Thursday, March 11, 2010

EnCase + F-Response + EnScript = very affordable network forensics & eDiscovery

Most of you are familiar with and have seen the numerous posts on various blogs & websites about the capabilities of F-Response. If you don't already own F-Response, you should go here first!

I don't work for F-Response or Guidance Software, nor do I have any financial interest in either of their successes. I have been using EnCase for many years and have "cut my teeth" using EnCase, so it's one of the primary tools I use. But I cannot personally afford EnCase Enterprise, so I am always looking for alternative ways to perform "Enterprise-wide" forensics. Enter F-Response.

F-Response really helps bridge the gap of available affordable tools that enable an examiner to do network based forensics or remote collections. The only limitation with F-Response was that you really could not automate F-Response in an unattended fashion and have it work together with EnCase, until now :))

Matthew Shannon at F-Response has released a version of F-Response Enterprise that now contains a scriptable object. That object can be controlled by any program that supports COM. So basically, using the standard off-the-shelf version of EnCase Forensic, you can automate the remote connection, analysis and collection of whatever data you want, based on whatever criteria you wish via EnScript.

Below is a fully functional proof-of-concept EnScript that works with the new version of F-Response Enterprise Edition. Requirements:

You need EnCase Forensic version or Law Enforcement version (not Enterprise)
You need the most recent version of F-Response Enterprise version (download page of and the new F-Response scriptable COM object.

To make this POC EnScript work, you need to have the latest version of F-Response Enterprise installed and the basic configuration information completed in the FEMC. Below is an example of the required information that needs to be set in the FEMC:

Once you have this information configured, you do not need the FEMC running, but you do need the F-Response License Manager running and your F-Response dongle connected.

Once you have the above completed, you can open EnCase and run the EnScript below. It will ask for the credentials for the remote machine. The credentials are used to install, start, stop and uninstall the F-Response client on the remote machine, just like if you were doing this manually in the FEMC. The F-Response client does not neet to be installed and/or running already. Specify a remote IP address (or several) then click "OK":

This POC EnScript is specifically designed to search all the remote IP addresses (or machine names) and find a specific file named "F-Response_text.txt" (case sensitive) on the remote machine. If the file is found, EnCase will print out the full path, logical size and created date in the console. This is just a basic POC to demonstrate the capabilities, but the possibilities are endless. You can do *anything* you could normally do while looking at a local disk or evidence file in EnCase. Want to connect to a list of remote machines and collect certain files that match certain criteria? i.e. size, extension, location, whatever? No problem, it can now be done programmatically.

If you were starting from scratch and didn't have either of these tools, the total price to get the tools would be about $8,500. The great thing is both of these are already widely used and owned by many people. You may not have the Enterprise version of F-Response, but you can upgrade to that and have this capability for just a few thousand dollars.

If you are interested in beta testing a full version of the EnScript that collects files based on user-definable criteria, send me an email at beta(at) with "beta test" in the subject line.

Download Here


Anonymous Thursday, 11 March, 2010  

Very cool, Lance, thanks.
I'm curious though - does this contravene the EnCase Forensic EULA?

Anonymous Thursday, 11 March, 2010  

Raffael Vargas
Great Lance ....

Phil Rodokanakis Friday, 12 March, 2010  

Lance, if it costs around $9K, wouldn't one be better off with EnCase FIM instead? I know it's advertised a lot higher, but they discount it from time to time. And FIM comes with the EnCase Consultants edition which includes all the plug-ins. Does F-Response offer any additional features not found in the FIM?

Lance Mueller Saturday, 13 March, 2010  

Phil, I assume you own at least EnCase Forensic edition, if so then you only need to buy F-Response Enterprise. If you already own a lessor version, then you only need to upgrade that. The $8,000 was if you own nothing.

F-Repsonse does not offer any features like FIM, its not a forensic analysis tool, its a network connection tool. The analysis and features are coming from EnCase, so whatever you have in your EnCase Forensic version as far as modules, or EnScripts, you can use them like usual.

FIM has limitations on concurrent connections, And you will pay more for more connections with FIM, F-Response does not.

I am not preaching that F-Response is a better solution to FIM or EnCase Enterprise. I am just sharing an alternative affordable solution. We all have our favorites and each tool has it's own strength and weaknesses. As I mentioned, I love EnCase Enterprise and FIM, but I cant afford that or the licensing (only installed on one machine), whereas this solution can be installed on any machine. The post above is meant to describe just another alternative solution.

Phil Rodokanakis Tuesday, 16 March, 2010  

Thanks for the feedback, Lance.

My question wasn't well articulated. What I was trying to ask was whether the combination of EnCase Forensic and F-Response had more to offer that EnCase FIM. From what you're saying, I gather that one of the differences would be in the FIM's limitation over concurrent connections.

Lance Mueller Wednesday, 17 March, 2010  

Phil, EnCase FIM is the EnCase you already know with network capabilities.

The only Additional feature you get from FIM or EnCase Enterprise is snapshot ability, which gives you running processes, etc which is very helpful when doing incident response.

But then on the other hand F-Response handles network connection to Windows, Linux, Apple, Solaris, AIX, SCO, HPUX, and Freebsd. FIM does not support all those platforms.

Everything else that you could do or want to do with FIM, can be done with EnCase forensic.

If you are not familiar with EnCase FIM, it looks, tastes, smells and acts just like the EnCase Forensic version you use now, just with the ability to reach out and connect to a remote machine. The analysis part ids the same in EnCase Forensic and FIM.

Phil Rodokanakis Wednesday, 17 March, 2010  

Thanks for the feedback, Lance.

I'm familiar with the FIM and have a copy. I was wondering what other capabilities I may be missing compared to the EnCase Forensics & F-Response combo you described. Now I know...

Best regards, Phil

Anonymous Thursday, 18 March, 2010  

F-response is not correctly linked to the site.

Lance Mueller Thursday, 18 March, 2010  

Anonymous, thank you, I fixed the initial link that was broken.

Post a Comment

Computer Forensics, Malware Analysis & Digital Investigations

Random Articles