Just wanted to mention a new product that is out and available...
www.f-response.com/ind...2&Itemid=2

So far, this looks like a great product! Imagine having remote READ ONLY access to physical drives, independent of your access or imaging tools! Access a drive and grab whatever info you need for triage, incident identification, or even a full-out acquisition...with all of your write-requests being buffered and silently dropped.

With three possible deployment options, you get quite a bit of coverage.

h  

Greetings,

Do you have any additional insight on how it works beyond what is on the web page?

The web site says:

"F-Response Field Kit is a point solution that permits an examiner to review any number of machines over a network, but only one machine may be examined at any given time. In this case, the F-Response USB license key or “FOB” resides at the machine under examination."

Are they booting the system off of the USB key or a CD, or is native OS running and accessing the USB key? If the latter, the filesystem is getting modified, network connections are open, ....

-David
_________________
CISSP, CCE, EnCE, Licensed Private Investigator (CA) 

Let me answer this.

F-Response in all versions (Field Kit, Consultant, and Enterprise) is running as an application on the machine being investigated.

Yes, network connections are created, and yes the filesystem can continue to be modified by the active user (desktop user if any) as well as any other system processes.

F-Response is a small executable that does not require a reboot and is a single executable.

The F-Response USB FOB is a licensing dongle that allows the software to be run.

The key here is that an investigator may review and collect files from the remote workstation or server without interrupting the existing activities and while the machine is still in service.

F-Response is quite useful in instances where you cannot reboot the machine, business necessitates an initial review before additional imaging is performed, or you have eDiscovery requirements that involve collecting information from numerous machines throughout your network.

Essentially F-Response extends your existing capabilities and tools.

If you'd like more information, or to get a feel for the process, please register on the website and you'll get access to all the product manuals and white paper.

Regardless, please don't hesitate to contact me should you have additional questions.

Warmest Regards,  

Just a quick update, we've posted a Blip.tv video with audio commentary showing how the F-Response Field Kit works.

This should answer a few questions.

Enjoy!

www.f-response.com/ind...9&Itemid=9

-M Shannon  

I do a lot of sneak and peek/black bag operations here. Sometimes the subject computer is on, but in screen saver mode. Will F-Response be able to assist me? And if so, which vrsion? Do I have to physically mount the dongle on the machine in question?

And on those jobs where the subject computer is in another location (state), which version should I use? I am trying to purchase one to handle both situations?

Sometimes the subject computer is on a different LAN than our agency's.  

- datawiz77

I do a lot of sneak and peek/black bag operations here. Sometimes the subject computer is on, but in screen saver mode. Will F-Response be able to assist me? And if so, which vrsion? Do I have to physically mount the dongle on the machine in question?

And on those jobs where the subject computer is in another location (state), which version should I use? I am trying to purchase one to handle both situations?

Sometimes the subject computer is on a different LAN than our agency's.

Hmm, screen saver mode would be difficult to get around if you were using F-Response Consultant or Field Kit edition, as both of those are GUI based. However, F-Response enterprise runs as a Windows Service.. but it must be installed.

If the subject computer is in another location, you'd want to look at Consultant or Enterprise Edition, as both of those put the dongle on your local workstation or a central server, NOT at the remote subject computer.

If it's on a different LAN I'd recommend a VPN solution with a local machine to perform the imaging/analysis. In other words, ship a laptop pre-loaded, VPN to that laptop, then get your F-Response connection working from there. Bottom line, it's much more efficient than the alternative (WAN link data transfer).

Hopefully this answers your questions, however if not, please don't hesitate to contact sales _at_ f-response.com and someone will get back to you in short order.

Warmest Regards,

M Shannon
www.f-response.com  

datawiz,

If you have an admin username/password for the system, you can install and launch F-Response Enterprise remotely, using psexec.exe.