Device_Remote

Remote Memory Acquisition

The LeechCore library supports connecting to a remote LeechAgent and then read and write memory by any of the supported acquisition methods.

Facts in short:

• Is supported on 32-bit and 64-bit Windows.
• Acquires memory in read-only or read/write mode - depending on remote acquisition method.
• Acquired memory is assumed to be static or **volatile ** - depending on remote acquisition method.
• Have additional requirements.

The remote functionality allows a LeechCore library to connect to a remote LeechCore library running inside a LeechAgent. All supported memory acquisition methods may be used remotely if the target system supports them and dependencies are met.

The connection takes place over mutually authenticated encrypted RPC secured by kerberos by default.

If not running in an Active Directory domain security including authentication may be disabled by the user by specifying -insecure.

Compression of data is not enabled if any of the systems (client or server) is a Windows 7 system. Compression will automatically be disabled due to lack of support.

For more information check out this recent blog entry and this older blog entry.

---

Connection string:

LeechCore API:

Please specify the file name in LC_CONFIG.szRemote when calling LcCreate. Please note that LC_CONFIG.szDevice should also be specified. The format for LC_CONFIG.szRemoteis rpc://<spn>:<host> where spn denotes the kerberos service principal name SPN of the user running the remote LeechAgent (or insecure).

PCILeech / MemProcFS:

Please specify the file name in the -remote option.

Examples:

-remote rpc://insecure:ad-test.ad.example.org

-remote "rpc://ad-test$@AD.EXAMPLE.ORG:ad-test.ad.example.org"

---

Requirements:

A remote LeechAgent must exist and be running in either service or interactive mode. See individual acquisition methods for any additional requirements. Also consult the guide for the LeechAgent.