F-Response Manual TACTICAL
Contents
1. Credential Valid Contigure Gmail Credentials Dialog Revision 5 0 1 Page 58 8 13 2013 All Versions Users Manual 5 0 1 Scanning for Email Account Targets Use the Scan menu to enumerate Email servers and accounts i F Response Email Connector Scan All Scan Gmail Email Accounts Scan Yahoo Email Accounts SAONE S65 F Re Email Connector Scan menu al F Response Email Connector Google Mail GMail Inactive i S 1155519993 Expir es 2 15 2015 4 0 6 2 Email Connector scan results Revision 5 0 1 Page 59 8 13 2013 All Versions Users Manual COREE 5 0 1 Connecting to Email Account Targets You can connect to a storage target by selecting the target right clicking to open the context menu and selecting Login to F Response Email Volume The FEMLC will begin processing the remote email and building a local cache This process may be stopped at any time using the Cancel Login to F Response Email Volume option Cancelled processes are restarted on the next Login operation The processing phase can take a considerable amount of time depending on the total number of messages size of the messages available bandwidth and any throttling of performance done by the email provider Once complete the newly attached volume will be assigned a drive letter and is now accessible via Windows Explorer i F Response Email Connector x Google Mail GMail Connected Wie2. All Versions Users Manual 5 0 1 Using F Response TACTICAL to examine an Apple computer Launcher Method INSERT TACTICAL Subject Insert the F Response TACTICAL Subject USB Dongle into the Suspect s Apple OSX Computer Locate the newly created Removable Disk and double click on it to view the contents Navigate to the Launchers folder and double click on the appropriate launcher Inside the TACTICAL Subject folder is a launchers folder Inside the launchers folder you will find launchers for F Response TACTICAL for OSX double click on the launcher to execute F Response You will be prompted for Administrative Access INSERT TACTICAL Examiner Insert the F Response TACTICAL Examiner USB Dongle into the Analyst or Investigator s Windows Computer Locate the newly created Removable Disk and double click on the f response tacex exe executable Select File Auto Connect Select the File menu item Auto Connect this will tell the TACTICAL Examiner to begin searching the local network for the Subject OPTIONAL If Auto Connect does not work Select the File menu item Manual Connect and input the IP Address in the Host IP Address field on the TACTICAL Subject See Above igion Gr ColorSync Utility gt Preview Console Name Terminal DigitalColor Meter Kind Application E Directory Size 40 5 MB on disk ime Player El Directory Utility
3. Auto Connect All Versions Users Manual 5 0 1 Mar Manual Connect x Exit E F Response TACTICAL Examiner E iqn 2008 02 com f response tactical preppe disk 3 Inactive EF ign 2008 02 com f response tactical preppc disk 2 Inactive Page 19 Inactive Inactive Inactive 8 13 2013 al All Versions Users Manual Using F Response TACTICAL to examine a Linux computer Manual Method INSERT TACTICAL Subject Insert the F Response TACTICAL Subject USB Dongle into the Suspect s Linux Computer Locate the newly created Removable Disk and open a Terminal Window Navigate to the USB Storage Device and execute the program Navigate to the folder containing the F Response TACTICAL Subject for Linux f response tacsub lin exe or f response tacsub lin 64 exe in this instance that folder is media disk Next execute the program as root or using sudo Root or account password will be required The command line is sudo f response INSERT TACTICAL Examiner Insert the F Response TACTICAL Examiner USB Dongle into the Analyst or Investigator s Windows Computer Locate the newly created Removable Disk and double click on the f response tacex exe executable Select File Auto Connect Select the File menu item Auto Connect this will tell the TACTICAL Examiner to begin searching the local network for the Subject OPTIONAL If Auto Connect does not work Select the
4. d 4 0 6 F Logged in Email Account target assigned the E drive letter Revision 5 0 1 Page 60 8 13 2013 All Versions Users Manual fa 501 Disconnecting from Email Account Targets You can disconnect from a storage target by selecting the target right clicking to open the context menu and selecting Logout of F Response Email Volume The volume will be disconnected and the assigned drive letter will now be removed al F Response Email Connector Google Mail GMail Inactive 4 F HWID 155519993 Expires 2 15 2015 4 0 6 5 Logged out of the Email Volume Revision 5 0 1 Page 61 8 13 2013 All Versions Users Manual TACTICAL 50 1 F Response Flexdisk F Response Flexdisk Web Viewer Target TACTICAL PREPPC internet Protected Mode Off av 100 v F Response Flexdisk Web Viewer What is a F Response Flexdisk The F Response Flexdisk Patented is a web based disk access and representation tool The Flexdisk uses standard web technologies HTTPS REST to provide direct access to the remote target machines Logical and Physical targets in both raw and logical format The Flexdisk can be accessed and used from any modern web browser and also exposes a feature rich and extensible application programming interface API accessible from any system capable of making and interpreting web queries and JSON How do access and use a F Response Flexdisk Using the F Res
