Tuesday, May 26, 2009

F-Response Field Kit Edition Review

I purchased the field kit edition of F-Response to use in a specific case. I had a fully encrypted hard drive I needed to acquire and even though I had the password to boot the computer, acquiring it forensically was a real challenge.

So I turned to the F-Response tool as a solution. Before I used it in the actual case, I tested it on one of my lab computers to make sure that it worked as advertised and also that I fully understood the process for using the tool.

In the Field Kit edition, you have to place the license dongle on the computer to be acquired. Since the dongle is recognized as a HID (Human Interface Device), it does not require any unusual drivers and is recognized quickly and painlessly.

To begin the process of using F-Response, you install it on the computer that is going to do the acquisition. You do not install anything on the subject computer.

While I found the documentation to be pretty good, it was a little sparse in the actual use of the product. For one thing, it should be very clear that the executable that you are going to use on the subject computer is located in the installation directory of the F-Response product. You can write the executables to any media that the subject machine can read, such as a CD or USB stick. I prefer to put it on a CD as I don't want the subject machine to load drivers for a USB stick or portable drive.

F-Response supports Windows, Linux and Mac. That is pretty awesome.

Here is a quick walk-through on using the product, step by step, without screenies.

1. The subject computer has to be booted up in its native operating system. In my case, since it was a fully encrypted hard drive, this was the only practical way to get the image.
2. Place the license USB dongle in a USB slot on the subject computer.
3. Write the executables from the F-Response installation folder to a CD.
4. Place the CD in the subject computer's CD drive and execute the proper host program (Windows, Linux or Mac).
5. Once the F-Response host program opens on the subject machine, fill in the proper fields. (This is covered in detail in the manual.) Note: If you are using a crossover cable, like I was, and the subject computer is set to obtain its address via DHCP, it will have a host IP address in the 169.254 range (the automatic address assigned when no DHCP server answers). This works fine.
6. Start the iSCSI initiator on your acquisition computer. (If you are running Windows XP you will need to download this from Microsoft.)
7. Complete the fields as shown in the user manual for the product.
8. Connect to the subject computer.

I have to say it worked flawlessly. I was able to connect to the subject computer with no problems, and could see both the physical hard drive and logical drives on the subject computer.

I then started up EnCase 6.12.1, created a new case and added a device. I selected local drives and VOILA!, there was the subject hard drive conveniently identified as FRES.

I then started the acquisition and it worked without a hitch. This is a great tool for getting to those encrypted drives if you can boot the computer with the password or you find the computer already running and can grab the image without shutting it down.
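Once the iSCSI initiator is connected, the subject disk is just another local drive and EnCase does the imaging. For readers who want to see what that acquisition step does under the hood, or who want to image the F-Response-presented drive from a script, here is an added example in Python. It is not code from F-Response or from this post: a block-by-block imager that hashes (MD5 and SHA-1) as it copies, records any range it cannot read and zero-fills it so every later byte keeps its original offset (the way forensic imagers handle bad sectors or a dropped read on a network-mounted device), and then re-hashes the written image to verify it. The device paths in the comments (`/dev/sdb`, `\\.\PhysicalDrive2`), the `FlakyDevice` stand-in and the 4 KiB sample data are constructed for the demonstration.

```python
"""Added example: image a device block by block, hashing as you go."""
import hashlib
import io
import os
import tempfile
import time

CHUNK_SIZE = 1024 * 1024  # 1 MiB per read; a constructed default


def hash_bytes(data):
    """MD5 and SHA-1 hex digests of an in-memory buffer."""
    return hashlib.md5(data).hexdigest(), hashlib.sha1(data).hexdigest()


def copy_and_hash(src, dst, size, chunk_size=CHUNK_SIZE):
    """Copy `size` bytes from file object `src` to `dst`, hashing what is written.

    A read that raises OSError (bad sector, or a dropped read on the iSCSI-
    mounted disk) is logged and the range is written as zeros, so the image
    stays offset-accurate. A short read without an exception is treated the
    same way. Returns a summary dict with hashes and the error list.
    """
    md5, sha1, errors, offset = hashlib.md5(), hashlib.sha1(), [], 0
    while offset < size:
        want = min(chunk_size, size - offset)
        try:
            src.seek(offset)
            data = src.read(want)
        except OSError as exc:
            errors.append({"offset": offset, "length": want, "error": str(exc)})
            data = b""
        if len(data) != want:
            if data:  # partial data: only the tail is unreadable
                errors.append({"offset": offset + len(data),
                               "length": want - len(data), "error": "short read"})
            data += b"\x00" * (want - len(data))
        dst.write(data)
        md5.update(data)
        sha1.update(data)
        offset += want
    return {"bytes": offset, "md5": md5.hexdigest(),
            "sha1": sha1.hexdigest(), "errors": errors}


def image_device(device_path, image_path, size=None, chunk_size=CHUNK_SIZE):
    """Image a raw device (e.g. /dev/sdb or \\\\.\\PhysicalDrive2; assumed paths)
    to a flat dd-style file and return the acquisition summary."""
    with open(device_path, "rb", buffering=0) as src, open(image_path, "wb") as dst:
        if size is None:
            size = src.seek(0, os.SEEK_END)  # seek() returns the new position
        started = time.time()
        result = copy_and_hash(src, dst, size, chunk_size)
    result["seconds"] = round(time.time() - started, 2)
    return result


def hash_file(path, chunk_size=CHUNK_SIZE):
    """Re-read a file from disk and return its (md5, sha1) hex digests."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk_size), b""):
            md5.update(block)
            sha1.update(block)
    return md5.hexdigest(), sha1.hexdigest()


def verify_image(image_path, result):
    """True if the image on disk hashes to what was computed during the copy."""
    return hash_file(image_path) == (result["md5"], result["sha1"])


class FlakyDevice(io.BytesIO):
    """Constructed stand-in for a disk with one unreadable byte range."""

    def __init__(self, data, bad_offset, bad_length):
        super().__init__(data)
        self.bad_start, self.bad_stop = bad_offset, bad_offset + bad_length

    def read(self, n=-1):
        start = self.tell()
        end = start + n if n >= 0 else len(self.getvalue())
        if start < self.bad_stop and end > self.bad_start:
            raise OSError(5, "Input/output error")
        return super().read(n)


def demo():
    """Image a constructed 4 KiB 'device' whose bytes 1024..1123 are unreadable."""
    data = bytes(range(256)) * 16
    device = FlakyDevice(data, bad_offset=1024, bad_length=100)
    image = io.BytesIO()
    result = copy_and_hash(device, image, len(data), chunk_size=512)
    return result, image.getvalue(), data


def demo_files():
    """Round trip through real files: write constructed data, image it, verify."""
    data = bytes(range(256)) * 16
    with tempfile.TemporaryDirectory() as tmp:
        src, dst = os.path.join(tmp, "device.bin"), os.path.join(tmp, "device.dd")
        with open(src, "wb") as f:
            f.write(data)
        result = image_device(src, dst)
        return result, verify_image(dst, result)


if __name__ == "__main__":
    summary, _, _ = demo()
    print(summary)          # one 512-byte error at offset 1024, hashes of the zero-filled image
    print(demo_files())     # clean copy: no errors, verify_image() is True
```

The error list is the part worth keeping with the case notes: a clean acquisition over the iSCSI link should show an empty list, and anything else tells you exactly which offsets in the image are filler rather than evidence.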

While I did not have an opportunity to review the Consultant or Enterprise editions (too expensive to buy just for a review), I feel certain they work just as well.

At a low price of under $300.00 for the Field Kit Edition, I would recommend it for every examiner's tool box.

1 comment:

Anonymous said...

Very Good! Jose Milagre - CF expert - Brazil - Sao Paulo