RealSecurity

A Different Perspective of Information Security


F-Response

There’s still room for great technology in security

There is no shortage of technology in the information security industry. As time passes, there are fewer and fewer cases of truly interesting and compelling solutions that have the potential to revolutionize the industry. However, they do come along on occasion: with no fanfare, hidden in the back of some massive vendor expo hall, they sneak up on you, and the next thing you know you can’t live without them. So, expect to be buying F-Response in the near future.

It’s not that it uses some new quantum theory algorithm, coded using an alien language from Area 51, or compiled using plasma-induced crystal processing. Nope. It’s, well, technically speaking, very simple. But so is the shoelace, and I bet you have a few of those hanging around you can’t live without. F-Response is an enabler, and one that completely changes the dynamics of computer forensics and data collection.

Computer forensics requires an amalgamation of deep technical skill, investigative thinking, astute security knowledge, attention to detail, and patience. Moreover, it requires the use of sophisticated technology that enables the investigator to interact with the targeted system in a manner that does not invalidate the evidence. With information systems becoming increasingly intertwined with people, business, and society as a whole, computer forensics is a growing industry.

In traditional forensics the target computer’s hard drive is usually removed and attached to an independent system, such as EnCase or another product specifically designed to process the raw data. Of course, the usual first step is making an image (copy) of the hard drive at the sector level so analysis can be performed without actually having to work with the source. From this point it’s up to the investigator’s experience and know-how to cull through the data to find those magic bits of information that can be used as evidence.

The process of collecting the data can become cumbersome for the investigator and the user. Also, from the user’s perspective, it’s typically seen as a negative act. I don’t care what the user says or how nonchalant they appear when the investigator arrives to take their computer, they are nervous about the process – it’s somewhat disruptive for them. Then there is the matter of investigating servers. Having to take them off-line and dealing with complex storage models can elongate the process and disrupt business.

In virtually all cases the data physically collected is a one-time snapshot. This has pros and cons. The advantage, of course, is that you can capture critical information in swap files or slack space on the disk that could easily be overwritten in a short period of time. The disadvantage is that things change and evolve, so there could be real value in processing several images of the system over time. However, are you going to shut down the server or remove the hard drives from 50 users’ computers every day or every week? Unlikely.

These have been “accepted barriers” to forensics and raw data collection activities. No one really questioned the tried and tested method – until Mathew Shannon came along as the founder of F-Response.

(Note: There are several other videos available from F-Response that are well worth watching.)

F-Response allows the investigator to conduct live forensics, data recovery, and eDiscovery over an IP network using any tool of their choice. It’s not an analysis tool; it is an enabler for existing data tools and extends their reach using existing IP data networks. This means if you have an IP connection to a system, you can collect – live and in real time – forensically sound images. Wow. Think about that for a second. Let it sink in…

Using iSCSI as the foundation for leveraging IP connectivity, an investigator can retrieve sector-level data from system-attached data stores. Of course, the entire process is read-only, and the very, very small client-side software, in combination with iSCSI, ensures that an examiner cannot purposefully or accidentally write to the targeted stores. Also, something pretty cool as an added benefit of the software is the ability to capture data in physical memory (RAM).

The amazing part is that you don’t have to be an expert with the tool to use it. You can install and start using F-Response in just a few minutes. In the hands of an experienced investigator it can instantly provide access to systems anywhere. By using the F-Response Enterprise management console you can deploy to remote systems, connect to the systems, review the disks, detach, and uninstall from remote systems. It’s a single interface to manage the entire lifecycle of acquiring system data.

The interesting part is that the deployment of the capability to remote systems can be as surreptitious as you need it to be, by using administratively privileged system and domain users as the method of installation. It will also scan the network for systems and present the accessible ones (based on the user name and password combination you configured) that can have the F-Response client installed. Once installed, that system can be made available to the investigator for data collection. From this point, the investigator can connect to the remote disk, making a local representation of it for imaging to be processed by an analysis tool of your liking, saved as a backup image, or mined for valuable data. What is truly interesting is that this solution can access any IP-enabled system that supports iSCSI. So, this promotes the use of the tool for a wide range of system and platform types.
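The acquisition side of the workflow described above, as an added example that is not F-Response’s own code: it assumes the iSCSI-attached store shows up as a local block-device path (a constructed file stands in for it here so the example runs offline), images it read-only sector by sector, hashes the result, and diffs two images of the same store to find the sectors that changed between snapshots.

```python
# Added example, not F-Response code. The attached store is assumed to appear as a
# local path (e.g. a placeholder like /dev/sdX); a constructed file stands in for it.
import hashlib
import os
import tempfile

SECTOR = 512  # assumed sector size; use the store's real geometry in practice

def sha256_of(path: str) -> str:
    """Hash a file in 1 MiB chunks; used to verify an image after acquisition."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def acquire_image(source: str, image_path: str, sector: int = SECTOR) -> str:
    """Copy source to image_path one sector at a time; "rb" never asks for write access."""
    digest = hashlib.sha256()
    with open(source, "rb") as src, open(image_path, "wb") as dst:
        for chunk in iter(lambda: src.read(sector), b""):
            digest.update(chunk)   # hash of the bytes as they were read from the store
            dst.write(chunk)
    return digest.hexdigest()

def changed_sectors(image_a: str, image_b: str, sector: int = SECTOR) -> list:
    """Indices of sectors that differ between two images of the same store."""
    changed, index = [], 0
    with open(image_a, "rb") as a, open(image_b, "rb") as b:
        while True:
            sa, sb = a.read(sector), b.read(sector)
            if not sa and not sb:
                return changed
            if sa != sb:
                changed.append(index)
            index += 1

def demo() -> tuple:
    """Constructed run: a four-sector 'disk' imaged twice, sector 2 overwritten between."""
    workdir = tempfile.mkdtemp()
    disk = os.path.join(workdir, "disk.bin")
    with open(disk, "wb") as f:
        f.write(b"A" * SECTOR + b"B" * SECTOR + b"C" * SECTOR + b"D" * SECTOR)
    img1, img2 = os.path.join(workdir, "snap1.dd"), os.path.join(workdir, "snap2.dd")
    hash1 = acquire_image(disk, img1)
    with open(disk, "r+b") as f:  # the live system keeps running and changes a sector
        f.seek(2 * SECTOR)
        f.write(b"X" * SECTOR)
    hash2 = acquire_image(disk, img2)
    return hash1, hash2, changed_sectors(img1, img2), img1
```

Comparing `sha256_of(image)` with the hash returned by `acquire_image` confirms the stored image matches what was read from the store.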

The method used for deployment combined with the licensing structure and validation make the tool extraordinarily sound for ethical purposes. This isn’t a L0Pht-like tool that can be used easily for good or evil. You can’t simply download the tool and start taking images of someone’s system all willy-nilly. There is a well-defined structure in the implementation and installation that ensures the tool’s use is governed.

F-Response is groundbreaking and completely changes how forensics and other data-sensitive activities can be performed. It’s astounding to find that it can be so enormously valuable and effective, yet ingeniously simple. I think this is an amazing solution - not because I’m a forensics expert (which I’m not), but because I’m a security enthusiast. This solution is exciting because of what it represents. The simplicity of function and use is only matched by its effectiveness and usefulness. Moreover, it just works – no frills, nothing included you don’t need or can’t find value in using.

It’s perfect, eloquent, intelligence in motion.

If you perform forensics, data recovery, or other data collection activities every day, this tool is invaluable and will dramatically change how you work and make you far more efficient and effective. If you never perform these types of functions or expect you will have to in the future, you still need this tool. One day you will want to reach out and touch someone’s computer to retrieve your valuable data, collect evidence, simply have a back-up, or who knows what may surface. Regardless, the ability to do so has intrinsic value to any organization.

I rarely get excited about technology, but I simply can’t help but love this tool because of what it represents, how it works, and the fact that it works so well. Moreover, it can be used to accomplish so many things. Clearly, imaging a disk and doing so over the network represents significant value to forensics activities, but this capability can be applied to just about anything. It’s a ubiquitous data acquisition utility that can be of huge value to security professionals or anyone with the need to collect data.

Go get a copy and play with it – you’ll get excited too.

Wednesday 29 July 2009 at 09:38 am

Posted in technology
