F-Response Manual (All Versions)
Contents
1. 6.0.3.3. Provides a complete breakdown of leveraging F-Response Enterprise, Consultant Covert, Consultant, or Field Kit Edition to perform expert remote computer forensics and incident response.
   Table of Contents: Welcome to F-Response; Terminology; Supported Platforms; F-Response License FOB; Getting started with F-Response; Enterprise Edition; Consultant Covert Edition; Field Kit Edition; Licensing F-Response
2. [Screenshot: F-Response Enterprise Management Console, Deployment Options Configuration Panel]
   • F-Response Configuration
     o Validation Configuration
       - IP Addr: Configures the IP Address of the F-Response LM Service.
       - TCP Port: Configures the TCP Port of the F-Response LM Service.
     o Host Configuration
       - Encryption: Check to enable AES 256bit Encryption for the F-Response Disk connection.
       - Physical Memory: Check to enable Physical Memory access on the remote F-Response Target. Supports Windows clients only.
       - Flexdisk Port Checkbox: The TCP Port the remote F-Response Enterprise executable should listen on for Flexdisk HTTPS requests.
       - TCP Port: The TCP Port the remote F-Response Enterprise executable should listen on for login and discovery requests.
       - Username: The Username the remote F-Response Enterprise executable should use for login and discovery requests.
       - Password: The Password the remote F-Response Enterprise executable should use for login and discovery requests.
   • F-Response Windows Service Install Configuration
       - Service Name: This is the name the F-Response Enterprise service will be installed as on
3. archiving and backup. This replaces previous IMAP Gmail option.
   F-Response 6.0.1.2 contains the following new features and enhancements:
   Changes affecting Enterprise, Consultant Covert, Consultant Edition, and TACTICAL:
   • Completely redesigned F-Response Connector, taking the place of the prior Cloud, Email, Database connectors
     o Additional supported remote cloud storage environments for CE and above users added, including Office 365 OneDrive for Business, Office 365 Sharepoint
     o Numerous bug fixes and product architecture changes to increase stability and performance
     o Additional logging options for individual providers
     o Optional revision history access for Dropbox
     o Included installation of driver for TACTICAL hosted F-Response Connector
   Changes affecting all versions:
   • Updates to F-Response Windows Subject executables to handle GPT Partitions and disks on remote Windows machines, addressed inconsistencies in detecting certain partitions in 6.0.1.2
   Changes affecting Enterprise, Consultant Covert, and Consultant Edition:
   • Updates to F-Response Solaris Subject executable to handle select drive recognition issues
   Change affecting Enterprise Edition:
   • Updates to the FEMC COM Library for x64 systems to properly detect Apple OSX remote targets
   F-Response 5.0.3 contains the following new features and enhancements:
   Changes affecting Enterprise, Consultant Covert, Consultant Edition, and TACTICAL:
   • Addition of a Linux F Res
4. 2
     o Select an IP Address from the Host IP Address drop-down arrow to bind the F-Response Target code to a local IP address currently in use by the computer. In this case we have chosen 192.168.1.6.
   • Step 3
     o Select the TCP Port; in this instance we chose to keep the default, 3260.
   • Step 4
     o Enter in a username and password value. These values will be used later to authenticate the network connection to this computer.
   • Step 5
     o Press the Start button to start listening for incoming connections.
   This completes F-Response preparation for this machine. Remember, you will need the four entries selected in the User Interface above in order to establish the connection to access this computer's drives over the network. Refer to the next section on using the Microsoft iSCSI Initiator to complete the connection and access the local machine's physical drives from remote.
   F-Response Field Kit Edition
   Using F-Response Field Kit Edition for Unix (Linux, Apple OS X)
   root nsx mshannon f-response-fk-lin -h
   F-Response Field Kit Linux Version 5.0.0
   Usage:
     This help page
     <username>  Username must be eight (8) characters
     <password>  Password must be fourteen (14) characters
     -i <port>  iSCSI port (optional, default is 3260)
     <path to device>  Assign additional devices, comma separated (ex. -a /dev/md0)
   Examples: To use F-Response Field Kit Linux Edition: f-response
5. [Screenshot: F-Response Enterprise Edition command line interface]
   F-Response Enterprise edition is a GUI-less Windows Service version of the F-Response Target Code. It was designed for ease of administration and distribution to remote targets. The screen capture above provides the f-response-ent.exe help page, including several examples. The following help text details the command line options for installing, uninstalling, and configuring F-Response Enterprise on each target machine.
   Installing & Uninstalling F-Response Enterprise
   • -c Create, -d Delete
     o These options are mutually exclusive. They either install (-c) or uninstall (-d) the service on the local target computer with the default service name, F-Response Enterprise Service. Note: You can change the name of the F-Response Enterprise executable file to anything you like prior to installation (e.g. you may rename f-response-ent.exe to xyz_tester.exe). You may also place the F-Response Enterprise executable file anywhere you like prior to installation (e.g. WINDOWS\system32).
   • -a user defined service name, -r user defined service name
     o These options are mutually exclusive. They either install (-a) or uninstall (-r) the service on the local computer with a user defined service name. Note: You can change the name of the F-Response Enterprise executable file to anything you like prior to installation (e.g. you may rename
6. [Screenshot: F-Response Flexdisk Web Viewer]
   What is a F-Response Flexdisk?
   The F-Response Flexdisk (Patented) is a web-based disk access and representation tool. The Flexdisk uses standard web technologies (HTTPS, REST) to provide direct access to the remote target machine's Logical and Physical targets in both raw and logical format. The Flexdisk can be accessed and used from any modern web browser and also exposes a feature-rich and extensible application programming interface (API) accessible from any system capable of making and interpreting web queries and JSON.
   How do I access and use a F-Response Flexdisk?
   Using the F-Response Flexdisk is as easy as working with a web browser. The Flexdisk web viewer interface contains multiple icons as well as a clearly defined legend to cover their usage and meaning. A sample of that legend appears below:
   • Download recursive CSV of directory contents
   • Allocated Directory
   • Allocated File
   • Download CSV of an individual file's metadata
   • Unallocated Directory
   • Unallocated File
   Footnote 7: REST, or Representational State Transfer, is a web services development model that uses simple HTTP verbs such as GET and POST.
   Footnote 8: JSON or Javascript
7. [Screenshot: Scan Network by IP Range Dialog]
   Scan network by IP Range presents a dialog that accepts a start and end IP address (inclusive) for an IP Range to be scanned.
   [Screenshot: Direct Connect Dialog]
   Direct Connect presents a dialog that accepts a computer Network name or IP Address and attempts to connect to the computer to perform any of the following actions: Install, Uninstall, Start, Stop, and Issue Discovery Request.
   [Screenshot: Custom Scan Dialog]
   Custom Scan presents a dialog that accepts a comma delineated listing of either computer names or IP addresses (or both) to scan to detect F-Response Enterprise installations and/or potential targets. In addition, the Custom Scan dialog will present the last executed scan input on opening.
   Enterprise Edition: Deploying and Managing F-Response using the FEMC (All Supported Platforms)
   Following a successful scanning enumeration process, the F-Response Enterprise Management Console can then be used to install, start, stop, and unin
8. Logout of F-Response Disk option.
   [Screenshot: F-Response Enterprise Management Console listing F-Response Targets, Deployment menu open]
   When complete, select individual targets or multiple targets and select Stop F-Response to stop the remote F-Response Enterprise service.
   [Screenshot: F-Response Enterprise Management Console, Active Clients]
9. business information of a party, including without limitation any information relating to a party's techniques, algorithms, software, know-how, current and future products and services, research, engineering, vulnerabilities, designs, financial information, procurement requirements, manufacturing, customer lists, business forecasts, marketing plans and information; (b) any other information of a party that is disclosed in writing and is conspicuously designated as "Confidential" at the time of disclosure or that is disclosed orally and is identified as "Confidential" at the time of disclosure; or (c) the specific terms and conditions of this Agreement.
   6.2 Exclusions. Confidential Information shall not include information which: (i) is or becomes generally known to the public through no fault or breach of this Agreement by the receiving Party; (ii) the receiving Party can demonstrate by written evidence was rightfully in the receiving Party's possession at the time of disclosure, without an obligation of confidentiality; (iii) is independently developed by the receiving Party without use of or access to the disclosing Party's Confidential Information or otherwise in breach of this Agreement; (iv) the receiving Party rightfully obtains from a third party not under a duty of confidentiality and without restriction on use or disclosure; or (v) is required to be disclosed pursuant to or by any applicable laws, rules, regulatory authority, court
10. [Table of contents, continued: Disclaimer; Patents]
   Welcome to F-Response
   Thank you for purchasing F-Response. You have now extended the capabilities of your existing arsenal of tools to enable them to work over an IP network. F-Response accomplishes this through the use of a patented process (US 7,899,882, US 8,171,108, and patents pending), a part of which includes leveraging the Internet Small Computer Systems Interface (iSCSI) protocol standard as defined in RFC 3720 (http://www.ietf.org/rfc/rfc3720.txt).
   Terminology
   The iSCSI terms "Target" and "Initiator" are used throughout this manual. The choice of initiator and target verbiage in the iSCSI definitions may prove confusing to forensics practitioners because "target" carries a different definition in the field of computer forensics versus iSCSI. In computer forensics, the system to be analyzed is generally referred to as the "subject" system, whereas the system to which forensically sound data is collected is generally referred to as the "target" system. In this manual, the forensic subject is an iSCSI target, i.e. F-Response Target code is executed on the machine to be analyzed. For this reason we want to make clear that the use of the word "target" in this manual refers to the iSCSI definition
11. configuring the F-Response Consultant Covert Console
   • F-Response Enterprise: Configuring Deployment Options
   • F-Response Enterprise: Configuring Credentials
   • F-Response Enterprise: Scanning (Direct Connect Only)
   F-Response Consultant Edition
   Consultant Edition: Overview of the F-Response Consultant Connector
   [Screenshot: F-Response Consultant Connector]
   F-Response Consultant Connector Menu Options
   • File
     o Quick Configure: Opens a dialog to configure the TCP Port, Username, and Password for use during Discovery Request or Login phases.
     o Create Autoconfigure: Opens a dialog for creation of an Autoconfigure package for F-Response Consultant Edition.
     o Clear Messages: Clears any information or error messages currently in the Messages Panel.
     o Exit: Close and exit the F-Response CC console.
   • Connect
     o Discover F-Response Disks: Opens a dialog providing iSCSI Discovery request capability by IP Address.
     o Login to F-Response Disk: Initiates an iSCSI login on the selected F-Response Consultant Target.
     o Logout of F-Response Disk: Initiates an iSCSI logout on the selected F-Response Consultant Target.
     o Remove F-Response Disk: Deletes all F-Response Disks for the selected target from the Connect Tab.
     o Open F-Response Flexdisk: Opens the
12. considerable amount of time depending on the total number of messages, size of the messages, available bandwidth, and any throttling of performance done by the email provider. A running output of the message subjects will be shown in the Status column. Once complete, the newly attached volume will be assigned a drive letter and is now accessible via Windows Explorer.
   [Screenshot: Processing email in an account]
   Disconnecting from Email Account Targets
   You can disconnect from one or more storage targets by simply double clicking on target.
   [Screenshot: Warning before detaching a connected share]
   F-Response Enterprise
   Enterprise Edition: Overview of the F-Response Enterprise Management Console (FEMC)
   At the core of F-Response Enterprise Edition is the F-Response Enterprise Management Console (FEMC). Below is a guideline of the features and functions of the FEMC.
   [Screenshot: F-Response Enterprise Management Console]
13. f-response-ent.exe to xyz_tester.exe. You may also place the F-Response Enterprise executable file anywhere you like prior to installation (e.g. WINDOWS\system32).
   Configuring F-Response Enterprise
   • -s Server IP, -o Server Port
     o Since the Enterprise Edition of F-Response allows the F-Response FOB to be physically remote from the computer to be analyzed, the Enterprise Edition software must be configured with parameters identifying the network address (Server IP) and port number (Server Port) of the computer to which the F-Response FOB is connected and which is running the NetUniKey Server (often the IP Address of an Enterprise Investigations Server). Completing a successful configuration creates a NetUniKey.ini file. For successful execution of F-Response Enterprise, both the F-Response Enterprise executable (f-response-ent.exe by default) and the NetUniKey.ini file must be located in the same folder on the target computer.
   • -u username, -p password, -i iSCSI Port, -f Flexdisk Port
     o These options set the username, password, and iSCSI port that will be used for remote connectivity by the iSCSI initiator. If the Flexdisk port is not specified it will not be enabled.
   [Screenshot: Windows Services console showing the F-Response Enterprise Service]
14. fk-lin -u jsmith01 -p password123456
   The F-Response Field Kit Edition for Apple OS X and Linux is installed and available in the C:\Program Files\F-Response\F-Response Field Kit Edition folder. The executable name will indicate which version is appropriate for your target platform:
   • F-Response Field Kit Edition for Linux: f-response-fk-lin
   • F-Response Field Kit Edition for Apple OSX 10.4, 10.5, 10.6 Intel: f-response-fk-osx
   Example Usage Scenario 1: F-Response License Manager Server on 192.168.1.6, Port 5681
   sudo f-response-fk-lin -u mshannon -p mshannon123456 -i 3260
   F-Response Field Kit Edition: Connecting to an F-Response Target
   [Screenshot: iSCSI Initiator Properties]
   This is the Microsoft iSCSI Initiator console. First, select Change to rename your initiator node.
   [Screenshot: Initiator Node Name Change]
   Set this value to whatever value was inputted in the F-Response Field Kit user interface username field. Select OK.
   [Screenshot: iSCSI Initiator Properties, Add Target Portal]
   Input the IP Address and TCP port of the remote F-Response Field Kit computer. These values must match the ones entered in the F-Response Field Kit user interface. Once this is complete, select the Advanced button.
   [Screenshot: Advanced Settings]
   Check the box for CHAP logon information and enter the Username and Password previously entered
15. give you the exact information you need to get you connected and underway as fast as possible. Mission Guides are simple, straightforward 4-6 page PDF documents that cover all the steps necessary to accomplish a specific Mission with F-Response. All Mission Guides are available at https://www.f-response.com/support/missionguides, under the Support link at the top of every page. A selection of the Mission Guides available at the time this document was developed is available below:
   • F-Response Enterprise Edition
     o Connect to a remote Linux target's disk using F-Response Enterprise Edition
     o Connect to a remote Apple target's disk using F-Response Enterprise Edition
     o Connect to a remote Windows target's disk using F-Response Enterprise Edition
     o Connect to the F-Response Boot CDROM using F-Response Enterprise Edition
   • F-Response Consultant Edition
     o Connect to a remote Linux target's disk using F-Response Consultant Edition
     o Connect to a remote Apple target's disk using F-Response Consultant Edition
     o Connect to a remote Windows target's disk using F-Response Consultant Edition
     o Connect to the F-Response Boot CDROM using F-Response Consultant Edition
   • F-Response Field Kit Edition
     o Connect to the F-Response Boot CDROM using F-Response Field Kit Edition
   • F-Response TACTICAL
     o Connect to the F-Response Boot CDROM using F-Response TACTICAL
   Software Revision History
   The foll
16. machine. Double click this file on the target machine to populate the registry with this key. To remove, follow the same steps as above, this time with the following information:
   [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
   "LocalAccountTokenFilterPolicy"=dword:00000000
   Q: I established an F-Response connection, tried to view the remote "Documents and Settings" folder, and received a message that I don't have permission to view that folder. Why don't I have access?
   A: You have the access with the right tools. You probably used Windows Explorer or an equivalent tool that is subject to the file permission settings for those folders. If you use a forensics tool that can take advantage of your raw drive access then you won't have this issue.
   Q: What port does the F-Response EMC (management console) use to deploy and manage the F-Response Service?
   A: The F-Response EMC uses Microsoft File and Printer Sharing services for remote administration and deployment (TCP Port 445).
   Q: Where does the F-Response EMC (management console) install or place the F-Response Enterprise executable and configuration file?
   A: The F-Response EMC places the executable and configuration file in the C:\Windows (WINNT)\System32 (SysWow64) folder, depending on Windows version.
17. remote device.
   [Screenshot: F-Response Enterprise Management Console after login, with one target shown as Connected and mapped to a local PhysicalDrive]
   Once connected, the Target icon will change to indicate the disk is now attached to your computer; in addition, the local mapping information will be provided. In the above instance the Windows disk 0 has been mapped to PhysicalDisk1.
   [Screenshot: F-Response Enterprise Management Console, Connect menu]
   To logoff, select one or more connected F-Response Targets and select the Connect Menu
18. [Screenshot: F-Response Connector, Configure Cloud Storage Options]
   • General Options
     o Record Log: Will create a secondary CSV log file with the drive contents for each attached Cloud Storage device.
   • Dropbox Options
     o For Modified Time Use: Dropbox provides two different times that can be used as "Modified Time" for a given file. By default the Cloud Connector uses the Modified time as provided by the Dropbox Servers. Alternatively, it is now possible to use the Client MTime, a non-verified time that is assigned to the files when they are modified by a Dropbox Client tool. The Client MTime is not verified by Dropbox.
     o Do not show file revisions (default is to show all file revisions): By default the connector will show all revisions for Dropbox items; checking this box will tell the Connector to not request multiple versions of items.
     o Merge all folder paths to lowercase: In some accounts user data is duplicated due to case differences; this will force all case to lowercase and reduce duplication.
   Configuring Cloud Storage Credentials
   Before you can connect to Cloud Storage services you must first input valid credentials. While the credentials necessary vary by cloud storage provider, all credentials must be input using one of the Configure Credentials dialog boxes.
19. [Screenshot: F-Response Enterprise Management Console, Deployment menu]
   When complete, select individual targets or multiple targets and select Uninstall F-Response to uninstall the remote F-Response Enterprise service.
   [Screenshot: F-Response Enterprise Management Console]
   Icons indicate F-Response has been successfully uninstalled on the target computers.
   Enterprise Edition: Using F-Response Enterprise Edition for Windows (Deployment without the FEMC)
   • Step 1
     o To use the F-Response Enterprise Edition, insert a valid F-Response FOB key into a USB port of the computer on which you will be running the F-Response License Manager Service, and then execute the F-Response LM Server on this computer.
   • Step 2
     o Start the remote F-Response Enterprise Service which has been installed and configured on the Target computer. See Appendix A for details regarding the command line options for installing, uninstalling, and configuring F-Response Enterprise on each target machine.
     o Once an F-Response Enterprise
20. 10.2 Consent to Use of Data. You agree that Agile and its affiliates may collect and use technical information gathered as part of the support services provided to you, if any, related to the Software. Agile may use this information solely to improve our products or to provide customized services or technologies to you and will not disclose this information in a form that personally identifies you.
   11. Miscellaneous
   11.1 Legal Compliance; Restricted Rights. Each Party agrees to comply with all applicable Laws. Without limiting the foregoing, Customer agrees to comply with all U.S. export Laws and applicable export Laws of its locality (if Customer is not located in the United States), and Customer agrees not to export any Software or other materials provided by Agile without first obtaining all required authorizations or licenses. In the event the Software is provided to the United States government, it is provided with only "LIMITED RIGHTS" and "RESTRICTED RIGHTS" as defined in FAR 52.227-14 if the commercial terms are deemed not to apply.
   11.2 Governing Law; Severability. This Agreement, including any addendum or amendment to this Agreement which is included with the Software, are the entire agreement between you and Agile relating to the Software and the support services (if any), and they supersede all prior or contemporaneous oral or written communications, proposals and representations with respect to the Software or any other sub
21. [Screenshot: Messages Panel listing databases on 192.168.1.206, each reported as "Database not a Sharepoint Database"]
   Scanning: Databases not recognized are listed on the Messages Panel. C
22. [Screenshot: Connect tab listing discovered F-Response Targets, all Inactive]
   Following a successful Discovery Request, the Connect Tab will contain a listing of valid Targets (Physical Disks, Logical Volumes, and/or Physical Memory). More on Target naming in Appendix G.
   [Screenshot: Connect menu]
   Select one or more targets and select Connect > Login to F-Response Disk to authenticate to and access the remote device.
   [Screenshot: Connect tab with one target shown as Connected and mapped to a local PhysicalDrive]
   Following a successful login, the Target icon will indicate connected and the Local disk column will show the locally connected disk that maps to the remote device.
   [Screenshot: Connect menu]
23. ARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL INTEL OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
   Copyright 2006 Alistair Crooks. All rights reserved.
   Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
     1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
     2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
     3. The name of the author may not be used to endorse or promote products derived from this software without specific prior written permission.
   THIS SOFTWARE IS PROVIDED BY THE AUTHOR "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIAB
24. CD, etc. Execute the F-Response Target code on the machine as Root (please see Appendix E, Understanding Unix Credentials, for more information). At the command line on the target platform type: response ce e lin c fresponse ini
   Consultant Edition: Using the F-Response Consultant Connector
   [Screenshot: F-Response Consultant Connector, Active Clients tab]
   The Active Clients Tab in the F-Response Consultant Connector shows clients actively connected to the F-Response License Manager.
   [Screenshot: Host Configuration dialog showing Flexdisk Port 3261, TCP Port 3260, Username mshannon, Password]
   Prior to issuing a Discovery Request or Connecting to an F-Response Target you must first input your username and password information into either the File > Quick Configure or Create Autoconfigure Dialog; these are the same username and password values entered on the Consultant remote target GUI.
   [Screenshot: Connect menu]
   Select one or more Active Clients and select Connect > Issue Discovery Request to perform a discovery request against the remote target.
   [Screenshot: Connect tab listing discovered F-Response Targets]
25. Connecting to Cloud Storage Targets You can connect to one or more storage targets by simply double clicking on target The newly attached volume will be assigned a drive letter and is now accessible via Windows Explorer File Credentials Scan Connect View Help Target Description Provider Status Local Volume F i AmazonS3 T Amazon Si Active WAG Amazon 3T Amazon Si Inactive Logged in Cloud Storage target assigned the G drive letter 23 Disconnecting from Cloud Storage Targets You can disconnect from one or more storage targets by simply double clicking on target Are you certain you wish to detach this share oe ee Warning before detaching a connected share 24 F Response Connector Database Objects Using the F Response Connector for Database Objects Sharepoint 2010 TAC CE CE C and EE F Response TACTICAL Consultant Consultant Covert and Enterprise edition includes a copy of the F Response Connector FC The FC allows an examiner to mount remote Microsoft SQL Server Database Objects Embedded Files BLOBS etc as local read only logical volumes or network shares The F Response Connector supports Microsoft Sharepoint 2010 only at present The FC does not require executables or agents be deployed to the remote Microsoft SQL Server s The FC does require a locally attached F Response licensed dongle TACTICAL Consultant or Consultant Covert or a remote Enterprise F Respo
26. Console Create AutoConfigure CreateAutoConfigure sssts Sststs E F Response Configuration m Validation Configuration Host Configuration All IP Addresses IP Addr 192 168 1 218 Physical Memory A TCP Port 5681 Flexdisk Port 3261 TCP Port 3260 Username Password F Response Consultant Executable Executable Browse con The Create Autoconfigure dialog allows you to create an Autoconfigure package which when executed on the remote machine will bring up F Response completely pre configured and ready to start e F Response Configuration o Validation Configuration P Addr e Configures the IP Address of the F Response LM Service TCP Port e Configures the TCP Port of the F Response LM Service o Host Configuration All IP Addresses e Check to enable automatic binding to all IP Addresses Physical Memory e Check to enable Physical Memory access on the remote F Response Target Supports Windows clients only Flexdisk Port e TCP Port the remote F Response Consultant executable should listen on for Flexdisk HTTPS connections TCP Port 63 e TCP Port the remote F Response Consultant executable should listen on for login and discovery requests Username e The Username the remote F Response Consultant executable should use for login and discovery requests Password e The Password the remote F Response Consultant executable should use for login and
27. ES INCLUDING BUT NOT LIMITED TO PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES LOSS OF USE DATA OR PROFITS OR BUSINESS INTERRUPTION 136 HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY WHETHER IN CONTRACT STRICT LIABILITY OR TORT INCLUDING NEGLIGENCE OR OTHERWISE ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE This product includes cryptographic software written by Eric Young eay cryptsoft com This product includes software written by Tim Hudson tjh cryptsoft com Intel License Agreement Copyright c 2000 Intel Corporation All rights reserved Redistribution and use in source and binary forms with or without modification are permitted provided that the following conditions are met Redistributions of source code must retain the above copyright notice this list of conditions and the following disclaimer Redistributions in binary form must reproduce the above copyright notice this list of conditions and the following disclaimer in the documentation and or other materials provided with the distribution The name of Intel Corporation may not be used to endorse or promote products derived from this software without specific prior written permission THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES INCLUDING BUT NOT LIMITED TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A P
28. Edition target has been successfully validated the F Response Enterprise Management Console Active Clients Tab will show the remote client s IP address Machine name and Platform as shown below Clients listed under the Active Clients tab are available for F Response connections using the F Response FEMC Accelerator or iSCSI Initiator Fi F Response Enterprise Management Console on File Scan Deployment Connect Active Clients Help Deployment Connect Messages Active Clients IP Address Hostname Platform 192 168 1 210 WIN2K8 DC Windows 2008 Vista Custom Scan Complete 1 Detected HWID 155519116 Expires 12 17 2011 F Response Enterprise Management Console Active Clients Tab 57 To examine multiple targets simply start the remote F Response Enterprise Service on each Target To see the available targets on the remote computer select the IP address in the Active Clients panel and use the context menu option Issue Discovery Request 58 F Response Consultant Covert Edition Consultant Covert Edition Overview The Consultant Covert Edition provides all the capabilities of the F Response Consultant Edition see the following F Response Consultant Edition section of this document however it additionally provides a limited covert deployment console capable of deploying and starting F Response on a single active target Please refer to the following sections to learn more about
29. Help Connect Messages F Response Target Local Disk Validated Licensed and Active The F Response Accelerator main window Configure Host Configuration TCP Port 3260 Username mshannon Password Start by selecting File gt Configure to input your F Response username password and tcp port 77 To locate F Response Targets and connect to them start by using the Connect gt Find F Response Disks this will open a dialog where you can input the target machine IP addresses 78 Field Kit Edition F Response Field Kit Edition Using F Response Field Kit Edition for Windows e Step 1 o To use the F Response Field Kit insert a valid F Response FOB key into a USB port of the computer to be analyzed Make the F Response FK Target code available to the local machine via USB network share CD et al and execute the F Response FK Target code The below user interface will appear ig F Response Remote Forensics Field Kit File Host Information Hostname win bst9v6rgoen Host IP Address 192 168 1 218 Remote Configuration TCP Port 3260 TCP Port must be between 1 and 65 554 Username mshannon Username must be 1 or more characters Password ssss2ssessees Password must be 12 or more characters Version License Key HW ID 155519116 License Expires 12 17 2011 F Response User Interface configured for use See Appendix A for field information detail e Step
30. ID 155519116 Expires 12 17 2011 To logoff of the F Response Target select the connected Target and select Connect gt Logout of F Response Disk in iqn 2008 02 com f response win bst9v6rgoen vol c Inactive EE iqn 2008 02 com f response win bst9v6rgoen pm Inactive 43 iqn 2008 02 com f response win bst9v6rgoen dis Inactive HWID 155519116 Expires 12 17 2011 Once logoff operation completes the icon will indicate disconnected and the Local Disk column will indicate Inactive 76 F Response Accelerator Consultant Consultant Covert and Enterprise Only The F Response Accelerator is a secondary connection utility provided to Consultant and Enterprise license holders Essentially the Accelerator removes the need to navigate the somewhat difficult Microsoft iSCSI Initiator to connect to F Response targets from machines that do not currently have an F Response license dongle inserted in them By using the F Response Accelerator a customer can create connections from many F Response Accelerator machines to many F Response targets OO _eorvOC8F rl ll F Response Accelerator Validation F Response License Manager IP Address s Port 5681 Not Connected C ca Upon starting the F Response Accelerator you will be prompted to input the IP and Port of the F Response License Manager in order to validate your license and begin using Accelerator ig F Response Accelerator eA File Connect
31. IN CONTRACT OR ANY OTHER THEORY IN LAW OR IN EQUITY THE ENTIRE LIABILITY OF EITHER PARTY AND WITH RESPECT TO AGILE ANY OF ITS SUPPLIERS UNDER ANY PROVISION OF THIS AGREEMENT AND THE EXCLUSIVE REMEDY HEREUNDER SHALL BE LIMITED TO THREE TIMES THE TOTAL AMOUNT PAID BY CUSTOMER FOR THE LICENSE PROVIDED HOWEVER THAT THIS LIMITATION DOES NOT APPLY TO ANY OF THE FOLLOWING A A PARTY S BREACH OF ITS CONFIDENTIALITY OBLIGATIONS UNDER THIS AGREEMENT OR B ANY GROSS NEGLIGENCE OR WILLFUL MISCONDUCT BY A PARTY THE FOREGOING LIMITATIONS EXCLUSIONS AND DISCLAIMERS SHALL APPLY TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW EVEN IF ANY REMEDY FAILS ITS ESSENTIAL PURPOSE 8 2 Exclusion of Incidental Consequential and Certain Other Damages TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW IN NO EVENT SHALL EITHER PARTY AND WITH RESPECT TO AGILE ITS SUPPLIERS BE LIABLE TO THE OTHER FOR ANY SPECIAL INCIDENTAL PUNITIVE INDIRECT OR CONSEQUENTIAL DAMAGES WHATSOEVER INCLUDING BUT NOT LIMITED TO DAMAGES FOR LOSS OF PROFITS FOR BUSINESS 132 INTERRUPTION FOR PERSONAL INJURY FOR LOSS OF PRIVACY FOR FAILURE TO MEET ANY DUTY INCLUDING OF GOOD FAITH OR OF REASONABLE CARE AND FOR ANY OTHER PECUNIARY OR OTHER LOSS WHATSOEVER ARISING OUT OF OR IN ANY WAY RELATED TO THE USE OF OR INABILITY TO USE THE SOFTWARE THE PROVISION OF OR FAILURE TO PROVIDE SUPPORT OR OTHER SERVICES INFORMATION SOFTWARE AND RELATED CONTENT THROUGH THE SOFTWARE OR OTHER
32. LE FOR ANY DIRECT INDIRECT INCIDENTAL SPECIAL EXEMPLARY OR CONSEQUENTIAL DAMAGES INCLUDING BUT NOT LIMITED TO PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES LOSS OF USE DATA OR PROFITS OR BUSINESS INTERRUPTION HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY WHETHER IN CONTRACT STRICT LIABILITY OR TORT INCLUDING NEGLIGENCE OR OTHERWISE ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE Copyright c 2011 2014 Loic Hoguin lt essen ninenines eu gt Permission to use copy modify and or distribute this software for any purpose with or without fee is hereby granted provided that the above copyright notice and this permission notice appear in all copies THE SOFTWARE IS PROVIDED AS IS AND THE AUTHOR DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY SPECIAL DIRECT INDIRECT OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE DATA OR PROFITS WHETHER IN AN ACTION OF CONTRACT NEGLIGENCE OR OTHER TORTIOUS ACTION ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE Copyright 2009 2011 Andrew Thompson lt andrew hijacked us gt All rights reserved Redistribution and use in source and binary forms with or without modification are permitted provided that the following conditions are met 1 Redistributions of sour
33. LLC MASTER SOFTWARE LICENSE AGREEMENT TERMS AND CONDITIONS 1 Scope of Agreement Definitions This Agreement covers the license and permitted use of the Agile Risk Management LLC Agile F Response Software Unless otherwise defined in this section the capitalized terms used in this Agreement shall be defined in the context in which they are used The following terms shall have the following meanings 1 1 Agile Software or Software means any and all versions of Agile s F Response software and the related Documentation as defined below 1 2 Customer or Licensee means the person or entity identified on the invoice and only such person or entity Customer shall not mean any assigns heirs or related persons or entities or claimed third party beneficiaries of the Customer 1 3 Documentation means Agile release notes or other similar instructions in hard copy or machine readable form supplied by Agile to Customer that describes the functionality of the Agile Software 1 4 License Term means the term of the applicable license as specified on an invoice or as set forth in this Agreement 2 Grant of Software License 2 1 Enterprise License Subject to the terms and conditions of this Agreement only Agile grants Customer a non exclusive non transferable license to install the Agile Software and to use the Agile Software during the License Term in object code form only 2 2 Third Party Softwar
34. Object Notation is a data formatting style considered smaller and easier to manipulate when compared to XML.

