Blog Series: Using F-Response In Enterprise Investigations

This month, Jamie McQuaid, a Forensics Consultant at Magnet Forensics, looked at how F-Response and Magnet AXIOM can be used together to recover data remotely in enterprise investigations.

In this three-part series, Jamie discusses how to establish a read-only, secure connection to a remote host allowing examiners to acquire or analyze physical disks and volatile data. The series uses Magnet AXIOM as an example of a tools that can be used to recover and examine the data, but as F-Response is tool-agnostic, any tool could conceivably be used.In the first post, Jamie walks through set up and acquisition methods using F-Response Enterprise to connect to a remote machine and analyze the contents. (Read the full post here: Using F-Response and Magnet AXIOM to Conduct Enterprise Investigations.)

In the second post, Using F-Response and Magnet AXIOM: Use Case 1 – Targeted Acquisition, Jamie discusses a specific use case. He says the bottleneck for a proper investigation on a remote host is the network – especially to retrieve a full physical disk image. Luckily, that’s not usually necessary – a targeted acquisition will help save time in acquisition and analysis.

In the third blog post, Jamie walks through another option for recovery and analysis that can save examiners time – previewing without retrieving artifacts. This method has minimal impact to the system or the user and can be facilitated using F-Response and AXIOM together. Read more here: Using F-Response and Magnet AXIOM: Use Case 2 – Preview No Artifacts.

Get The Latest DFIR News!

Top DFIR articles in your inbox every month.


Unsubscribe any time. We respect your privacy - read our privacy policy.

Leave a Comment

Latest Videos

This error message is only visible to WordPress admins

Important: No API Key Entered.

Many features are not available without adding an API Key. Please go to the YouTube Feed settings page to add an API key after following these instructions.

Latest Articles

Share to...