Hello,
Does anyone have any experience of the new F-Response Tactical software? My company just bought one license for it and have given it to me to evaluate.
I wanted to use it to acquire data on NAS discs on a network.
I can't see a way of making this work, as inserting the Subject dongle into the USB port on a NAS does nothing. You have to manually run the Subject exe on the device, which isn't possible on a NAS that is not running an OS.
Has anyone figured out how to make this work? If not, what software do you recommend using with F-Response Tactical to acquire data over a network from normal PCs? We have EnCase and FTK, so I was wondering if one works better than the other.
Many thanks,
Mark
I am sure your NAS is running an OS. Likely some version of Linux. However, being able to get to the OS through the shell will be at the least a challenge. I had an issue where the logging server for 911 calls "lost" all the older data and tried to use Consultant Edition to interface with the server. Unfortunately, with no way to get to the OS, I had to pull the drives and do it the old-fashioned way.
As far as "normal" PCs, F-Response works great. With Tactical you will have to put hands on the machine, but once you do that you can use either EnCase or FTK. I have used FTK, X-Ways, Paraben E-Mail Examiner, and IEF (Internet Evidence Finder) with F-Response and it works great.
I recommend checking out the
Thanks for the reply,
Would it be possible to use Tactical on a remote machine that the Examiner PC is not on the same network as?
For example I send a colleague to the location of the machine and they insert the Subject USB stick. This Subject PC is in a remote location and our 2 networks are not connected, however they both have internet capability. Could you potentially access the machine over the internet to pull off any files of forensic interest?
Many thanks,
Mark
Does anyone have any experience of the new F-Response Tactical software? My company just bought one license for it and have given it to me to evaluate.
I have an evaluation copy, and have used it to connect to systems in my lab. I've also read the documentation and viewed most, if not all, of the available videos.
I wanted to use it to acquire data on NAS discs on a network.
I can't see a way of making this work, as inserting the Subject dongle into the USB port on a NAS does nothing. You have to manually run the Subject exe on the device, which isn't possible on a NAS that is not running an OS.
Is the NAS not running an OS, or not running an OS that runs EXEs?
When you say that the NAS is not running an OS, what do you mean? Do you mean to say that it doesn't offer an option to open a command shell?
It may be difficult to assist you without more information (model, name, version) about the NAS and how it's set up and configured.
Has anyone figured out how to make this work?
Okay, it would seem that if your NAS isn't running an OS from which you can run the Subject dongle, then you'd need to connect the Subject dongle to a system that DOES have an OS and is connected to the NAS.
Another option may be that the NAS isn't running Windows or an OS that supports EXEs…maybe you're just using the wrong one.
If not, what software do you recommend using with F-Response Tactical to acquire data over a network from normal PCs? We have EnCase and FTK, so I was wondering if one works better than the other.
FTK Imager is free. You can use that, or dd, or dcfldd, or whatever works for you. Even EnCase in acquisition mode works just fine. You're going to experience the typical bottlenecks of a network-based acquisition, so one working "better" than the other really becomes a more subjective measure.
F-Response is a fantastic tool, and a quantum leap forward for IR and digital forensics…but in the end, it's a tool. As such, it can't be considered to be a silver-bullet solution for everything. Carpenters have more than just a hammer in their toolbox, because they realize that everything isn't a nail.
Using Tactical to image over a network isn't an issue, as long as you understand connectivity. Too many people say that F-Response "doesn't work" when the issue is really that they don't understand simple TCP/IP networking, and the role played by firewalls and routers. For what you are trying to do, Tactical may be a good solution, but Enterprise may be better. The issue with providing a response as to what the "best" approach is, is that without more information, it's hard to recommend anything.
Hello,
I have been trying this on QNAP NAS devices so far, however I have one of each kind of NAS in the office as we're always playing about with ways of getting data from devices other than PCs.
You're right, the QNAP doesn't support exe's, but if you map the drive on a PC/laptop connected to the NAS, you can run Tactical against that device. It's a bit long-winded, plus we might not always have access to the NAS to set up access rights.
We're always looking at the 'short time-frame/large quantity of data' scenario. For example, you can buy 8-bay RAID devices for home. Fill it with 2TB discs and you have a massive amount of storage. We thought that you might be able to target specific file-types with F-Response Tactical. Titan CLI is a pretty good tool for this.
Mark
Would it be possible to use Tactical on a remote machine that the Examiner PC is not on the same network as?
If you were to set up an SSH connection between the two computers you can most definitely do it. Your problem here is going to be speed. It is likely quicker to have someone send you a copy of the drive than trying to do analysis over the internet.