Set and forget forensic freeware

HBGary has released FGET, a new freeware tool that automates forensic data acquisition over a network.

It simplifies the process of acquiring forensically sound copies of data from the hard drive, including the Prefetch directory, the system32\config directory and every user's NTUSER.DAT file.

FGET, short for “Forensic Get”, is a network-capable forensic data acquisition tool. Its primary function is collecting sets of forensically interesting files from one or more remote Windows machines.

FGET starts by creating a local repository folder at C:\FGETREPOSITORY\ and from there automatically creates named sub-folders, one for each machine you run FGET against. FGET can obtain a forensically sound copy of any file on the target system, including files that are locked and in use (pagefiles, registry hives, etc.).

FGET can also fetch NTFS special files that are not normally accessible through the live operating system, such as the $MFT and System Restore point data. FGET is also capable of bringing back a copy of a deleted file, provided the file's FILE record in the MFT has not been overwritten or reused.

According to the company, FGET does the same job as commercial tools costing several thousand dollars.

By default, FGET collects the following set of data for each targeted machine:
• Full user list, complete with NTUSER.DAT file copies;
• Complete contents of the Windows Prefetch directory;
• Complete contents of the windows\system32\config\ directory, including registry hives, event logs and the system SAM database; and
• BONUS: HBGary ActiveDefense customers can also fetch a copy of the last physical memory image taken of the remote machine by appending the “+mem” option to the command line.

All of the above data is collected automatically by targeting a machine with “FGET.exe -scan serverbox1”. You can also collect from a range or list of machines using FGET's “-range” and “-list” options.

In addition to the default dataset, the user can also collect individual remote files on the fly. For example, to make a copy of a remote machine's MFT, all you need to do is:

“FGET.exe -scan SERVERBOX1 -extract C:\$MFT mylocalmftcopy.bin”

Finally, to collect a specific file from a range of machines, you would use the command line:

“FGET.exe -range -extract C:\$MFT”
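Once the -extract command above has pulled a copy of C:\$MFT, the deleted-file claim made earlier (a deleted file is recoverable only while its FILE record has not been overwritten or reused) can be checked directly against that copy. The script below is an added example written for this article, not HBGary code and not part of FGET: it walks the extracted $MFT record by record, undoes the NTFS update-sequence fixups, and lists every record whose in-use flag is clear but which still carries a $FILE_NAME attribute. The sample MFT it runs on is constructed inline; the file name mylocalmftcopy.bin and the record layout constants are taken from the standard NTFS on-disk format, and the helper build_record exists only to fabricate test input.

```python
"""Walk an extracted NTFS $MFT and list FILE records whose in-use flag is
clear: deleted files whose record slot has not been reused yet."""
import struct
from dataclasses import dataclass, field

RECORD_SIZE = 1024          # standard MFT record size
SECTOR_SIZE = 512           # update-sequence fixups protect each 512-byte sector
ATTR_FILE_NAME = 0x30       # $FILE_NAME attribute type
ATTR_END = 0xFFFFFFFF       # end-of-attributes marker
FLAG_IN_USE = 0x0001        # record header flags at offset 0x16
FLAG_DIRECTORY = 0x0002
ROOT_DIR_RECORD = 5         # MFT record number of the volume root directory


@dataclass
class MftEntry:
    record_number: int
    sequence: int           # bumps every time the slot is reused
    in_use: bool
    is_directory: bool
    names: list = field(default_factory=list)   # (name, namespace, parent record)


def apply_fixups(record: bytes) -> bytes:
    """Undo the update-sequence fixup. NTFS stamps the USN over the last two
    bytes of every sector and keeps the real bytes in the update sequence
    array; a mismatch means a torn or corrupt record, so fail loudly."""
    usa_offset, usa_count = struct.unpack_from("<HH", record, 0x04)
    usn = record[usa_offset:usa_offset + 2]
    buf = bytearray(record)
    for i in range(1, usa_count):
        tail = i * SECTOR_SIZE - 2
        if buf[tail:tail + 2] != usn:
            raise ValueError(f"fixup mismatch in sector {i}")
        entry = usa_offset + 2 * i
        buf[tail:tail + 2] = record[entry:entry + 2]
    return bytes(buf)


def parse_record(raw: bytes):
    """Return an MftEntry, or None for a slot that never held a FILE record."""
    if raw[:4] != b"FILE":
        return None
    rec = apply_fixups(raw)
    sequence, _links, attr_off, flags = struct.unpack_from("<HHHH", rec, 0x10)
    record_number = struct.unpack_from("<I", rec, 0x2C)[0]
    entry = MftEntry(record_number, sequence,
                     bool(flags & FLAG_IN_USE), bool(flags & FLAG_DIRECTORY))
    off = attr_off
    while off + 8 <= len(rec):
        atype, alen = struct.unpack_from("<II", rec, off)
        if atype == ATTR_END or alen == 0:
            break
        non_resident = rec[off + 8]
        if atype == ATTR_FILE_NAME and not non_resident:
            clen, coff = struct.unpack_from("<IH", rec, off + 0x10)
            body = rec[off + coff:off + coff + clen]
            parent = struct.unpack_from("<Q", body, 0)[0] & 0xFFFFFFFFFFFF
            name_len, namespace = body[0x40], body[0x41]
            name = body[0x42:0x42 + 2 * name_len].decode("utf-16-le")
            entry.names.append((name, namespace, parent))
        off += alen
    return entry


def deleted_entries(mft: bytes):
    """Every record that still parses but has its in-use flag cleared."""
    out = []
    for pos in range(0, len(mft) - RECORD_SIZE + 1, RECORD_SIZE):
        entry = parse_record(mft[pos:pos + RECORD_SIZE])
        if entry is not None and not entry.in_use:
            out.append(entry)
    return out


def build_record(record_number, sequence, in_use, name, parent=ROOT_DIR_RECORD):
    """Fabricate a one-name FILE record (constructed test data, not from a real
    volume) with a valid update-sequence fixup so parse_record sees real input."""
    rec = bytearray(RECORD_SIZE)
    usa_offset, usa_count, attr_off = 0x30, 3, 0x38
    encoded = name.encode("utf-16-le")
    body = bytearray(0x42 + len(encoded))
    struct.pack_into("<Q", body, 0, parent)         # parent ref, sequence half left 0
    body[0x40], body[0x41] = len(name), 1           # name length, Win32 namespace
    body[0x42:] = encoded
    alen = (0x18 + len(body) + 7) & ~7              # resident header + body, 8-aligned
    struct.pack_into("<IIBBHHHIHBB", rec, attr_off, ATTR_FILE_NAME, alen,
                     0, 0, 0, 0, 0, len(body), 0x18, 0, 0)
    rec[attr_off + 0x18:attr_off + 0x18 + len(body)] = body
    struct.pack_into("<I", rec, attr_off + alen, ATTR_END)
    struct.pack_into("<4sHHQHHHHIIQHHI", rec, 0, b"FILE", usa_offset, usa_count, 0,
                     sequence, 1, attr_off, FLAG_IN_USE if in_use else 0,
                     attr_off + alen + 8, RECORD_SIZE, 0, 0, 0, record_number)
    usn = b"\x01\x00"                               # stamp USN over each sector tail
    rec[usa_offset:usa_offset + 2] = usn
    for i in range(1, usa_count):
        tail = i * SECTOR_SIZE - 2
        rec[usa_offset + 2 * i:usa_offset + 2 * i + 2] = rec[tail:tail + 2]
        rec[tail:tail + 2] = usn
    return bytes(rec)


# Constructed sample: one live file, one deleted file, one never-used slot.
SAMPLE_MFT = b"".join([
    build_record(64, 3, True, "active.docx"),
    build_record(65, 7, False, "deleted.xlsx"),
    bytes(RECORD_SIZE),
])

if __name__ == "__main__":
    import sys
    # Point this at the file produced by "FGET.exe -scan HOST -extract C:\$MFT mylocalmftcopy.bin"
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_MFT
    for e in deleted_entries(data):
        print(f"record {e.record_number} seq {e.sequence}: {[n for n, _, _ in e.names]}")
```

A hit from deleted_entries only proves the record survived; a deleted file's content is separate from its name, so a non-resident $DATA attribute may already have had its clusters reallocated even when the name still parses, which is exactly the "overwritten or reused" caveat in the article. A high sequence number on a slot is a sign it has been recycled before.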

FGET v1.0 is available for download from HBGary.
