OnLineDFS Architecture
Introduction
OnLineDFS is implemented using our patent-pending two-tiered architecture. The first tier is the OnLineDFS server, which provides its functionality through a web-server based infrastructure. The server is normally installed within a secure environment on the network. Investigations are created and managed by the OnLineDFS server and stored either internally or on an external data store, which is also installed within a secure environment on the network.
The second tier of the architecture is the investigator's module. Two configurations of the investigator's module are provided. The Single-User Version of OnLineDFS allows an investigator to work directly at the server machine; only one investigator may have access to OnLineDFS at a time in this configuration. The Multi-User Version of OnLineDFS allows the investigator to work remotely and access OnLineDFS through a web interface. A remote investigator's workstation may be located anywhere on the internet from which the network hosting OnLineDFS and the target system can be reached over a secure web connection. Up to six investigators may access OnLineDFS and perform concurrent investigations when using the Multi-User Version of OnLineDFS.
No application software needs to be installed on the investigator's module other than a standards-compliant web browser. All major web browsers are supported by the OnLineDFS investigator's module, including Microsoft Internet Explorer, the Mozilla Suite, Mozilla Firefox, and Opera.
No software of any kind needs to be pre-installed on the target system.
OnLineDFS Deployment
OnLineDFS is simple to deploy and operate. The application and the data store are typically installed within a secure location, such as a network operations or data center. The investigator works through a standard web browser, either on the system on which OnLineDFS is installed or on a remote system. The following figure illustrates the Multi-User Version configuration of OnLineDFS. In the Multi-User Version, up to six investigators may perform investigations concurrently through one instance of OnLineDFS.
Multi-User Version Configuration
The target "system under investigation" can be located anywhere on the network; it can be a client or server system; and it can be actively used or unattended at the time of investigation. The investigator needs administrative credentials (account and/or password) for the target system to begin an investigation. OnLineDFS can collect information from target machines on an Intel® x86 architecture running Microsoft Windows Vista (32-bit versions), Microsoft Windows Server 2003, Microsoft Windows XP Professional, Microsoft Windows 2000, or Microsoft Windows NT4, from Mac OS X on a PowerPC architecture, and from several varieties of Unix and Linux. OnLineDFS investigators and administrators connect to the OnLineDFS machine via a web browser using SSL.
How Does It Work?
We have designed an original investigative framework around three main principles:
- Volatile data is vital to capture in investigative situations and is the best and quickest way to assess computer security issues in an enterprise environment;
- Persistent data can be found and extracted from live systems in a focused way so as to obtain just the information that is required, without operational disruption; and
- The application should deliver productivity tools to make the investigator's job quicker and easier.
Incident response illustrates these principles. With OnLineDFS, an IT security professional can quickly and discreetly inspect a computing device (workstation, server, etc.) with a known or suspected security problem, and make a rapid assessment of the potential problem. Then, we provide data-gathering and analytical tools to help the investigator take the analysis wherever the data may lead. Our tools enable the examination of running processes, applications, files, memory, external connections, and the like, and enable the investigator to capture real-time, relevant data in a sound forensic manner.
All of this work is done with the target computer running and in place. Its operating context is preserved, its running state is captured and operations are not disrupted. The operator of the computer being investigated does not need to be aware that the investigation is taking place. In fact, we built our application to allow the investigator to conduct the examination from anywhere a secure internet connection is available.
OnLineDFS Server
- OnLineDFS may be installed on Microsoft Windows XP Professional (Service Pack 2 or later) or Windows Vista (32-bit version).
- Web access to OnLineDFS functionality is provided by the Apache web server with the Secure Sockets Layer (SSL) extension.
- OnLineDFS uses a mixture of shell scripts and native applications for data acquisition and viewing.
- It is recommended that an external data store (USB or FireWire) be attached to the OnLineDFS server to facilitate storage of inquiry data.
OnLineDFS Investigator's Module
- No application software needs to be installed on the investigator's workstation.
- The investigator's module can be any machine on the internet capable of connecting to the OnLineDFS server machine through a secure web connection (HTTPS).
- It must have a standards-compliant web browser installed. Recommended browsers include Microsoft Internet Explorer, the Mozilla Suite, Mozilla Firefox, and Opera.
- The investigator's module does not need to be on a high-speed connection, although a higher connection speed will increase responsiveness between the OnLineDFS server and the investigator's module.
OnLineDFS performs investigations on live, running target systems. More detailed technical specifications for target systems are given below.
OnLineDFS Target Systems
- The supported operating systems for targets of an investigation are Microsoft® Windows Vista (32-bit versions), Microsoft Windows Server 2003, Microsoft Windows XP Professional, Microsoft Windows 2000, Microsoft Windows NT4, Mac OS X on a PowerPC architecture, and several varieties of Unix and Linux. No software of any kind needs to be pre-installed on the target system.
- The target system must be running and connected to the same private network as the OnLineDFS server.
- If a firewall is installed between the OnLineDFS server and the target, it must be configured to allow the OnLineDFS connections to pass through unhindered.
- Target systems may be any host installed on the network and running the supported operating systems including desktop workstations, laptops and servers.
Display Data
Once the desired data has been acquired from the target system, the OnLineDFS server machine formats the data and displays it in a web page for the investigator to view. OnLineDFS creates tables that relate different data for easy viewing and interpretation by the investigator. Investigators also have the ability to download a copy of any gathered data for supplementary analysis. Third-party tools may generally be used to analyze data collected using OnLineDFS.
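The "How Does It Work?" principles above (capturing volatile data first, in a sound forensic manner) and the display and download step described here come together in an acquisition manifest: each artifact is hashed and timestamped the moment it is collected, so a copy downloaded later can be checked against what was actually captured. The following is an added illustration of that idea and is not OnLineDFS code; the collector functions, the sample command outputs, the target name "ws-0042", and the volatility categories are all constructed for the example. Real collectors would run the acquisition tools over the session to the live target.

```python
"""Added illustration (not OnLineDFS code): a minimal live-acquisition manifest.

Artifacts are collected most-volatile-first (following RFC 3227 guidance),
hashed immediately, and rendered as a table; downloaded copies can be
verified against the recorded hash."""
import hashlib
import json
from datetime import datetime, timezone
from typing import Callable, Dict, List, Optional

# Constructed volatility ranking, most volatile first. The categories mirror
# the page's examples of what a live examination covers.
VOLATILITY_ORDER = ["memory", "processes", "connections", "files"]


def acquire(name: str, category: str, target: str, collector: Callable[[], bytes],
            collected_at: Optional[datetime] = None) -> Dict:
    """Run one collector against the live target and return a manifest entry.

    The raw bytes are hashed at acquisition time so that any copy handed to
    third-party tools later can be shown to match the original capture."""
    data = collector()
    when = collected_at or datetime.now(timezone.utc)
    return {
        "name": name,
        "category": category,
        "target": target,
        "collected_at": when.isoformat(),
        "size": len(data),
        "sha256": hashlib.sha256(data).hexdigest(),
        "data": data,
    }


def build_manifest(entries: List[Dict]) -> List[Dict]:
    """Sort entries most-volatile-first and strip the raw data, leaving only
    the metadata an investigator would file with the case record."""
    rank = {c: i for i, c in enumerate(VOLATILITY_ORDER)}
    ordered = sorted(entries, key=lambda e: rank.get(e["category"], len(rank)))
    return [{k: v for k, v in e.items() if k != "data"} for e in ordered]


def verify_copy(manifest_entry: Dict, downloaded: bytes) -> bool:
    """Check a downloaded copy against the hash recorded at acquisition time."""
    return hashlib.sha256(downloaded).hexdigest() == manifest_entry["sha256"]


def render_table(manifest: List[Dict]) -> str:
    """Render the manifest as a fixed-width text table for display."""
    cols = ["name", "category", "target", "collected_at", "size", "sha256"]
    widths = {c: max(len(c), *(len(str(e[c])) for e in manifest)) for c in cols}
    lines = [" | ".join(c.ljust(widths[c]) for c in cols)]
    lines.append("-+-".join("-" * widths[c] for c in cols))
    for e in manifest:
        lines.append(" | ".join(str(e[c]).ljust(widths[c]) for c in cols))
    return "\n".join(lines)


# Constructed sample outputs standing in for what collectors would return
# from a live target (hypothetical host "ws-0042").
SAMPLE_OUTPUT = {
    "process list": b"PID  NAME\n4    System\n812  svchost.exe\n2044 notepad.exe\n",
    "netstat": b"TCP 10.0.0.5:49152 203.0.113.7:443 ESTABLISHED\n",
    "hosts file": b"127.0.0.1 localhost\n",
}


def demo_manifest(collected_at: Optional[datetime] = None) -> List[Dict]:
    """Acquire the constructed samples in an arbitrary order and let
    build_manifest put them into volatility order."""
    fixed = collected_at or datetime(2008, 1, 1, tzinfo=timezone.utc)
    entries = [
        acquire("hosts file", "files", "ws-0042", lambda: SAMPLE_OUTPUT["hosts file"], fixed),
        acquire("process list", "processes", "ws-0042", lambda: SAMPLE_OUTPUT["process list"], fixed),
        acquire("netstat", "connections", "ws-0042", lambda: SAMPLE_OUTPUT["netstat"], fixed),
    ]
    return build_manifest(entries)


if __name__ == "__main__":
    manifest = demo_manifest()
    print(render_table(manifest))
    print(json.dumps(manifest, indent=2))
```

The manifest records the target, the collection time, the size and the SHA-256 of every artifact but not the artifact bytes themselves, so it can be filed alongside the case while the raw captures sit on the external data store; `verify_copy` is what an investigator would run before feeding a downloaded copy to a third-party tool.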