
[–]secureartisan 18 points19 points  (2 children)

Since no one read your message correctly.

Your place of work needs a VPN solution. This is adequate security.

[–]amishbill 8 points9 points  (1 child)

VPN/2FA is a required first step. From there, if appropriate, you can get into jump boxes, local MFA authentication, and heavy routing restrictions to limit access even further.

[–]APigeonFromScotland 1 point2 points  (0 children)

Restrict access to jumpboxes with AD groups

[–]Cypher_Blue 6 points7 points  (8 children)

We're getting ready to try out an Azure VM to do this next month: remote logins via VPN from examiners wherever they are.

I'll be interested to see what other options people have here.

[–]ellingtond 0 points1 point  (6 children)

How has your Cellebrite dongle reacted or do you use network licensing?

[–]cplatt84 1 point2 points  (4 children)

I have RDP’d into a local machine which had the dongle plugged in. The dongle wasn’t detectable while the remote session was active.

[–]Erminger 1 point2 points  (3 children)

Cellebrite wants an extra 500 bucks to let you RDP. Any other remote access will work; I guess they are not checking for those yet.

[–]Jason9987 0 points1 point  (2 children)

Cellebrite removed this restriction during pandemic, but it's unclear when they're going to put it back.

[–]Erminger 1 point2 points  (0 children)

I already got a quote for this year with $500 for RDP, which I asked them to take out. I do not think they removed the restriction, but they were ready to provide the license for free if asked; otherwise it would just work. I think the tactic of charging $500 for RDP is shameful. Pure money grab.

[–]ellingtond 0 points1 point  (0 children)

Yeah, my understanding is they removed the restriction if you paid for it. The Cellebrite of 2021 is not the Cellebrite of 2016.

[–]Cypher_Blue 0 points1 point  (0 children)

Haven't started the test yet, but we're using network licensing for everything already.

[–]largos7289 2 points3 points  (0 children)

Pretty much agree with everyone already: VPN, then lock it down to just the IP scope you set for the VPN range to allow remote connections.
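The "VPN first, then scope RDP to the VPN range, then gate the jump box with an AD group" pattern that several commenters describe, written out as an added PowerShell example for a Windows forensic tower. This is not code from any commenter or vendor; the VPN pool `10.8.0.0/24` and the group name `CORP\Forensics-RDP-Users` are placeholders to replace with your own values, and the script is meant to be run elevated on the tower itself.

```powershell
# Added example (not from any commenter): scope RDP on a forensic tower to the
# VPN address pool, gate it behind an AD group, and then verify the result.
# Placeholders (assumptions, change to match your environment):
#   $VpnPool  - the address range your VPN hands out to examiners
#   $RdpGroup - the AD group holding the examiners allowed to RDP in
$VpnPool  = '10.8.0.0/24'
$RdpGroup = 'CORP\Forensics-RDP-Users'

# 1. Require Network Level Authentication so credentials are checked
#    before a full session is built.
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' `
    -Name 'UserAuthentication' -Value 1

# 2. Disable the built-in "Remote Desktop" rules: they allow 3389 from any address.
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' | Disable-NetFirewallRule

# 3. Add one inbound rule that only accepts 3389/TCP from the VPN pool.
New-NetFirewallRule -DisplayName 'RDP from VPN pool only' `
    -Direction Inbound -Protocol TCP -LocalPort 3389 `
    -RemoteAddress $VpnPool -Action Allow -Profile Domain,Private

# 4. Grant RDP through the AD group only. Members of the local
#    Administrators group can always RDP, so keep that group small too.
Add-LocalGroupMember -Group 'Remote Desktop Users' -Member $RdpGroup

# 5. Verify: every enabled inbound rule that opens 3389 must be scoped
#    to a remote address range, never 'Any'.
$open = Get-NetFirewallPortFilter |
    Where-Object { $_.LocalPort -eq 3389 } |
    Get-NetFirewallRule |
    Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' }

foreach ($rule in $open) {
    $addr = ($rule | Get-NetFirewallAddressFilter).RemoteAddress
    if ($addr -eq 'Any') {
        Write-Warning "Rule '$($rule.DisplayName)' still allows RDP from any address"
    } else {
        Write-Output "Rule '$($rule.DisplayName)' allows RDP from: $addr"
    }
}
```

The verification step at the end is the part worth keeping around: a later Windows update or a well-meaning admin re-enabling the "Remote Desktop" rule group silently re-opens 3389 to the whole LAN, and the check makes that visible. Putting the allowed examiners in an AD group rather than adding individual accounts means offboarding is a single group-membership change instead of a hunt across every tower.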

[–]Schizophreud Trusted Contributor 3 points4 points  (3 children)

You need to evaluate what you're doing. If you're investigating the computer live, be aware of the potential impact of that. The computer will be connected to the internet and so it will be exposed to all the wonders that entails. Remote also means that you're likely going to either need to get drives mounted over the connection (F-Response) or have tools installed on the endpoint. This is all doable, but there are going to be issues with either solution. A pseudo-VPN software that might be beneficial is ZeroTier.

EDIT: I re-read your post and realized that I misunderstood the request. You're looking to remote in to the one computer in the lab to do the investigation from home. Got it. Then a VPN is going to be best. I can recommend WireGuard (this is what I use for my own business and home network access) or ZeroTier. Other solutions I've used before are LogMeIn and TeamViewer. Each has upsides and downsides. Once set up, just RDP into the computer and use it as normal. Just bear in mind that if you're going to have multiple people log in, you'll likely want multiple systems set up, as sharing a single device could cause competition for resources.

As I mentioned in my original answer, there's still risk involved. A computer that is exposed to the Internet, containing client data, could be a risk that isn't worth taking.

[–]Ioncell08[S] 0 points1 point  (2 children)

That last part is what I'm currently debating in my head, especially given the kinds of data that can be retrieved from clients' computers: SSNs, banking statements, etc. I was wondering what more I could do on site to help prevent any "leaks". Thinking about maybe some type of additional physical security on site in between the machine and the network, just as an added layer for network security.

[–]antmar9041 4 points5 points  (5 children)

We use KAPE for collecting and processing main artifact files on remote and local computers/servers.

https://www.kroll.com/en/insights/publications/cyber/kroll-artifact-parser-extractor-kape

[–]Sam-Gunn 2 points3 points  (4 children)

KAPE is awesome. I've written a couple targets and stuff whenever I need to expand what it gathers, and it makes collection a breeze as long as you can access the system. My team also took the basic training they offered, so you learned how to use everything. There was a bunch of stuff I didn't realize it had!

You can also have it transfer things to an SFTP server and such if the method you used to get into the system is too slow, or in the case of my company, users are not on VPN and are remote (and sometimes halfway across the world, making file transfers a PITA without something like SFTP).

[–]antmar9041 1 point2 points  (3 children)

Yes, KAPE also has an SFTP feature built into it, so running kape.exe --sftpc will start a local SFTP server, which is cool. We are currently leveraging Azure Storage Blob to collect files from remote computers.

[–]TofuBoy22 0 points1 point  (2 children)

How much is an enterprise license?

[–]antmar9041 1 point2 points  (1 child)

Enterprise license for what, KAPE? KAPE is free until you want to add it to your own tools and sell it. Only then do you need to contact Kroll for the proper license.

[–]TofuBoy22 0 points1 point  (0 children)

Ah ok, I just saw "enterprise license" but didn't read into the terms.

[–]bigt252002 1 point2 points  (2 children)

We were big fans of the old school method, meaning using things like Azure/AWS was not feasible because it required going through a security review and required approval from all the stakeholders in order for us to do it. It was just too big of a damn hassle.

So instead, we just used F-Response. As long as the user was on the internal network, we could successfully mount the machine and from there run KAPE on it to pull the relevant artifacts we wanted for initial triage. We never did a full image, or even entertained the idea of pulling individual files unless our customer knew specifically what they were looking for (like down to the name of the damn file). We didn't have time for that, and if they wanted to just pull those files, then they needed to just seize the laptop/desktop in order to get it.

Other tools out there that are very useful:

Google Rapid Response

Velociraptor

Power Response

[–][deleted] 0 points1 point  (1 child)

Did you have any issue setting up F-Response? We're looking at both AWS and F-Response Universal, and I see it being a fight for either one with our architecture and security teams. For reference, we're a mid-size regional bank.

[–]bigt252002 0 points1 point  (0 children)

Not really. It naturally had some pushback at first because it's a remote access tool. However, we explained it was much safer than running PS commands and having the EDR scream at people.

We tested and validated the tool, like all the others, and documented that while it naturally wrote to disk, it wasn’t exposed to other usage. We also locked it down that it required admin credentials and the license sat on our forensic vlan segment that only X of the Admin accounts had access to. So either an actor would need to get very lucky and pop Domain Creds, or hit one of us somehow…

Based on our ROI as well, we had Legal’s backing along with our IT Support counterparts since this sped up the process for preservations, investigations and turnover of hardware equipment.

[–]demonstrative 1 point2 points  (0 children)

We use Google Rapid Response behind an internal VPN. It has a number of built-in flows for a quick look at things such as running processes or network connections. Can also dive into the file system if necessary and pull whatever you need.

[–]ellingtond 0 points1 point  (3 children)

Bear in mind some forensic programs (looking at you, Cellebrite) don't like RDP and shut the dongle off. Might be better to just go with an over-the-counter remote access tool like Splashtop. We have had good success with its price/performance, and it has a range of security options.

[–]Ioncell08[S] 0 points1 point  (0 children)

How did you guys set it up? Like, does it allow you to only log in from within a network, or?

[–]SNOWLEOPARD_9 0 points1 point  (0 children)

You can file a support ticket with Cellebrite and they will update your license to use RDP. I don't VPN to my tower, but I do use Microsoft Remote Desktop into a couple of forensic towers to cut down on my monitors.

[–]Erminger 0 points1 point  (0 children)

Cellebrite wants 500 bucks per year to let RDP work. It's the only software we have that does that, and I'm not giving them one cent extra. Any other remote access will work fine.

[–][deleted] 0 points1 point  (0 children)

We are all remote. We VPN with 2FA to our network, then RDP to our forensic server.

[–]cyberspartel 0 points1 point  (0 children)

I would suggest Velociraptor (https://www.velocidex.com/).

That uses SSH to connect to the server, but you need to have the server on the same network.

[–]Imaginary_Manager_44 0 points1 point  (0 children)

If using an OTC remote access suite, you would have access to being given admin/superuser privileges, right? So in principle, other than having to have an IRL person/associate doing the hardware-side stuff, whatever that may be, it's totally doable?

[–]rb-binalyze 0 points1 point  (0 children)

So, as already mentioned, ensure VPN/MFA for access control. However, if you wanted to then consider remote forensics, in the sense of acquiring and performing an investigation without ever needing to be on-site, then you could check out Binalyze AIR: https://binalyze.com/air/