5. Revision 5 0 1 All Versions Users Manual 5 0 1 nu BUTS Lure 101701 TACTICAL Users Manual Version 5 0 1 Page 1 8 13 2013 lg All Versions TACTICAL Users Manual EXAMINER 501 Table of Contents Welcome to F Response TACTICAL swcisesscscisasvssassassevessnsecsavnaeseessanssessenaneisecsatiisseracnaneenseisneeaenas 4 SUPPE PoU ON a aan nana en ann ne ec tee ne tes De De 5 PO OUI SIMCS ss a en A on Pts et de 5 F Response TACTICAL License FOB Pair sccscsscrscssesscvscssensavsusncueavaususvenvarsussensausussensarsuseansars 7 Getting started with F Response TACTICAL ssssssssssnsnsrsnsnsrnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnrnrnnnnnenenenenene 8 Installing the F Response TACTICAL Management Software Optional Recommended 8 Managing F Response TACTICAL ssssssssusnsonsnnnnnnnnunnnnunnnnunnnnunnnnunnnnunnnnunnnnunnnunnnnunnnnunnnnnnnnne 12 Backing up your F Response TACTICAL Licenses ccscseceeeeeeceeseeeeseeeeeeseeeetereeserensesensetanes 12 Restoring the F Response TACTICAL Software cccscsecsesecseseeseeeseeeeseeeeeeeaesetereeserensesensesanes 13 Restoring your F Response TACTICAL LICENSES rennes 14 Download new F Response TACTICAL Licenses ccceceesecseeeeseeeeeeeeseeeeseeeesetereeserenserensenanes 15 Using F Response AC CA a a ee ee 16 Using F Response TACTICAL Examiner for the first time on a Windows Vista Windows 2008 or Windows 7 COMM LU LLS PE din ceed eaeataeencateii
6. Cloud Connector scan results Revision 5 0 1 Page 49 8 13 2013 All Versions Users Manual 5 0 1 Connecting to Cloud Storage Targets You can connect to a storage target by selecting the target right clicking to open the context menu and selecting Login to F Response Cloud Storage Volume The newly attached volume will be assigned a drive letter and is now accessible via Windows Explorer F F Response Cloud Storage Connector Sean s 3 Amazon 53 Sean s 53 Amazon 53 Sean s 53 Amazon 53 Sean s 53 Amazon 53 Sean s 3 Amazon 53 Logged in Cloud Storage target assigned the E drive letter Revision 5 0 1 Page 50 8 13 2013 All Versions Users Manual 5 0 1 Disconnecting from Cloud Storage Targets You can disconnect from a storage target by selecting the target right clicking to open the context menu and selecting Logout of F Response Cloud Storage Volume The volume will be disconnected and the assigned drive letter will now be removed FE F Response Cloud Storage Connector Sean s 53 Amazon 53 Inactive Sean s 53 Amazon 53 Inactive EE Gorilas_Bananas Sean s 53 Amazon 53 Inactive 2 Gorilla Scripts Sean s 53 Amazon 53 Inactive TF Generalstuff Sean s 53 Amazon 53 Inactive TD 155519963 Expir ires 4 27 2013 4 0 4 Zz Logged in Cloud Storage target assigned the E drive letter Revision 5 0 1 Page 51 8 13 2013 All Versions Users Manual TUNER 5 0 1 F Response Database Object Con
7. F F Response Database Object Connector Database Credential dialog Credentials can be either native credentials Microsoft SQL Server Native Accounts or Windows Credentials Revision 5 0 1 Page 53 8 13 2013 All Versions Users Manual 5 0 1 al Scanning for Database Object Targets Use the Scan menu to enumerate Microsoft SQL Servers and Databases The scanning process will use the local plugins xml file to test database format and table structure Periodically new plugins xml files will be placed on the F Response Website to add support for new Database formats and models F F Response Database Object Connector WS55_Content_e58f8446cde0 Microsoft Sharepoint Microsoft SQL Server Inactive 3 wss_Content_cfbd5f6ff98b4 Microsoft Sharepoint Microsoft SQL Server Inactive 3 Wws5_Content_ccee4cbfa6c04 Microsoft Sharepoint Microsoft SQL Server Inactive Ez wss_Content_c4ed960e 12af Microsoft Sharepoint Micrasoft SQL Server Inactive g E Wel Content GhosO d ithe Micrnen Chearannint Micrnent CO Corsar Tarbes H HWID 155601020 Expi ires 7 5 2014 4 0 6 2 Database Object Connector scan results F F Response Database Object Connector 1 16 2013 7 48 PM Database Application Registry Service DB 49efe2032d174372a 1fb076a08d69d2a unknown format r 1 16 2013 7 48 PM Database Bdc_Service_DB 95f6d Sdeb0ch437bb 2a44ac f029 187d unknown format not accessible 1 16 2015 7 48 PM Data
8. It is important to note that all Cloud Storage credentials are saved unlike the F Response Enterprise Management Console deployment credentials Revision 5 0 1 Page 44 8 13 2013 All Versions Users Manual TUNER 5 0 1 Google Drive Credentials Google Drive uses the web standard OAUTH2 for providing application access to accounts With OAUTH2 the application user in this case the F Response Cloud Connector user does not have knowledge of the Google Drive username or password Therefore in order to connect the Google Drive using the Cloud Connector the Google Drive user must expressly approve access The following dialog and details further illustrate this process Google Drive Credentials x M Shannon 0836741 GDOCS 4681 F Response 1288448 GDOCS21527 Matthew Shannon 1 GDOCS12056 Sean Lvnch 0778758 GDOCS5468 Configure Google Drive Credentials The first step is to get the account holder to Authorize the Token This can be accomplished in one of two ways Either open the url directly using Open URL in this case the examiner will need the username and password as they will be approving access on the account holder s behalf or use the Copy to Clipboard option to generate a URL suitable for sending to the account holder F Response Cloud Connector is requesting permission to View the files and documents in your Google Drive F Perform these operations when l m not using the application Res a Cloud Conne
