Thursday, April 17, 2014

Final Reflections


After many months of working on this project, I believe I have reached its endpoint, where I feel comfortable demonstrating its functionality to the public. In the end I was able to design a tool that will automatically image the logical volume, physical disk and physical memory off of any Windows machine.


Overall this was a very challenging, but also rewarding, project. I learned a large amount about the functionality of F-Response Enterprise Edition, and I came across first-hand many of the advantages and limitations that come with writing an entire script using only Windows PowerShell. Many of these issues are due to a lack of an easy way to send data between my main script and the many background jobs that I am required to run.

One of my later decisions in the design process was to add progress bars to the graphical user interface. While I liked the original output, I felt that a gradually filling bar would be much clearer to the user; much of the output text is also still reported and saved within a log file specified by the user. I also performed a variety of speed tests to ensure that my script was indeed faster than other popular forensic tools. When putting F-Response and X-Ways up against EnCase, X-Ways was able to image the target drive in nearly half the time. These findings were consistent when automating X-Ways through my script.


I believe that this tool has the potential to become a valuable tool in any digital examiner's arsenal. It would excel in an environment in which you would need to image a large number of machines quickly and somewhat covertly. There is very little indication that the images are occurring on the target machines while the script is running. In the end, X-Ways Forensics and F-Response work exceptionally well together, and I believe the automation of these large imaging processes is a significant and time-saving addition that any digital examiner should be aware of.
