F-Response

keydet89
(@keydet89)
Posts: 3568
Famed Member
Topic starter
 

Just wanted to mention a new product that is out and available…
http://www.f-response.com/index.php?option=com_content&task=view&id=22&Itemid=2

So far, this looks like a great product! Imagine having remote READ ONLY access to physical drives, independent of your access or imaging tools! Access a drive and grab whatever info you need for triage, incident identification, or even a full-out acquisition…with all of your write-requests being buffered and silently dropped.

With three possible deployment options, you get quite a bit of coverage.

h

 
Posted : 16/04/2008 9:36 pm
(@kovar)
Posts: 805
Prominent Member
 

Greetings,

Do you have any additional insight on how it works beyond what is on the web page?

The web site says

"F-Response Field Kit is a point solution that permits an examiner to review any number of machines over a network, but only one machine may be examined at any given time. In this case, the F-Response USB license key or “FOB” resides at the machine under examination."

Are they booting the system off of the USB key or a CD, or is native OS running and accessing the USB key? If the latter, the filesystem is getting modified, network connections are open, ….

-David

 
Posted : 17/04/2008 1:37 am
(@fresponse_s)
Posts: 70
Trusted Member
 

Let me answer this.

F-Response in all versions (Field Kit, Consultant, and Enterprise) is running as an application on the machine being investigated.

Yes, network connections are created, and yes the filesystem can continue to be modified by the active user (desktop user if any) as well as any other system processes.

F-Response is a small executable that does not require a reboot and is a single executable.

The F-Response USB FOB is a licensing dongle that allows the software to be run.

The key here is that an investigator may review and collect files from the remote workstation or server without interrupting the existing activities and while the machine is still in service.

F-Response is quite useful in instances where you cannot reboot the machine, business necessitates an initial review before additional imaging is performed, or you have eDiscovery requirements that involve collecting information from numerous machines throughout your network.

Essentially F-Response extends your existing capabilities and tools.

If you'd like more information, or to get a feel for the process, please register on the website and you'll get access to all the product manuals and white paper.

Regardless, please don't hesitate to contact me should you have additional questions.

Warmest Regards,

 
Posted : 17/04/2008 2:32 am
(@fresponse_s)
Posts: 70
Trusted Member
 

Just a quick update, we've posted a Blip.tv video with audio commentary showing how the F-Response Field Kit works.

This should answer a few questions.

Enjoy!

http://www.f-response.com/index.php?option=com_content&task=view&id=29&Itemid=9

-M Shannon

 
Posted : 30/04/2008 5:51 pm
(@datawiz77)
Posts: 7
Active Member
 

I do a lot of sneak and peek/black bag operations here. Sometimes the subject computer is on, but in screen saver mode. Will F-Response be able to assist me? And if so, which version? Do I have to physically mount the dongle on the machine in question?

And on those jobs where the subject computer is in another location (state), which version should I use? I am trying to purchase one to handle both situations?

Sometimes the subject computer is on a different LAN than our agency's.

 
Posted : 07/07/2008 8:27 pm
(@fresponse_s)
Posts: 70
Trusted Member
 

> I do a lot of sneak and peek/black bag operations here. Sometimes the subject computer is on, but in screen saver mode. Will F-Response be able to assist me? And if so, which version? Do I have to physically mount the dongle on the machine in question?
>
> And on those jobs where the subject computer is in another location (state), which version should I use? I am trying to purchase one to handle both situations?
>
> Sometimes the subject computer is on a different LAN than our agency's.

Hmm, screen saver mode would be difficult to get around if you were using F-Response Consultant or Field Kit edition, as both of those are GUI based. However, F-Response enterprise runs as a Windows Service.. but it must be installed.

If the subject computer is in another location, you'd want to look at Consultant or Enterprise Edition, as both of those put the dongle on your local workstation or a central server, NOT at the remote subject computer.

If it's on a different LAN I'd recommend a VPN solution with a local machine to perform the imaging/analysis. In other words, ship a laptop pre-loaded, VPN to that laptop, then get your F-Response connection working from there. Bottom line, it's much more efficient than the alternative (WAN link data transfer).

Hopefully this answers your questions, however if not, please don't hesitate to contact sales _at_ f-response.com and someone will get back to you in short order.

Warmest Regards,

M Shannon
www.f-response.com

 
Posted : 07/07/2008 9:16 pm
keydet89
(@keydet89)
Posts: 3568
Famed Member
Topic starter
 

datawiz,

If you have an admin username/password for the system, you can install and launch F-Response Enterprise remotely, using psexec.exe.

 
Posted : 08/07/2008 12:18 am
(@datawiz77)
Posts: 7
Active Member
 

On using psexec.exe, would that still work if the computer is in password protected screen saver mode? We often have the support of those who have access to the Administrator username and password. But there have been times when one of those that "rule the roost" has been the subject of the case.

 
Posted : 08/07/2008 4:11 pm
(@ronanmagee)
Posts: 145
Estimable Member
 

> datawiz,
>
> If you have an admin username/password for the system, you can install and launch F-Response Enterprise remotely, using psexec.exe.

I also think that the Admin$ directory must be shared in order to connect to C:\Windows\System32 directory. If this share is not present the connection fails.

Is there any way around this?

Ronan

 
Posted : 08/07/2008 7:21 pm
(@rossetoecioccolato)
Posts: 34
Eminent Member
 

> If you have an admin username/password for the system, you can install and launch F-Response Enterprise remotely, using psexec.exe.

You are able to push a USB dongle out to a remote machine using psexec?

 
Posted : 08/07/2008 7:36 pm