The agent can be exposed and identified if installed in environments with antivirus or in environments managed by expert technicians.
Three different agent levels were included to prevent this from happening:
The scout agent is a replacement for the agent sent at the beginning of the installation phase to analyze the level of target device security.
The soldier agent and elite agent are actual agents. The soldier agent is installed in environments that are not fully secure and thus only allow some types of evidence to be collected. The elite agent is installed in secure environments and can collect all types of available evidence.
| Phase | Description |
|---|---|
| 1 | The technician installs the scout agent on the target device. |
| 2 | The scout agent collects evidence from the device to check the level of security. |
| 3 | The technician updates the agent: |
The agent icon provides the following information:
Following are the three agent level icons, for example, for a Windows desktop device:
Once installed, the scout agent appears in the target page after the first synchronization.
The scout agent acquires evidence:
IMPORTANT: Screenshot type evidence is only collected if the module is enabled in the configuration. If necessary, remember to enable it before sending the agent.
The soldier agent lets you collect evidence defined by the base configuration modules except for Call and Accessed file modules.
IMPORTANT: the advanced settings are not enabled for soldier agents.
Tip: once the soldier agent is installed, check the settings defined in the initial phase to make sure they meet investigation needs and agent characteristics.
The elite agent lets you collect all types of evidence using both the base and advanced configuration.
An agent will perform synchronization only if:
An agent behaves differently according to the Internet connection availability:
| If the Internet connection is... | Then... |
|---|---|
| not available | if the agent has modules enabled, it starts to record data in the device. |
| available | if first synchronization has been run on the agent, you can: |

Tip: start creating an agent and only enable synchronization and the device module. Then, once installed, and upon receiving the first synchronization, gradually enable the other modules, according to the device capabilities and the type of evidence you want to collect.
Agent activities can be temporarily suspended without uninstalling the agent by simply disabling all the modules and leaving only synchronization active.
To test a configuration before production use, create an agent in Demo mode (see "Compiling a factory").
The agent is created in demo mode, behaving according to the given configuration, with the sole difference that it clearly signals its presence with audio, LED and screen messages. Signaling permits easy identification of an infected device used for testing.
NOTE: if no evidence is received from an agent in demo mode, this may be due to a server settings error or because the configured Collector address cannot be reached (e.g. due to network settings problems).
Agent configuration (basic or advanced) can be repeatedly edited. When saved, a copy of the configuration is created and saved in the configuration log.
At the next synchronization, the agent will receive the new configuration (Send time) and will communicate completed installation (Activated). From that point on, any changes can only be made by saving a new configuration.
NOTE: If Send time and Activated are blank, the current configuration can still be edited.
For a description of agent configuration log data see "Agent configuration log data".
RCS9.5 | User manual | © COPYRIGHT 2014