Wednesday, May 21, 2008

F-Response - Extend Your Arsenal

I recently played with F-Response Enterprise Edition, and I have to tell you, this stuff rocks! Excuse me...R0x0rz! Imagine as an incident responder if you could have read-only access to a remote disk...completely independent of your toolset? This means that once you get F-Response up and running, you have a disk on your system, which is the physical disk of the remote system...but it's read-only. Wanna grab files? Do it. Wanna image the drive? Do it.

Just so you know, you'll need to get the MS iSCSI Software Initiator as well.

So once I got everything set up (Matt's documentation is pretty straight forward) and running, all I had to do was run the installed service on the remote this case, a Windows XP VMWare session. Once that was done, I had a nice little indicator that the remote system was connected to. Very good. Then I looked and saw that I had an icon for an F:\ drive now attached to my system. I could browse it, copy files, do was all read-only. No changes (file modifications, adding files, etc.) appeared on the remote system drive.

So then I thought I'd replicate what Hogfly had done using RegRipper...and it worked like a champ! I simply fired up RegRipper 2.02, pointed it at the NTUSER.DAT for the user account on my remote system, and ran it, saving the report and log files locally.

Awesome! RegRipper ran very well, over if it were running against a file that I'd extracted from an image, locally.

The cool thing is that F-Response EE can be easily pushed out as part of an incident preparedness program, or pushed out remotely using tools like psexec.exe. By design (and an excellent choice, I must say), the F-Response service does NOT start automatically...which means that as an administrator, you can have the service sitting there until you need it. As an incident responder, once you get it set up and running, all you need to do is launch the service.

Matt Shannon, the creator of F-Response, also has two other versions of F-Response...I was using the Enterprise Edition. Check out his site and see which version may be suitable for you.

Great job, Matt! Excellent tool! I really look forward to seeing not only what updates you may have available in the future, but also some of the novel and inventive ways folks come up with for using and employing such a simple and yet 0h-so-powerful tool!

Note: Updating a license for F-Response is a breeze! Download the update file, download the updater, plug in the FOB, run the updater, point it at the update file...and bang, in a couple of seconds you're stick-a-fork-in-me-I'm-DONE!

Rob Hensing blogs about...this post!
Lance "The Man" Mueller's blog post

No comments: