Interview with Matt Shannon, Founder and Chief Software Architect, F-Response - 19/6/08
Matt Shannon: It’s true that necessity is the mother of invention, which is how F-Response came into being. As a computer security & forensics firm we are asked to be both accurate and efficient. I have never had a client tell me to “image and analyze everything - I don’t care how long it takes or how much it costs.” No – our clients want us to provide them with the right answers; but they want us to attain these answers as quickly and efficiently as possible.
That presented us with a challenge. What do we need to do to conduct forensically sound analysis on a live machine so that we can minimize customer down time and collect only the evidence we need, when we need it?
Every off-the-shelf solution we looked at came with a hefty price tag, and forced us to learn another tool. We didn’t want another analysis tool.
We wanted to make better use of the tools we already had; and thus F-Response was born.
Forensic Focus: The technology behind F-Response is described as patent-pending, can you tell us any more about that at this stage?
Matt Shannon: Our solution is unique. We spent a considerable amount of time developing and refining our product, and we’re very proud of what we have accomplished. We filed our patent application with the United States Patent & Trademark Office in order to protect our interests and our considerable investment in time and capital.
Forensic Focus: Most of our readership comes from either a law enforcement or private computer forensics practice background - which of the different versions of F-Response do you think would be most appropriate for their needs?
Matt Shannon: I mentioned earlier that we wanted to make better use of the tools we already had, and that is what we now offer to the forensics community at large. The version of F-Response one requires will depend upon the mission one needs to accomplish.
Some will want to deploy a remote managed forensics appliance solution to serve their clients’ forensics and incident response needs over the Internet, and I would tell them that the Enterprise Edition is right for them.
Others will be inspecting one machine at a time and have direct physical access to the machine under inspection, and I would tell them that the Field Kit Edition will suit their needs.
Most importantly, each product license is “inclusive”; for example, purchasing the Consultant Edition license gives you access to both Consultant and Field Kit Edition. Likewise, the Enterprise Edition license permits use of the dongle with all versions of F-Response software, Consultant and Field Kit Edition.
So, for example, if you have a Consultant license, but find that sometimes the Field Kit is the better solution for a scenario you face in the field – you’re good to go.
Bottom line, all three products provide the same basic capability and cover a wide range of price points. There’s bound to be a solution that fits your needs and budget.
Forensic Focus: What changes take place on a machine when it is the subject of analysis using F-Response (i.e. what effect does loading and running the target software have on the machine's state)?
Matt Shannon: The changes that take place are as minimal as they can be for a live analysis scenario. If you use the field kit version, the license dongle will be inserted into the machine under inspection; but the dongle is driverless. It is seen as an HID device, like a mouse or keyboard. The software is pre-installed only with the Enterprise Edition. For Consultant and Field Kit versions, the small and largely self-contained F-Response target code is simply executed on the machine; it is not installed and may easily be executed from a USB Disk or Removable Drive.
To put it into perspective, F-Response does not have any greater impact upon the machine under inspection than popular imaging tools that are currently run on live machines to collect images.
Forensic Focus: The training videos on the F-Response website make reference to the ability to work with a disk as though it were connected using a hardware write-blocker. Can you tell us something about your validation methodology?
Matt Shannon: First and foremost, F-Response uses a “defense-in-depth” model to prohibit write operations from taking effect on the target hard drive. One of these layers of defense includes how F-Response accesses the drive at a physical level, avoiding any potential for file-level modifications.
Next, F-Response has been tested internally and more importantly F-Response has been tested in the field by numerous “pre-release” and early adopters.
Simply put, F-Response is designed to silently ignore Write operations, and it does exactly that.
Forensic Focus: One of the greatest benefits of F-Response is clearly the ability it gives to perform analysis on a live machine without needing to take it out of service. That being the case, does F-Response offer any functionality in the area of "live forensics" as the term is commonly understood, i.e. analyzing running processes, network connections and other types of data in memory?
Matt Shannon: Not yet, but we’re not new to this arena. We developed Nigilant32 several years ago and released it to the world. Nigilant32 allows an examiner to grab snapshot data from a subject computer, as well as capture an image of physical memory. Do not be surprised if you see a capability to access live physical memory using F-Response in the near future.
Forensic Focus: When a new tool is introduced, examiners are often concerned about its acceptance in the courtroom. What reassurances can you give them regarding this form of validation?
Matt Shannon: F-Response is built upon the iSCSI standard.
