EnCase + F-Response + EnScript = very affordable network forensics & eDiscovery
Most of you are familiar with and have seen the numerous posts on various blogs & websites about the capabilities of F-Response. If you don't already own F-Response, you should go here first!
I don't work for F-Response or Guidance Software, nor do I have any financial interest in either of their successes. I have been using EnCase for many years and have "cut my teeth" using EnCase, so it's one of the primary tools I use. But I cannot personally afford EnCase Enterprise, so I am always looking for alternative ways to perform "Enterprise-wide" forensics. Enter F-Response.
F-Response really helps bridge the gap of available affordable tools that enable an examiner to do network based forensics or remote collections. The only limitation with F-Response was that you really could not automate F-Response in an unattended fashion and have it work together with EnCase, until now :))
Matthew Shannon at F-Response has released a version of F-Response Enterprise that now contains a scriptable object. That object can be controlled by any program that supports COM. So basically, using the standard off-the-shelf version of EnCase Forensic, you can automate the remote connection, analysis and collection of whatever data you want, based on whatever criteria you wish via EnScript.
Below is a fully functional proof-of-concept EnScript that works with the new version of F-Response Enterprise Edition. Requirements:
You need EnCase Forensic version or Law Enforcement version (not Enterprise)
You need the most recent version of F-Response Enterprise version (download page of http://www.f-response.com/) and the new F-Response scriptable COM object.
To make this POC EnScript work, you need to have the latest version of F-Response Enterprise installed and the basic configuration information completed in the FEMC. Below is an example of the required information that needs to be set in the FEMC:
Once you have this information configured, you do not need the FEMC running, but you do need the F-Response License Manager running and your F-Response dongle connected.
Once you have the above completed, you can open EnCase and run the EnScript below. It will ask for the credentials for the remote machine. The credentials are used to install, start, stop and uninstall the F-Response client on the remote machine, just like if you were doing this manually in the FEMC. The F-Response client does not neet to be installed and/or running already. Specify a remote IP address (or several) then click "OK":
Download Here
ShareThis
Posts
9 comments:
Very cool, Lance, thanks.
I'm curious though - does this contravene the EnCase Forensic EULA?
Raffael Vargas
Great Lance ....
Lance, if it costs around $9K, wouldn't one be better off with EnCase FIM instead? I know it's advertised a lot higher, but they discount it from time to time. And FIM comes with the EnCase Consultants edition which includes all the plug-ins. Does F-Response offer any additional features not found in the FIM?
Phil, I assume you own at least EnCase Forensic edition, if so then you only need to buy F-Response Enterprise. If you already own a lessor version, then you only need to upgrade that. The $8,000 was if you own nothing.
F-Repsonse does not offer any features like FIM, its not a forensic analysis tool, its a network connection tool. The analysis and features are coming from EnCase, so whatever you have in your EnCase Forensic version as far as modules, or EnScripts, you can use them like usual.
FIM has limitations on concurrent connections, And you will pay more for more connections with FIM, F-Response does not.
I am not preaching that F-Response is a better solution to FIM or EnCase Enterprise. I am just sharing an alternative affordable solution. We all have our favorites and each tool has it's own strength and weaknesses. As I mentioned, I love EnCase Enterprise and FIM, but I cant afford that or the licensing (only installed on one machine), whereas this solution can be installed on any machine. The post above is meant to describe just another alternative solution.
Thanks for the feedback, Lance.
My question wasn't well articulated. What I was trying to ask was whether the combination of EnCase Forensic and F-Response had more to offer that EnCase FIM. From what you're saying, I gather that one of the differences would be in the FIM's limitation over concurrent connections.
Phil, EnCase FIM is the EnCase you already know with network capabilities.
The only Additional feature you get from FIM or EnCase Enterprise is snapshot ability, which gives you running processes, etc which is very helpful when doing incident response.
But then on the other hand F-Response handles network connection to Windows, Linux, Apple, Solaris, AIX, SCO, HPUX, and Freebsd. FIM does not support all those platforms.
Everything else that you could do or want to do with FIM, can be done with EnCase forensic.
If you are not familiar with EnCase FIM, it looks, tastes, smells and acts just like the EnCase Forensic version you use now, just with the ability to reach out and connect to a remote machine. The analysis part ids the same in EnCase Forensic and FIM.
Thanks for the feedback, Lance.
I'm familiar with the FIM and have a copy. I was wondering what other capabilities I may be missing compared to the EnCase Forensics & F-Response combo you described. Now I know...
Best regards, Phil
F-response is not correctly linked to the site.
Anonymous, thank you, I fixed the initial link that was broken.
Post a Comment