Device_Remote

Remote Memory Acquisition

The LeechCore library supports connecting to a remote LeechService and then read and write memory by any of the supported acquisition methods.

Facts in short:

• Is supported on 64-bit Windows.
• Acquires memory in read-only or read/write mode - depending on remote acquisition method.
• Acquired memory is assumed to be static or **volatile ** - depending on remote acquisition method.
• Have additional requirements.

The remote functionality allows a LeechCore library to connect to a remote LeechCore library running inside a LeechService. All supported memory acquisition methods may be used remotely if the target system supports them and dependencies are met.

The connection takes place over mutually authenticated encrypted RPC secured by kerberos by default.

If not running in an Active Directory domain security including authentication may be disabled by the user by specifying insecure.

Compression of data is not enabled if any of the systems (client or server) is a Windows 7 system. Compression will automatically be disabled due to lack of support.

For more information check out this blog entry about the LeechService.

---

Connection string:

LeechCore API:

Please specify the file name in LEECHCORE_CONFIG.szRemote when calling LeechCore_Open. Please note that LEECHCORE_CONFIG.szDevice should also be specified. The format for LEECHCORE_CONFIG.szRemoteis rpc://<spn>:<host> where spn denotes the kerberos service principal name SPN of the user running the remote LeechService (or insecure).

Memory Process File System:

Please specify the file name in the -remote option.

Examples:

-remote rpc://insecure:ad-test.ad.example.org

-remote "rpc://ad-test$@AD.EXAMPLE.ORG:ad-test.ad.example.org"

---

Requirements:

A remote LeechService must exist running in either service or interactive mode. See individual acquisition methods for any additional requirements.