Cyber Security Technologies Corporation (CST) is the innovation leader in affordable software products for computer investigations. CST was formed by industry veterans who see the need for new investigative tools designed for the changing investigative environment. We are dedicated to delivering technically advanced but easy-to-use software products for corporations, government agencies, service providers and law enforcement, as well as related training and certification. CST is an affiliate of Architecture Technology Corporation, a technology company specializing in software-intensive solutions for complex problems in IT security and high-security network computing applications.
OnLineDFS is implemented using our patent-pending OnLine InVestigative Environment (OLIVE) two-tiered architecture. The first tier is the OnLineDFS server, which provides functionality through a web-server-based infrastructure. The server is normally installed within a secure environment on the network. Investigations are created and managed by the OnLineDFS server, and stored either internally or on an external data store that is also installed within a secure environment on the network.
The second tier of the architecture is the investigator's module. OnLineDFS allows an investigator to work directly at the server machine, or remotely through a web interface. A remote investigator's workstation can be located anywhere on the internet where access is available through a secure web connection. No application software is required to be installed on the investigator's module other than a standards-compliant web browser. All major web browsers are supported by the OnLineDFS investigator's module, including Microsoft Internet Explorer, the Mozilla Suite, Mozilla Firefox, and Opera.
Enterprise Configuration
OnLineDFS is simple to deploy and operate. The application and the data store typically are installed within a secure location, such as a network operations or data center. The investigator works through a standard web browser, which can be either remote from the system on which OnLineDFS is installed or on the same system. The following figure illustrates a typical configuration for OnLineDFS.
Figure: OnLineDFS Configuration
The target "system under investigation" can be located anywhere on the network; it can be a client or server system; and it can be actively used or unattended at the time of investigation. The investigator needs a user ID and password to begin an investigation. The following operating environments are supported: Microsoft Windows XP Professional, 2000, NT 4.0 or higher, and Server 2003; and popular versions of UNIX and Linux. OnLineDFS investigators and administrators connect to the OnLineDFS machine via a web browser using SSL.
How Does It Work?
We have designed an original investigative framework around three main principles:
Volatile data is vital to capture in investigative situations and is the best and quickest way to assess computer security issues in an enterprise environment;
Persistent data can be found and extracted from live systems in a focused way so as to obtain just the information that is required, without operational disruption; and
The application should deliver productivity tools to make the investigator's job quicker and easier.
Incident response illustrates these principles. With OnLineDFS, an IT security professional can quickly and discreetly inspect a computing device (workstation, server, etc.) with a known or suspected security problem, and make a rapid assessment of the potential problem. Then, we provide data-gathering and analytical tools to help the investigator take the analysis wherever the data may lead. Our tools enable the examination of running processes, applications, files, memory, external connections, and the like, and enable the investigator to capture real-time, relevant data in a sound forensic manner.
All of this work is done with the target computer running and in place. Its operating context is preserved, its running state is captured and operations are not disrupted. The operator of the computer being investigated does not need to be aware that the investigation is taking place. In fact, we built our application to allow the investigator to conduct the examination from anywhere a secure internet connection is available.
OnLineDFS Server
OnLineDFS is installed on a Microsoft Windows XP Professional system running Service Pack 2.
Web access to OnLineDFS functionality is provided by the Apache web server with the Secure Sockets Layer (SSL) extension.
OnLineDFS uses a mixture of shell scripts and native applications for data acquisition and viewing.
It is recommended that an external data store (USB or FireWire) be attached to the OnLineDFS server to facilitate storage of inquiry data.
OnLineDFS Investigator's Module
No application software is required to be installed on the investigator's workstation.
Can be any machine on the internet capable of connecting to the OnLineDFS server machine through a secure web connection (HTTPS).
Must have a standards-compliant web browser installed. Recommended browsers include Microsoft Internet Explorer, the Mozilla Suite, Mozilla Firefox, and Opera.
The investigator's module does not need to be on a high-speed connection, although a higher connection speed will increase responsiveness between the OnLineDFS server and the investigator's module.
OnLineDFS performs investigations on live, running target systems. More detailed technical specifications for target systems are given below.
OnLineDFS Target Systems
The supported operating systems for targets of an investigation are:
Microsoft Windows XP Professional
Microsoft Windows 2000
Microsoft Windows Server 2003
Microsoft Windows NT 4
Redhat Linux 9
Redhat Enterprise Server
Redhat Fedora Core
Suse Linux 8 - United Linux version
FreeBSD 4.10
Solaris 8 - SPARC hardware only
Mac OS X - version 10.3
No software of any kind needs to be pre-installed on the target system.
The target system must be running and connected to the same private network as the OnLineDFS server.
If a firewall is installed between the OnLineDFS server and the target, it must be configured to allow the OnLineDFS connections to pass through unhindered.
Target systems may be any host installed on the network and running one of the supported operating systems, including desktop workstations, laptops and servers.
Display Data
Once the desired data has been acquired from the target system, the OnLineDFS server machine formats the data and displays it in a web page for the investigator to view. OnLineDFS creates tables that relate different data for easy viewing and interpretation by the investigator. Investigators also have the ability to download a copy of any gathered data for supplementary analysis.