9. Agile Risk Management LLC DB Fi F Response TACTICAL Examiner 3 09 05 File Connect Help Connect Messages comected A F Response TACTIC File Connect Help Auto Connect Manual Connect Exit HHw1D 100001 Expir es 11 iF F Response TACTIC File Connect Helo x Auko LE Host Configuration Manual IP Addr 192 168 1 10 Exit TCP Port 3260 Login to the presented devices Select one or more F Response Targets then right click and select Login to F Response Disk to login to an F Response Disk Use the Local Disk column to identify the newly attached device on your computer OPTIONAL Select the Connect menu item Open F Response Flexdisk to launch the default browser and connect to the F Response Flexdisk web viewer on the remote target computer Revision 5 0 1 Beacon Found Remove F Response Disk All Versions Users Manual 5 0 1 iF F Response TACTICAL Examiner _ ol x File Connect Help Connect Messages Pion 2008 02 com f response matthew shannons machook ocal rdisk1 Inactive Inactive EE ign 2008 02 com f response matthew shannons macbook ocal rdiskO Inactive Inactive Eign 2008 02 com f response matthew sh Login to F Response Disk Logout of F Response Disk Open F Response FlexDisk Page 27 8 13 2013 N gt F zH z N or 2 5 0 1 Using the TACTICAL Examin
10. E a eo 65 Appendix D Master Software License AGreQMent ccscecsscecseceeseceeeeeeeeeseeeeseesesessneenereesetanees 66 Appendix E Legal NOUCOS iccccspavccavs increas E T 70 Revision 5 0 1 Page 2 8 13 2013 All Versions Users Manual TACTICAL EXAMINER 5 0 1 CA NOICE aoran eE scat oe ato ces sae E 70 Tadema kS ee E 70 A E Ol RION oea A A E A 70 Discal PR RS E EE aan tober c cemmstics ammatntinaeatobertas 70 Patents oo cccecceeceeeceeeceeeceeeaeenaeeeaeeeaeeeaeeeaeeeaeeeaeenaeeeaeenaeeeaeeeaneaaeenaeenaeenaeengeenaeenageeeanengnengnenanenas 70 Revision 5 0 1 Page 3 8 13 2013 lg All Versions TACTICAL Users Manual EXAMINER 501 Welcome to F Response TACTICAL Thank you for purchasing F Response TACTICAL You have now extended the capabilities of your existing arsenal of tools to enable them to work over an IP network F Response TACTICAL accomplishes this through the use of a Patented US 7 899 882 process a part of which includes leveraging the Internet Small Computer Systems Interface iSCSI protocol standard as defined in RFC 3720 http www ietf org rfc rfc3720 txt Revision 5 0 1 Page 4 8 13 2013 lg All Versions TACTICAL Users Manual EXAMINER 501 Supported Platforms The F Response TACTICAL Subject executable is capable of providing remote forensically sound read only physical hard drive connectivity on the following platforms Platforms supported by F Response TACTICAL e Windows 2000 Professiona
11. Manual 5 0 1 Rea Managing F Response TACTICAL Backing up your F Response TACTICAL Licenses F Response TACTICAL Manager x Manage your F Response TACTICAL ackup TACTICAL Licenses Version 4 00 01 Required Information for completing the selected operation Examiner E Refresh Drives Subject F F Response TACTICAL Manager Backup TACTICAL Licenses We recommend using the F Response TACTICAL Manager to backup your F Response TACTICAL License files to your Analyst or Investigators computer prior to using F Response TACTICAL for the first time Insert both F Response TACTICAL Fobs into your computer and select the appropriate drive letter for the Examiner and Subject device If the drive letter is not listed press Refresh Drives to re populate the drop down listing of available devices Press Start to begin the backup operation F Response TACTICAL Manager P F Response TACTICAL License Backup Succeeded File Edit View Favorites Tools Help Q Back gt Bi a Search Folders i E File and Folder Tasks x i 2 Make new folder endpoint lic tactical lic Ue Publish this Folder to the web Kf Share this folder TACTICAL License files are stored in C Program Files F Response F Response TACTICAL Tactical License Backup Revision 5 0 1 Page 12 8 13 2013 All Versions Users Manual 5 0 1 Rea Restoring the F Response TACTICAL Software F Response TA
12. Q Is the F Response iSCSI connection encrypted 1 2 ve ol Does F Response work as an agent Q I established an F Response connection tried to view the remote Documents and Settings folder and received a message that I don t have permission to view that folder Why don t I have access 1 Q Do I change any data on the target computer by using F Response A Once the F Response Target code is executed and the network connection is established the practitioner conducting the analysis cannot edit or alter data on the machine under inspection via the F Response connection Executing or starting the F Response service does of course effect some change to the target computer but the changes are about as minimal as they can be for analysis that is being conducted on a live machine Q I am connected via F Response I navigated to a file on the remote computer hit delete and it appears to be gone Did I really delete the file A No you didn t delete the file You cannot delete files alter Meta data or effect any other changes on the machine under inspection using F Response What you did do was fool your analysis machine into believing that the file is deleted and thus your analysis machine is no longer presenting the file to you as available Q I have a personal firewall running on my computers Do I need to change firewall settings to use F Response A Possibly F Response does create temporary exceptions in
