Description
The Tactical EXecutor (TEX) is a complete portable hardware and software solution that unlocks and grants full administrative access to Microsoft Windows computers, even when they are protected by BitLocker full-disk encryption. TEX is a powerful, portable and versatile device for tactical operations in which physical access to the computers under investigation is possible.
Capabilities
Once connected to the computer under examination, TEX provides a series of actions that can be performed in a matter of a few minutes. Depending on their scope, these are divided into forensic inspections and investigative operations.
Forensic Features
Forensic features are intended for all contexts in which it is mandatory to preserve the integrity of the target computer, that is, without tampering with the local file system and/or memory.
Among the forensic features, TEX provides the following capabilities:
Execution of a memory dump of the computer
This capability aims at getting a binary image of the target computer’s RAM. The memory dump is generated and saved locally on the attacker PC as an uncompressed RAW file and can then be examined using any specialized tool for RAM analysis (not provided).
Mount of the PC file system in read-only mode
This feature mounts a read-only image of the examined computer's system drive locally on the investigator PC. It can be used to browse the computer's file system (bypassing the full-disk encryption, if present) and retrieve information without any risk of altering its content.
Generation of the BitLocker Recovery Key
This feature extracts the recovery key from an examined computer whose system drive is protected by Windows BitLocker encryption. After a forensic (bit-by-bit) copy of the target's original system disk has been taken, the recovery key can be used to decrypt the copied disk, so that the target file system can be mounted on a different computer in which the protection provided by BitLocker encryption has been completely disabled.
Besides the forensic features, TEX provides the following capabilities:
Unlocking the PC under examination with system-level privileges
This capability allows the investigator to temporarily bypass Windows authentication on the computer, enabling desktop access for any configured local Windows account, including administrative accounts, without altering the existing account credentials.
Capability of installing specific software
This capability allows the installation of DANTE software or other executable applications, which can be activated for specific Windows accounts selected in the TEX GUI. The installation can be scheduled immediately or at the user's next logon.
Creation of an Interactive System shell on the investigator PC
This capability allows the execution of a remote shell on the investigator PC with NT AUTHORITY\SYSTEM access to the examined computer. This shell is typically used to execute scripts.