    In addition to using the provided web viewer, the F Response Flexdisk provides a rich and capable web services API that can be used to build mobile and web based applications that leverage F Response Flexdisk provided content. More information on using the Flexdisk API is available in the Flexdisk API document, available on the Downloads page of the F Response Website.

    Frequently Asked Questions

    1. Q: Can multiple initiators connect to a single F Response target machine?
    2. Q: Do I change any data on the target computer by using F Response?
    3. Q: I am connected via F Response, navigated to a file on the remote computer, hit delete, and it appears to be gone. Did I really delete the file?
    4. Q: I have a personal firewall running on my computers. Do I need to change firewall settings to use F Response?
    5. Q: I have a remote user that accidentally deleted a file. Can I use F Response to recover deleted files?
    6. Q: Is the F Response iSCSI connection encrypted?
    7. Q: Does F Response work as an agent?
    8. Q: Can I deploy F Response to Linux or Other Operating Systems (OS's)?
    9. Q: When I attempt to deploy F Response using the FEMC I cannot, even though I have valid credentials.
    10. Q: I established an F Response connection, tried to view the remote Documents and Settings folder and received a me
35. ResponseLM IP> IP Address of F Response LM Server
    P <F ResponseLM Port> TCP Port of F Response LM Server (optional, defaults to 5681)
    u <username> F Response username (must be 8 characters)
    p <password> F Response password (must be 14 characters)
    i <iSCSI Port> iSCSI Port (optional, defaults to 3260)
    c <path to fresponse ini> Optional autoconfigure path; if used, no other commandline options are required
    <Flexdisk Port> Optional Flexdisk port; if not provided, Flexdisk services will not be enabled

    F Response Consultant Enterprise Edition can either be run directly from the commandline using the various arguments indicated above, or it can be run with the c <path to fresponse ini> option, provided the path points to a valid fresponse ini file. See the F Response Consultant Connector autoconfigure option to generate a valid fresponse ini.