13. Response TACTICAL At this point you can remove the F Response TACTICAL Examiner dongle Revision 5 0 1 Page 17 8 13 2013 INSERT TACTICAL SUBJECT Insert the F Response TACTICAL Subject USB Dongle into the Suspect s Windows Computer Locate the newly created Removable Disk and double click on the f response tacsub exe executable ress the START Button Press the START button on the F Response TACTICAL Subject application window OPTIONAL Hide the WINDOW Enable FLexdisk Press CTRL ALT F12 to hide the F Response TACTICAL Subject Window The same key sequence will restore the window You can enable Flexdisk access by checking the Flexdisk box INSERT TACTICAL Examiner Insert the F Response TACTICAL Examiner USB Dongle into the Analyst or Investigator s Windows Computer Locate the newly created Removable Disk and double click on the f response tacex exe executable Select File Auto Connect Select the File menu item Auto Connect this will tell the TACTICAL Examiner to begin searching the local network for the Subject Revision 5 0 1 FE F Response TACTICAL Examiner All Versions Users Manual i 5 0 1 Fie Edit View Favorites Tools Help er r v pi a Search 4 Folders fl Address r Address E 1 File and Folder Tasks bool TACTICAL Subject g Make a new folder f response tacsub exe SM Publich this Falder tn the F Respon
14. be enforceable to the maximum extent permissible under law and the remainder of this Agreement shall remain in full force and effect Customer and Agile agree that this Agreement shall not be governed by the U N Convention on Contracts for the International Sale of Goods 11 3 Notices Any notices under this Agreement will be personally delivered or sent by certified or registered mail return receipt requested or by nationally recognized overnight express courier to the address specified herein or such other address as a Party may specify in writing Such notices will be effective upon receipt which may be shown by confirmation of delivery 11 4 Assignment Customer may not assign or otherwise transfer this Agreement without the Agile s prior written consent which consent shall not be unreasonably withheld conditioned or delayed This Agreement shall be binding upon and inure to the benefit of the Parties successors and permitted assigns if any 11 5 Force Majeure Neither Party shall be liable for any delay or failure due to a force majeure event and other causes beyond its reasonable control This provision shall not apply to any of Customer s payment obligations 11 6 Redistribution Compliance a F Response distributes software libraries developed by The Sleuth Kit TSK The license information and source code for TSK can be found at http www sleuthkit org If any changes have been made by Agile to the TSK libraries d
15. charge and Customer agrees to pay Agile for every unauthorized copy or unauthorized year an amount equal to the cost per copy per year per computer or per user whichever is greater as a late payment fee in the event Customer fails to remit payments when due or Customer otherwise violates the payment provisions of this Agreement In addition to any other rights set forth in this Agreement Agile may suspend performance or withhold fulfilling new Customer orders in the event Customer has failed to timely remit payment for outstanding and past due invoices 6 Confidentiality 6 1 Definition Confidential Information means a any non public technical or business information of a party including without limitation any information relating to a party s techniques algorithms software know how current and future products and services research engineering vulnerabilities designs financial information procurement requirements manufacturing customer lists business forecasts marketing plans and information b any other information of a party that is disclosed in writing and is conspicuously designated as Confidential at the time of Revision 5 0 1 Page 66 8 13 2013 lg All Versions TACTICAL Users Manual EXAMINER 501 disclosure or that is disclosed orally and is identified as Confidential at the time of disclosure or c the specific terms and conditions of this Agreement 6 2 Exclusions Confidential Informati
16. installation package on the machine to be analyzed The following screen captures show the steps involved in installing F Response Enterprise Edition software on the analysis machine l Setup F Response TACTICAL Welcome to the F Response TACTICAL Setup Wizard Thank you for purchasing F Response TACTICAL Please remember the most current version of F Response TACTICAL 16 always available online at www response com This setup application will install F Response TACTICAL on pour Computer kis recommended that you close all other applications before Continuing Click Nest to continue or Cancel to exit Setup Initial Installation Window F Response TACTICAL Manager will only backup one set of TACTICAL licenses do not attempt to backup multiple licenses on one computer Revision 5 0 1 Page 8 8 13 2013 All Versions Users Manual PRM 9 0 1 EXAM 5 x IF l Setup F Response TACTICAL License Agreement Please read the following important information before continuing E TACTICAL Please read the following License Agreement You must accept the terms of this agreement before continuing with the installation END USER LICENSE AGREEMENT FOR AGILE RISK MANAGEMENT LLC SOFTWARE F Aesponse Software Terns IMPORTANT PLEASE READ THIS MASTER SOFTWARE LICENSE AGREEMENT AGREEMENT CAREFULLY BY INSTALLING COPYING OF OTHERWISE USING THE SOFTWARE THAT ACCOMPANIES THIS AGREEMENT YOU AGRE
