F-Response TACTICAL Review

Matt Shannon of F-Response has been kind enough to send a copy of F-Response TACTICAL to me for review.

I have never written a product review before so please be gentle with me. I’m hoping that product reviews will become a regular item on the Forensic 4cast website.

On with the show…

F-Response software is designed to retrieve data from live systems through a network connection without altering the data on the original device.

The Hardware

Unlike previous releases of F-response, TACTICAL has dual dongles.  These dongles are uniquely paired and are clearly marked as ‘Examiner’ and ‘Subject’ and are provided in a handy little dongle case.

When conducting an investigation the subject dongle will be plugged into the computer to be examined and the examiner dongle will be plugged into your examination machine.  At the moment the subject dongle only supports Windows (version 7 included), OS X, and Linux. The examiner dongle only supports Windows operating systems at the moment.  Support for other operating systems will, no doubt, follow in the near future.

The Software

The process of getting access to the subject machine is somewhat simpler than in ‘Field Kit’ edition. In field kit edition an examiner would need to plug the dongle into a computer, find the IP address of that computer, enter that IP into their examination machine, and enter a username and password to connect.

With TACTICAL plug the subject dongle in to any computer on a network and start the software. It sends out a beacon across the network. Once you plug the examination dongle into your examination machine, run the software, and click on ‘Auto Connect’ it will find the beacon and automatically connect to the subject machine. No username or password is necessary as the verification is performed by the paired dongles.

Once a connection has been made the user is presented with a list of storage devices connected to that computer.  This includes internal hard drives, RAIDs, external USB devices, etc.  The one thing that I did notice, however, is that the F-Response subject dongle also appears in this list.  This has potential for causing confusion if the examiner does not take care when conducting an investigation.  In order to connect to a disk/volume a user simply right-clicks on the desired item and selects ‘Login to F-Response Disk’.

At this point the examiner is free to use whatever tools they see fit to conduct their investigation.  As with other F-Response releases TACTICAL is vendor neutral so any of your typical forensic tools should work. I’ve tested TACTICAL with X-Ways, EnCase, FTK Imager, Drive Prophet, Histex, and so on. Each can perform their tasks exactly the same as if the device was plugged directly into the examination machine.

Conclusion

First the good:

• This is a superior product to the field kit edition.
• It will ease the process of gathering data from live systems and be of great use to many investigators.
• The instructions are straight forward and simple to follow.
• Compared with other similar products TACTICAL is a steal at only $490 ($390 for Law Enforcement, government, and non-profit organisations) for a year’s license.

The not-as-good:

• F-Response does not encrypt traffic. If you want to protect the data you’ll have to set up something yourself.
• Although TACTICAL support Windows, Linux, and OS X as subjects, at the moment it only supports Windows on the examiner’s side. I suspect that Matt Shannon and his crew are working on this and expect them to address this before much longer.

With each release F-Response gets better and better. I personally can’t wait to see what they have in store in the future.

What are you thoughts? The comment are open for you to leave your own point of view.