On Tuesday, I received a package in the mail from Matt Shannon, founder and creator of F-Response. Inside was a small, F-Response-branded USB thumb drive containing the upcoming release of F-Response due out April 15, 2009. I updated my dongle, installed the new license manager and was ready to begin testing.
One of the first things I noticed is the newly redesigned license manager to replace the NetUnikey Server! Thank you, thank you, thank you. The third-party NetUnikey Server for dongle authentication in previous releases sucked, and I even ran into some bizarre network issues where it wouldn't authenticate in version 1.18 but was fine in the 2.x betas. Now, that's all fixed and working great. For those of you unfamiliar with the product, their is a licensing dongle. In the Field Kit edition, it has to be plugged into the host you are examining. In the Consultant and Enterprise editions, the dongle can be plugged into the analyst's workstation. When the F-Response client runs on the host being analyzed, it first must authenticate to the workstation with the dongle in it. It was the NetUnikey Server that used to accept and authenticate the requests from the F-Response clients. Now, it's gone and the F-Response License Manager serves that purpose in version 3.09.
The next major feature addition is the inclusion of the new management interfaces in the Enterprise and Consultant editions. They make deployment and connecting to remote disks a piece of cake. The Enterprise Management Console allows you to push the F-Response enterprise service to hosts you have admin rights to, start the service and connect to the disks and memory. The Consultant Connector makes it easy to connect to disks from hosts on which the Consultant F-Response client is running. There are several videos over at the F-Response site if you want to see them in action (linked to by their names above). The Enterprise Management Console will definitely be a head turner for companies who have been looking to replace products like Encase Enterprise but weren't sure if F-Response was the solution. It's about time to take a another look if you're one of those groups.
For me, the most exciting new features were the inclusion of support for Mac OS X and Linux in the Enterprise and Consultant versions. Previously, support for those OS's were only on the Field Kit edition. So far, F-Response has been working flawlessly on Mac and Linux. Earlier this week, I witnessed two Mac OS X machines have their entire 200+GB hard drives images over the network with F-Response. I personally tested a Mac Book Pro with the latest version of OS X, a fully updated Ubuntu Linux system and a Windows XP SP3 system.
In this screenshot, you can see the different options available in the Mac OS X client.
I created an autoconfigure ".ini" file using the Windows F-Response client, which has a GUI interface where you enter the IP of the host with the dongle and the user credentials to connect back into the machine over iSCSI. As you can see in this screenshot, I ran the executable with the "-c" option followed by the autoconfigure file I had created from the Windows client. The F-Response client authenticated, mounted the available drives and started listening for connections via iSCSI.Did you notice how there were two drives in the last screenshot that were mounted read-only? What's worth noting is that this is my MacBook Pro which only has one hard drive. I use FileVault for encrypting my Home directory. The second drive is my Home directory mounted. I know one of the big features in Windows was the ability to access disk Volumes and not just raw hard drives, but I was surprised to see this behavior. I haven't tested imaging the mounted Home directory via F-Response, yet, but should be interesting.
This next screenshot is of the Linux F-Response client. It's pretty much identical to the Mac version and works with the same autoconfigure file as both Windows and Linux. This is a great feature allowing you to create CDs to hand out to your help desk with all versions of the client and only one ".ini".
This next screenshot is FTK Imager connected to a Linux host. While I was testing, I only looked around the filesystem a bit, but I could have easily imaged the drive. I think one of the things I like about F-Response the most is the flexibility it gives me to use pretty much any forensic tool I want whether it's FTK, Encase, RegRipper or anything else. It really lives up to its slogan by extending your arsenal.