Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Perimeter

4/8/2009
01:59 PM
John H. Sawyer
John H. Sawyer
Commentary
50%
50%

F-Response 3.09 Preview

I've written a little about F-Response before. It's an incident response and forensic tool that gives investigators and responders the ability to access a running computer system's hard drive and physical memory in a read-only manner. Your analysis workstation connects over iSCSI to the target machine, and you can use practically any forensic tool to conduct analysis and imaging. I have used it with Forensic Toolkit (FTK), Encase, FTK Imager, Memoryze, and X-Ways. It's a great "enabler" tool tha

I've written a little about F-Response before. It's an incident response and forensic tool that gives investigators and responders the ability to access a running computer system's hard drive and physical memory in a read-only manner. Your analysis workstation connects over iSCSI to the target machine, and you can use practically any forensic tool to conduct analysis and imaging. I have used it with Forensic Toolkit (FTK), Encase, FTK Imager, Memoryze, and X-Ways. It's a great "enabler" tool that's now getting some major upgrades.The company sent me a prerelease version of F-Response 3.09, which will be released April 15. It includes a new license manager, and new interfaces for the Consultant and Enterprise editions make deploying and connecting to target hosts a breeze. Previously, I had to use something like Pstools to push the executable and start the service before being able to analyze a system, but now it's point-and-click easy, provided you have administrator credentials on the target systems.

Platform support for Linux and Mac OS X are now available in the Consultant and Enterprise versions. Physical memory is not included on those platforms like on Windows, but support for the new OSes works great. I've been testing both and have had no problems -- except for one small mistake on my part: I forgot that Mac OS X Leopard has the new application firewall and no longer uses ipfw, so I banged my head a bit trying to figure out why I couldn't connect. This isn't something you have to worry about on Windows because it automatically modifies the firewall to allow access, and closes it with you're done.

Performancewise, F-Response 3.09 works quite well, but a lot of the speed depends on the tool you're using to analyze or image the remote system, and, of course, network congestion and connectivity. Tools like Encase often image hard drives in smaller chunks, so there is a lot more overhead in transferring each bit, making imaging take longer. The product's creator, Matt Shannon, shared some tips with me about modifying Encase to speed up the imaging process by grabbing larger chunks of data at a time, which made a significant difference.

One of the things I really like about F-Response is the Autoconfiguration button, which lets you input all of the necessary information so you can create a preconfigured CD, ISO, or USB thumb drive that can be handed to first responders. They can plug it into a system, run the executable, and I immediately have access to perform remote analysis, collect malware specimens, and image memory. Last night, I created an autoconfig file and found that it worked on Mac, Linux, and Windows without needing any changes.

I know there are more features that I haven't found yet in my testing, but so far I'm very impressed with F-Response 3.09. It's rare to find a tool that truly makes it possible to extend your other tools' functionality in new and interesting ways. F-Response is one of those exceptions.

John H. Sawyer is a senior security engineer on the IT Security Team at the University of Florida. The views and opinions expressed in this blog are his own and do not represent the views and opinions of the UF IT Security Team or the University of Florida. When John's not fighting flaming, malware-infested machines or performing autopsies on blitzed boxes, he can usually be found hanging with his family, bouncing a baby on one knee and balancing a laptop on the other. Special to Dark Reading.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Edge-DRsplash-10-edge-articles
7 Old IT Things Every New InfoSec Pro Should Know
Joan Goodchild, Staff Editor,  4/20/2021
News
Cloud-Native Businesses Struggle With Security
Robert Lemos, Contributing Writer,  5/6/2021
Commentary
Defending Against Web Scraping Attacks
Rob Simon, Principal Security Consultant at TrustedSec,  5/7/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-18165
PUBLISHED: 2021-05-12
Cross Site Scripting (XSS) in LAOBANCMS v2.0 allows remote attackers to execute arbitrary code by injecting commands into the "Website SEO Keywords" field on the page "admin/info.php?shuyu".
CVE-2020-19275
PUBLISHED: 2021-05-12
An Information Disclosure vulnerability exists in dhcms 2017-09-18 when entering invalid characters after the normal interface, which causes an error that will leak the physical path.
CVE-2021-29511
PUBLISHED: 2021-05-12
evm is a pure Rust implementation of Ethereum Virtual Machine. Prior to the patch, when executing specific EVM opcodes related to memory operations that use `evm_core::Memory::copy_large`, the `evm` crate can over-allocate memory when it is not needed, making it possible for an attacker to perform d...
CVE-2020-19274
PUBLISHED: 2021-05-12
A Cross SIte Scripting (XSS) vulnerability exists in Dhcms 2017-09-18 in guestbook via the message board, which could let a remote malicious user execute arbitrary code.
CVE-2021-30211
PUBLISHED: 2021-05-12
Knowage Suite 7.3 is vulnerable to Stored Cross-Site Scripting (XSS). An attacker can inject arbitrary web script in '/knowage/restful-services/signup/update' via the 'surname' parameter.