Perform Remote Collections of Endpoints with Confidence
As a forensic examiner in the corporate environment, you have a handful of tools to choose from to help you with your investigations. You have your legacy tools like EnCase, maybe a tool specifically for remote acquisitions like F-Response, and probably even some other open source or custom tools to help you out.
However, choosing the right tool is important so that you can do your job quickly and effectively. If you don’t, you could be wasting valuable time fighting with your technology rather than fighting the threats and attacks you’re investigating.
Why Having the Right Tool is Important
Let’s take a look at a simple example to help demonstrate why having the right toolset is important.
Perhaps the following scenario may seem a bit all too familiar…
You get a notification from your SOC Analyst that there is potentially malicious activity, on an endpoint at one of your satellite offices halfway across the world. You assume the worst case: network intrusion, malware or ransomware attack, IP theft, data exfiltration, and the list goes on… As you run through this list, you groan because you know:
- Time is going to be of the essence and you’re going to have a variety of stakeholders—everyone from half the SOC to senior leadership and IT—waiting for you to complete the remote collection.
- Your current tools (let’s say for the sake of argument it’s EnCase) actually performing the remote acquisition is going to be a challenge. You’re unsure if you’ll actually be able to connect to the agent already on the target endpoint and even if you do, the chance of it timing out and then having to start the collection from the beginning is very likely if not inevitable. All the while you’re hoping the target endpoint isn’t a Mac because if it is, the likelihood of your current remote collection tool working just plummeted.
Using Magnet AXIOM Cyber to Create a Covert Agent and Begin the Investigation
It doesn’t have to be this way…
Now imagine this: that same notification from your SOC Analyst comes in, that surge of adrenaline that hits, you jump into your new forensics tool Magnet AXIOM Cyber and quickly create a covert agent that you’re going to deploy to the target endpoint.
You cleverly name the agent “explorer.exe” because you know that the end user won’t be suspicious of that name and get tipped off that a remote acquisition is happening. The agent gets deployed and connects within seconds. You’re confident that the collection will complete no problem because even if the endpoint goes offline, your collection will be paused and then will resume right where it left off and keep going.
You finish the acquisition and then within the same tool, AXIOM Cyber, you begin your investigation. You find out there is indeed malicious activity going on—the user clicked on a link in an email that was a phishing attack—and you report back to your SOC Analyst who then quickly remediates the situation and then sends you this Giphy on Slack:
By the way, the endpoint was a Mac but you weren’t worried because AXIOM Cyber has never let you down when collecting from a Mac (even when they have T2 security chips and are SIP enabled).
That whole scenario is made possible by Magnet AXIOM Cyber: a forensics platform that can perform remote acquisitions and then do the analysis and reporting.
Watch this video to see the remote collection of a Mac in action:
Ready to try Magnet AXIOM Cyber? Request a free trial or visit https://www.magnetforensics.com/products/magnet-axiom-cyber/ to learn more.