    [Figure: F Response command line help on analyst machine]

    The F Response Consultant Edition target code for non Windows platforms is installed and available in the C Program Files F Response F Response Consultant Edition folder. The executable name will indicate which version is appropriate for your target platform. Platform F Response Target Code Linux glibc 2 3 5 Intel i386 f response ce e lin Linux glibc 2 3 5 x64 f response ce e lin 64 Apple OSX 10 3 10 4 10 5 10 6 10 7 f response ce e osx 10 8 Universal Binary Sun So
36. WISE ARISING OUT OF THE USE OF THE SOFTWARE OR OTHERWISE UNDER OR IN CONNECTION WITH ANY PROVISION OF THIS AGREEMENT EVEN IN THE EVENT OF THE FAULT TORT INCLUDING NEGLIGENCE MISREPRESENTATION STRICT LIABILITY BREACH OF CONTRACT OR BREACH OF WARRANTY OF AGILE OR ANY SUPPLIER AND EVEN IF AGILE OR ANY SUPPLIER HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES IN NO EVENT WILL EITHER PARTY BE LIABLE TO THE OTHER PARTY OR TO ANY THIRD PARTY FOR ANY INDIRECT INCIDENTAL SPECIAL OR CONSEQUENTIAL DAMAGES INCLUDING WITHOUT LIMITATION LIABILITIES RELATED TO A LOSS OF USE PROFITS GOODWILL OR SAVINGS OR A LOSS OR DAMAGE TO ANY SYSTEMS RECORDS OR DATA WHETHER SUCH LIABILITY ARISES FROM ANY CLAIM BASED UPON CONTRACT WARRANTY TORT INCLUDING NEGLIGENCE PRODUCT LIABILITY OR OTHERWISE EVEN IF ADVISED IN ADVANCE OR AWARE OF THE POSSIBILITY OF ANY SUCH LOSS OR DAMAGE THE FOREGOING LIMITATIONS OF LIABILITY WILL NOT APPLY TO ANY OF THE FOLLOWING A A PARTY S BREACH OF ITS CONFIDENTIALITY OBLIGATIONS UNDER THIS AGREEMENT OR B ANY GROSS NEGLIGENCE OR WILLFUL MISCONDUCT BY A PARTY 8 3 Indemnification Licensor hereby agrees to indemnify hold harmless and defend Licensee and any partner principal employee or agent thereof against all claims liabilities losses expenses including attorney s fees and legal expenses related to such defense fines penalties taxes or damages collectively Liabilities asserted by any third party where s
37. and not the forensics definition. The definitions for Target and Initiator used in this manual are as follows:

    Target: F Response Target code is to be executed on the machine(s) to be analyzed. All references to target in this manual refer to the machine(s) being analyzed using F Response target code.

    Initiator: An iSCSI initiator is used to establish network connections to machines running F Response Target code. iSCSI initiator software must be installed on the machine from which analysis is to be conducted over the network. F Response Target code has been tested with Microsoft iSCSI Initiator 2 0 software, included by default with newer Windows operating systems and freely available for download from the Microsoft web site.

    Supported Platforms

    The F Response stand alone executable is capable of providing remote, forensically sound, read only physical hard drive connectivity on the following platforms.

    Platforms supported by all versions of F Response (Field Kit, Consultant, Consultant Covert & Enterprise):

    • Windows XP 2003
    • Windows Vista 2008 32 & 64bit
    • Windows 7 2008r2 32 & 64bit
    • Windows 8 8 1 2012 2012r2 32bit & 64bit
    • Linux Glibc 2 3 5
    • Apple OS X 10 3 10 4 10 5 10 6 10 7 10 8 10 9 10 10 Intel Only

    Additional Platforms supported by F Response Consultant, Consultant Covert and Enterprise only:

    • Apple OS X 10 3 Universal Binary
    • Sun Solaris 8 9 10 o
38. ator issues related to listing targets on 64bit Windows platforms have been resolved F Response 3 09 05 contains the following new features and enhancements to the Consultant and Enterprise Edition F Response is now a Microsoft Winqual validated and approved Windows 7 Compatible Application F Response provides additional support for the following platforms HP Unix HP_UX11iv2 HP_UX11iv3 on Itanium FreeBSD 7 on Intel i386 108 F Response now addresses the Unable to logoff of disk issue in Windows Vista 2008 and Windows 7 both 32 and 64bit F Response 3 09 04 contains multiple enhancements and bug fixes for all versions of F Response including Changes affecting all versions Passive Hibernation Suspend prevention F Response FK CE EE when running under Windows will prevent the passive hibernation suspend of the MUI Active suspend hibernation actions such as closing the laptop screen etc will still be performed Changes affecting F Response Consultant Edition Windows F Response Consultant Connector now provides a Clear Messages option that removes all text from the Messages Panel F Response Consultant Edition f response ce exe now has the ability to completely hide the dialog window on the remote machine with a simple key sequence ALT CTRL F12 This sequence will hide the GUI and restore the GUI Changes affecting F Response Enterprise Edition Windows Issue in password generation for command l
39. ble o Start Starts the License Manager Server o Stop Stops the License Manager Server o Uninstall Uninstalls the License Manager Service executable 16 Installing and starting the F Response License Manager Before you can begin using F Response Enterprise and Consultant Edition you must install and start the F Response License Manager service Double click on the F Response License Manager Monitor icon in the System Tray to bring up the License Manager console F F Response License Manager Monitor 5 xi License Manager Configuration IP Address 192 168 1 14 TCP Port 5681 m License Manager Control Install Install F Response LM Service J Set to Auto Start Start Start F Response LM Service z Stop Stop F Response LM Service Uninstall Uninstall F Response LM Service E F Response License Manager Monitor console Main Window Install the F Response License Manager service by pressing the Install button After the service is installed it will allow you to change the bound IP Address and TCP Port the service will install in the stopped position iF F Response License Manager Monitor m License Manager Configuration IP Address l 192 168 1 14 x TCP Port 5681 m License Manager Control instal Install F Response LM Service m Set to Auto Start Wa Start Start F Response LM Service lt gt Stop Stop F Response LM Service Uninstall Uninstall F R
40. ble now included for 64bit FreeBSD on Intel 102 Changes affecting all versions of F Response New F Response Dongle Updater has been added to Enterprise Consultant Covert Consultant and Field Kit This new updater uses a new upt2 file format and removes the requirement to download a separate dongle updater from the F Response website when renewing or upgrading your license Windows 8 Support for all F Response Examiner products FEMC FCC etc has been added F Response target executable for Windows now better able to handle physical memory on Windows 2000 systems F Response 4 0 04 1 contains the following new features and enhancements Changes affecting Enterprise Edition and Consultant Covert Edition F Response Cloud Connector now supports Windows Azure Blob Storage Changes affecting all versions of F Response Improved handling of non standard mount points in Linux Improved Physical Memory access stability based on further input from the Volatility Project F Response 4 0 04 contains the following new features and enhancements Changes affecting Enterprise and Consultant Covert Edition New F Response Cloud Connector providing direct read only access to Cloud Storage Environments including Amazon S3 Rackspace Cloud Files HP Public Cloud and any vi Openstack implementation F Response Enterprise Management Console now correctly detects Apple OSX 10 8 target computers and deploys the appropriate
41. ce code must retain the above copyright notice this list of conditions and the following disclaimer 2 Redistributions in binary form must reproduce the above copyright notice this list of conditions and the following disclaimer in the documentation and or other materials provided with the distribution THIS SOFTWARE IS PROVIDED BY THE PROJECT AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES INCLUDING BUT NOT LIMITED TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT INDIRECT INCIDENTAL SPECIAL EXEMPLARY OR CONSEQUENTIAL DAMAGES INCLUDING BUT NOT LIMITED TO PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES LOSS OF USE DATA OR PROFITS OR BUSINESS INTERRUPTION HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY WHETHER IN CONTRACT STRICT LIABILITY OR TORT INCLUDING NEGLIGENCE 138 OR OTHERWISE ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE Copyright c 2000 2010 Marc Alexander Lehmann lt schmorp schmorp de gt Redistribution and use in source and binary forms with or without modification are permitted provided that the following conditions are met 1 Redistributions of source code must retain the above copyright notice this list of conditions and the following disclaimer 2 Redistributions in binary form must reproduce the above copyright notice this lis
42. check the CHAP logon information check box and input the Username and Password defined on the F Response Field Kit user interface. Select Ok to complete.

    [Figure: iSCSI Initiator Properties]

    Provided the Username and Password information was entered correctly and any necessary firewall modifications have been performed, you should see Status Connected. At this point the remote Physical Disk is considered a local Physical Disk on your analysis workstation. You can connect to additional targets if desired using the same process.

    [Screenshot: Local Disk H properties dialog, General tab]

    As noted earlier, the remote Physical Disk has been attached by the iSCSI Initiator and operating system, which in this instance is presented as Local Disk H. This drive is also accessible as a raw Physical Disk using any Computer Forensics or eDiscovery application. You can use Device Manager to verify that the remote devices appear as local physical disks.

    F Response Field Kit Edition: Disconnecting from an F Response Target

    When you are finished reviewing the disk, close all open disk access programs e g Folders ope
43. ction of the following copyright notice list of conditions and disclaimer Copyright c 2009 2014 Petri Lehtinen lt petri digip org gt Permission is hereby granted free of charge to any person obtaining a copy of this software and associated documentation files the Software to deal in the Software without restriction including without limitation the rights to use copy modify merge publish distribute sublicense and or sell copies of the Software and to permit persons to whom the Software is furnished to do so subject to the following conditions The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software THE SOFTWARE IS PROVIDED AS IS WITHOUT WARRANTY OF ANY KIND EXPRESS OR IMPLIED INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM DAMAGES OR OTHER LIABILITY WHETHER IN AN ACTION OF CONTRACT TORT OR OTHERWISE ARISING FROM OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE Copyright c 1998 2011 The OpenSSL Project All rights reserved 135 Redistribution and use in source and binary forms with or without modification are permitted provided that the following conditions are met 1 Redistributions of source code must retain the above copyright notice this lis
44. ctions on using F Response in the desired mode The Consultant Covert Edition Installation package installs the following software F Response License Manager and License Manager Monitor F Response Consultant Covert Console FCC F Response Cloud Connector FC F Response Consultant Connector FCC F Response Accelerator FAR F Response Consultant COM Object FCCCTRL F Response Enterprise Target Code All Supported Platforms F Response Consultant Target Code All Supported Platforms F Response Dongle Updater The default installation is to Program Files gt F Response Do not install this installation package on the machine to be analyzed 12 Consultant Edition If you possess a license for F Response Consultant or Enterprise Edition then you may use your F Response FOB with either the Field Kit FK Target code or Consultant Edition CE Target code at your discretion Please refer to the Field Kit Edition section of the User Manual for instructions on using F Response in Field Kit mode The Consultant Edition Installation package installs the following software e F Response License Manager and License Manager Monitor e F Response Consultant Connector FCC e F Response Connector FC e F Response Accelerator FAR e F Response Consultant COM Object FCCCTRL e F Response Consultant Target Code All Supported Platforms e F Response Dongle Updater The default installation is to Program Files gt F Resp
45. ctive Clients Machine Name 192 168 1 210 Install Start F Response Stop Remove F Response Install F Response Uninstall F Response Start F Response Stop F Response Issue Discovery Request Refresh Status Open F Response Flexdisk 192 168 1 210 F Response Not Installed Custom Scan Complete 1 Detected HWID 155519116 Expires 12 17 2011 Select individual targets or multiple targets and select Start F Response to start the remote F Response Enterprise service 49 File Scan Deployment Connect Active Clients Help Machine Name Status 192 168 1 210 F Response Not Installed Custom Scan Complete 1 Detected HWID 155519116 Expires 12 17 2011 Icon badges indicate F Response has been successtully started on the target computer IP Address 192 168 1 210 Custom Scan Complete 1 Detected HWID 155519116 Expires 12 17 2011 i The Active Clients tab will also show more information about the remote F Response Enterprise targets currently connected to your license dongle including platform hostname and IP Address 50 File Scan Deployment Connect Active Clients Help il Install Start F Response Stop Remove F Response Install F Response Uninstall F Response Start F Response Stop F Response Issue Discovery Request Refresh Status Open F Response Flexdisk 192 168 1 210 F Response Not Installed I
46. default configured web browser pre populated to connect to the Flexdisk target e Help o About Presents a splash screen indicating the version information of the F Response Consultant Connector Console FCC Tab Controls e Connect o Displays a listing of the F Response Target s after a successful Discovery Request e Messages o Displays informational Messages during operation if errors occur they will be noted here e Active Clients o Queries the F Response License Manager Service to obtain active clients for the F Response LM dongle This list includes IP Address Network Name and Platform 61 Consultant Edition Configuring the FCC Console Quick Configure Quick Configure x Host Configuration Flexdisk Port Cancel TCP Port 3260 Username Password The Quick Configure dialog allows you to quickly configure the port username and password value for the F Response connection e Host Configuration o Flexdisk Port The TCP Port the remote F Response Consultant edition is listening on for incoming Flexdisk HTTPS connections o TCP Port The TCP Port the remote F Response Consultant edition is listening on for incoming F Response connections o Username The Username configured on the remote F Response Consultant edition target o Password The Password configured on the remote F Response Consultant edition target 62 Consultant Edition Configuring the FCC
47. delete files, alter metadata, or effect any other changes on the machine under inspection using F Response. What you did do was fool your analysis machine into believing that the file is deleted, and thus your analysis machine is no longer presenting the file to you as available.

    Q: I have a personal firewall running on my computers. Do I need to change firewall settings to use F Response?

    A: Possibly. F Response does create temporary exceptions in the Windows Firewall during execution. Furthermore, these exceptions are removed when the application exits. However, if you are using a firewall other than the Microsoft Windows Firewall, you may need to set an exception. F Response machines must be able to send and receive on port 3260 (this default is changeable) and, if using the Enterprise or Consultant Edition, also port 5681 (this default is changeable). We recommend disabling the firewall for the duration of the session during ad hoc usage (e.g. temporary consultant use at a third party site) and tuning the firewall configurations to allow F Response connectivity for planned enterprise deployment.

    Q: I have a remote user that accidentally deleted a file. Can I use F Response to recover deleted files?

    A: F Response will enable you to use your recovery tool of choice to recover the file(s) to a location other than the target machine. You cannot restore the file directly to the target machine via F Response because you do not have write capabi
48. discovery requests e F Response Consultant Executable Executable e Use the browse button to locate the F Response Enterprise executable to install Typically located in C Program Files F Response F Response Consultant Edition Pressing OK opens the file save dialog allowing you to select a destination for the F Response Consultant executable Memory Driver if necessary and the F Response configuration file Save in E Autocontfigure e 0e E My Recent Documents E Desktop J My Documents My Computer K File name response gt Nivea Save as type Filetype ini 7 Cancel Places Z Save the Autoconfigure package to a usb disk or portable storage device so that it can be taken to the target computer for execution 64 Consultant Edition Using F Response Consultant Edition for Windows e Step 1 o To use the F Response Consultant Edition insert a valid F Response FOB key into a USB port of the computer on which you will be running the F Response License Manager Service and then execute the F Response License Manager Service on that computer e Step 2 o If you are using the Autoconfigure feature unique to the Consultant Edition jump to Step 7 o If you are not using the Autoconfigure feature make the F Response CE Target code available to the machine to be analyzed via USB network share CD etc and execute the F Response CE Target code The follow
49. dition for Windows
F-Response Field Kit Edition: Using F-Response Field Kit Edition for Unix Linux Apple OSX
F-Response Field Kit Edition: Connecting to an F-Response Target
F-Response Field Kit Edition: Disconnecting from an F-Response Target
F-Response Flexdisk
What is a F-Response Flexdisk?
How do I access and use a F-Response Flexdisk?
Frequently Asked Questions
Support
Linux License Manager and Accelerator
Mission Guides
Software Revision History
Appendix A: Overview of the F-Response Enterprise Edition Windows Command Line Interface
Appendix B: Overview of the F-Response Enterprise Edition Unix Command Line Interface
50. dows-based F-Response software now includes UAC support for proper prompting under Vista, 2008, and Windows 7.

New Features, Consultant and Enterprise Edition:
• Minor updates to the F-Response License Manager, including better dongle stability, improved error codes, additional support for the Windows Event Log
• Support for Sun Solaris 8, 9, 10 on SPARC
• Support for IBM AIX 5.3 on Power5 and Power6

F-Response 3.09.1: New Features (Consultant and Enterprise Editions only)

New Features, Consultant Edition:
• New F-Response License Manager: small, faster, easier to work with; replaces the NetUniKey
• Updated F-Response Consultant Connector
• Right click context menus throughout
• Support for removing Connect Tab target entries

New Features, Enterprise Edition:
• New F-Response License Manager: small, faster, easier to work with
• Updated F-Response Enterprise Management Console
• Right click context menus throughout
• Support for removing Connect Tab target entries
• Additional Custom Scan option for scanning by comma separated list of machine names or IP addresses
• Direct Connect dialog user interaction streamlined

F-Response 3.09 contains multiple enhancements and bug fixes for all versions of F-Response, including:

Changes affecting all versions:
• Logical Volume and Physical Memory (32bit Windows Only) support; now F-Response locates and provides access to physical disks, logical volumes, and physical memory
• Automa
51. e 4 More information on Openstack is available at www.openstack.org

Prerequisites

In order to use F-Response you will require the following:
1. A valid F-Response License key FOB ("F-Response FOB"), which can be purchased from the F-Response Web site, www.F-Response.com.
2. A copy of the latest F-Response Installation Package for the version selected:
   1. F-Response Enterprise Edition
   2. F-Response Consultant Covert Edition
   3. F-Response Consultant Edition
   4. F-Response Field Kit Edition
3. Microsoft iSCSI initiator software (included by default with Windows Vista and above, and freely available for download from the Microsoft web site).

