Hi folks.
I'm no expert when it comes to networking, and I have a question that I have been wondering about for some time. For forensics applications, it is usually recommended that you don't use a PC that is not yours or is not a forensic workstation to extract evidence or acquire images. You never know what is in this PC, and you never know what's installed and what could happen. You should only use a PC you trust 100% for things like this. Otherwise, the evidence will not be reliable. The unknown PC might also contain some malware or spyware or other nasty infections which can hinder the acquisition.
Say, for example, a suspect who has probably been doing some criminal activities connected his smartphone to his PC. As is currently the norm, the smartphone will most probably carry a lot of evidence against the criminal. The crime scene was reached and the phone was found connected to the PC. Proper forensics procedures aside, say I want to image or acquire a physical image of the phone on site. Now, I can do that from the machine it is physically connected to. But, like I explained above, that is not recommended, or useless, let's say.
My question is: Does it make any sense to you (networking gurus ^_^) to access the phone remotely from another machine that is networked to the suspect's machine and acquire the image? SSH? Hack into it using Kali Linux with Metasploit, maybe? Is there a case where something like this would be advisable? I know, I know: one would say why don't you just disconnect it and connect it to the machine of your preference? Well, I don't want to do that because it will wipe out all the data. It is an anti-forensics technique I'm trying to fight.
Two questions here: the other machine can see the external storage only of the phone, right? And that is only if it is shared across the network, right? If it is not shared, how can one do it? There must be a trick out there...
This would also mean that only a logical acquisition is possible. There is no way to access files in the internal storage of the phone like system, data, or user files. So, is there a way to get a full physical image?
To make a network of course, I can just hook my trusted PC or laptop to the suspect's machine with a crossover cable.
Logical? Or simply very stupid? One might say why go the other way around when you have a machine that is already physically connected to your evidence? I don't really know, that's why I'm asking! This has to do with network protocols. So, can it be any safer in some scenarios?
I appreciate and am thankful for all comments and recommendations. This has been bugging me for some time now.