Most of you are familiar with and have seen the numerous posts on various blogs & websites about the capabilities of F-Response. If you don't already own F-Response, you should go here first!
I don't work for F-Response or Guidance Software, nor do I have any financial interest in either of their successes. I have been using EnCase for many years and have "cut my teeth" using EnCase, so it's one of the primary tools I use. But I cannot personally afford EnCase Enterprise, so I am always looking for alternative ways to perform "Enterprise-wide" forensics. Enter F-Response.
F-Response really helps bridge the gap of available affordable tools that enable an examiner to do network based forensics or remote collections. The only limitation with F-Response was that you really could not automate F-Response in an unattended fashion and have it work together with EnCase, until now :))
Matthew Shannon at F-Response has released a version of F-Response Enterprise that now contains a scriptable object. That object can be controlled by any program that supports COM. So basically, using the standard off-the-shelf version of EnCase Forensic, you can automate the remote connection, analysis and collection of whatever data you want, based on whatever criteria you wish via EnScript.
Below is a fully functional proof-of-concept EnScript that works with the new version of F-Response Enterprise Edition. Requirements:
You need EnCase Forensic version or Law Enforcement version (not Enterprise)
You need the most recent version of F-Response Enterprise version (download page of http://www.f-response.com/) and the new F-Response scriptable COM object.
To make this POC EnScript work, you need to have the latest version of F-Response Enterprise installed and the basic configuration information completed in the FEMC. Below is an example of the required information that needs to be set in the FEMC:
Once you have this information configured, you do not need the FEMC running, but you do need the F-Response License Manager running and your F-Response dongle connected.
Once you have the above completed, you can open EnCase and run the EnScript below. It will ask for the credentials for the remote machine. The credentials are used to install, start, stop and uninstall the F-Response client on the remote machine, just like if you were doing this manually in the FEMC. The F-Response client does not neet to be installed and/or running already. Specify a remote IP address (or several) then click "OK":