Matt Shannon of F-Response has been kind enough to send a copy of F-Response TACTICAL to me for review.
I have never written a product review before so please be gentle with me. I’m hoping that product reviews will become a regular item on the Forensic 4cast website.
On with the show…
F-Response software is designed to retrieve data from live systems through a network connection without altering the data on the original device.
The Hardware
Unlike previous releases of F-response, TACTICAL has dual dongles. Â These dongles are uniquely paired and are clearly marked as ‘Examiner’ and ‘Subject’ and are provided in a handy little dongle case.
When conducting an investigation the subject dongle will be plugged into the computer to be examined and the examiner dongle will be plugged into your examination machine. Â At the moment the subject dongle only supports Windows (version 7 included), OS X, and Linux. The examiner dongle only supports Windows operating systems at the moment. Â Support for other operating systems will, no doubt, follow in the near future.
The Software
The process of getting access to the subject machine is somewhat simpler than in ‘Field Kit’ edition. In field kit edition an examiner would need to plug the dongle into a computer, find the IP address of that computer, enter that IP into their examination machine, and enter a username and password to connect.
With TACTICAL plug the subject dongle in to any computer on a network and start the software. It sends out a beacon across the network. Once you plug the examination dongle into your examination machine, run the software, and click on ‘Auto Connect’ it will find the beacon and automatically connect to the subject machine. No username or password is necessary as the verification is performed by the paired dongles.
Once a connection has been made the user is presented with a list of storage devices connected to that computer.  This includes internal hard drives, RAIDs, external USB devices, etc.  The one thing that I did notice, however, is that the F-Response subject dongle also appears in this list.  This has potential for causing confusion if the examiner does not take care when conducting an investigation.  In order to connect to a disk/volume a user simply right-clicks on the desired item and selects ‘Login to F-Response Disk’.
At this point the examiner is free to use whatever tools they see fit to conduct their investigation. Â As with other F-Response releases TACTICAL is vendor neutral so any of your typical forensic tools should work. I’ve tested TACTICAL with X-Ways, EnCase, FTK Imager, Drive Prophet, Histex, and so on. Each can perform their tasks exactly the same as if the device was plugged directly into the examination machine.
Conclusion
First the good:
- This is a superior product to the field kit edition.
- It will ease the process of gathering data from live systems and be of great use to many investigators.
- The instructions are straight forward and simple to follow.
- Compared with other similar products TACTICAL is a steal at only $490 ($390 for Law Enforcement, government, and non-profit organisations) for a year’s license.
The not-as-good:
- F-Response does not encrypt traffic. If you want to protect the data you’ll have to set up something yourself.
- Although TACTICAL support Windows, Linux, and OS X as subjects, at the moment it only supports Windows on the examiner’s side. I suspect that Matt Shannon and his crew are working on this and expect them to address this before much longer.
With each release F-Response gets better and better. I personally can’t wait to see what they have in store in the future.
What are you thoughts? The comment are open for you to leave your own point of view.
4 responses to “F-Response TACTICAL Review”
Nice review Lee! Only recommendation is maybe adding a couple of screenshots next time. Otherwise, very informative.
Good review, but how much does it cost? Also, have a happy boxing day. Strange how the English celebrate pugilism.
Good job Lee. Very informative review.
KP
Both TACTICAL and other versions of F-Response require authentication as per iSCSI RFC, you are quite correct that there is no encryption. It is possible to achieve this via vpn or reverse ssh. Not a problem on a trusted network segment, which IME for most engagements it is fine.
Although Matt has not produced client apps for OSX or Linux, there are free and open source tools that will allow you to connect to iSCSI targets on these platforms.
Also, it is only with Linux that you can have the ability to query the live physical memory using something like Volatility 😉