17. pi Fo Search Tr Folders E Address er File and Folder Tasks ol TACTICAL Examiner FI Make a new folder F F Response TACTICAL Examiner 3 09 05 oO x File Connect Help Connect Messages F Response Target p JE F Respo Fils Connect Help Auto Connect Manual Connect Exit HWID 10000 1 iF F Response TACTIC File Connect Help x Auto Conn xi Cancel Host Configuration IP Addr 192 168 1 10 TCP Port 3260 Manual Co Exit Page ZZ 13 2013 Login to the presented devices Select one or more F Response Targets then right click and select Login to F Response Disk to login to an F Response Disk Use the Local Disk column to identify the newly attached device on your romniitar OPTIONAL Select the Connect menu item Open F Response Flexdisk to launch the default browser and connect to the F Response Flexdisk web viewer on the remote target computer Revision 5 0 1 All Versions Users Manual 5 0 1 E F Response TACTICAL Examiner O x File Connect Help Connect Messages in 2008 02 com f response new host 11 sdb Inactive Inactive EZ ign 2008 02 com f response new host 11 sda Inactive Inactive 22 fign 2008 02 com f esponse new host 11 Login to F Response Disk Ina Logout of F Response Disk Remove F Response Disk Open F Response FlexDisk
18. response tacex exe F Response TACTICAL Examin Agile Risk Management LLC DB iF F Response TACTICAL Examiner 3 09 05 File Connect Help Connect Messages Fe TE EE F Response TACTIC File Connect Help Auto Connect Manual Connect Exit HWID 100001 Expir es 11 iF F Response TACTIC File Connect Helo CL Connect x aia Host Configurati nok ost Configuration L x ss IP Addr 192 168 1 10 Exit TCP Port 3260 ema Pag Login to the presented devices Select one or more F Response Targets then right click and select Login to F Response Disk to login to an F Response Disk Use the Local Disk column to identify the newly attached device on your computer OPTIONAL Select the Connect menu item Open F Response Flexdisk to launch the default browser and connect to the F Response Flexdisk web viewer on the remote target computer Revision 5 0 1 Beacon Found Remove F Response Disk All Versions Users Manual 5 0 1 F F Response TACTICAL Examiner ioj x File Connect Help LE ign 2008 02 com f response matthew shannons machookocal rdisk1 Inactive Inactive Riq 2008 02 com f response matthew shannons machook ocal rdiskO Inactive Inactive Biqgn 2008 02 com f esponse matthew sh4 Login to F Response Disk Logout of F Response Disk Open F Response FlexDisk Page 25 8 13 2013
19. the Windows Firewall during execution Furthermore these exceptions are removed when the application exits However if you are using a firewall other than the Microsoft Windows Firewall you may need to set an exception F Response machines must be able to send and receive on port 3260 this default is changeable We recommend disabling the firewall for the duration of the session during ad hoc usage e g temporary consultant use at a third party site and tuning the firewall configurations to allow F Response connectivity for planned enterprise deployment Q I have a remote user that accidentally deleted a file Can I use F Response to recover deleted files A F Response will enable you to use your recovery tool of choice to recover the file s to a location other than the target machine You cannot restore the file directly to the target machine via F Response because you do not have write capability on that machine but you can recover the file and make it available to the user via email network share etc Q Is the F Response iSCSI connection encrypted Revision 5 0 1 Page 63 8 13 2013 All Versions Users Manual 5 0 1 am gt C z 20 mi gt Sod A By default no However AES 256 bit Encryption is available in F Response Enterprise edition Alternatively there are native methods to accomplish this if needed E g using Microsoft IPSec policy manager you can create a configuration to enforce an IPSec policy in your ente
20. 13 Login to the presented devices Select one or more F Response Targets then right click and select Login to F Response Disk to login to an F Response Disk Use the Local Disk column to identify the newly attached device on your romniitar OPTIONAL Select the Connect menu item Open F Response Flexdisk to launch the default browser and connect to the F Response Flexdisk web viewer on the remote target computer Revision 5 0 1 All Versions Users Manual 5 0 1 E F Response TACTICAL Examiner Ezio 2008 02 com f response new host 11 sdb Inactive Inactive EZ ign 2008 02 com f response new host 11 sda Inactive Inactive Login to F Response Disk Ina Logout of F Response Disk Remove F Response Disk Open F Response FlexDisk Page 21 8 13 2013 FARMER All Versions Users Manual 5 0 1 Using F Response TACTICAL to examine a Linux computer Launcher Method INSERT TACTICAL Subject Insert the F Response TACTICAL Subject USB Dongle into the Suspect s Linux Computer Locate the newly created Removable Disk and double click to view contents Navigate to the Launchers folder and double click on the appropriate launcher Inside the TACTICAL Subject folder is a launchers folder Inside the launchers folder you will find launchers for both the standard and 64bit versions of F Response TACTICAL Subject for Linux Double click on the appropriate launcher to exe