Note: The Microsoft iSCSI Software Initiator is available as a free download from http://www.microsoft.com/downloads for the following operating systems:
• Microsoft Windows Server 2003
• Microsoft Windows XP

This version should not be installed on the following operating systems:
• Windows Vista
• Windows Server 2008
• Windows 7

The Microsoft iSCSI Software initiator is integrated into Windows Vista, Windows Server 2008, and Windows 7; therefore there is no need to install this package on those operating system versions. The Microsoft iSCSI Software initiator configuration utility on Windows Vista and Windows Server 2008 can be accessed from the control panel in classic mode or from administrative tools in Windows Server 2008. Source: Microsoft iSCSI Software Initiator 2.x User Gu
52. [Screenshot: Credentials > Cloud Storage menu, listing Amazon S3, Rackspace CloudFiles, HP Helion Storage, OpenStack Cloud Storage, Dropbox, OneDrive, Google Drive, Google Apps for Business Drive, Office365 Sharepoint, Office365 OneDrive for Business]

As the credential location and process for acquiring those credentials changes frequently for almost all cloud providers, including each one in this manual would quickly become obsolete. Please refer to the specific Mission Guide on the F-Response Website for details on cloud provider you are attempting to access. F-Response Mission Guides are available at https://www.f-response.com/support/missionguides

Scanning for Cloud Storage Targets

Use the Scan menu to enumerate cloud storage containers (buckets) by service.

[Screenshot: F-Response Connector Scan > Cloud Storage menu, listing Azure Blob Storage, Amazon S3, Rackspace CloudFiles, HP Helion Storage, OpenStack Cloud Storage, Dropbox, OneDrive, Google Drive, Office 365 Sharepoint, Office 365 OneDrive for Business]

[Screenshot: F-Response Connector scan results]
53. e Customer acknowledges that the Agile Software may include or require the use of software programs created by third parties, and the Customer acknowledges that its use of such third party software programs shall be governed exclusively by the third party's applicable license agreement.

3. Software License Restrictions

3.1 No Reverse Engineering, Other Restrictions. Customer shall not directly or indirectly: (i) sell, license, sublicense, lease, redistribute or transfer any Agile Software; (ii) modify, translate, reverse engineer, decompile, disassemble, create derivative works based on, or distribute any Agile Software; (iii) rent or lease any rights in any Agile Software in any form to any entity; (iv) remove, alter or obscure any proprietary notice, labels, or marks on any Agile Software. Customer is responsible for all use of the Software and for compliance with this Agreement and any applicable third party software license agreement.

3.2 Intellectual Property. Agile retains all title, patent, copyright and other intellectual proprietary rights in, and ownership of, the Agile Software regardless of the type of access or media upon which the original or any copy may be recorded or fixed. Unless otherwise expressly stated herein, this Agreement does not transfer to Customer any title or other ownership right or interest in any Agile Software. Customer does not acquire any rights, express or implied, other than those expressly grant
54. e Edition

If you possess a license for F-Response Enterprise Edition, then you may use your F-Response FOB with any of the F-Response Target code offerings, including the Enterprise Edition (EE) Target Code, Consultant Covert Edition (CE C) Target Code, Consultant Edition (CE) Target code, or the Field Kit (FK) Target code, at your discretion. Please refer to the respective user manual sections for instructions on using F-Response in the desired mode.

The Enterprise Edition Installation package installs the following software:
• F-Response License Manager and License Manager Monitor
• F-Response Enterprise Management Console (FEMC)
• F-Response Connector (FC)
• F-Response Accelerator (FAR)
• F-Response Enterprise COM Object (FEMCCTRL)
• F-Response Enterprise Target Code (All Supported Platforms)
• F-Response Consultant Target Code (All Supported Platforms)
• F-Response Dongle Updater

The default installation is to Program Files > F-Response. Do not install this installation package on the machine to be analyzed.

Consultant Covert Edition

If you possess a license for F-Response Consultant Covert Edition, then you may use your F-Response FOB with any of the F-Response Target code offerings, including the Enterprise Edition (EE) Target Code, Consultant Edition (CE) Target code, or the Field Kit (FK) Target code, at your discretion. Please refer to the respective user manual sections for instru
55. e asked to use sudo as an extra step, in an effort to make you aware of the actions your account is temporarily capable of.

SSH Keys

Many system administrators prefer to allow remote connections only when they are attempted using a special cryptographic key file, the SSH Key File. F-Response allows you to specify a key file for access; however, unless your account is the root or superuser account, you will need to provide the appropriate password for su or sudo. F-Response supports both OpenSSH and Putty SSH Key files.

F-Response allows you to access the remote machine with any combination of user account and credential; however, let's go through a few common scenarios below (each shown in the manual as a screenshot of the credentials dialog):
• Using the root or superuser account with a password
• Using the root or superuser account with an SSH Key (OpenSSH or Putty)
• Using a general user account, sudo, and a user password for access and sudo permissions
• Using a general user account, sudo, and a user password for sudo permissions, plus an SSH Key for access
• Using a general user account, su, and a user password for access, plus the root password for su permissions
• Using a general user account, su, and a SSH key for access, plus
56. e to add support for new Database formats and models.

[Screenshot: Database Object Connector Scan menu, showing the Microsoft SQL Server Sharepoint 2010 entry]

[Screenshot: F-Response Connector scan results]
57. e unreasonably withheld, conditioned or delayed. This Agreement shall be binding upon and inure to the benefit of the Parties' successors and permitted assigns, if any.

11.5 Force Majeure. Neither Party shall be liable for any delay or failure due to a force majeure event and other causes beyond its reasonable control. This provision shall not apply to any of Customer's payment obligations.

11.6 Redistribution Compliance.

(a) F-Response distributes software libraries developed by The Sleuth Kit (TSK). The license information and source code for TSK can be found at http://www.sleuthkit.org. If any changes have been made by Agile to the TSK libraries distributed with the F-Response software, those changes can be found online at http://www.f-response.com/TSKinfo.

(b) A portion of the F-Response Software was derived using source code provided by multiple 3rd parties, which requires the following notices be posted herein and which applies only to the source code. F-Response code is distributed only in binary or object code form. F-Response source code and any revised 3rd party code contained within the F-Response source code is not available for distribution. The name of 3rd parties included below are not being used to endorse or promote this product, nor is the name of the author being used to endorse or promote this product. This information is presented solely to comply with the required license agreements which require reprodu
58. Enterprise Edition: Using F-Response Enterprise Edition for Windows, Deployment without the FEMC
F-Response Consultant Covert Edition
Consultant Covert Edition: Overview
F-Response Consultant Edition
Consultant Edition: Overview of the F-Response Consultant Connector
Consultant Edition: Configuring the FCC Console, Quick Configure
Consultant Edition: Configuring the FCC Console, Create AutoConfigure
Consultant Edition: Using F-Response Consultant Edition for Windows
Consultant Edition: Using F-Response Consultant Edition for Unix based Targets
F-Response command line help on analyst machine
Consultant Edition: Using the F-Response Consultant Connector
F-Response Accelerator (Consultant, Consultant Covert and Enterprise Only)
Field Kit Edition
F-Response Field Kit Edition: Using F-Response Field Kit E
59. ected to your analysis machine and the F-Response License Manager must be started. Execute the F-Response License Manager Monitor.

[Screenshot: Start Menu Folder Contents]

The first time the F-Response License Manager Monitor (F-Response LM) software is executed, it will display a System Tray icon indicating the License Manager server is not installed.

[Screenshot: F-Response LM Not Installed]

[Screenshot: F-Response License Manager Monitor console, Main Window]

The representation above shows a running F-Response License Manager Monitor. Details of the information in the Network tab fields are as follows:
• License Manager Configuration
  o IP Address: Local machine IP address currently listening for incoming F-Response Enterprise/Consultant Edition License Validation requests
  o TCP Port: Local machine TCP port currently listening for incoming F-Response Enterprise/Consultant Edition License Validation requests
• Operation
  o Install: Installs the License Manager Service executa
60. ecuted by the Parties, this Agreement shall control in the event of any conflict with an exhibit. Sections 2, 3, 5, 7, 8 and 9 and all warranty disclaimers, use restrictions and provisions relating to Agile's intellectual property ownership shall survive the termination or expiration of this Agreement. The Parties are independent contractors for all purposes under this Agreement.

11.8 Changes to this agreement. Agile will entertain changes to this agreement on a case by case basis. Changes to this Agreement may require that the Customer pay an additional administrative fee depending on the scope and complexity of the changes required by the Customer. The additional administrative fee, if any, must be paid before the license will be activated.

Appendix J: Renewing F-Response Dongle License

Updating the F-Response Dongle (FK, CE, CE C, EE)

Purpose

This document identifies the steps to be taken to update your F-Response USB license key FOB ("FOB") in the event that you have upgraded or renewed your license.

What You Need

In order to update your FOB you will require the following:
1. The f-response_<lic _expdate>.upt2 file you received from Customer Support after purchasing your license renewal or upgrade from the F-Response web site.
2. Your FOB, of course. Note: Upgrades and renewals are tied to a specific FOB, so be certain that you insert the proper FOB for use with the provided .upt2 file.
3. A copy of the lates
61. ed in this Agreement.

4. Ordering & Fulfillment. Unless otherwise set forth in an Agile generated Estimate, pricing is set forth on the F-Response website and is subject to change at any time. Each order shall be subject to Agile's reasonable acceptance. Unless otherwise set forth in an Agile generated Estimate, Delivery terms are FOB Agile's shipping point.

5. Payments. Customer agrees to pay amounts invoiced by Agile for the license granted under this Agreement. If any authority imposes a duty, tax or similar levy (other than taxes based on Agile's income), Customer agrees to pay, or to promptly reimburse Agile for, all such amounts. Unless otherwise indicated in an invoice, all Agile invoices are payable thirty (30) days from the date of the invoice. Agile reserves the right to charge, and Customer agrees to pay, Agile for every unauthorized copy or unauthorized year an amount equal to the cost per copy, per year, per computer, or per user, whichever is greater, as a late payment fee in the event Customer fails to remit payments when due or Customer otherwise violates the payment provisions of this Agreement. In addition to any other rights set forth in this Agreement, Agile may suspend performance or withhold fulfilling new Customer orders in the event Customer has failed to timely remit payment for outstanding and past due invoices.

6. Confidentiality

6.1 Definition. "Confidential Information" means (a) any non-public technical or
62. ed potential "service marked for deletion" issue.
• Updated Spanish language text as per user input.

Changes affecting Consultant Edition:
• F-Response Consultant Edition updated to address potential "service marked for deletion" issue.
• F-Response Flexdisk updated with minor API corrections based on user feedback.
• F-Response Consultant Edition now includes support for 64bit Linux platforms.

Changes affecting Field Kit Edition:
• F-Response Field Kit Edition updated to address potential "service marked for deletion" issue.

F-Response 4.0.02.1 contains the following new features and enhancements:

Changes affecting Enterprise Edition:
• Enterprise Encryption is now updated to properly handle logical volumes and 2TB devices.

Changes affecting Consultant Edition:
• Improved handling of >2TB disks for non-Windows platforms.

Changes affecting Field Kit Edition:
• Improved handling of >2TB disks for non-Windows platforms.

F-Response 4.0.02 contains the following new features and enhancements:

Changes affecting Enterprise Edition:
• F-Response Enterprise now provides the option to encrypt all read actions directed to remote targets.
  o Encryption is AES using 256 bit keys.
  o Encryption is optional and can be enabled or disabled.
  o Encryption requires Windows Vista or better on the Examiner machine (i.e., the machine running either the FEMC or the F-Response Accelerator).
• F-Response Flexdisk updated with new programmab
63. ely a Windows XP machine not running in Classic mode for credential authentication. This is typically the case when attempting to connect to XP machines not part of a Windows Domain. To switch the target machine to Classic, you must open the Local Security Policy Administration Tool under Control Panel, Administrative Tools. You will then select Local Policies > Security Options and change the value of "Network Access: Sharing and Security Model for Local Accounts" to "Classic - Local Users authenticate as themselves". This is only necessary when using the FEMC to deploy F-Response to XP or greater computers not part of a Windows Domain.

[Screenshot: Local Security Settings, Security Options]

If the target machine is a Windows 7, Vista, or newer Windows OS and not joined to a Domain (i.e., Workgroup Member), then a key will need to be added to the registry of the target machine. You can manually create and add this key to the registry by following these steps:

To create your registry key, copy the following information into Notepad:

    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
    "LocalAccountTokenFilterPolicy"=dword:00000001

Save this file as LocalAccountTokenFilterPolicy.reg and then copy it to your target
64. emote targets. Audit logs are found in the Application Event Logs of the F-Response License Manager.
• F-Response Enterprise is now fully Terminal Services/Remote Desktop aware, allowing multiple users on a single machine to run the F-Response Enterprise Management Console (FEMC) simultaneously.
• F-Response Enterprise now provides target support for OpenSolaris.

Changes affecting Consultant Edition:
• The F-Response Consultant Connector Scripting Object (FCCCTRL) has been released with methods and properties to automate connecting to deployed F-Response Consultant Edition Targets. Sample scripts for using the object have been provided for Visual Basic Script, Perl, and Python.
• F-Response Consultant now provides target support for OpenSolaris.

F-Response 3.09.07 contains the following new features and enhancements:

Changes affecting All Versions:
• F-Response (All Versions) now provides support for physical memory access under both 32bit and 64bit Windows environments.
• Added a F-Response Linux (<60 Meg) Boot CDROM that provides access to F-Response FK, CE, EE, and TACTICAL. Boot CDROM is available to all licensed customers.
• Corrected an issue where disk read errors on the target side could cause an iSCSI disconnect that was not automatically reconnected.

Changes affecting Enterprise Edition:
• The F-Response Enterprise Scripting Object (FEMCCTRL) has been updated to include improved error handling, additional objects, properties, and met
65. Using the F-Response License Manager Software (CE and EE Only)
Installing and starting the F-Response License Manager
F-Response Connector: Cloud Storage
Using the F-Response Connector for Cloud Storage Targets (TAC, CE, CE C, and EE)
Configuring Cloud Storage Options
Configuring Cloud Storage Credentials
Scanning for Cloud Storage Targets
Connecting to Cloud Storage Targets
Disconnecting from Cloud Storage Targets
F-Response Connector: Database Objects
Using the F-Response Connector for Database Objects, Sharepoint (TAC, CE, CE C, and EE)
Configuring Database Server Credentials
Scanning for Database Object Targets
Connecting to Database Object Targets
66. Disconnecting from Database Object Targets
F-Response Connector: Email
Using the F-Response Connector for Email (TAC, CE, CE C, and EE)
Configuring Connector Email Options
Configuring Email Credentials
Scanning for Email Account Targets
Connecting to Email Account Targets
Disconnecting from Email Account Targets
F-Response Enterprise
Enterprise Edition: Overview of the F-Response Enterprise Management Console (FEMC)
Enterprise Edition: Configuring the FEMC Deployment Options
Enterprise Edition: Configuring the FEMC Credentials
Enterprise Edition: Scanning
Enterprise Edition: Deploying and Managing F-Response using the FEMC (All Supported Platforms)
67. esponse LM Service

[Screenshot: F-Response License Manager Monitor, Stopped Position]

Start the F-Response License Manager service by pressing the Start button. Your F-Response FOB must be inserted prior to starting the License Manager server.

[Screenshot: F-Response License Manager running and waiting for licensing requests]

The F-Response License Manager is now running and waiting for licensing requests. The License Manager automatically creates Windows Firewall exceptions for the service application; however, if you are using other firewall products you may need to add exceptions as necessary.

F-Response Connector: Cloud Storage

Using the F-Response Connector for Cloud Storage Targets (TAC, CE, CE C, and EE)

Disclaimer: The F-Response Connector and legacy Connector products (F-Response Email Connector, Cloud Connector, and Database Object Connector) provide access to 3rd party data sources via Application Programming Interfaces (APIs) and internal structures presented by the provider. 3rd party provided data sources are by their very nature volatile. The aforementioned F-Response product
68. fficial support for the GlobalSAN iSCSI Initiator for Apple OSX.
• Improved thread management performance.
• Updated Version information to 1.18.

Changes affecting F-Response Field Kit Edition:
• Graphical user interface now includes the F-Response license expiration date.

Changes affecting F-Response Consultant Edition:
• Graphical user interface now includes the F-Response license expiration date.
• Autoconfigure option for F-Response Consultant edition added; allows F-Response Consultant Edition to be run from CD or to be provided to IT staff with no repeated configuration needed.

F-Response 1.17 contains multiple enhancements and bug fixes for all versions of F-Response, including:

Changes affecting all versions:
• Modified disk capacity return value in accordance with SCSI parameters.
• Corrected issue relating to STOP ERROR for Microsoft iSCSI Initiator in select circumstances.
• Updated Version information to 1.17.

Changes affecting F-Response Field Kit Edition:
• Modified License controls to allow more leeway when dealing with inaccurate system clocks.

