I have been using F-Response Tactical lately and wanted to share some of my thoughts. When I first encountered the Tactical product, I had to brainstorm with Matt Shannon at F-Response to understand its use cases. I spend a lot of my time doing incident response, and in that role I have used many of the enterprise forensic platforms. These tools are largely agent based, meaning a small application is run on the target system allowing raw device access to system components and communication back to a central hub for analysis. F-Response has this capability in their Consultant and Enterprise editions, and the capability has even started to filter down to some of our standard forensic suites, such as FTK 3 covered in this previous post. F-Response Tactical takes a different approach. It uses a paired set of dongles instead of agents. While limiting for some applications (such as geographically remote acquisition), it makes up for it by being dead simple to use. To start, you plug the “Subject” dongle into your target system and execute an application to begin beaconing on the network. The matched “Examiner” dongle plugs into your forensic workstation and is used to connect to the Subject. Once connected, you have full access to all physical disks, volumes, and memory on the Subject system. Since access is at the raw device level, even files traditionally locked by the filesystem can be accessed, like Exchange .edb database files, Registry hives, and System Restore Points. These items are mounted on your forensic workstation, allowing analysis using your favorite forensic software.
Live Response Applications
The target audience for Tactical is those who encounter systems that they don’t want to turn off or disassemble. Imagine you are called on to image a MacBook Air. Your Tableau write-blocker isn’t going to help you with that one. Or perhaps you need to image a Linux server with an attached RAID array. What about a live system that may have full-disk encryption? F-Response Tactical would be helpful in all of these situations. I frequently conduct live acquisitions for these reasons along with the simple fact that it isn’t always possible to shut down a business critical system or deprive an employee of their workstation. Acquiring data via F-Response has some distinct advantages:
- Very small footprint – only one tool (F-response) needs to be run on the target system (all subsequent acquisition and analysis tools are run on your forensic workstation)
- Allows triage and quick filesystem analysis in a read-only environment
- Acquisition performed over the network with iSCSI, so no specialized equipment necessary
- Simplifies interaction with exotic systems (instead of performing a command-line acquisition using dd on an AIX system, you can run FTK Imager from your forensic platform)
In short, Tactical improves upon nearly every step we might take on a live system. The one outlier might be the need to pull volatile system information like process listings, network connections, and loaded drivers. Tools to collect this information would still need to be executed on the target system. However, memory analysis is rapidly reducing the need for the traditional “live response script”, so this may not be much of a limitation in the future.
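Once the Subject's physical disk is presented to the examiner workstation as a local block device (over iSCSI in Tactical's case), the acquisition itself is just a chunked raw read with integrity hashing, which is what dd or FTK Imager do under the hood. The following is an added example written for this post, not F-Response or FTK code. It assumes the device is already readable as a file-like object, and it shows the one edge case a live acquisition must handle: an unreadable region, which is zero-filled so image offsets stay aligned with the device (dd's conv=noerror,sync behaviour). The FlakyDevice class and the sample bytes are constructed stand-ins for a real device.

```python
"""Minimal dd-style raw device imager with integrity verification.

Added example, not F-Response or FTK code. Assumes the Subject disk is already
exposed to the examiner workstation as a readable device; on a real system the
source would be open("/dev/sdb", "rb", buffering=0) or the Windows equivalent
open(r"\\.\PhysicalDrive1", "rb", buffering=0), both requiring admin rights.
"""
import hashlib
import io
from dataclasses import dataclass, field

CHUNK = 512 * 8  # 4 KiB per read: a multiple of the 512-byte sector size


@dataclass
class ImageResult:
    total_bytes: int
    sha256: str
    bad_chunks: list = field(default_factory=list)  # offsets zero-filled after read errors


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of an in-memory buffer (used by tests and for reporting)."""
    return hashlib.sha256(data).hexdigest()


def image_device(src, dst, chunk_size: int = CHUNK) -> ImageResult:
    """Copy src to dst chunk by chunk, hashing exactly what is written.

    A read error on one chunk is recorded in bad_chunks and the chunk is
    written as zeros, so every later offset in the image still matches the
    device. Returns the byte count, the image hash and the list of bad offsets.
    """
    digest = hashlib.sha256()
    total = 0
    bad = []
    offset = 0
    while True:
        src.seek(offset)  # re-seek each time so a failed read cannot desync us
        try:
            data = src.read(chunk_size)
        except OSError:
            bad.append(offset)
            data = b"\x00" * chunk_size
        if not data:  # end of device
            break
        dst.write(data)
        digest.update(data)
        total += len(data)
        offset += len(data)
    dst.flush()
    return ImageResult(total, digest.hexdigest(), bad)


def verify_image(dst, expected_sha256: str, chunk_size: int = CHUNK) -> bool:
    """Re-read the written image from the start and compare its hash."""
    digest = hashlib.sha256()
    dst.seek(0)
    while True:
        data = dst.read(chunk_size)
        if not data:
            break
        digest.update(data)
    return digest.hexdigest() == expected_sha256


class FlakyDevice(io.BytesIO):
    """Constructed stand-in for a raw device with one unreadable chunk."""

    def __init__(self, data: bytes, bad_offset: int):
        super().__init__(data)
        self.bad_offset = bad_offset

    def read(self, size=-1):
        if self.tell() == self.bad_offset:
            raise OSError(5, "Input/output error")  # what a bad sector looks like
        return super().read(size)


def demo():
    """Image a constructed three-chunk 'disk' whose middle chunk is unreadable."""
    disk = bytes(range(256)) * 16 * 3  # 3 * 4096 bytes of constructed content
    src = FlakyDevice(disk, bad_offset=CHUNK)  # chunk 1 raises on read
    dst = io.BytesIO()
    result = image_device(src, dst)
    return {
        "result": result,
        "verified": verify_image(dst, result.sha256),
        "image": dst.getvalue(),
        "source": disk,
    }


if __name__ == "__main__":
    out = demo()
    print(out["result"], "verified:", out["verified"])
```

The per-run hash is the value you record in your acquisition notes; the bad_chunks list is what you disclose in the report, since a zero-filled region is not evidence of anything. Against a real iSCSI-mounted device, swap the FlakyDevice for the opened block device and write to a file opened in binary mode.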
Strengths:
- Takes seconds to get two systems communicating
- Allows raw access to disk and memory (memory access only for Windows systems)
- Facilitates quick triage and fast forensics
- Unparalleled operating system support (nearly every Windows platform, common Unix flavors like Linux 2.4.x+, and more unique platforms like SCO and AIX)
Limitations:
- Not designed to support systems geographically separated from your present location (upgrade to the Consultant or Enterprise versions for this capability)
- Requires USB support on the target system (USB devices may not be available or authorized in some environments)