FTK 4.1 How to use Remote Device Mounting Service

HOW TO USE REMOTE DEVICE MOUNTING SERVICES

What is RDMS?

In FTK 3.0, AccessData offers a new feature called RDMS - Remote Data Mounting Services. It gives examiners the ability to acquire a forensic image of remote physical or logical drive(s), acquire a non-proprietary image of memory, and forensically mount physical devices or logical volumes on the examiner's machine, all from a single live system. SSL is used to protect the communication between the agent and the examiner, using either a self-signed certificate or one signed by a Certificate Authority (CA).

What is needed to use RDMS:

• FTK 3 installed with a license
• Either a self-signed certificate or a CA-signed certificate, if you want to use manual deployment from a thumb drive
• FTK agent
• Admin privileges on the target node
• Network connectivity to the target node
• Simple file sharing must be turned off for one-time agent deployment

What are the agent deployment methods?

There are two different agent deployment methods:

• Auto Deployment: using the one-time agent deployment, in which FTK deploys the agent with a one-time certificate.
• Manual Deployment: using the agent binary (FTKagent.exe) running on the target machine, bound to a pre-created certificate.

Initial Setup

This set-up assumes that FTK 3 is installed and that you want to be able to use both the manual and the automatic agent deployment methods.

NOTE: You only need to create one set of keys (one key pair consisting of a public and a private key).

1.) Create the certificates. The certman utility, which ships with FTK3, can create a self-signed certificate, or the certificates needed when you already have a signing certificate.
2.) Create a new folder on your examiner machine, for example C:\Agent.
3.) Copy certman.exe and libeay32.dll from C:\Program Files\AccessData\Forensic Toolkit\3.0\bin to the C:\Agent folder.
4.) Copy the 32-bit/64-bit agent (x32 and x64 folders) from C:\Program Files\AccessData\Forensic Toolkit\3.0\bin\Agent to the C:\Agent folder.
5.) Create the certificates for use during manual deployment. If you need to create a pair of certificates from an existing set of keys, go to step 3 in the section below. Otherwise, follow these steps to create a self-signed pair of certificates.

How to create a self-signed certificate:

Command line: Certman -n <hostname> <certName>

Example: Certman -n DellComputer.domainname.com InvestigatorCert

The above command will generate the following certificates:

InvestigatorCert.crt
InvestigatorCert.p12 <private>

Preparing USB Drive for Manual Deployment of Agent

1.) Copy the proper version (x32 or x64) of the agent FTKagent.exe from C:\Agent to the thumb drive (or consider renaming the agents to something like ftkagent32.exe/ftkagent64.exe and keeping them both on the thumb drive).
2.) Copy the public certificate "InvestigatorCert.crt" to the thumb drive.
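The examiner-side staging steps above (initial setup and USB preparation) consolidated into one script, with a check that only the public certificate leaves the examiner machine. This is an added example, not AccessData's own tooling; it assumes the default FTK 3.0 install path from this guide, that the two agent builds sit in x32 and x64 subfolders of bin\Agent, a thumb drive at E:\, and the "Certman -n <hostname> <certName>" syntax shown above.

```powershell
# Added example: stage C:\Agent and the manual-deployment thumb drive on the examiner machine.
# Assumed: FTK 3.0 default paths, agent builds under bin\Agent\x32 and bin\Agent\x64, USB at E:\.
param(
    [string]$FtkBin   = 'C:\Program Files\AccessData\Forensic Toolkit\3.0\bin',
    [string]$AgentDir = 'C:\Agent',
    [string]$UsbRoot  = 'E:\',                   # assumed drive letter of the thumb drive
    [string]$HostName = $env:COMPUTERNAME,       # host name embedded in the self-signed cert
    [string]$CertName = 'InvestigatorCert'
)
$ErrorActionPreference = 'Stop'

# Steps 2-3: working folder plus the two files certman needs.
New-Item -ItemType Directory -Path $AgentDir -Force | Out-Null
Copy-Item -Path (Join-Path $FtkBin 'certman.exe')  -Destination $AgentDir
Copy-Item -Path (Join-Path $FtkBin 'libeay32.dll') -Destination $AgentDir

# Step 4: both agent builds, renamed so they can sit side by side on the drive.
Copy-Item -Path (Join-Path $FtkBin 'Agent\x32\FTKagent.exe') -Destination (Join-Path $AgentDir 'ftkagent32.exe')
Copy-Item -Path (Join-Path $FtkBin 'Agent\x64\FTKagent.exe') -Destination (Join-Path $AgentDir 'ftkagent64.exe')

# Step 5: self-signed pair; certman writes <CertName>.crt (public) and <CertName>.p12 (private).
Push-Location $AgentDir
try     { & .\certman.exe -n $HostName $CertName }
finally { Pop-Location }
$crt = Join-Path $AgentDir "$CertName.crt"
$p12 = Join-Path $AgentDir "$CertName.p12"
if (-not (Test-Path $crt) -or -not (Test-Path $p12)) { throw 'certman did not produce both certificate files' }

# USB steps 1-2: agents and the PUBLIC certificate only go to the thumb drive.
$toUsb = @((Join-Path $AgentDir 'ftkagent32.exe'), (Join-Path $AgentDir 'ftkagent64.exe'), $crt)
Copy-Item -Path $toUsb -Destination $UsbRoot

# Guard against the mistake the guide warns about: the private .p12 stays on the examiner machine.
if (Get-ChildItem -Path $UsbRoot -Filter '*.p12' -Recurse) { throw 'private key found on the thumb drive; remove it' }

# Record what was staged (SHA-256) for the examiner's notes.
Get-ChildItem -Path $UsbRoot -File | Get-FileHash -Algorithm SHA256 |
    Select-Object Hash, Path | Tee-Object -FilePath (Join-Path $AgentDir 'usb-manifest.txt')
```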

Once the agent and public certificate are on the thumb drive…

3.) Use a Certificate Authority (CA) to generate the public and private pair:

Command line: Certman -n <hostname> [-ca <caCertName>] <certName>

Example: Certman -n CAServer.domainname.com -ca cacert InvestigatorCert

The above command will generate the following certificates:

InvestigatorCert.crt - public key
InvestigatorCert.p12 - private key

NOTE: Remember that you only use one pair of cert keys, either the self-generated/self-signed pair or the CA-generated pair.

4.) Start FTK3 and log in.

5.) Create a New Case in FTK


6.) From the Evidence pull down menu select "Add Remote Data."



7.) Enter the IP address of the target node.
8.) Define the port the agent will use for communication (3999 is the default).
9.) Select Install Temporary Agent.
10.) Press OK.

11.) At the credentials dialog, enter the required credentials.

NOTE: The domain credentials used must be an account that has local admin rights on the target machine.

NOTE: If the target node is not part of a domain, you must enter the machine name in the domain dialog. Example:

Domain: MACHINENAME
Username: USERNAME


12.) Select one of the three options (Image Drives, Acquire RAM, or Mount Device).
13.) Depending on which option you choose, follow one of the following sets of instructions (each has its own section below):

• Image Drives
• Acquire RAM
• Mount Device

NOTE: To unload ftkagent, you must kill the ftkagent process in Task Manager on the target machine, or wait 5 minutes for the default time-out. Also be aware that you must initiate your Image Drives, Acquire RAM or Mount Device action before this time-out.


Manual Deployment

This section describes how to get the agent running on the target machine manually and how to connect to it via FTK.

NOTE: You must have admin privileges on the target node when executing the agent.

1.) Take the USB drive with FTKagent.exe and the public certificate from the instructions above.
2.) Insert the USB drive into the target machine.
3.) On the remote machine, open a command prompt (make sure you open the command prompt with admin privileges).
4.) Navigate to the thumb drive.
5.) Run the agent with the following parameters:

FTKAgent -cert <certName> -port <portNumber> [-timeout <minutes>]

Timeout is the value in minutes before the agent stops running.

6.) Example: FTKAgent.exe -cert InvestigatorCert -port 3999 -timeout 20

3999 is the default port.
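Steps 3 to 6 above as a launcher script run from the thumb drive on the target machine: it verifies the elevated prompt the guide requires, picks the matching agent build, records what was executed, and starts the agent with the -cert/-port/-timeout switches shown in the example. This is an added example, not part of the AccessData guide; it assumes the drive holds ftkagent32.exe, ftkagent64.exe and InvestigatorCert.crt as prepared earlier, and that the agent accepts the switch syntax exactly as the guide's example shows.

```powershell
# Added example: launch FTKagent from the thumb drive with the guide's parameters.
# Assumed: ftkagent32.exe / ftkagent64.exe and <CertName>.crt sit next to this script.
param(
    [string]$CertName   = 'InvestigatorCert',
    [int]   $Port       = 3999,   # default agent port per the guide
    [int]   $TimeoutMin = 20      # agent stops on its own after this many minutes
)
$ErrorActionPreference = 'Stop'
$here = $PSScriptRoot                     # folder of this script, i.e. the thumb drive

# The guide requires an admin command prompt on the target; fail early rather than half-start.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal $identity
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Open the command prompt with admin privileges and re-run.'
}

# Pick the agent build that matches the live system.
$agentFile = if ([Environment]::Is64BitOperatingSystem) { 'ftkagent64.exe' } else { 'ftkagent32.exe' }
$agent     = Join-Path $here $agentFile
$cert      = Join-Path $here "$CertName.crt"
if (-not (Test-Path $agent)) { throw "agent binary not found: $agent" }
if (-not (Test-Path $cert))  { throw "public certificate not on the drive: $cert" }

# Note what ran, from where and when; the log is written to the drive, not to the target's disk.
$log   = Join-Path $here 'agent-run.log'
$stamp = (Get-Date).ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ssZ')
$hash  = (Get-FileHash -Path $agent -Algorithm SHA256).Hash
"$stamp host=$env:COMPUTERNAME agent=$agentFile sha256=$hash port=$Port timeout=${TimeoutMin}m" |
    Add-Content -Path $log

# Launch exactly as the guide's example does; the certificate name is passed without its extension.
$proc = Start-Process -FilePath $agent -WorkingDirectory $here -PassThru `
        -ArgumentList "-cert $CertName -port $Port -timeout $TimeoutMin"
"$stamp pid=$($proc.Id) started" | Add-Content -Path $log
Write-Host "Agent running (PID $($proc.Id)); it exits after $TimeoutMin minutes or when ended in Task Manager."
```

Connect from FTK within the time-out window, as the guide notes; once the agent exits, the script has to be run again on the target.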

Connecting to Agent

1.) Start FTK3 and log in.


2.) Create New Case in FTK.

3.) From the Evidence pull-down menu select "Add Remote Data."

4.) Enter the IP address of the target node.
5.) Define the port the agent will use for communication.
6.) Select "Use Existing Agent".
7.) Press OK.


8.) In the "Path to Cert" field, browse to the location of your private cert on the examiner machine. (Note this is NOT the certificate that was copied to the remote system, but the certificate copied to C:\Certs: the private key with the ".p12" extension.)
9.) Select OK to continue.


10.) Choose one of the "Remote Data" options.

Using Remote Device Acquisition Services After Deployment

Image Drives

1.) Start FTK3 and log in.
2.) Create New Case in FTK.
3.) From the Evidence pull-down menu select "Add Remote Data."
4.) Enter the IP address of the target node.
5.) Define the port the agent will use for communication.
6.) Select "Use Existing Agent".
7.) Press OK.
8.) In the "Path to Cert" field, browse to the location of your private cert (.p12) on the examiner machine. (Note this is NOT the certificate that was copied to the remote system, but the certificate copied to C:\Certs.)
9.) Select OK to continue.
10.) Choose one of the "Remote Data" options.
11.) Select Image Drive. You will then be prompted to select the physical or logical drive(s) from the system. Enter the path where you would like to store the disk image and, finally, check the box if you would like to add the image to the case.
12.) Select OK.


The process will start and be displayed as shown below.

Acquire RAM

1.) Start FTK3 and log in.
2.) Create New Case in FTK.
3.) From the Evidence pull-down menu select "Add Remote Data."
4.) Enter the IP address of the target node.
5.) Define the port the agent will use for communication.
6.) Select "Use Existing Agent".
7.) Press OK.
8.) In the "Path to Cert" field, browse to the location of your private cert on the examiner machine. (Note this is NOT the certificate that was copied to the remote system, but the certificate copied to C:\Certs.)
9.) Select OK to continue.
10.) Choose one of the "Remote Data" options.
11.) Select "Acquire RAM".
12.) Select the memory dump file path (where you want to store the memory dump after collection).

The process will start…


Mount Device

1.) Start FTK3 and log in.
2.) Create New Case in FTK.
3.) From the Evidence pull-down menu select "Add Remote Data."
4.) Enter the IP address of the target node.
5.) Define the port the agent will use for communication.
6.) Select "Use Existing Agent".
7.) Press OK.
8.) In the "Path to Cert" field, browse to the location of your private cert on the examiner machine. (Note this is NOT the certificate that was copied to the remote system, but the certificate copied to C:\Certs.)
9.) Select OK to continue.
10.) Choose one of the "Remote Data" options.
11.) Select Mount Device. You will now be required to choose between mounting the physical drive (by drive number), a logical drive (by volume name, if present) or memory. In this example the end user has not assigned a label to the volume, so you will see "(No Volume Name)".
12.) The next step is to choose a drive letter (mount point). In this example we will mount the drive as drive K.
13.) You can now open Windows Explorer and access the remote system via the assigned drive letter.


How to Unmount Agent Device

After you have completed the remote operations and stopped the agent on the target node, you need to unmount the agent device.

1.) To unmount the agent device, go to the Tools pull-down menu and choose Unmount Agent.
2.) Select all agents or your specific agent and hit OK.