21. AP based mail storage as local read only logical volumes or network shares Any Email service indicated as disabled or grayed out is a premium service and only available with F Response Consultant edition or above The FEMLC does not require executables or agents be deployed to the remote servers The FEMLC does require a locally attached F Response licensed dongle TACTICAL Examiner at all times F Response Email Connector _ 0 x File Scan Connect Help Connect Messages Description Messages Provider Connected Local Volume F Response Email Connector Revision 5 0 1 Page 57 8 13 2013 All Versions Users Manual 5 0 1 Configuring Email Credentials Before you can connect to Email service you must first input valid credentials The FEMLC supports Gmail Yahoo Mail and most generic IMAP servers Credentials can be tested before they are added using the Test Credential button Once the credential has been validated press the Add button to add them to the list of credentials to be used then press Save to exit the dialog Email credentials are not saved between executions of the FEMLC W F Response Email Connector Configure GMail Email Account Credentials Configure Yahoo Email Account Credentials Configure Generic IMAP Account Credentials Configure OFrice S65 Account Gredentials File gt Configure Credentials Configure GMail Credentials Email Address nan fomai com
22. CTICAL Manager a xX Manage your F Response TACTICAL restore TACTICAL Device Software Required Information for completing the selected operation Examiner E S Refresh Drives Subject F F Response TACTICAL Manager Restore TACTICAL Device Software Should the F Response TACTICAL software ever be accidentally deleted or if you have downloaded and installed a new version of F Response TACTICAL it will be necessary to update and restore the software to your F Response TACTICAL Fobs Insert both F Response TACTICAL Fobs into your computer and select the appropriate drive letter for the Examiner and Subject device If the drive letter is not listed press Refresh Drives to re populate the drop down listing of available devices Press Start to begin the Restore Update operation F Response TACTICAL Manager x Lg 1 F Response TACTICAL Software Restore Complete F Response TACTICAL Manager Restore TACTICAL Device Software Completed Successfully Revision 5 0 1 Page 13 8 13 2013 All Versions Users Manual 5 0 1 Rea Restoring your F Response TACTICAL Licenses x Manage your F Response TACTICAL estore TACTICAL Licenses Required Information for completing the selected operation Examiner E Refresh Drives Subject F F Response TACTICAL Manager Restore TACTICAL Licenses Should the F Response TACTICAL licenses ever be accidentally deleted or if you have downlo
23. CY OR COMPLETENESS OF RESPONSES OF RESULTS OF WORKMANLIKE EFFORT OF LACK OF VIRUSES AND OF LACK OF NEGLIGENCE ALL WITH REGARD TO THE SOFTWARE AND THE PROVISION OF OR FAILURE TO PROVIDE SUPPORT OR OTHER SERVICES INFORMATION SOFTWARE AND RELATED CONTENT THROUGH THE SOFTWARE OR OTHERWISE ARISING OUT OF THE USE OF THE SOFTWARE ALSO THERE IS NO WARRANTY OR CONDITION OF TITLE QUIET ENJOYMENT QUIET POSSESSION CORRESPONDENCE TO DESCRIPTION OR NON INFRINGEMENT WITH REGARD TO THE SOFTWARE 8 Limitations and Exclusions 8 1 Limitation of Liability and Remedies NOTWITHSTANDING ANY DAMAGES THAT YOU MIGHT INCUR FOR ANY REASON WHATSOEVER INCLUDING WITHOUT LIMITATION ALL DAMAGES REFERENCED ABOVE AND ALL DIRECT OR GENERAL DAMAGES IN CONTRACT OR ANY OTHER THEORY IN LAW OR IN EQUITY THE ENTIRE LIABILITY OF AGILE AND ANY OF ITS SUPPLIERS UNDER ANY PROVISION OF THIS AGREEMENT AND YOUR EXCLUSIVE REMEDY HEREUNDER SHALL BE LIMITED TO THE TOTAL AMOUNT PAID BY CUSTOMER FOR THE LICENSE THE FOREGOING LIMITATIONS EXCLUSIONS AND DISCLAIMERS SHALL APPLY TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW EVEN IF ANY REMEDY FAILS ITS ESSENTIAL PURPOSE 8 2 Exclusion of Incidental Consequential and Certain Other Damages TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW IN NO EVENT SHALL AGILE OR ITS SUPPLIERS BE LIABLE FOR ANY SPECIAL INCIDENTAL PUNITIVE INDIRECT OR CONSEQUENTIAL DAMAGES WHATSOEVER INCLUDING BUT NOT LIMITED TO DAMAGES FOR LOSS OF PROFI
24. Created 7 11 08 9 46 PM amp Disk Utility Modified oo 10 45 Grab Last opened 9 11 09 10 42 Grapher AM 5 Java Preferences Version 2 0 2 Y PLACES System Preferences ye Keychain Access More info Desktop ly TextEdit amp Migration Assistant D Time Machine Network Utility S Transmission E ODBC Administrator i v mshannon Documents Applications i TrueCrypt Podcast Capture B UnRarx X RAID Utility Y SEARCH FOR VE Utilities amp Remote Install Mac OS X System Profiler A Terminal amp VoiceOver Utility il Today D Yesterday L Il Past Week C launchers mme mme SS mer T nr Date Modified F Response TACTI Launcher desktop Yesterday 10 31 AM amp F Response TACTICAL OSX Launcher Yesterday 11 21 AM M F Response TACTI Launcher desktop Feb 28 2012 11 13 AM ane sudo F Response TACTICAL Subject Apple 0S X Edition Version 4 00 03 F Response Disk dev rdiskO 312581808 sectors 512 sector size 152627 MB write blocked storage on F Response DiskirdiskO F Response Disk dev rdiski 3891200 sectors 512 sector size il MB write blocked storage on F Response Disktrdisk1 Removable Disk F File Edit View Favorites Tools Help Q r gt 7 T be Search 4 Folders El Address Sa Fs File and Folder Tasks a TACTICAL Examiner 5 Mak f response tacex exe F Response TACTICAL Examin
25. E TO THE TERMS OF THIS AGREEMENT IF YOU DO NOT AGREE DO NOT INSTALL COPY OR OTHERWISE USE THIS SOFTWARE AND IF APPLICABLE RETURN IT TO THE PLACE OF PURCHASE B do not accept the agreement lt Back Cancel Standard Terms and Conditions 10 x 6 Setup F Response TACTICAL Select Destination Location a Where should F Response TACTICAL be installed p TACTICAL FT Setup will m tal F Response TACTICAL into the following Folder To continue click Nest IF pou would like to select different folder click Browse C Program Files4F Response Browse At least 4 5 ME of free disk space is required lt Back Cancel Select Destination Window Revision 5 0 1 Page 9 8 13 2013 All Versions Users Manual TUNER 5 0 1 Setup F Response TACTICAL Select Start Menu Folder Where should Setup place the program s shorbcuts Setup will create the program s shortcuts in the following Start Menu folder To continue click Next Fou would like to select different folder click Browse Browse Back Cancel Select Start Menu Folder Window Setup F Response TACTICAL Ready to Install Setup is now ready to begin installing F Response TACTICAL on pour computer TACTICAL Click Install to continue with the installation or click Back if vou want to review or change any settings Destination location C Program Files F Response Start Menu fold