Changes affecting F-Response Consultant Edition:
• Improved performance of IP validation look up process.

Changes affecting F-Response Enterprise Edition:
• Modified iSCSI Target IP selection based on IP target for Discovery.
• Added command line options a r to add and remove F-Response Enterprise Service using user defined name.

This appendix provides deta
69. f response lm lin lin64: F-Response License Manager for Linux (32 and 64 bit)

The F-Response License Manager for Linux provides F-Response License Manager services from the Linux platform (32 and 64 bit). It currently does NOT provide the encryption services that are available from the Windows version of the License Manager; if that is a requirement in your environment, you will have to continue to use the Windows License Manager. Use the d option plus a & to run the License Manager Service. Running the command without any options will return a list of the active clients.

[Screenshot: F-Response License Manager for Linux help output]

fresponselm Init Script Sample

In addition to the above binaries you will also find a sample init (initialization) script that could be used to configure the License Manager to run at boot. Please refer to the specific Linux server and distribution for more details on setting up init scripts, etc.

Mission Guides

What are Mission Guides?

F-Response Mission Guides were designed to simplify the process of using F-Response software in new and unfamiliar scenarios. Mission guides offer a possible solution to your task, working with you each step of the way through instruction that is direct and to the point. Much smaller than a manual, Mission Guides
70. form | Name | Details
None | Network Domain or Workgroup | Icon indicates a Network Domain or Workgroup; computers listed under this icon have identified themselves as being a member of the group.
Unknown | Unknown | Icon indicates this computer platform is unknown or valid credentials could not be established; check the Messages tab for further details.
Apple | Apple, F-Response Not Installed | Icon indicates an Apple Computer; if no badge is present, the Apple computer is available and does not have F-Response Installed. If a badge is present, check the badge legend below for further details.
FreeBSD | FreeBSD, F-Response Not Installed | Icon indicates a FreeBSD Computer; if no badge is present, the FreeBSD computer is available and does not have F-Response Installed. If a badge is present, check the badge legend below for further details.
HPUX | HP Unix, F-Response Not Installed | Icon indicates a HP Unix Computer; if no badge is present, the HP Unix computer is available and does not have F-Response Installed. If a badge is present, check the badge legend below for further details.
AIX | IBM AIX, F-Response Not Installed | Icon indicates a IBM AIX Computer; if no badge is present, the AIX computer is available and does not have F-Response Installed. If a badge is present, check the badge legend below for further details.

Linux, SCO, Solaris, OpenSolaris, SunOS, Windows, GreyScale, All P
71. formation on this process see "Enterprise Edition: Using F-Response Enterprise Edition for Windows, Deployment without the FEMC".
• Export MSI
  o This button will open a file save dialog box to export a MSI installer pre-configured with the appropriate configuration and settings. This MSI installer can be used with any deployment application that supports MSI based installations, including Windows Active Directory Group Policy.

Enterprise Edition: Configuring the FEMC Credentials

After completing the Deployment Options Config dialog, the next step is to configure the F-Response target's login credentials via the Credentials Configure dialog. All information inputted will not be saved or pre-populated for future usages. For obvious reasons, credentials are not stored when the application is exited.

The Credentials Configure window is divided into two areas to provide credential information for F-Response targets: Windows Domain/Network Credentials and Unix Credentials. Please refer to the guidelines below for configuring the FEMC target Credentials.

[Screenshot: F-Response Enterprise Manageme
72. g new platforms:
  o Android (ARM)
  o NetGear NAS (SPARC)

Changes affecting Consultant Edition:
• Added auto IP detection to the F-Response Consultant Connector (FCC) to enable automatic configuration of the F-Response License Manager (LM) IP Address.
• F-Response License Manager Monitor (LMM) now opens the dialog automatically on first load.
• F-Response License Manager now automatically populates Validation Port and IP in Configure Options.
• F-Response Consultant now provides target support for the following new platforms:
  o Android (ARM)
  o NetGear NAS (SPARC)

F-Response 3.09.08 / 3.09.08.1 contains the following new features and enhancements:

Changes affecting All Versions:
• F-Response (All Windows Versions) now provides support for accessing physical disks >2TB (theoretical limit of 8 Zettabytes).
• Corrected an issue with the 32bit Physical Memory access driver that caused stability issues in certain situations.

Changes affecting Enterprise Edition:
• (3.09.08.1) The F-Response Enterprise Scripting Object (FEMCCTRL) 3.09.08.1 has been updated to include improved error handling and revised methods. Contains updated FEMCCTRL COM Object, corrected to handle Credential creation issue, and modified Configure File path. Sample scripts for using the object have been provided for Visual Basic Script, Perl, Python, and C.
• F-Response Enterprise now provides explicit audit logs for Login, Logout, Failed Login, Start, Stop operations on r
73. hard drives
• Version
  o This is the version of F-Response Consultant Edition target code that you are using, in this case Version 4.00.01.

Appendix D: Overview of the F-Response Field Kit User Interface

This appendix provides an explanation of the fields presented by the F-Response Field Kit User Interface, which is presented upon execution of the F-Response Field Kit User Interface (Target code) on the computer to be analyzed.

[Screenshot: F-Response Remote Forensics Field Kit window showing Host Information (Hostname, Host IP Address), Remote Configuration (TCP Port, Username, Password), Version, and License Key (HW ID, License Expires) fields]
F-Response Field Kit Edition User Interface

An explanation of the fields presented by the F-Response Field Kit Edition Target code is as follows:
• Host Information
  o Hostname: This is the Machine Name or Host Name of the local machine upon which the F-Response Target code has been run.
  o Host IP Address: This is a drop-down listing of the IP addresses configured on this local Target machine. If there are multiple addresses present, you should select the one most readily accessible, as this will be the address you connect to from your remote analysis machine via the Initiat
74. hares
IMAP > Individual Messages in eml format (subject to provider throttling)
Office365 > Individual Messages, Calendar Items, Contacts, and Tasks in native formats (subject to provider throttling)
Additional Exchange Distinguished Folders are checked but may not be available under all accounts.

The FC does not require executables or agents be deployed to the remote servers. The FC does require a locally attached F-Response licensed dongle (TACTICAL, Consultant, or Consultant Covert) or a remote Enterprise F-Response dongle connected via the F-Response License Manager at all times.

[Screenshot: F-Response Connector main window with File, Credentials, Scan, Connect, View, and Help menus and Target, Description, Provider, Status, and Local Volume columns]
F-Response Connector

Configuring Connector Email Options

There are a number of options that can be configured when using the F-Response Connector to access Email accounts. These options include:

[Screenshot: Configure Options dialog with Cache Location, IMAP Options (max data downloaded in a 24hr period in gigabytes, ex. 2, or zero to disable), and RecordLog fields]
F-Response Email Connector Configure Options

• Cache Location
  o All Email content is cached locally; use this option to specify a location to store cache files.
• IMAP Options
  o Max data downloaded in a 24hr period in gigabytes (ex. 2): Many providers restrict the total amount of data that can be downloaded in a 24hr period. For insta
75. he API document on the Downloads page of the F-Response website.
• F-Response Flexdisk for Linux now autodetects more mount points and logical volumes.
• Updates to the F-Response Enterprise COM Scripting object to support Flexdisk configuration options.
• Improved handling of >2TB disks for non-Windows platforms.
• F-Response Enterprise for AIX and SCO now more accurately locates and presents physical devices.

F-Response 4.0.01 contains the following new features and enhancements

Changes affecting Enterprise Edition
• F-Response Enterprise Management Console (FEMC) now provides rapid deployment options which condense the standard deployment steps:
  o Install/Start F-Response: Will install, start, and issue discovery against a remote F-Response target.
  o Stop/Remove F-Response: Will stop and remove F-Response from a remote target.
• Added an Active Clients menu to allow for the selective enabling or disabling of the standard continuous polling mechanism used to update active clients.
• Added an Export option to the Deployment Options dialog to make the manual deployment process easier. The Export button will allow the user to save off a copy of the ini file and selected executable prepared for manual deployment.
• Added the new patent-pending F-Response Flexdisk capabilities to F-Response Enterprise Windows, Linux, and OSX (Apple) targets.
• Added the new F-Response Accelerator to allow many-to-many connectivity for F-Response Enterprise and Co
76. hods.
• Sample scripts for using the object have been provided for Visual Basic Script, Perl, Python, and C.
• Corrected an issue where the FEMC Unix Deployment options may be incorrectly loaded/presented.
• Added additional platform checking options to handle Linux and Apple OS builds returning non-typical chipset types and processor configurations.

F-Response 3.09.06 contains the following new features and enhancements

Changes affecting Enterprise Edition
• F-Response Enterprise now provides full deployment via the Enterprise Management Console (FEMC) to all supported platforms.
• FEMC now has both a Credentials and Options Configure panel, including platform-specific configuration options and Unix-based credentials.
• The Messages panel now indicates the presence of new messages with the notation
• The Custom Scan dialog now presents the last custom scan performed.
• Microsoft iSCSI Initiator issues related to listing targets on 64bit Windows platforms have been resolved.
• The FEMC now determines the License Manager IP Address automatically if it is running and correctly updates the configuration information without user interaction.

Changes affecting Consultant Edition
• F-Response Consultant now offers the option for configuring to bind to all IP addresses, both in autoconfigure generation and on the CE client GUI.
• The Messages panel now indicates the presence of new messages with the notation
• Microsoft iSCSI Initi
77. ide Nov 2007

The diagram below shows a high level architecture for F-Response. The F-Response FOB is located at the analysis machine (Consultant, Enterprise), and the F-Response Target code may be running on any number of corporate networked computers.

[Diagram: Internal Network Computers and Local Forensics Analyst]
F-Response Enterprise High Level Architecture

F-Response License FOB

In order to use the F-Response application you must have a valid F-Response License key FOB (F-Response FOB) such as the one shown below. This key must be inserted into the USB port of the computer running the F-Response License Manager Server (the examiner's analysis machine in the case of Enterprise/Consultant Editions, or the target machine if using the Field Kit Edition).

Since the F-Response FOB uses the USB Human Interface Device drivers, it should be immediately recognized by all supported versions of Microsoft Windows, as shown below.

[Screenshot: "Found New Hardware: USB Human Interface Device" notification]
Operating System response to insertion of the F-Response FOB

Once the F-Response FOB has been inserted and recognized by your analysis machine, you are ready to start the Enterprise Edition of F-Response on the remote workstation and establish an F-Response network connection such that you may begin analysis using your tool(s) of choice.

Getting started with F-Response Enterpris
78. ils regarding the command line options for installing, uninstalling, and configuring F-Response Enterprise on each target machine. The help text is shown in the following screen capture.

[Screen capture of a Windows system32 cmd.exe window; text as extracted]
  This help page
  <Create> Install the service with default servic
  <Delete> Uninstall the service with default serv
  service name <Create> Install the service with a user defined service name
  service name <Delete> Uninstall the service with a user defined service name
  -u <username> Username must be 1 or more characters
  -p <password> Password must be 12 or more characters
  -i <port> iSCSI port, default is 3260
  -f <port> Flexdisk port, OPTIONAL. Providing a port will enable the Flexdisk
  -s <server ip> IP address of the F-Response LM Server
  -o <server port> Port of the F-Response LM Server, default is 5681
  -m <1> Enable Physical Memory access: disabled, 1 enabled

Examples:
  To install F-Response Enterprise:
    f-response-ent -c
  Or, to install F-Response Enterprise as a different service name:
    f-response-ent -a XYZ Company Testing Service
  To uninstall F-Response Enterprise:
    f-response-ent -d
  Or, to uninstall F-Response Enterprise as a different service name:
    f-response-ent -r RYZ Company Testing Service
  To configure F-Response Enterprise settings:
    f-response-ent -u jsmith 1 -p password123456 -i 3260 -s 192.168.1.1 -o
79. ine usage of F-Response Enterprise corrected.
• F-Response Enterprise Management Console now provides a Clear Messages option that removes all text from the Messages Panel.
• The F-Response Enterprise installation package now includes a partial implementation of the F-Response Enterprise Management Console in a language-neutral, fully scriptable COM object. This object will allow a technical user of F-Response Enterprise to script actions typically initiated manually in the FEMC. For a sample script, see the C:\Program Files\F-Response folder.

F-Response 3.09.03

New Features: All versions
• Username and Password length are now more flexible. Username must be 1 ANSI characters, Password must be 12 16 ANSI characters, in keeping in line with specifications.

New Features: Consultant and Enterprise Edition
• Minor updates to both management consoles reflecting the changed password length criteria. Also, additional error/informational messages in the Messages panel when issuing a Discovery Request, Login, or Logoff.
• Management Consoles will automatically enable iSCSI services on Vista operating systems when started if they are not already on.

F-Response 3.09.02

New Features: All versions
• All F-Response software (Windows) has been translated into German, Spanish, and Simplified Chinese.
• Username and Password length are now more flexible. Username must be 1 ANSI characters, Password must be 12 ANSI characters.
• All Win
80. ing consultant validation box will appear:

[Screenshot: F-Response Consultant Validation dialog with Consultant Laptop/Workstation IP Address and Port fields, a "Not Connected" status, and Validate, Cancel, and Autoconfigure buttons]
F-Response Consultant Edition Validation User Interface (see Appendix A for field information detail)

  o Enter the IP address of the computer running the F-Response License Manager service (in this case our F-Response LM server is listening on port 5681 at address 192.168.1.6) and select Validate. The following appears, albeit with the fields empty, if a valid license key is found:

[Screenshot: F-Response Remote Forensics Consultant Edition window showing Host Information (Hostname, Host IP Address, All IP Addresses), Status, Physical Memory, Flexdisk (TCP Port), Remote Configuration (TCP Port, Username, Password), "Validated and Licensed" status, and Version 4.00.01]
F-Response User Interface configured for use (see Appendix B for field information detail)

• Step 3
  o Select an IP Address from the Host IP Address drop-down arrow to bind the F-Response Target code to a local IP address currently in use by the computer. In this case we ha
81. into the F-Response Field Kit user interface. Select OK.

[Screenshot: iSCSI Initiator Properties dialog]

The machine running your Target code now appears in the Target Portals listing under the Discovery tab. Once this is complete, provided all inputs are valid, select the Targets tab.

[Screenshot: iSCSI Initiator Properties dialog, Targets tab (tabs: General, Discovery, Targets, Persistent Targets, Bound Volumes/Devices), listing Inactive targets with Details, Log On, and Refresh buttons]

The Targets tab will show a valid target for each physical device on the F-Response Field Kit Target computer. In the above instance there are two valid physical disks on the remote computer. In addition, you will note the network name of the computer, in this case charybdis, which is included in the target name to differentiate multiple targets. Select a target to connect to and select Log On.

[Screenshot: Log On to Target dialog with Target name, "Automatically restore this connection when the system boots", and "Enable multi-path" options, and Advanced and Cancel buttons]

Now select the Advanced button.

[Screenshot: Advanced Settings dialog]

Under Advanced Settings
82. ion files that will be used on any number of machines to be analyzed.
  o Three files are created: fresponse.ini, flexdmgr.dll (if Flexdisk is enabled), and Mnemosyne.sys (if Physical Memory is enabled).
  o At this time the F-Response Consultant Edition Automatic Configuration is complete.
  o The examiner can prepare an Autoconfiguration CD-ROM, thumb drive, or other delivery mechanism using the three files shown above, i.e.:
    1. f-response-ce.exe
    2. fresponse.ini
    3. Mnemosyne.sys (if Physical Memory is enabled)
    4. flexdmgr.dll (if Flexdisk is enabled)
• Step 9
  o When analysis is to be conducted, these three files are simply placed in/on the machine to be analyzed. Run f-response-ce.exe and the following appears if a valid license key is found:

[Screenshot: F-Response Remote Forensics Consultant Edition window showing Host Information (Hostname, Host IP Address, All IP Addresses), Status, Physical Memory, Flexdisk (TCP Port), Remote Configuration (TCP Port, Username, Password), "Validated and Licensed" status, and Version]
F-Response User Interface configured for use (see Appendix B for field information detail)

  o All of the fields are pre-populated since the configuration has a
83. ject matter covered by this Agreement. To the extent the terms of any Agile policies or programs for support services conflict with the terms of this Agreement, the terms of this Agreement shall control. This Agreement shall be governed by the laws of the State of Florida, USA, without regard to choice of law provisions. You and Agile agree to submit to the personal and exclusive jurisdiction of the Florida state court located in Tampa, Florida, and the United States District Court for the Middle District of Florida. If any provision of this Agreement is held to be illegal or unenforceable for any reason, then such provision shall be deemed to be restated so as to be enforceable to the maximum extent permissible under law, and the remainder of this Agreement shall remain in full force and effect. Customer and Agile agree that this Agreement shall not be governed by the U.N. Convention on Contracts for the International Sale of Goods.

11.3 Notices. Any notices under this Agreement will be personally delivered or sent by certified or registered mail, return receipt requested, or by nationally recognized overnight express courier, to the address specified herein or such other address as a Party may specify in writing. Such notices will be effective upon receipt, which may be shown by confirmation of delivery.

