A few years ago, I was asked if there was a way to use EnCase Enterprise to connect to a remote machine that may be located behind a firewall. The scenario I was given was what if an Investigator wanted to connect to a computer located inside a Internet Cafe to collect information during an investigation, but didn't want to solicit the help from the Internet Cafe owner/employee? I came up with a simple way to accomplish this with no regard to the legal ramifications since that was not part of the problem presented to me and should be considered by the person performing this.
There are some equipment prerequisites that you need to accomplish this:
1. EnCase Enterprise/FIM
2. A public accessible SSH server
In addition, this solution requires that someone (an additional investigator) enter the Internet Cafe and have physical access to the computer you wish to preview or collect information from. Administrative access is not required and there is no need to install anything or reboot.
The scenario would be something like an investigator doing surveillance on someone who uses an Internet Cafe and then when that person leaves, an investigator would enter and pretend to use the computer that the suspect just used. The investigator would use a floppy disk or flash drive to start the necessary applications and config and then a remote investigator could connect to the computer in the Internet Cafe using EnCase Enterprise and collect information (image, preview, etc.).
The following PDF details how to accomplish this:
Download Here.
*Note: This solution was originally written several years ago for EnCase v4 and works in all subsequent versions, but in EnCase v6 there is an easier way to accomplish this with no need to use 3rd party software (SSH), but administrative access is required to the machine you wish to preview.
There are some equipment prerequisites that you need to accomplish this:
1. EnCase Enterprise/FIM
2. A public accessible SSH server
In addition, this solution requires that someone (an additional investigator) enter the Internet Cafe and have physical access to the computer you wish to preview or collect information from. Administrative access is not required and there is no need to install anything or reboot.
The scenario would be something like an investigator doing surveillance on someone who uses an Internet Cafe and then when that person leaves, an investigator would enter and pretend to use the computer that the suspect just used. The investigator would use a floppy disk or flash drive to start the necessary applications and config and then a remote investigator could connect to the computer in the Internet Cafe using EnCase Enterprise and collect information (image, preview, etc.).
The following PDF details how to accomplish this:
Download Here.
*Note: This solution was originally written several years ago for EnCase v4 and works in all subsequent versions, but in EnCase v6 there is an easier way to accomplish this with no need to use 3rd party software (SSH), but administrative access is required to the machine you wish to preview.
Post a Comment
EnCase is used for quick Incident Response in Forensics Analysis