Helix 3 Pro & F-Response Tactical

(@markl1975)
Posts: 63
Trusted Member
Topic starter
 

Hello,

We have recently bought F-Response Tactical and I'm looking at ways of using it as alternatives to our current methods.

One way I thought of using it was to boot the suspect PC/Laptop with a Live CD, then insert the subject dongle and connect it up to your Examiner PC via an X-Over cable to image the hard disc. I am looking at replacing our current LinkMaster capability.

I am testing with the following but having problems.

I am booting the Suspect PC with a Helix 3 Pro Live CD. I can insert and mount the F-Response Subject dongle. When I run the 'f-response-tacsub-lin' command (as sudo root in Linux) I get a 'permission denied' message. I have tried with the read/write switch set to R/W on the dongle as well.

From my Examiner PC I can ping the Suspect PC, but there is a problem running the F-Response program.

Has anyone else tried this way of running F-Response, and if so, do you have a Live CD that will allow you to run programs?

This is for a situation where, for whatever reason, you can't remove the hard drive but need to image it without turning the machine on. We currently use LinkMaster, but as this runs over USB 2.0 it can be slow. I figured running F-Response over a GB X-Over cable would be quicker.

Any pointers would be appreciated.

Mark

 
Posted : 17/02/2010 4:08 pm
(@jonathan)
Posts: 878
Prominent Member
 

Mark, I'm not sure if I'm understanding correctly, but it seems to me that you are overcomplicating things. If you can't remove a HDD from a PC and you want to image it, all you need is something like Helix 3 Pro; you don't need F-Response or other tools or another PC. Attach an evidence drive where your E01/DD files will go to a spare SATA/IDE channel in your suspect PC, then boot with Helix 3 Pro, mount the evidence drive as read/write, and image it with one of Helix 3 Pro's imaging apps. Bob's your uncle.

Jonathan

 
Posted : 17/02/2010 4:55 pm
(@markl1975)
Posts: 63
Trusted Member
Topic starter
 

Jonathan,

Thanks for the reply. That's generally what we do when we have a spare SATA port, however, this scenario mainly applies to laptops.

Most modern ones do come with an eSATA port on them however for those that don't, we have LinkMaster. This is very slow over USB 2.0, so this is an alternative.

With LinkMaster (and Helix) you collect from the machine to an external device. I thought it might be quicker going over a 10/100/1000 cable.

I am trying it with various Live CDs, but not having much luck, so I might give up on the idea. I have tried Helix, Raptor, Hirens, Parted Magic & iLoog. I had a bit of luck with Hirens; however, both EnCase and FTK bombed out after copying approx 600MB. Can't figure out why.

There's always the tried and tested method of removing the drive and imaging with our forensic copiers too.

Mark

 
Posted : 17/02/2010 5:16 pm
(@jonathan)
Posts: 878
Prominent Member
 

I've not imaged over an X-over cable that many times, but in my limited experience I found it generally unreliable and painfully slow. Older laptops/PCs are unlikely to have 1GB network ports, so imaging to an attached USB 2.0 device would always be personally preferable for me. What type of imaging speeds (MB/sec) are you seeing via USB?

 
Posted : 17/02/2010 5:33 pm
(@fresponse_s)
Posts: 70
Trusted Member
 

Mark,

We would be happy to help you; one of our guys has some experience with the different boot CDs available, and I've asked him to take a look at your issue.

Please don't hesitate to contact us when you have an issue, that's what we are here for. 😉

Warmest Regards,

 
Posted : 17/02/2010 5:50 pm
keydet89
(@keydet89)
Posts: 3568
Famed Member
 

Mark,

Any pointers would be appreciated.

For one, I would highly recommend that you contact the great folks at F-Response with regards to any questions about the tool and how it's used/employed.

It never ceases to amaze me that folks will post to a public forum *before* going to the vendor, particularly with a vendor as responsive as Matt Shannon.

 
Posted : 17/02/2010 5:52 pm
(@markl1975)
Posts: 63
Trusted Member
Topic starter
 

Hello,

I emailed Matt about this last week and he said it was possible.

I didn't want him getting sick of me bugging him so I thought I'd ask on here. He's a very helpful chap though, so maybe I'll drop him an email too.

Many thanks,

Mark

 
Posted : 17/02/2010 5:57 pm
keydet89
(@keydet89)
Posts: 3568
Famed Member
 

Mark,

It seems that you have questions that go beyond, "…is this possible?"

And besides…you're a paying customer. I don't see where Matt would get sick of you bugging him with the questions you seem to have.

 
Posted : 17/02/2010 6:03 pm
Wardy
(@wardy)
Posts: 149
Estimable Member
 

Harlan, while I understand your sentiments about going straight to the vendor, I do somewhat disagree.

If I were to check all of the forums for tools I use, I simply wouldn't get much work done. Jamie has done an outstanding job in creating ForensicFocus and it shouldn't be considered a resource for only questions on the lines of "is this possible".

There is a vast wealth of knowledge which visits this forum hourly; surely it is only right to tap that knowledge?

 
Posted : 17/02/2010 7:43 pm
keydet89
(@keydet89)
Posts: 3568
Famed Member
 

Wardy,

I never said anything about NOT checking this, or any other forum. I simply suggested that perhaps going to the vendor…in this case, because of how responsive Matt is…would be advisable.

 
Posted : 17/02/2010 8:09 pm