11.4 Assignment. Customer may not assign or otherwise transfer this Agreement without the Agile's prior written consent, which consent shall not b
84. laris 8, 9, 10 SPARC: f-response-ce-e-sun
Oracle Solaris, OpenSolaris Intel: f-response-ce-e-sun-i386
IBM AIX 5.1, 5.2, 5.3, 6.1 Power 5: f-response-ce-e-aix-p5
IBM AIX 5.1, 5.2, 5.3, 6.1 Power 6: f-response-ce-e-aix-p6
HP Unix 11iv2, 11iv3 Itanium: f-response-ce-e-hpux
FreeBSD 7 Intel i386: f-response-ce-e-fbsd
FreeBSD 7, 8 x64 Intel: f-response-ce-e-fbsd-64
SCO Unix Open Server 6, Unixware 7 Intel i386: f-response-ce-e-sco
Google Android ARM: f-response-ce-e-android-arm
NetGear ReadyNAS SPARC: f-response-ce-e-readynas-sparc

Example Usage

Scenario 1: The F-Response target platform is Linux and the F-Response License Manager Server is on 192.168.1.6, Port 5681.
• Make the F-Response CE Target code available to the machine to be analyzed (via USB, network share, CD, etc.).
• Execute the F-Response Target code on the machine as Root (please see Appendix E, Understanding Unix Credentials, for more information).
• At the command line on the target platform, type:
  f-response-ce-e-lin -S 192.168.1.6 -P 5681 -u <FRESUSERNAME> -p <FRESPASSWORD> -i 3260

Scenario 2: Using the F-Response Autoconfigure file (fresponse.ini) created using F-Response Consultant Connector. The F-Response target platform is Linux.
• Make the F-Response CE Target code and the f-response.ini created by the Consultant Connector available to the machine to be analyzed (via USB, network share
85. latforms

Icons (badges appear over icons):
• Linux, F-Response Not Installed: Icon indicates a Linux computer. If no badge is present, the Linux computer is available and does not have F-Response installed. If a badge is present, check the badge legend below for further details.
• SCO Unix, F-Response Not Installed: Icon indicates a SCO Unix computer. If no badge is present, the SCO computer is available and does not have F-Response installed. If a badge is present, check the badge legend below for further details.
• Sun Solaris, F-Response Not Installed: Icon indicates a Sun Solaris computer. If no badge is present, the Solaris computer is available and does not have F-Response installed. If a badge is present, check the badge legend below for further details.
• Windows, F-Response Not Installed: Icon indicates a Windows computer. If no badge is present, the Windows computer is available and does not have F-Response installed. If a badge is present, check the badge legend below for further details.
• Machine not accessible: A grayscale icon indicates the target computer is not accessible with the credentials provided.

Badges:
• F-Response Started: This badge indicates F-Response has been started on the target computer.
• F-Response Stopped: This badge indicates F-Response has been stopped on the target computer.

Appendix Master Software License Agreement
AGILE RISK MANAGEMENT
86. le API
  o Flexdisk now has programmable API using simple RESTful web methods and JSON text encoding. More information on the Flexdisk API is available in the API document on the Downloads page of the F-Response website.
• F-Response Flexdisk for Linux now autodetects more mount points and logical volumes.
• Updates to the F-Response Enterprise COM Scripting object to support Flexdisk configuration options.
• Improved handling of >2TB disks for non-Windows platforms.
• F-Response Enterprise for AIX and SCO now more accurately locates and presents physical devices.

Changes affecting Consultant Edition
• F-Response Flexdisk updated with new programmable API
  o Flexdisk now has programmable API using simple RESTful web methods and JSON text encoding. More information on the Flexdisk API is available in the API document on the Downloads page of the F-Response website.
• F-Response Flexdisk for Linux now autodetects more mount points and logical volumes.
• Improved handling of >2TB disks for non-Windows platforms.
• F-Response Consultant for AIX and SCO now more accurately locates and presents physical devices.

Changes affecting Field Kit Edition
• Improved handling of >2TB disks for non-Windows platforms.
• F-Response Flexdisk updated with new programmable API
  o Flexdisk now has programmable API using simple RESTful web methods and JSON text encoding. More information on the Flexdisk API is available in t
87. lity on that machine, but you can recover the file and make it available to the user via email, network share, etc.

Q: Is the F-Response iSCSI connection encrypted?
A: By default, no. However, AES 256-bit Encryption is available in F-Response Enterprise edition. Alternatively, there are native methods to accomplish this if needed. E.g., using Microsoft IPSec policy manager, you can create a configuration to enforce an IPSec policy in your enterprise governing port 3260 (or whatever port you have elected to use with F-Response). This could be used to force F-Response to be used over an IPSec tunnel, and thus allow you to have the F-Response service start automatically with each boot. If F-Response is being used over the Internet and corporate policy dictates encryption over public networks, then the existing corporate VPN capability should satisfy the encryption policy.

7. Q: Does F-Response work as an agent?
A: No. It does not collect or store any data on the machine under inspection. It does not report to a management server. It does not have an inherent analysis or reporting capability.

8. Q: Can I deploy F-Response to Linux or other Operating Systems (OSs)?
A: Yes, we have support for 7 non-Windows operating systems. See the platforms supported section of this document for further details.

9. Q: When I attempt to deploy F-Response using the FEMC, I cannot, even though I have valid credentials.
A: Your target machine is most lik
88. lready been auto-configured. In some cases the examiner may have an option to select a different IP Address from the Host IP Address drop-down arrow to bind the F-Response Target code to one of multiple local IP addresses in use by the computer. In this case we have chosen to use the default, 192.168.1.218.
• Step 10
  o Press the Start button to start listening for incoming connections.
  o At this time the F-Response Consultant Edition client has been successfully validated, and the F-Response Consultant Connector Active Clients tab shows the remote client's IP address, Machine name, and Platform, as shown in the following figure.

[Screenshot: F-Response Consultant Connector window (File, Connect, Help menus; Connect, Messages, and Active Clients tabs) listing one active client with IP Address, Hostname, and Platform columns, plus HWID and Expires fields]
F-Response Consultant Connector Active Clients tab shows F-Response Consultant Edition remote client or target computer

Repeat steps 9 & 10 to make additional machines available for analysis. Each will appear in the F-Response Consultant Connector Active Clients tab.

Consultant Edition: Using F-Response Consultant Edition for Unix-based Targets

F-Response Consultant/Enterprise <PLATFORM> Version 4.00.03
Usage:
  -h This help page
  -a <path to devices> Path to additional devices. Comma separated, ex. /dev/md0,/dev/md1
  -S <F
89. machines. In order to utilize this service you'll want to familiarize yourself with Unix credentials.

User accounts and Credentials

For our purposes there are two different user accounts we can use to gain sufficient access to a target non-Windows-based machine: a general user account and root. In the Unix world, root is the superuser or Administrator. As you can imagine, using the superuser or root account can be dangerous; therefore most system administrators allow a general user account to perform actions requiring root-level permission through one of two options, su and sudo.

Assume User (su)

Using su, a general user account can assume superuser privileges for a limited period of time. The user will require the root or superuser password to gain these privileges, and once the su action is complete the user will effectively be able to perform any and all actions as root or superuser. It is sometimes easiest to think of this process much like Windows User Account Controls (Windows UAC) in Microsoft Windows Vista and 7: you are asked to use su as an extra step in an effort to make you cognizant of the powerful capabilities your account now possesses.

Superuser do (sudo)

Using sudo, a general user is allowed to execute a specific command with superuser privileges. In this instance the user need only enter their user password when prompted. Again, much like the Windows UAC process, you ar
90. n software reviewing the disk, etc.). Select the connected target from the iSCSI Initiator console and select Details. Check the box for Identifier and select Log off.

[Screenshot: Target Properties dialog (Sessions, Devices, and Properties tabs) listing the target's sessions, with Log off and Refresh buttons, Session Properties (Target Portal Group, Status, Connection Count), and Session Connections]

WARNING: If the disk is still in use (i.e., folders open, software reviewing the disk, etc.), Windows will not release the disk and will provide the following warning message:

[Screenshot: Log Off from Session dialog: "The session cannot be logged out since a device on that session is currently being used."]

Be sure to close all open disk access before selecting Log off. If the Initiator still does not permit the session to be logged off, you can force the session to close by selecting the stubborn Target under the Discovery tab and selecting Remove.

[Screenshot: Target Properties dialog after log off]

Once successfully logged off, the Session Identifier should be removed. You can continue working, adding and deleting sessions as needed, or, if you are finished working, you may now close the Microsoft iSCSI initiator and stop F-Response Field Kit on the Target computer.
91. n SPARC
• OpenSolaris, Oracle Solaris 11 on Intel
• IBM AIX 5.1 on Power
• FreeBSD 7, 8 on Intel i386, x64

F-Response Flexdisk Supported Platforms (Consultant, Consultant Covert, and Enterprise)
• Windows XP, 2003
• Windows Vista, 2008 (32 & 64bit)
• Windows 7, 2008r2 (32bit & 64bit)
• Windows 8, 8.1, 2012, 2012r2 (32bit & 64bit)
• Linux Glibc 2.3.5 (32bit and 64bit)
• Apple OS X 10.3 Universal Binary

Footnotes:
1. Linux glibc 2.3.5 includes Redhat, Suse, Ubuntu, Fedora, and many other distributions of Linux released during or after 2003.
2. Intel only for Field Kit; all others are Universal Binary.
3. Platform support is further restricted to supported filesystems (ext2, ext3, ntfs, fat, hfs, hfs).

F-Response Connector (TACTICAL Version)

Cloud Providers
• Amazon Web Services Simple Storage Service (S3)
• Windows Azure Blob Storage
• Rackspace Cloud Files (US and UK)
• HP Public Cloud
• Any Openstack-based Cloud Storage (v1 series)
• Google Drive
• Dropbox
• Microsoft OneDrive

Email Providers
• Gmail (Google Apps and Gmail)
• Yahoo Mail
• Most IMAP-based Email providers

Database platforms
• Microsoft Sharepoint 2010 (Microsoft SQL Server)

F-Response Connector (CE and above)

Cloud Providers: All included in TACTICAL Version, plus
• Microsoft Office 365 OneDrive for Business
• Microsoft Office 365 Sharepoint
• Box.com

Email Providers: All included in TACTICAL Version, plus
• Microsoft Office 365 Exchang
92. nce, Google limits the total to 2.5 Gig/24hrs. By setting a limit here you enforce a soft throttle to limit the chances of account lockout. By setting this value to zero you enforce no limits and allow the data to be downloaded at the maximum possible speed.

Footnote 5: More on Google Limits can be found at https://support.google.com/a/answer/1071518?hl=en

Configuring Email Credentials

Before you can connect to an Email service you must first input valid credentials. The FC provides access to Gmail, Yahoo Mail, most generic IMAP servers, and Office 365 (native Exchange Web Services). Credentials can be tested before they are added using the Test Credential button. Once the credential has been validated, press the Add button to add it to the list of credentials to be used. Email credentials are not saved between executions of the FC.

[Screenshot: Credentials > Email menu listing GMail, Yahoo, Generic IMAP, and Office 365]
Credentials > Email Configure Gmail Credentials Dialog

Scanning for Email Account Targets

Use the Scan menu to enumerate Email accounts and IMAP Mailboxes.

[Screenshot: target list with Target, Description (approximate message counts), Provider, and Status columns, showing Gmail mailboxes in the Inactive state]
93. nformation of the F-Response Enterprise Management Console (FEMC)

Tab Controls
• Deployment
  o Displays a listing of the computer(s) capable of administration, as well as their Domain/Workgroup and current status.
• Connect
  o Displays a listing of the F-Response Target(s) after a successful Discovery Request.
• Messages
  o Displays informational Messages during operation; if errors occur they will be noted here.
• Active Clients
  o Queries the F-Response License Manager Service to obtain active clients for the F-Response LM dongle. This list includes IP Address, Network Name, and Platform.

Enterprise Edition: Configuring the FEMC Deployment Options

Prior to beginning any operations with F-Response Enterprise Management Console you must complete the Deployment Options Configure dialog. All information entered will be saved and restored on future usages. In many cases you may only need to enter this information once. Please refer to the guidelines below for configuring the FEMC Deployment Options.

[Screenshot: Deployment Options dialog with F-Response Configuration (License Manager Configuration: IP Address, TCP Port; Host Configuration: Physical Memory, Flexdisk Port, TCP Port, Username, Password) and F-Response Windows Service Install Configuration (Service Name, Service Description, Executable)]
94. not in limitation of any other rights, remedies, or damages available to it at law or in equity, shall be entitled to a temporary restraining order, preliminary injunction, and/or permanent injunction in order to prevent or to restrain any such breach by the other Party.

DISCLAIMER OF WARRANTIES. TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, AGILE AND ITS SUPPLIERS PROVIDE THE SOFTWARE AND SUPPORT SERVICES (IF ANY) AS IS AND WITH ALL FAULTS, AND HEREBY DISCLAIM ALL OTHER WARRANTIES AND CONDITIONS, WHETHER EXPRESS, IMPLIED, OR STATUTORY, INCLUDING, BUT NOT LIMITED TO, ANY (IF ANY) IMPLIED WARRANTIES, DUTIES, OR CONDITIONS OF MERCHANTABILITY, OF FITNESS FOR A PARTICULAR PURPOSE, OF RELIABILITY OR AVAILABILITY, OF ACCURACY OR COMPLETENESS OF RESPONSES, OF RESULTS, OF WORKMANLIKE EFFORT, OF LACK OF VIRUSES, AND OF LACK OF NEGLIGENCE, ALL WITH REGARD TO THE SOFTWARE, AND THE PROVISION OF OR FAILURE TO PROVIDE SUPPORT OR OTHER SERVICES, INFORMATION, SOFTWARE, AND RELATED CONTENT THROUGH THE SOFTWARE OR OTHERWISE ARISING OUT OF THE USE OF THE SOFTWARE. ALSO, THERE IS NO WARRANTY OR CONDITION OF TITLE, QUIET ENJOYMENT, QUIET POSSESSION, CORRESPONDENCE TO DESCRIPTION, OR NON-INFRINGEMENT WITH REGARD TO THE SOFTWARE.

8. Limitations and Exclusions

8.1 Limitation of Liability and Remedies. NOTWITHSTANDING ANY DAMAGES THAT YOU MIGHT INCUR FOR ANY REASON WHATSOEVER (INCLUDING, WITHOUT LIMITATION, ALL DAMAGES REFERENCED ABOVE AND ALL DIRECT OR GENERAL DAMAGES
95. nse Enterprise Edition for HP Unix: f-response-ce-e-hpux
• F-Response Enterprise Edition for FreeBSD: f-response-ce-e-fbsd
• F-Response Enterprise Edition for SCO Unix: f-response-ce-e-sco

Example Usage

Scenario 1: F-Response License Manager Server on 192.168.1.6, Port 5681
  sudo f-response-ce-e-lin -S 192.168.1.6 -P 5681 -u mshannon -p mshannon123456 -i 3260

Scenario 2: F-Response Autoconfigure file (fresponse.ini) created using F-Response Consultant Connector
  sudo f-response-ce-e-lin -c fresponse.ini

Scenario 3: F-Response Autoconfigure file (f-response-ent.exe.ini) created by the F-Response FEMC Console following a successful Configuration (C:\Program Files\F-Response\F-Response Enterprise\f-response-ent.exe.ini)
  sudo f-response-ce-e-lin -c fresponse.ini

Appendix C: Overview of the F-Response Consultant User Interface

This appendix provides an explanation of the fields presented by the F-Response Consultant User Interface, which is presented upon execution of the F-Response Consultant Edition User Interface (Target code) on the computer to be analyzed.

[Screenshot: F-Response Remote Forensics Consultant Edition window showing Host Information (Hostname, Host IP Address, All IP Addresses), Flexdisk (TCP Port), and Remote Configuration (TCP Port, Username, Password) fields]
96. nse dongle connected via the F-Response License Manager at all times.

[Screenshot: F-Response Connector main window with File, Credentials, Scan, Connect, View, and Help menus and Target, Description, Provider, Status, and Local Volume columns]
F-Response Connector

Configuring Database Server Credentials

Before you can connect to a Database Server you must first input valid credentials. The current version of the FC supports Microsoft SQL Server 2010 only; however, future versions will allow you to connect to other SQL-based servers, including Oracle, etc. The Database Credentials dialog will allow you to enter one or more Database credentials, either Database Native Credentials (SQL Native) or Windows Domain Credentials. Database Credentials are not saved between executions of the FC.

[Screenshot: Credentials menu (Cloud Storage, Email, Microsoft SQL Server) and Database Credentials dialog with Credential Type (Native Credential, Windows Credential), Username, Domain, and Password fields]
Database Credential dialog. Credentials can be either native credentials (Microsoft SQL Server Native Accounts) or Windows Credentials.

