of technology that allows it to collect data from devices.

Conclusion

Remote Forensic Investigations can be challenging, especially if policies are not in place that facilitate their use. However as we all learn to adapt to new ways of working, it is likely the importance of having a remote capability will increase.

There are a number of reasons why organisations have previously resisted adoption of remote forensic technology, it may be because there exists a perception that it would be prohibitively expensive, or that deploying agents onto endpoints would be technically difficult, but in many cases (and I count myself in this category) there is something reassuring about taking physical possession of a target device and knowing that I have the data because it is safely locked away.

It is unlikely however that this is a luxury that we will be able to rely on forever.