9.1 Alpha 3 - Remote forensics investigation

  • 9.1 Alpha 3 - Remote forensics investigation

    Hi
    I tried 9.1 Alpha. So cool that I can now run Remote Investigation; since I started using OSF, that was a feature I missed.
    In the next few days I will use it to try my malware investigations with OSF remote. I isolate the PC from the network with Cortex;
    only the OSF share and shell access from my analyzer PC are allowed. Then I can try to use OSF in my workflow for things other than
    capturing the whole hard disk.

    Very cool feature for me

    best

    Andre

  • #2
    As of yesterday a V9.1 Beta release is available. This has some better documentation of the requirements & method for remote acquisition. If you encounter any problems, or if anything doesn't make sense, please let us know.

    Forensics remote acquisition


    • #3
      Hi David

      I tried the features but ran into problems. The main problem is that if I save the config, OSF asks
      for a password for decryption. If I try to reopen that saved config I get:

      [Screenshot: Screenshot 2021-11-04 Do. 11.17.22.png]

      There are some other problems: if the network is not online (acquire with VPN), the whole process breaks, and after that
      OSF can't connect to the same host again and tells me the password is wrong (same as when loading the config).

      First of all, cool idea and nice feature. I cannot use it if I must run OSF the whole time, but it will give me more options.
      But it looks like there are some problems. First of all, nobody can guarantee a stable running network connection; if that
      is a must-have, I can also mount c$ in my OSF VM, then I do not need Remote Acquire.

      I am very interested in that feature; let me know if I can do some tests to solve the problems, OK?

      best

      Andre


      • #4
        Hi David,

        I tried something out: the process OSForensic.exe stays alive if a remote session was broken.
        That's why I cannot run again against a computer where the remote acquire was broken.

        I made a dump file (debug mode) where your team can see the whole set of problems.

        They are:
        1. Save/load config
        2. Session broken
        3. No connection, wrong password (but the PW is 100% the real one)

        I put the files in my Dropbox and sent your support a link for download.

        best

        Andre


        • #5
          We'll have a look at the issues.
          But we don't seem to have received an Email with a Dropbox link.

          But I think it is fair to say, if you are doing remote data collection, you need a stable network link. But of course we need to make sure it fails gracefully if the network isn't available and that the operation can be re-tried once the network comes back.


          • #6
            Hi David
            The logs are smaller than I expected. I have sent two mails, one with logs and a second with some screenshots.
            I hope the mails have reached you.
            best

            Andre


            • #7
              We have fixed a problem with the config file. We'll do a new release on Monday to try.


              • #8
                Hi David
                I found a second issue: the remote process stops responding. I tried to find out why and found that User Activity is what causes the problem.
                If I try a remote acquire step by step, everything works, but if I try User Activity the osf64 process hangs on the target.
                In OSF I then get a message that the remote process is not responding.

                Is there a way to start remote acquire in debug mode?


                best

                Andre


                • #9
                  Hi David,
                  Cool news, I will try that after you make a new version downloadable.

                  best

                  Andre


                  • #10
                    There is a new beta build available now to try.

                    We'll also add the ability to use the global "Debug mode" flag in the next release.


                    • #11
                      Beta 4 is now available. If you turn on debug mode you should get a debug log
                      https://www.osforensics.com/download...9_1_Beta_4.exe