Scanning for Database Object Targets

Use the Scan menu to enumerate Microsoft SQL Servers and Databases. The scanning process will use the local plugins.xml file to test database format and table structure. Periodically, new plugins.xml files will be placed on the F-Response Websit
97. nsultant customers Changes affecting Consultant Edition 105 Modified the F Response Consultant Connector FCC to improve responsiveness Added the new patent pending F Response Flexdisk capabilities to F Response Consultant Windows Linux and OSX Apple targets Added the new F Response Accelerator to allow many to many connectivity for F Response Enterprise and Consultant customers F Response 3 09 09 contains the following new features and enhancements Changes affecting All Versions F Response All Versions now provides support for accessing physical disks gt 2TB theoretical limit of 8 Zettabytes Modifications to correct authentication login logout issues when connecting from Linux open iscsi Changes affecting Enterprise Edition Adjustments to the F Response Enterprise Management Console FEMC to support different IP Address configurations Added logic to handle F Response Deployment to remote target machines using a non standard root drive F Response License Manager Monitor LMM now opens the dialog automatically on first load Addressed an issue with correctly handling alternate port selection from the command line or via configure options Icon display corrected for FEMC Direct Connect for Windows targets F Response License Manager now automatically populates Validation Port and IP in Configure Options F Response Enterprise now provides target support for the followin
98. nt Console Configuration Panel
• Windows Domain Network Credentials
  o Use the Add/Remove buttons to add and/or remove both Domain and Local machine credentials. These credentials will be used to manage the remote F Response Target computer, including Install, Start, Stop, and Uninstall operations.
  o Use Current User Credentials: This option removes the inputted credentials in favor of using the locally logged in user's credentials.
• Unix Credentials
  o User Account: Provides options for entering user account name and/or type.
  o Assume Root: Allows for selecting a manner with which to assume root privileges; further details on Unix Credentials are available in Appendix E, Understanding Unix Credentials.
  o Password: Provides the options for entering User or Root passwords, along with the option for using an SSH Key file (Putty or OpenSSH).

Enterprise Edition Scanning

The FEMC presents three different scanning menu options for detecting and enumerating potential F Response Enterprise target computers.

Scan Network by Domain (Locates Windows Machines Only)

[Screenshot: Scan Network by Domain Dialog]

Scan network by domain presents a dialog showing the detected Windows Network Domains and/or Workgroups. Select either an individual domain/workgroup or the Entire Network.

Scan Network by IP Range
99. of Agile Risk Management LLC. All other product names or logos mentioned herein are used for identification purposes only and are the trademarks of their respective owners.

Statement of Rights

Agile Risk Management LLC products incorporate technology that is protected by U.S. patent and other intellectual property (IP) rights owned by Agile Risk Management LLC and other rights owners. Use of these products constitutes your legal agreement to honor Agile Risk Management LLC's IP rights as protected by applicable laws. Reverse engineering, de-compiling, or disassembly of Agile Risk Management LLC products is strictly prohibited.

Disclaimer

While Agile Risk Management LLC has committed its best efforts to providing accurate information in this document, we assume no responsibility for any inaccuracies that may be contained herein, and we reserve the right to make changes to this document without notice.

Patents

F Response is covered by United States Patent Numbers 8,171,108; 7,899,882; 9,037,630; 9,148,418 and other Patents Pending.
100. ollowing consultant validation box will appear:

[Screenshot: F Response Consultant Edition Validation User Interface. See Appendix A for field information detail.]

  o Select Autoconfigure. The following box will appear:

[Screenshot: F Response Consultant Edition Automatic Configuration Option]

  o In the Validation Parameters section, enter the IP address and Port of the computer running the F Response License Manager service; in this case our F Response LM server is listening on port 5681 at address 192.168.1.6.
  o In the F Response Configuration section, enter the iSCSI TCP Port (in this instance we chose to keep the default, 3260), OPTIONAL: enter the Flexdisk TCP Port (in this instance we chose to keep the default, 3261), username (one or more characters), and password value (a minimum of 12 characters). These values will be used later to authenticate the iSCSI Flexdisk network connection to this computer.

• Step 8
  o Press the Save button to create the automatic Configurat
101. on This net result should be improved deployment capability for non windows systems F Response 4 0 06 contains the following new features and enhancements Changes affecting Enterprise Consultant Covert and Consultant Edition 101 New F Response Database Object Connector providing access to embedded file database objects Supports Microsoft Sharepoint Databases on Microsoft SQL Server New F Response Email Connector providing access to remote IMAP email as a local read only volume Includes support for Gmail Yahoo Mail and any generic IMAP based SSL or Non SSL email server Windows 8 Support for all F Response Connector series products F Response License Update check now occurs silently when dongle is within ten days of expiration Corrected the License Manager Monitor to better handle rare timeout issues when starting the License Manager Service Changes affecting the Consultant version of F Response General usability updates for the F Response Consultant Connector context menu corrections etc Changes affecting all versions of F Response Updates to all versions of F Response to better support target machines with a large number of disk devices F Response 4 0 05 contains the following new features and enhancements Changes affecting Enterprise and Consultant Covert Edition F Response Cloud Connector has been updated to use a new caching model which greatly improves speed and performance F Response Enterpri
102. on time values in addition to Unix timestamp values where possible F Response 5 0 0 contains the following new features and enhancements Changes affecting Enterprise Consultant Covert and Consultant Edition Update to the F Response Cloud Connector including improved handling of non printable characters and support for the following newly added Cloud Storage environments o Google Drive Includes Google Drive and Google Apps for Business Drive access o Dropbox o Microsoft Skydrive Updates to the F Response Email Connector including improved handling of IMAP throttling newly added support for Office 365 using native Microsoft Exchange Web Services a new configure options dialog for selectable options and support for accessing Gmail Calendar exports Updates to the Database Connector including improved handling of potentially corrupt Sharepoint instance data Additional error details for all Connector Suite products as well as additional error details for non standard iSCSI interactions Corrections to the F Response COM Objects to handle Active Clients logic Updates to the F Response COM Object Script samples Updated version of the F Response executable for HPUX corrected potential incorrect drive size report Changes affecting the Enterprise and Consultant Covert version of F Response Updates to the F Response Enterprise Management Console or Covert Console to better handle unix systems with non standard shell interacti
103. onnecting to Database Object Targets

You can connect to one or more storage targets by simply double clicking on the target. The newly attached volume will be assigned a drive letter and is now accessible via Windows Explorer.

[Screenshot: Logged in Database Storage target assigned the G drive letter]

Disconnecting from Database Object Targets

You can disconnect from one or more storage targets by simply double clicking on the target.

[Screenshot: Warning before detaching a connected share ("Are you certain you wish to detach this share")]

F Response Connector: Email

Using the F Response Connector for Email (TAC CE CE C and EE)

F Response TACTICAL, Consultant, Enterprise, and Consultant Covert edition includes a copy of the F Response Connector (FC). The FC allows an examiner to mount select remote mail items as local read only logical volumes or network s
104. onse. Do not install this installation package on the machine to be analyzed. Only the F Response Consultant Edition Target Code is executed on the machine to be analyzed, and this executable is placed in Program Files > F Response > F Response Consultant Edition upon completion of the package installation.

Field Kit Edition

F Response Field Kit Edition Target code is a stand alone executable (exe). The Field Kit Edition Installation package installs this software: F Response Field Kit Edition Target code, a copy of F Response Field Kit Edition Target Code which can be copied to any number of computers to be analyzed.

The Field Kit Edition Installation package installs the following software:
• F Response Field Kit Target Code (All Supported Platforms)
• F Response Dongle Updater

The default installation is to Program Files > F Response. Do not install this installation package on the machine to be analyzed. Only the F Response Field Kit Edition Target Code is executed on the machine to be analyzed, and this executable is placed in Program Files > F Response > F Response Field Kit Edition upon completion of the package installation.

Licensing F Response

Using the F Response License Manager Software (CE and EE Only)

In order to validate your license (F Response FOB) from remote computers running F Response Enterprise or Consultant Edition target code, you must have your FOB physically conn
105. or
• Remote Configuration
  o TCP Port: This is the TCP port your remote or Initiator computer will use to connect to the local machine. The iSCSI default is 3260; however, you may assign another available TCP port if desired.
  o Username: The iSCSI protocol requires a username for the remote Initiator computer connection. The username selected must be one or more characters in length. This username will be used on the remote Initiator computer to access the local or Target machine's hard drives.
  o Password: The iSCSI protocol requires a password for the remote Initiator computer connection. The password selected must be exactly 12 or more characters in length. This password will be used on the remote Initiator computer to access the local or Target machine's hard drives.
• Version
  o This is the version of F Response Field Kit Edition target code that you are using, in this case Version 4.00.01.
• License Key (HW ID)
  o This is the Hardware ID of your F Response FOB. This ID number is required when upgrading or renewing your F Response software license.
• License Expires
  o This is the expiration date of the license encoded to your F Response FOB. This number will appear in red when your F Response software license is due to expire within 30 days.

Appendix E: Understanding Unix Credentials

F Response uses Unix Credentials and the Secure Shell service (SSH/SFTP) to access remote non Windows based
106. [Screenshot: F Response Consultant Edition User Interface]

An explanation of the fields presented by the F Response Consultant Edition Target code is as follows:
• Host Information
  o Hostname: This is the Machine Name or Host Name of the local machine upon which the F Response Target code has been run.
  o Host IP Address: This is a drop down listing of the IP addresses configured on this local Target machine. If there are multiple addresses present, you should select the one most readily accessible, as this will be the address you connect to from your remote analysis machine via the Initiator.
• Remote Configuration
  o TCP Port: This is the TCP port your remote or Initiator computer will use to connect to the local machine. The iSCSI default is 3260; however, you may assign another available TCP port if desired.
  o Username: The iSCSI protocol requires a username for the remote Initiator computer connection. The username selected must be one or more characters in length. This username will be used on the remote Initiator computer to access the local or Target machine's hard drives.
  o Password: The iSCSI protocol requires a password for the remote Initiator computer connection. The password selected must be 12 or more characters in length. This password will be used on the remote Initiator computer to access the local or Target machine s
107. order or other legal process to do so provided that the Receiving Party shall promptly upon learning that such disclosure is required give written notice of such disclosure to the Disclosing Party 6 3 Obligations Each Party shall maintain in confidence all Confidential Information of the disclosing Party that is delivered to the receiving Party and will not use such Confidential Information except as expressly permitted herein Each Party will take all reasonable measures to maintain the confidentiality of such Confidential Information but 131 in no event less than the measures it uses to protect its own Confidential Information Each Party will limit the disclosure of such Confidential Information to those of its employees with a bona fide need to access such Confidential Information in order to exercise its rights and obligations under this Agreement provided that all such employees are bound by a written non disclosure agreement that contains restrictions at least as protective as those set forth herein 6 4 Injunctive Relief Each Party understands and agrees that the other Party will suffer irreparable harm in the event that the receiving Party of Confidential Information breaches any of its obligations under this section and that monetary damages will be inadequate to compensate the non breaching Party In the event of a breach or threatened breach of any of the provisions of this section the non breaching Party in addition to and
108. owing list identifies changes made to the F Response software.

F Response 6.0.3.3 contains the following new features and enhancements:

Changes affecting Enterprise, Consultant Covert, Consultant Edition, and TACTICAL:
• Updates and enhancements to the F Response Connector, including:
  o New option to set max retry attempt for OAuth based cloud service providers.
  o New option for Dropbox to reset all content to lowercase, necessary to reduce data duplication in accounts that are accessed both via Apple and Windows.
  o Additional error handling for non standard and timeout responses from providers.
  o Modifications to the encoding and decoding of Gmail provided messages.
  o Updates to Amazon S3 necessary to handle non US buckets.
• Updates to the Apple OSX F Response executable to reduce potential for sleep or hibernation while actively connected to.
• Deployment modifications for Apple OSX El Capitan to handle changes in security.

F Response 6.0.2.0 contains the following new features and enhancements:

Changes affecting Enterprise, Consultant Covert, Consultant Edition, and TACTICAL:
• Additional supported remote cloud storage environments for CE and above users added:
  o Box.com
• Support for mounting offline email cache files created by the F Response Connector when accessing email accounts.
• Complete redesign of the Gmail option for the F Response Connector. Newly revised Gmail uses OAuth based web service specifically provided by Google for account
109. ponse Accelerator and F Response License Manager x86 and x64 Update to the F Response Cloud Connector including o Updates and enhancements to better address case sensitivity in cloud presented volumes Change includes adding unique identifiers to presented file names on all supported Cloud environments o Updates to Rackspace container detection now detects containers outside of the home container region Updates to the F Response Email Connector including o Updates to improve handling of non standard separator characters in IMAP mailstores o Numerous improvements for Office365 including Enhanced speed and stability Detection of MeetingRequestResponse entries Updates to the F Response Database Object Connector including o Updates to handle OLEDB connectivity and stability issues present on certain workstation configurations Changes affecting all versions of F Response Update to the F Response Physical Memory Driver for improved stability F Response 5 0 2 contains the following new features and enhancements Changes affecting Enterprise Consultant Covert Consultant Edition and TACTICAL Update to the F Response Cloud Connector including o Addition of CSV style log output for connected drive device content o Addition of options for alternate Modified Time values in Dropbox o Modifications to handle API changes and encodings for Dropbox Google Drive o Updates to include Dropbox revision history item
110. [Table of contents, continued]
Appendix C Overview of the F Response Consultant User Interface
Appendix D Overview of the F Response Field Kit User Interface
Appendix E Understanding Unix Credentials
Appendix F Software Requirements on the Target Computer
Appendix G F Response Target Naming Convention
Appendix H ICON Legend
Appendix I Master Software License Agreement
Appendix J Renewing F Response Dongle License
  Updating the F Response Dongle (FK CE CE C EE)
  What You Need
Appendix K Legal Notices
  Trademarks
  Statement of Rights
111. rt the remote F Response Consultant Service on each Target, and they will each appear in the F Response Consultant Connector Active Clients Tab.

This completes F Response preparation for this session. Remember, you will need the four entries selected in the User Interface from Step 2 above in order to establish the connection to access the computer's drives over the network. Refer to the section on using the F Response Consultant Connector to complete the connection(s) and access the local machine's physical drives from remote.

Steps 7 through 10 below are applicable only if you are using the Autoconfigure feature unique to the Consultant Edition.

The Autoconfigure feature unique to the F Response Consultant Edition allows you to create a configuration file prior to running F Response target code on any number of machines to be analyzed. This can be a valuable time saving feature if numerous machines are to be investigated or if an assistant is going to be starting the tool on a remote machine for the benefit of the examiner. E.g., the examiner can prepare an Autoconfiguration CD ROM. When analysis is to be conducted, the CD is simply placed in the machine to be analyzed and F Response is run and started from the CD. No further setup is required.

• Step 7
  o Execute the F Response CE Target code on a suitable machine in order to create the portable configuration files to be used later on the machine(s) to be analyzed. The f
112. s Updates to the F Response Email Connector including o Additional options on the Configure Options dialog to allow for more user directed decisions regarding throttling o Modifications to better handle UTF 8 and UTF 16 character encodings in folder names and paths o Adjustments to the throttling detection heuristics o Option to attach individual folders or the entire account Updates to the F Response Database Object Connector including o Updates to the SQL Server scanning dialog to improve handling of more complex connection strings 100 o Additional error reporting for database error responses Updates to the Linux 32 and 64bit F Response executable to improve device detection F Response 5 0 1 contains the following new features and enhancements Changes affecting Enterprise Consultant Covert Consultant Edition and TACTICAL Update to the F Response Cloud Connector including o Dropbox Updates to correct Modified Metadata prior release month values were off by one ie February would be identified as January etc Updates to the F Response Enterprise Management Console to detect remote machines with non standard root Windows System path Updates to the F Response HP_UX 11i executable to include detection of logical volumes Updates to the F Response Flexdisk Technology Linux Windows and OSX o JSON output now contains additional entries for alternate data streams with NTFS o JSON output includes higher resoluti
113. s (Comma separated, ex. /dev/md0,/dev/md1)
    -S <F-ResponseLM IP>        IP Address of F Response LM Server
    -P <F-ResponseLM Port>      TCP Port of F Response LM Server (optional, defaults to 5681)
    -u <username>               F Response username, must be 8 characters
    -p <password>               F Response password, must be 14 characters
    -i <iSCSI Port>             iSCSI Port (optional, defaults to 3260)
    -c <path to fresponse.ini>  Optional autoconfigure path; if used, no other commandline options are required

F Response Consultant Enterprise Edition can either be run directly from the commandline using the various arguments indicated above, or it can be run with the -c <path to fresponse.ini> option, provided the path points to a valid fresponse.ini file. See the F Response Consultant Connector autoconfigure option to generate a valid fresponse.ini.

The F Response Enterprise Edition for Linux, Apple OS X, HP_UX, AIX, Sun Solaris, and FreeBSD is installed and available in the C:\Program Files\F-Response\F-Response Enterprise Edition folder. The executable name will indicate which version is appropriate for your target platform:
• F Response Enterprise Edition for Linux: f-response-ce-e-lin
• F Response Enterprise Edition for Apple OSX 10.3, 10.4, 10.5 (Intel & PPC): f-response-ce-e-osx
• F Response Enterprise Edition for Sun Solaris: f-response-ce-e-sun
• F Response Enterprise Edition for IBM AIX (Power): f-response-ce-e-aix-p5
• F Respo
114. [Screenshot: console window with the Deployment, Messages and Active Clients tabs]

F Response Enterprise Management Console Menu Options
• File
  o Configure: Configure F Response EMC for deploying and managing Remote F Response Target code.
  o Clear Messages: Clears any information or error messages currently in the Messages Panel.
  o Exit: Close and exit the F Response EMC.
• Scan
  o Scan by Domain: Opens a dialog for Windows Domain/Workgroup scanning to detect F Response Enterprise installations and/or potential targets.
  o Scan by IP Address: Opens a dialog for IP Address range scanning to detect F Response Enterprise installations and/or potential targets.
  o Direct Connect: Opens a dialog for direct connect options for directly connecting to a remote computer via IP address or Network Name to detect F Response Enterprise installations and/or potential targets.
  o Custom Scan: Opens a dialog for inputting a comma delineated listing of either computer names or IP addresses (or both) to scan to detect F Response Enterprise installations and/or potential targets.
• Deployment
  o Install/Start F Response: Installs and then automatically starts F Response Enterprise on the selected computer(s).
  o Stop/Remove F Response: Stops then removes F Response Enterprise from the selected computer(s).
  o Install F Respon
115. s provide best effort for accessing and interacting with those 3rd party data sources; however, service disruptions, API changes, provider errors, network errors, as well as other communications issues may result in errors or incomplete data access. F Response always recommends secondary validation of any 3rd party data collection.