This standard is well founded, fully documented, widely supported, and we leveraged this standard to devise F-Response.
Quite simply, iSCSI has an established track record as the storage protocol of choice for numerous Storage Area Networks and Network Attached Storage devices; these devices are in use today by some of the largest organizations in the world to store and maintain critically relied-upon records, including financial, legal, and medical documents.
We believe this makes iSCSI and F-Response a very logical and acceptable protocol for use in Computer Forensics and E-Discovery.
Forensic Focus: How does F-Response differ from other remote forensic tools (or forensic tools with remote capabilities)? How worried are you about competition from the more established players in the forensic software marketplace?
Matt Shannon: We are fond of telling prospective customers and clients,
“We are not in the analysis business, we are not in the imaging business, we are in the getting data to you and getting the heck out of the way business!”
Basically, we provide examiners with network access to remote, RAW, physical hard drives, and then we get out of the way. We do not offer an analysis tool and we do not offer an imaging tool.
We have not designed F-Response to favor some tools over others. In fact, we are much more interested in working with other Computer Forensic and e-Discovery software firms than competing with them. By using F-Response, any local-drive-only imaging or analysis application is instantly an “Enterprise” class tool. We believe that by partnering and working together, F-Response and other tool vendors can create a powerful and useful arsenal for the practitioner for a very reasonable price.
Forensic Focus: What's next for F-Response? Might we see encryption over the network? Will we ever see a Linux version?
Matt Shannon: We developed F-Response based on the needs of our consulting efforts; as such we continue to find new improvements to streamline that consulting and delivery process.
In addition, we have a truly top-notch customer base that is constantly coming up with new and inventive ways to use F-Response.
I firmly believe it’s in using and working with F-Response to solve business problems that exciting new improvements will be made.
With all of that being said, we’ve got some consultant- and law enforcement-requested enhancements to the Consultant Edition due in the next release; then we’ll be working on physical memory and potentially an Apple OS X version of F-Response.
Forensic Focus: You recently announced a partnership agreement with X-Ways Software Technology AG, can you tell us more about this agreement and how it came about?
Matt Shannon: When we released F-Response we knew there would be a certain amount of skepticism, such as - will F-Response really work with any computer forensics or e-discovery software? We expected to hear "I'm a proud user of ‘xyz’ software and I’d like to know if it works with F-Response" frequently. So, even though we could easily write about all the software we had used and tested with F-Response, it made more sense to develop a series of short videos. We used multiple forensic products in our videos, one of which was the X-Ways Winhex product.
Evidently Stefan became aware of the video and purchased one of our F-Response Field Kits. I learned of this shortly thereafter, and while working up an email to him about potentially partnering, he contacted me.
Stefan is a consummate professional, honest, and straightforward. Those who know him will find it no surprise that we were able to reach an agreement remarkably fast. After that it was up to the attorneys to clean up the details.
In the end, the agreement essentially allows X-Ways to resell F-Response and bundle it with X-Ways Forensics. We are very pleased with the agreement and feel it is an excellent way for X-Ways clients to “Extend their Arsenal”.
Forensic Focus (question posted by "azrael" in the Interviews forum): I’m particularly interested in the statistical work that Mr. Shannon has done, the paper was very interesting. Has he pursued this any further since 2004? If so, any chance of a brief update on the state of play?
Matt Shannon: Great question. To recap, for those who have not read the paper: I wrote a paper for the International Journal of Digital Evidence in 2004 on the concept of using statistical mechanisms to effect quicker and more accurate searching. These mechanisms included Entropy and N-Gram based relative strength scoring.
Have I pursued these concepts further? No.
The main reason I began that research was to create a faster “time to market” for finding the answers my clients were looking for. This desire quickly moved from “pre-analysis” using statistical indicators to “pre-analysis” using remote live drive access, thus moving me down the path of creating F-Response.
In the end, while they seem quite different, that paper was the first step on a path that eventually led to F-Response today.
Forensic Focus: Finally, what do you do to relax in your free time?
Matt Shannon: Free time?
I enjoy spending time with my one-year-old daughter and my wife; both of the ladies in my life keep me very grounded and focused on what’s important.
That being said, I heartily enjoy the sport of Brazilian Jiu-Jitsu and Submission Grappling, and can often be found enjoying a good grappling match or two a few times a week to blow off some steam.
Further information about F-Response can be found at www.f-response.com