As Eric Huber (@AFoDBlog) will attest, working in DFIR means that you will be inundated with a ridiculous number of security dongles. The problem with security dongles is that each product requires its own, and as much fun as it is carting around 8+ dongles (as well as a hub), it can lead to accidental breakages or loss. In the past if you wanted a decent dongle server you were probably looking at the myUTN-80 (8 ports) or its bigger brother the myUTN-800 (20 ports). Although these devices work well, they are relatively expensive.
Recently I set out to find a solution to the dongle server problem; one which could handle any security dongles thrown at it as well as being reasonably priced. There are many software-based USB over IP solutions, for example KernelPro or USB Redirector, but these products don't generally scale well in the price department when dealing with numerous dongles. In the end I stumbled across VirtualHere, a USB over IP software solution that supports a number of different operating systems for both the client and the server side.
VirtualHere is free to try, and to share 1 USB device, so I thought that I would give it a whirl. Like most USB over IP solutions there are 2 components: a server (where the USB devices are plugged in locally) and a client (where the USB devices are remotely accessed). On the server side it supports the following operating systems: Ubuntu, Debian, CentOS, openSUSE, Scientific Linux, Raspberry Pi (Raspbian), Beagle Board (Beaglebone Angstrom / Ubuntu), ODROID, OpenWRT, and Android - quite an extensive support list of OS/HW. I had a spare Raspberry Pi (Model B) lying around so I booted Raspbian and followed the installation instructions from the VirtualHere website:
ssh to your raspberry pi
wget http://www.virtualhere.com/sites/default/files/usbserver/vhusbdpin
sudo chmod +x ./vhusbdpin
sudo mv vhusbdpin /usr/sbin
wget http://www.virtualhere.com/sites/default/files/usbserver/scripts/vhusbdpin
sudo chmod +x ./vhusbdpin
sudo mv vhusbdpin /etc/init.d
sudo update-rc.d vhusbdpin defaults
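The steps above fetch the server binary over plain HTTP and install it as a boot-time service, so it is worth checking the download against a known-good digest before moving it into /usr/sbin. The following is an added example, not part of the original post or VirtualHere's instructions; the function names are hypothetical and the expected SHA-256 is an argument you must obtain from a source you trust.

```shell
#!/bin/sh
# Added example: install a downloaded file only if its SHA-256 matches a
# pinned digest. Function names are hypothetical; no real digest is shown.

# sha256_of FILE -> prints the lowercase hex SHA-256 of FILE
sha256_of() {
    sha256sum "$1" | awk '{print $1}'
}

# verified_install FILE EXPECTED_SHA256 DEST_DIR
# Copies FILE into DEST_DIR with mode 0755 only when the digest matches.
# Returns 0 on success, 1 on digest mismatch, 2 on bad arguments.
verified_install() {
    file=$1
    expected=$2
    dest=$3
    [ -f "$file" ] && [ -n "$expected" ] && [ -d "$dest" ] || return 2

    actual=$(sha256_of "$file")
    # Accept digests published in upper case.
    expected=$(printf '%s' "$expected" | tr 'A-F' 'a-f')

    if [ "$actual" != "$expected" ]; then
        echo "digest mismatch for $file: got $actual" >&2
        return 1
    fi
    install -m 0755 "$file" "$dest/"
}

# When run directly with three arguments, act as a drop-in for the
# chmod/mv pair above, e.g. (placeholder digest, not a real value):
#   sudo sh verified_install.sh vhusbdpin <EXPECTED_SHA256> /usr/sbin
if [ "$#" -eq 3 ]; then
    verified_install "$1" "$2" "$3"
fi
```

The same check applies to the init script downloaded in the second wget, which shares the file name and needs its own digest.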
After configuring a static IP address on the Raspberry Pi I was up and running. To test the setup I was using the Windows x64 client, on a Windows 7 machine. There are actually a number of supported client OS versions too: Windows x32/x64, Mac OSX 10.9/10.10, Ubuntu x32/x64/ARM, Raspbian, Debian x32/x64, and CentOS.
Now I have used both KernelPro & USB Redirector before, so I am across which dongles are going to play nicely from the get-go. I tested all of the security dongles at my disposal and as expected KEYLOK II did not work out of the box.
One of the great advantages of VirtualHere is that it is actively being developed, so I shot off an email to support and within 2 days I had a beta release of the client software that resolved the issue.
All in all I tested the following security dongles:
- KEYLOK II
- Rockey 2
And the following products:
- EnCase (6/7)
- X-Ways Forensic
- NetAnalysis / HstEx
- Cellebrite Physical Analyzer
The beauty of this product is that it is scalable; it can support up to 128 devices, 4 hubs deep. To secure it you can utilise your own SSL certificate, as well as specify users/IP addresses for individual dongle access (https://www.virtualhere.com/node/273).
Given the cost of the VirtualHere Raspberry Pi licence (USD29.00) you can put together an entire solution supporting 26 security dongles for well under $200.00, Raspberry Pi and all. Putting that into perspective, the myUTN-800 (20 port) dongle server usually retails for over USD2000.00, USB Redirector is USD665.00 for 20 dongles, and KernelPro probably costs something similar (as they are both owned by the same subsidiary, SimplyCore LLC).
Below is a table of some of the features I have highlighted to differentiate the product (this is not an extensive list of all features):
| Feature | VirtualHere | KernelPro / USB Redirector | myUTN-80x |
|---|---|---|---|
| WiFi network support | Yes | Yes | No |
| Hub support (expandability) | Yes | No* | No |
*Not without purchasing additional licence support
The client is fully scriptable and it supports NAT traversal for reverse connections behind firewalls.
All in all VirtualHere is a product that resolves my issue of sharing dongles remotely, as I work in a national capacity. It may not be the solution for everyone, but it certainly made my life easier.
DISCLAIMER: I am not affiliated with Virtual Here PTY LTD, I do not work for Virtual Here PTY LTD nor do I have anything to gain from this article.