F Response TACTICAL, Consultant, Consultant Covert, and Enterprise edition includes a copy of the F Response Connector (FC). The FC allows an examiner to mount remote Cloud Storage containers, Email Accounts, and Sharepoint Documents (Embedded Database Objects) as local read only logical volumes or network shares. The FC does not require executables or agents be deployed to remote systems. The FC does require a locally attached F Response licensed dongle (TACTICAL, Consultant, or Consultant Covert) or a remote Enterprise F Response dongle connected via the F Response License Manager at all times.

[Screenshot: F Response Connector]

Configuring Cloud Storage Options

There are a number of options that can be configured when using the F Response Connector to access Cloud Storage; these options include:
  o Number of retries to attempt before timing out (0)
  o Dropbox Options
      For Modified Time use: Modified (Recommended), Client MTime
      Do not show file revisions (default is to show all file revisions)
      Merge all folder paths
116. [Screenshot: F Response Connector scan results]

Connecting to Email Account Targets

You can connect to one or more storage targets by simply double clicking on the target. The newly attached volume will be assigned a drive letter and is now accessible via Windows Explorer. The FC will begin processing the remote email and building a local cache. This process may be stopped at any time by double clicking on the clock icon. Cancelled processes are restarted on the next Login operation. The processing phase can take a
117. se: Installs F Response Enterprise on the selected computer(s).
  o Uninstall F Response: Uninstalls F Response Enterprise from the selected computer(s).
  o Start F Response: Starts F Response Enterprise on the selected computer(s).
  o Stop F Response: Stops F Response Enterprise on the selected computer(s).
  o Issue Discovery Request: Issues an iSCSI Discovery request against the selected computer(s) or Active Client(s).
  o Open F Response Flexdisk: Opens the default web browser to connect to the selected computer on the Flexdisk configured port (HTTPS).
• Connect
  o Discovery F Response Disks: Opens a dialog providing iSCSI Discovery request capability by IP Address.
  o Login to F Response Disk: Initiates an iSCSI login on the selected F Response Enterprise Target.
  o Logout of F Response Disk: Initiates an iSCSI logout on the selected F Response Enterprise Target.
  o Remove F Response Disk: Deletes F Response Target entries for the selected machine from the Connect Tab.
• Active Clients
  o Poll Continuously: Enables or Disables the continuous polling of the F Response License Manager. If this menu option is unchecked, the Active Clients panel will not accurately reflect Active Clients unless the Refresh menu option is used.
  o Refresh: Refreshes the Active Clients panel (only available if Poll Continuously is unchecked).
• Help
  o About: Presents a splash screen indicating the version i
118. se COM Object has been improved to better detect and deploy to newer versions of Linux, including recent Ubuntu releases (12.04, 12.10).
• F Response FreeBSD executable now included for 64bit FreeBSD on Intel.
• Minor performance updates to the F Response Enterprise Management Console and Covert Console to improve speed and platform support.
• F Response Enterprise Management Console and Covert Console now better able to detect and deploy to legacy Windows computers.
• F Response Enterprise COM Object for x64 Windows is now included with the standard installation on x64 examiner machines.
• F Response Enterprise Management Console, Covert Console, and F Response Accelerator now remove legacy iSCSI target portals on logout to reduce confusion.
• F Response Enterprise Management Console and Covert Console now able to assign a Service Description to the F Response Enterprise Service (Optional).
• Direct Connect option in both management consoles has been multi threaded, resulting in a faster and more robust user experience.
• F Response Cloud Connector (Enterprise version only) no longer requires local dongle support (license manager operation similar to Accelerator).

Changes affecting Consultant Edition:
• F Response Consultant Connector now removes legacy iSCSI target portals on logout to reduce confusion.
• F Response Consultant COM object for x64 Windows now included in the standard installation on x64 examiner machines.
• F Response FreeBSD executa
119. software.
• F Response Consultant Covert is now better able to detect Windows machines even if they are running SSH/SFTP services.
• Improved handling of deployment to remote Windows machines with non standard root directories and paths.
• New Export MSI option exports the F Response target executable and configuration file, along with all necessary settings, to a simple Microsoft Installer which can be easily deployed to target machines using 3rd party deployment tools.

Changes affecting all versions of F Response:
• F Response Apple OSX executables now signed with registered Apple Developer certificate.
• F Response Linux and Apple OSX executables now able to better detect non standard device paths and mount points and automatically add these as available targets.
• Thanks to assistance from AAron Walters, Michael Ligh, and the Volatility Project, F Response Physical Memory access now has greatly improved stability in large memory environments.

F Response 4.0.03 contains the following new features and enhancements:

Changes affecting Enterprise and Consultant Covert Edition:
• F Response Enterprise now includes support for 64bit Linux platforms.
• F Response Enterprise Management Console now correctly detects Apple OSX 10.7 target computers and deploys the appropriate software.
• F Response Flexdisk updated with minor API corrections based on user feedback.
• F Response Enterprise Service Uninstall issue addressed remov
120. [Screenshot: F Response Enterprise Edition Service Management Console interface]

The F Response Enterprise service is controlled via the Microsoft Management Console for Services. By default the service is installed in the Manual position, such that it may be started during an investigation and stopped when no longer needed. Once installed and configured, the service need only be started each time it is to be used. The default service name, F Response Enterprise Service, can be replaced with a user defined service name during installation with the a option.

Appendix B: Overview of the F Response Enterprise Edition Unix Command Line Interface

F Response Consultant Enterprise <PLATFORM> Version 3.09.06
Usage:
    -h                    This help page
    -a <path to devices>  Path to additional device
121. ssage that I don't have permission to view that folder. Why don't I have access?
11. Q: What port does the F-Response EMC management console use to deploy and manage the F-Response Service?
12. Q: Where does the F-Response EMC management console install or place the F-Response Enterprise executable and configuration file?
13. Q: What port does the F-Response EMC management console use to deploy and manage the F-Response Service?
1. Q: Can multiple initiators connect to a single F-Response target machine?
A: While the F-Response target code is running, any iSCSI initiator with access to the listening port can connect to the machine, provided of course that the proper authentication credentials are provided.
2. Q: Do I change any data on the target computer by using F-Response?
A: Once the F-Response Target code is executed and the network connection is established, the practitioner conducting the analysis cannot edit or alter data on the machine under inspection via the F-Response connection. Executing or starting the F-Response service does of course effect some change to the target computer, but the changes are about as minimal as they can be for analysis that is being conducted on a live machine.
Q: I am connected via F-Response, navigated to a file on the remote computer, hit delete, and it appears to be gone. Did I really delete the file?
A: No, you didn't delete the file. You cannot
122. ssue Discovery Request will obtain a complete listing of the available targets from the remote F-Response Enterprise computers.
[Screenshot: Connect tab listing the discovered F-Response targets with their Connected and Local Disk status]
The Connect Tab displays a listing of the accessible disks, logical volumes, and physical memory (if available) for each F-Response Enterprise Target. For more information on the naming convention used, see Appendix G.
[Screenshot: Connect menu with the entries Discover F-Response Disks, Login to F-Response Disk, Logout of F-Response Disk, and Remove F-Response Disk]
Select one or more F-Response Targets from the Connect Tab and use the Connect Menu "Login to F-Response Disk" to authenticate and login to the
123. stall F-Response Enterprise from accessible computers on the network.
The following is a step-by-step progression for using the FEMC to install, start, connect to, disconnect from, stop, and uninstall F-Response Enterprise on remote computers.
[Screenshot: F-Response Enterprise Management Console, Deployment tab, after a Custom Scan]
Completed Custom Scan operation results show one accessible computer. Please see Appendix H for the complete icon legend defining the different platforms.
[Screenshot: Deployment context menu with the entries Install/Start F-Response, Stop/Remove F-Response, Install F-Response, Uninstall F-Response, Start F-Response, and Stop F-Response]
Installation of F-Response can be performed by right-clicking on a valid target icon.
[Screenshot: Deployment menu, which also offers Issue Discovery Request and Refresh Status]
Installation can also be performed on multiple targets by selecting them in the Deployment panel.
[Screenshot: F-Response Enterprise Management Console]
124. t F-Response Updater executable file, which is freely available from the F-Response Web site or installed as part of your F-Response installation.
Step 1: Insert the FOB into an available USB port on a Windows machine.
Step 2: Execute (there is no installation process) the F-Response Updater executable file. The following screen appears:
[Screenshot: F-Response Updater dialog with two options, "Download and apply license update (insert dongle first, Internet required)" and "Apply license update from upt2 file"]
Step 3a: If you have Internet connectivity you can attempt to download your license file directly; select the first option and press Update.
Step 3b: If you wish to use a local upt2 file, press the second option and type in or use the button to Browse to the location of the upt2 file you received from Customer Support for this FOB.
Note: If you try to update the FOB for which this upt file was not intended, you'll do no harm, but the process will fail.
Select Update. When the process completes in a few seconds, your license FOB has been updated and the process is complete.
Congratulations! Your FOB has now been programmed for use with your most current license.
Appendix K
Legal Notices
Legal Notice
Copyright 2015 Agile Risk Management LLC. All rights reserved. This document is protected by copyright with all rights reserved.
Trademarks
F-Response is a trademark
125. t File and Printer Sharing services for remote administration and deployment (TCP Port 445).
Support
Didn't find what you're looking for in the manual? Many of our customers find that our growing selection of brief tutorial videos offers the information to meet their immediate needs: https://www.f-response.com/support/videos
We take pride in providing prompt attention to your support needs and will support your F-Response product for the period of your license term. F-Response support can be reached via:
• Email: support@f-response.com
• Website/Chat Support: https://www.f-response.com
Software and documentation updates will be made available for download to registered users on the F-Response web site. E-mail support is available to licensed software users. We typically respond to your queries within 1 business day of receiving your request.
Linux License Manager and Accelerator
F-Response Consultant and above now includes an F-Response License Manager and Accelerator for 32 and 64 bit Linux platforms. The License Manager and Accelerator, along with a sample init script for starting the License Manager automatically, is included in the installation folder in the directory Linux Tools.
f response accel lin
F-Response Accelerator for Linux (32bit only)
The F-Response Accelerator for Linux essentially uses the Linux iSCSI Initiator to assist with connecting to F-Response Targets. nse Accelerator
126. t of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
THIS SOFTWARE IS PROVIDED BY THE AUTHOR "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
11.7 General. This Agreement, including its exhibits (all of which are incorporated herein), are collectively the Parties' complete agreement regarding its subject matter, superseding any prior oral or written communications. Amendments or changes to this Agreement must be in mutually executed writings to be effective. The Parties agree that, to the extent any Customer purchase or sales order contains terms or conditions that conflict with or supplement this Agreement, such terms and conditions shall be void and have no effect, and the provisions of this Agreement shall control. Unless otherwise expressly set forth in an exhibit that is ex
127. t of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
3. All advertising materials mentioning features or use of this software must display the following acknowledgment: "This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to endorse or promote products derived from this software without prior written permission. For written permission, please contact openssl-core@openssl.org.
5. Products derived from this software may not be called "OpenSSL" nor may "OpenSSL" appear in their names without prior written permission of the OpenSSL Project.
6. Redistributions of any form whatsoever must retain the following acknowledgment: "This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org/)"
THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT "AS IS" AND ANY EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAG
128. the remote computer(s). This name is completely user selectable.
Service Description
• Description value that will be assigned to the F-Response Enterprise service when installed on the remote computer(s). This description is completely optional.
Executable
• Use the browse button to locate the F-Response Enterprise executable to install. Typically located in C:\Program Files\F-Response\F-Response Enterprise Edition\f-response-ent.exe
• Unix Platform Specific Options (ADVANCED; only supported on analyst machines running Microsoft Windows Vista or above; if not supported, option will be grayed out)
o A platform-based set of options that will be executed on the remote computer. Any changes made to the options are saved. Optionally, they can be reset using the Reset Current or Reset All buttons. For additional information, see the F-Response Unix Platform options Appendix.
Pre Start
• This is a shell command that will be run prior to starting F-Response on the remote target.
Post Stop
• This is a shell command that will be run directly after stopping F-Response on the remote target.
Additional Targets
• This option will allow you to specify additional targets that may not be detected automatically.
• Export
o This button will open a file save dialog box to export the configuration information. This is useful when you need to deploy F-Response Enterprise via alternate means. For more in
129. the root password for su permissions.
Appendix F
Software Requirements on the Target Computer
The following outlines what software, services, and credentials are required to connect to a remote target computer via the F-Response Enterprise Management Console (FEMC).
• Windows (All Versions)
o Software: No additional
o Services: File and Printer Sharing (Microsoft Services, TCP Port 445)
o Credentials: Administrator or like permission sufficient to create a LocalSystem-level service
• Unix (All Versions)
o Software: No additional
o Services: SSH with SFTP Subsystem services available
o Credentials: User account capable of assuming superuser privileges, or superuser account
• Platform Specific Notes
o Apple: SSH is not enabled by default on Apple OSX; however, it can be enabled via the System Preferences via the Remote Login Service. The exact location of this option will vary by operating system release and version.
Appendix G
F-Response Target Naming Convention
The following outlines the F-Response Target naming convention.
• All Platforms
o iqn.2008-02.com.f-response.HOSTNAME
• Windows
o Physical Disk: disk X, where x is the physical disk number
o Logical Volume: vol X, where x is the logical volume letter
o Physical Memory: pmem
• Non-Windows
o Physical Disk: <disk name> (platform dependent)
Appendix H
Icon Legend
Icon Plat
130. tic Firewall exceptions (Windows Firewall Only): F-Response now creates and removes firewall exceptions automatically.
• New platform support: Linux (glibc > 2.3.5) and Apple OSX (10.4, 10.5).
Changes affecting F-Response Consultant Edition:
• Newly released F-Response Consultant Connector streamlines the process of connecting and disconnecting from remote F-Response Consultant Edition clients.
• Newly released F-Response License Manager Monitor Service replaces the NetUniKey server. Provides a more streamlined interface and improved platform support options.
Changes affecting F-Response Enterprise Edition:
• Newly released F-Response Enterprise Management Console streamlines the complete lifecycle of F-Response Enterprise: deploy, connect, disconnect, and remove F-Response Enterprise clients from a single interface.
• Newly released F-Response License Manager Monitor Service replaces the NetUniKey server. Provides a more streamlined interface and improved platform support options.
Changes affecting F-Response Field Kit Edition:
• Support for Linux (glibc 2.3.5) and Apple OS X (10.4, 10.5; Intel only).
F-Response 1.18 contains multiple enhancements and bug fixes for all versions of F-Response, including:
Changes affecting all versions:
• Improved handling of foreign language versions of Windows.
• Added support for non-standard Windows Computer Names.
• Improved on-load drive probing.
• Official support for the Open-iSCSI Linux Initiator.
Un O
131. uch Liabilities arise out of or result from: (1) any claim that the Software or Customer's use thereof violates any copyright, trademark, patent, and/or any other intellectual property rights; (2) the negligence of Licensor in the course of providing any Services hereunder; or (3) the representations or warranties made by Licensor hereunder or their breach. Licensee shall promptly notify Licensor of any third party claim, and Licensor shall, at Licensee's option, conduct the defense in any such third party action arising as described herein at Licensor's sole expense, and Licensee shall cooperate with such defense.
9. Verification
9.1 Agile has the right to request Customer complete a self-audit questionnaire in a form provided by Agile. If an audit reveals unlicensed use of the Agile Software, Customer agrees to promptly order and pay for licenses to permit all past and ongoing usage.
10. Support Services
10.1 Rights and Obligations. This Agreement does not obligate Agile to provide any support services or to support any software provided as part of those services. If Agile does provide support services to you, use of any such support services is governed by the Agile policies and programs described in the user manual, in online documentation, on Agile's support webpage, or in other Agile-provided materials. Any software Agile may provide you as part of support services are governed by this Agreement, unless separate terms are provided.
1
132. ve chosen 192.168.1.218.
o Alternatively, you can select All IP Addresses to bind to all available IP addresses.
Step 4
o Select the TCP Port. In this instance we chose to keep the default, 3260.
o OPTIONAL: Select the Flexdisk Port. In this instance we chose to keep the default, 3261.
Step 5
o Enter in a username and password value. These values will be used later to authenticate the network connection to this computer.
Step 6
o Press the Start button to start listening for incoming connections.
o When the service is started, one temporary file is created if the Physical Memory option has been enabled. This file, Mnemosyne.sys, is the physical memory driver necessary for providing access to physical memory.
o At this time the F-Response Consultant Edition client has been successfully validated, and the F-Response Consultant Connector Active Clients Tab shows the remote client's IP address, Machine name, and Platform, as shown below.
[Screenshot: F-Response Consultant Connector Active Clients Tab shows F-Response Consultant Edition remote client or target computer]
The Consultant Edition permits you to establish multiple connections. To examine multiple targets, simply sta