The second tier of the architecture is the investigator's module. OnLineDFS allows an investigator to work directly at the server machine or remotely through a web interface. A remote investigator's workstation can be located anywhere on the internet from which the server is reachable over a secure web connection (HTTPS). No application software needs to be installed on the investigator's module other than a standards-compliant web browser. All major web browsers are supported by the OnLineDFS investigator's module, including Microsoft Internet Explorer, the Mozilla Suite, Mozilla Firefox and Opera.
Enterprise Configuration
OnLineDFS is simple to deploy and operate. The application and the data store are typically installed in a secure location, such as a network operations center or data center. The investigator works through a standard web browser, either remote from the system on which OnLineDFS is installed or on that same system. The following figure illustrates a typical configuration for OnLineDFS.
Figure: OnLineDFS Configuration
The target "system under investigation" can be located anywhere on the network; it can be a client or server system; and it can be actively in use or unattended at the time of investigation. The investigator needs a user ID and password to begin an investigation. The following operating environments are supported: Microsoft Windows XP Professional, 2000, NT 4.0 or higher and Server 2003; and popular versions of UNIX and Linux. OnLineDFS investigators and administrators connect to the OnLineDFS machine via a web browser using SSL.
How Does It Work?
We have designed an original investigative framework around three main principles:
- Volatile data is vital to capture in investigative situations and is the best and quickest way to assess computer security issues in an enterprise environment;
- Persistent data can be found and extracted from live systems in a focused way so as to obtain just the information that is required, without operational disruption; and
- The application should deliver productivity tools to make the investigator's job quicker and easier.
All of this work is done with the target computer running and in place. Its operating context is preserved, its running state is captured and operations are not disrupted. The operator of the computer being investigated does not need to be aware that the investigation is taking place. In fact, we built our application to allow the investigator to conduct the examination from anywhere a secure internet connection is available.
OnLineDFS Server
- OnLineDFS is installed on a Microsoft Windows XP Professional system running Service Pack 2.
- Web access to OnLineDFS functionality is provided by the Apache web server with the Secure Sockets Layer (SSL) extension.
- OnLineDFS uses a mixture of shell scripts and native applications for data acquisition and viewing.
- It is recommended that an external data store (USB or FireWire) be attached to the OnLineDFS server to hold acquired inquiry data.
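The volatile-first, agentless model described under "How Does It Work?", and the "shell scripts and native applications" acquisition the server section mentions, look like this in practice. The script below is an added illustration, not OnLineDFS code, and covers UNIX-style targets only: the target half runs native commands in order of volatility and prints framed output, writing nothing to the target's disk; the server half splits the stream into per-artifact files on the data store and hashes them into a manifest so integrity can be re-checked later. The section names, the BEGIN/END framing, the ssh transport and the evidence path in the usage comment are all assumptions made for this example.

```shell
#!/bin/sh
# Added example of agentless live response (not OnLineDFS code): the target
# needs no installed software, a script is pushed through an existing remote
# shell, and every byte of output lands on the examiner's data store.
# Section names, the "=== BEGIN/END" framing and the ssh transport are assumed.

# --- target side -----------------------------------------------------------
# Runs one native command and frames its output. Nothing is written to the
# target's disk: all output goes to stdout, which the server captures. A
# missing tool is recorded rather than aborting, so the rest still runs.
section() {
  name="$1"; shift
  printf '=== BEGIN %s ===\n' "$name"
  if command -v "$1" >/dev/null 2>&1; then
    "$@" 2>&1 || true
  else
    printf 'unavailable: %s not found on target\n' "$1"
  fi
  printf '=== END %s ===\n' "$name"
}

# Ordered from most to least volatile (clock, uptime, sessions, processes,
# sockets, routes, mounts) so the state most likely to change is taken first.
# SysV ps/netstat syntax; BSD-derived targets would use ps aux / netstat -an.
collect_volatile() {
  section date_utc   date -u
  section uptime     uptime
  section logged_in  who
  section processes  ps -ef
  section sockets    netstat -an
  section routes     netstat -rn
  section mounts     mount
}

# --- server side -----------------------------------------------------------
hash_files() {
  if command -v sha256sum >/dev/null 2>&1; then sha256sum "$@"; else shasum -a 256 "$@"; fi
}

# Reads the framed stream on stdin, writes each section to its own file under
# the evidence directory (meant to live on the external data store), then
# hashes every artifact into MANIFEST.sha256.
store_evidence() {
  outdir="$1"
  mkdir -p "$outdir"
  awk -v dir="$outdir" '
    /^=== BEGIN / { file = dir "/" $3 ".txt"; printf "" > file; next }
    /^=== END /   { close(file); file = ""; next }
    file != ""    { print > file }
  '
  ( cd "$outdir" && hash_files *.txt > MANIFEST.sha256 )
}

# Re-checks every stored artifact against the manifest; non-zero on mismatch.
verify_manifest() {
  ( cd "$1" && if command -v sha256sum >/dev/null 2>&1; then
      sha256sum -c MANIFEST.sha256 >/dev/null
    else
      shasum -a 256 -c MANIFEST.sha256 >/dev/null
    fi )
}

# Typical use from the examiner's server (hypothetical host and path):
#   { cat live_volatile.sh; echo collect_volatile; } \
#     | ssh root@target sh | store_evidence /mnt/evidence/case42
#   verify_manifest /mnt/evidence/case42
```

Because the collector only touches stdout, the examiner's channel (ssh here, assumed) is the only thing that moves data, which keeps the target's filesystem timestamps and free space untouched and leaves the operator nothing to notice. The manifest is produced on the server side, never on the target, so a compromised host cannot tamper with its own hashes.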
OnLineDFS Investigator's Module
- No application software is required to be installed on the investigator's workstation.
- Can be any machine on the internet able to reach the OnLineDFS server machine over a secure web connection (HTTPS).
- Must have a standards-compliant web browser installed. Recommended browsers include Microsoft Internet Explorer, the Mozilla Suite, Mozilla Firefox, and Opera.
- The investigator's module does not need to be on a high-speed connection, although a higher connection speed will increase responsiveness between the OnLineDFS server and the investigator's module.
OnLineDFS Target Systems
- The supported operating systems for targets of an investigation are:
  - Microsoft Windows XP Professional
  - Microsoft Windows 2000
  - Microsoft Windows Server 2003
  - Microsoft Windows NT 4
  - Red Hat Linux 9
  - Red Hat Enterprise Server
  - Red Hat Fedora Core
  - SUSE Linux 8 - UnitedLinux version
  - FreeBSD 4.10
  - Solaris 8 - SPARC hardware only
  - Mac OS X - version 10.3
- No software of any kind needs to be pre-installed on the target system.
- Target system must be running and connected to the same private network as the OnLineDFS server.
- If a firewall is installed between the OnLineDFS server and the target, it must be configured to allow the OnLineDFS connections to pass through unhindered.
- Target systems may be any host on the network running one of the supported operating systems, including desktop workstations, laptops and servers.