BBC 'vague' reporting again!
Peter Sommer
ukcrypto at chiark.greenend.org.uk
Mon, 01 Dec 2008 16:58:03 +0000
>
> LiveWire from WetStone claims to do the same thing without requiring
> dedicated software on the target machine; it just requires
> administrator access. See
> https://www.wetstonetech.com/cgi/shop.cgi?view,14 for details.

I haven't had an opportunity to use LiveWire. However, if you are going
to collect data from a computer which is of forensic value then the
principle of the smallest possible chance of contamination during the
process applies. That surely limits the number of attempts that can be
made to obtain access. LiveWire, like EnCase, appears to use a servlet.
See Steps 3 and 4 of their explanation: LiveWire Investigator™ Remote
Forensic Discover Module (RFMD) is pushed and is executed as a kernel
level process. The RFMD performs evidence collection operations based on
user specifications.

In my earlier email I described how EnCase Enterprise works - the
servlet is installed by the corporate owner. In a law enforcement
situation the investigator plainly has to find a covert means to get the
servlet onto the target - but the literature on the website, or at
least that which is openly accessible, does not spell out how!

Incidentally, covert installation of these products will have to overcome
regular antivirus products - even if the servlets are not in the
signature library, heuristics could spot them at the point of
installation. Once deployed, of course, a reasonably well set-up firewall
will spot the unexpected incoming command traffic and (even more) the
outgoing traffic.

Peter Sommer
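The closing point of the post, that a well set-up firewall will notice command traffic arriving at a machine and the collected data leaving it, is the kind of check a defender can automate. The following script is an added example written for this list archive; it is not code from the post, from WetStone or from Guidance Software. It assumes a constructed firewall log format, a constructed monitored workstation address, and a hand-written baseline of the destinations and listening ports that workstation normally uses; anything outside that baseline is reported.

```python
"""Flag network traffic that falls outside a workstation's known baseline.

Constructed example: the log line format, the addresses and the baseline
sets below are assumptions made for illustration, not the output or the
configuration of any real firewall product.
"""
import re
from typing import Dict, List, Optional, Set, Tuple

# Assumed (constructed) log format:
#   "<timestamp> <ALLOW|DENY> <TCP|UDP> <src>:<sport> -> <dst>:<dport>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ALLOW|DENY) (?P<proto>TCP|UDP) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

WORKSTATION = "10.0.1.20"  # constructed: the host whose traffic we baseline

# Constructed egress baseline: (destination, port) pairs the workstation
# is expected to talk to (internal DNS, file server, web proxy).
EGRESS_BASELINE: Set[Tuple[str, int]] = {
    ("10.0.0.5", 53),
    ("10.0.0.7", 445),
    ("10.0.0.8", 3128),
}
# Constructed ingress baseline: ports the workstation legitimately serves.
INGRESS_BASELINE: Set[int] = {445}


def parse_line(line: str) -> Optional[Dict[str, object]]:
    """Parse one log line into a record, or return None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    return {
        "ts": d["ts"], "action": d["action"], "proto": d["proto"],
        "src": d["src"], "sport": int(d["sport"]),
        "dst": d["dst"], "dport": int(d["dport"]),
    }


def classify(rec: Dict[str, object]) -> Optional[str]:
    """Return a reason string if the record is unexpected for WORKSTATION.

    Outbound connections are compared against the egress baseline, inbound
    connections against the set of ports the workstation is allowed to serve.
    Traffic not involving the workstation is ignored.
    """
    if rec["src"] == WORKSTATION:
        if (rec["dst"], rec["dport"]) not in EGRESS_BASELINE:
            return f"unexpected outbound {rec['proto']} to {rec['dst']}:{rec['dport']}"
        return None
    if rec["dst"] == WORKSTATION:
        if rec["dport"] not in INGRESS_BASELINE:
            return (f"unsolicited inbound {rec['proto']} from {rec['src']} "
                    f"to port {rec['dport']}")
        return None
    return None


def scan(lines: List[str]) -> List[Tuple[str, str]]:
    """Run every parseable line through classify() and collect the findings."""
    findings: List[Tuple[str, str]] = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable lines are skipped, not treated as findings
        reason = classify(rec)
        if reason:
            findings.append((str(rec["ts"]), reason))
    return findings


# Constructed sample log: two baseline lookups, one inbound connection to a
# port the workstation does not normally serve, one outbound connection to a
# host outside the baseline, one legitimate inbound SMB session, and junk.
SAMPLE_LOG = [
    "2008-12-01T10:00:01 ALLOW UDP 10.0.1.20:51234 -> 10.0.0.5:53",
    "2008-12-01T10:00:02 ALLOW TCP 10.0.1.20:51235 -> 10.0.0.8:3128",
    "2008-12-01T10:03:10 ALLOW TCP 192.0.2.44:40021 -> 10.0.1.20:7001",
    "2008-12-01T10:03:12 ALLOW TCP 10.0.1.20:51300 -> 192.0.2.44:8443",
    "2008-12-01T10:05:00 ALLOW TCP 10.0.0.9:49152 -> 10.0.1.20:445",
    "garbage line that does not parse",
]

if __name__ == "__main__":
    for ts, reason in scan(SAMPLE_LOG):
        print(ts, reason)
```

Run as-is, it reports the inbound connection to port 7001 and the outbound connection to 192.0.2.44:8443, and nothing else. The baseline is deliberately an explicit allow-list rather than a signature of any particular tool, which is what makes the check catch traffic that no signature library yet knows about; the cost is that the baseline must be maintained as the workstation's legitimate destinations change.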