X-Ways
·.·. Computer forensics software made in Germany .·.·
   
 

RDP Passthrough for Dongles and BYOD USB Devices

If you wish to unlock X-Ways Forensics remotely when your dongle or BYOD USB device is plugged in locally, that can work using RDP after following a few steps:
 
Firstly, on the remote machine:
 
1. In Edit Group Policy: Computer Configuration > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Device and Resource Redirection > Do not allow supported Plug and Play device redirection | Disabled. This typical Windows “double-negative” allows for redirected devices to be detected on your remote PC.
 
2. Run gpupdate /force. Restart remote machine.
 
Secondly, on the local machine:
 
1. In Edit Group Policy: Computer Configuration > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Connection Client > RemoteFX USB Device Redirection | Enable Allows RDP redirection of other supported RemoteFX USB devices from this computer (Administrators and Users).
 
2. In Device Manager, copy the hardware ID (e.g. USB\VID_0951&PID_1666&REV_0100) in Properties | Details tab of the USB device that has been assigned the X-Ways Forensics Licence.
 
3. In Edit Group Policy:  Computer Configuration > Administrative Templates > System > Device Installation > Device Installation Restrictions > Prevent installation of devices that match any of these device IDs | Click Show... then paste the hardware ID into the top field. Check also apply to matching devices that are already installed. Click Apply. This will uninstall the USB device and notify that this device will not be installed. The USB device will be listed in Device Manager as “Other Device” with its friendly name. If this does not happen, uninstall the USB in Device Manager and repeat this step.
 
4. Before connecting to the remote machine via RDP, click the Show Options button if necessary, and in the Local Resources tab click More > Other Supported RemoteFX USB Devices | Check the friendly name of the USB device, either “USB Input Device (HID-compliant vendor-defined device)” for a dongle or something like “Data Traveler” for a BYOD USB device. You may need to reboot your machine to have that option.
 
If you have connected a BYOD USB device, after a short delay, Windows Explorer in the RDP connected machine will open with that USB device. XWF will then recognize it as a “physical” device when it is next started. This method allows X-Ways Forensics to work with standard user permissions on the remote machine. X-Ways Forensics currently does not support running as an administrator with a remote BYOD USB device.

 
Further information on RemoteFX USB Redirection can be found here (although meant for Microsoft Azure, it works for LAN devices too).