26. File menu item Manual Connect and input the IP Address in the Host IP Address field on the TACTICAL Subject See Above a E aE 2 0 GB Media root omshannon desSktop media disk TACTICAL SUDIECL File Edit View Terminal Tabs Help mshannon mshannon desktop sudo su sudo password for mshannon root mshannon desktop home mshannon cd media disk TACTICAL Subject 9 0 1 root mshannon desktop media disk TACTICAL Subject f response tacsub Lin F Response TACTICAL Subject Linux Edition Version 3 09 05 F Response Disk dev sda 16777216 sectors 512 sector size 8192 MB write blocked storage on F Response Disk sda F Response Disk dev sdb 3891200 sectors 512 sector size 1900 MB write blocked storage on F Response Disk sdb Removable Disk F File Edit Address F 1 View Favorites Tools Help F Response TACTICAL Examiner 3 09 05 File Connect Help Connect Messages F Response Target alo x F F Responsem TACTIC File Connect Help Ayko Connect Manual Connect Exit fo ut 100001 iF F Response TACTIC File Connect Help CI x Soko Conn xi Cancel Host Configuration IP Addr 192 168 1 10 TCP Port 3260 Manual Co Exit Page 20 File and Folder Tasks 2 f response tacex exe F Response TACTICAL Examin F2 Make a new folder Agile Risk Management LLC DB 8 13 20
27. Page 23 8 13 2013 All Versions Users Manual 5 0 1 Using F Response TACTICAL to examine an Apple computer Manual Method INSERT TACTICAL Subject Insert the F Response TACTICAL Subject USB Dongle into the Suspect s Apple OSX Computer Locate the newly created Removable Disk and open a Terminal Window Navigate to the USB Storage Device and execute the program Navigate to the folder containing the F Response TACTICAL Subject for OSX f response tacsub osx in this instance that folder is Volumes NO NAME Next execute the program as root or using sudo admin or account password will be required The command line is sudo f response tacsub osx INSERT TACTICAL Examiner Insert the F Response TACTICAL Examiner USB Dongle into the Analyst or Investigator s Windows Computer Locate the newly created Removable Disk and double click on the f response tacex exe executable Select File Auto Connect Select the File menu item Auto Connect this will tell the TACTICAL Examiner to begin searching the local network for the Subject OPTIONAL If Auto Connect does not work Select the File menu item Manual Connect and input the IP Address in the Host IP Address field on the TACTICAL Subject See Above Ca Utilities ColorSync Utility D Prev D NeoOffice Console Name Terminal Fy Photo Booth DigitalColor Meter Kind Application k Preview 2 Directo
28. T 5 0 1 ug The app F Response Cloud Connector would like to connect with your Dropbox This app will have access to your entire Dropbox Please make sure you trust this app before proceeding You re currently signed in as If you meant to User must approve access to the F Response Cloud Connector connect from another account you can sign out Regardless of the option selected the account holder must approve access to their Dropbox account upon approval the web browser will be redirect to a page at F Response com with the Request Token and optional Verifier F Response OAuth Helper Request Token CjBuhw7 sls Please copy and paste the Request Token and Verifer above and input it into the Connector dialog where indicated If you are not the end user please copy and paste these values and email them to the F Response product end user F Response com OAuth Helper Page The Request Token value and any optional Verifier as displayed on that page must be inputted into the Dropbox Credentials dialog in the Request Token box After this is complete press Validate Access to validate the newly acquired Request Token Validate Access will confirm the account holder s account details and present that information in the Name box If this is the correct username and account press Add to add the credential to the encrypted credential store and Save to save the newly added credential
29. TS OR CONFIDENTIAL OR OTHER INFORMATION FOR BUSINESS INTERRUPTION FOR PERSONAL INJURY FOR LOSS OF PRIVACY FOR FAILURE TO MEET ANY DUTY INCLUDING OF GOOD FAITH OR OF REASONABLE CARE FOR NEGLIGENCE AND FOR ANY OTHER PECUNIARY OR OTHER LOSS WHATSOEVER ARISING OUT OF OR IN ANY WAY RELATED TO THE USE OF OR INABILITY TO USE THE SOFTWARE THE PROVISION OF OR FAILURE TO PROVIDE SUPPORT OR OTHER SERVICES INFORMATION SOFTWARE AND RELATED CONTENT THROUGH THE SOFTWARE OR OTHERWISE ARISING OUT OF THE USE OF THE SOFTWARE OR OTHERWISE UNDER OR IN CONNECTION WITH ANY PROVISION OF THIS AGREEMENT EVEN IN THE EVENT OF THE FAULT TORT INCLUDING NEGLIGENCE MISREPRESENTATION STRICT LIABILITY BREACH OF CONTRACT OR BREACH OF WARRANTY OF AGILE OR ANY SUPPLIER AND EVEN IF AGILE OR ANY SUPPLIER HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES IN NO EVENT WILL EITHER PARTY BE LIABLE TO THE OTHER PARTY OR TO ANY THIRD PARTY FOR ANY INDIRECT INCIDENTAL SPECIAL OR CONSEQUENTIAL DAMAGES INCLUDING WITHOUT LIMITATION LIABILITIES RELATED TO A LOSS OF USE PROFITS GOODWILL OR SAVINGS OR A LOSS OR DAMAGE TO ANY SYSTEMS RECORDS OR DATA WHETHER SUCH LIABILITY ARISES FROM ANY CLAIM BASED UPON CONTRACT WARRANTY TORT Revision 5 0 1 Page 67 8 13 2013 lg All Versions TACTICAL Users Manual EXAMINER 501 INCLUDING NEGLIGENCE PRODUCT LIABILITY OR OTHERWISE EVEN IF ADVISED IN ADVANCE OR AWARE OF THE POSSIBILITY OF ANY SUCH LOSS OR DAMAGE 9 Verification Agi
