F-Response 3.09 Preview

I've written a little about F-Response before. It's an incident response and forensic tool that gives investigators and responders the ability to access a running computer system's hard drive and physical memory in a read-only manner. Your analysis workstation connects over iSCSI to the target machine, and you can use practically any forensic tool to conduct analysis and imaging. I have used it with Forensic Toolkit (FTK), Encase, FTK Imager, Memoryze, and X-Ways. It's a great "enabler" tool that's now getting some major upgrades.The company sent me a prerelease version of F-Response 3.09, which will be released April 15. It includes a new license manager, and new interfaces for the Consultant and Enterprise editions make deploying and connecting to target hosts a breeze. Previously, I had to use something like Pstools to push the executable and start the service before being able to analyze a system, but now it's point-and-click easy, provided you have administrator credentials on the target systems.

Platform support for Linux and Mac OS X are now available in the Consultant and Enterprise versions. Physical memory is not included on those platforms like on Windows, but support for the new OSes works great. I've been testing both and have had no problems -- except for one small mistake on my part: I forgot that Mac OS X Leopard has the new application firewall and no longer uses ipfw, so I banged my head a bit trying to figure out why I couldn't connect. This isn't something you have to worry about on Windows because it automatically modifies the firewall to allow access, and closes it with you're done.

Performancewise, F-Response 3.09 works quite well, but a lot of the speed depends on the tool you're using to analyze or image the remote system, and, of course, network congestion and connectivity. Tools like Encase often image hard drives in smaller chunks, so there is a lot more overhead in transferring each bit, making imaging take longer. The product's creator, Matt Shannon, shared some tips with me about modifying Encase to speed up the imaging process by grabbing larger chunks of data at a time, which made a significant difference.

One of the things I really like about F-Response is the Autoconfiguration button, which lets you input all of the necessary information so you can create a preconfigured CD, ISO, or USB thumb drive that can be handed to first responders. They can plug it into a system, run the executable, and I immediately have access to perform remote analysis, collect malware specimens, and image memory. Last night, I created an autoconfig file and found that it worked on Mac, Linux, and Windows without needing any changes.

I know there are more features that I haven't found yet in my testing, but so far I'm very impressed with F-Response 3.09. It's rare to find a tool that truly makes it possible to extend your other tools' functionality in new and interesting ways. F-Response is one of those exceptions.

John H. Sawyer is a senior security engineer on the IT Security Team at the University of Florida. The views and opinions expressed in this blog are his own and do not represent the views and opinions of the UF IT Security Team or the University of Florida. When John's not fighting flaming, malware-infested machines or performing autopsies on blitzed boxes, he can usually be found hanging with his family, bouncing a baby on one knee and balancing a laptop on the other. Special to Dark Reading.