30. aded and copied new license files to your computer it will be necessary to update and restore the licenses to your F Response TACTICAL Fobs Insert both F Response TACTICAL Fobs into your computer and select the appropriate drive letter for the Examiner and Subject device If the drive letter is not listed press Refresh Drives to re populate the drop down listing of available devices Press Start to begin the Restore Update operation F Response TACTICAL Manager x LL I F Response TACTICAL License Restore Succeeded F Response TACTICAL Manager Restore TACTICAL Licenses Completed Successfully Revision 5 0 1 Page 14 8 13 2013 All Versions Users Manual DT 5 0 1 Download new F Response TACTICAL Licenses F Response TACTICAL Manager ES Manage your F Response TACTICAL Operation Version Examiner E Refresh Drives Subject F F Response TACTICAL Manager Download TACTICAL Licenses After renewing your F Response TACTICAL you will be able to download replacement licenses directly from F Response Internet connection required Insert both F Response TACTICAL Fobs into your computer and select the appropriate drive letter for the Examiner and Subject device If the drive letter is not listed press Refresh Drives to re populate the drop down listing of available devices Press Start to begin the Download operation F Response TACTICAL Manager x P _l F Response TACTICAL Li
31. al X 509 Certificates Key Pairs Use access keys to make secure REST or Query protocol requests to any AWS service API We create one for you when your account is created see your access key below Your Access Keys Created Access Key ID Secret Access Key Status August 19 2010 agh423jka941dIt0438 Show Active Make Inactive Create a new Access Key Amazon AWS Access Key and Secret Access Key The preceding credentials Access Key and Secret Key must be entered in the corresponding fields in the Configure S3 Credentials dialog The Description field is optional and can be used to provide a secondary human readable identifier for the credential set Ex Client X Credentials Revision 5 0 1 Page 34 8 13 2013 All Versions Users Manual TACTICAL FU 5 0 1 Configure Amazon 53 Credentials PO Test Credential AWS Access Key Ad AWS Secret Key Po Remove Configure S3 Credentials Use the Test Connection button to test the credentials against Amazon S3 If the credentials are valid you can then use the Add button to Add the credentials to your stack of available credentials lastly press Save to store the credentials on the examiner machine in an encrypted repository It is important to note that all Cloud Storage credentials are saved unlike the F Response Enterprise Management Console deployment credentials Revision 5 0 1 Page 35 8 13 2013 All Versions Users Ma
32. base DefaultPowerPivotServiceApplicationDB unknown aS not accessible 1 16 2015 7 48 PM Database FASTContent_CrawlStoreDB_72f6d5b76ae3463fbb895f3429420ec unknown format not ac 1 16 2013 7 48 PM Database FASTContent_DB_88d6e0120c95479 18d8e98b9286c4663 unknown format not accessible 1 16 2013 7 48 PM Database FASTContent PropertyStoreDB_463d1c96d4e44b35ab9bf19bafSaecce unknown format no 1 16 2015 7 48 PM Database FASTQuery_CrawlStoreDB 7235e9e 124ea499358d9449d50366fb 1b unknown en not ace 1 16 2013 7 48 PM Database FASTQuery_DB_ed6b2e60d85241 1fb7897a47e0 137b6e unknown format not accessible 1 16 2015 7 48 PM Database FASTQuery_PropertyStoreDB _ 10ece821d7924 dab04a35b6b9d46d94 unknown er not ae es Databases not recognized are listed on the Messages Panel Revision 5 0 1 Page 54 8 13 2013 All Versions Users Manual 5 0 1 Connecting to Database Object Targets You can connect to a storage target by selecting the target right clicking to open the context menu and selecting Login to F Response Database Volume The newly attached volume will be assigned a drive letter and is now accessible via Windows Explorer F F Response Database Object Connector 7 3 wss_Content_cfbd5f6ff98b4 Microsoft Sharepoint Microsoft SQLServer Inactive Microsoft Sharepoint Microsoft SQL Server Connected Wie 2 WSS_Content_ccee4cbfa c04 Microsoft Sharepoint Microsoft SQL Server Inactive TE w
33. cense Download Succeeded F Response TACTICAL Manager Download TACTICAL Licenses Completed Successfully Revision 5 0 1 Page 15 8 13 2013 All Versions Users Manual TACTICAL 5 0 1 Using F Response TACTICAL Using F Response TACTICAL Examiner for the first time on a Windows Vista or Windows 2008 Computer F Response TACTICAL includes a special low level operating system driver that needs to be deployed on the examiner computer prior to the first usage of F Response TACTICAL Examiner Important note this driver is only installed on the Examiner or Investigator computer and not the Subject computer In many cases the driver will install silently when you first open F Response TACTICAL Examiner however you may be prompted to upgrade the Microsoft KMDF Framework prior to continuing By agreeing to the upgrade F Response TACTICAL Examiner will initiate the upgrade process and prompt you when a reboot is required You may elect not to upgrade the Microsoft KMDF and forgo using F Response TACTICAL Examiner by selecting No F Response TACTICAL Examiner 3 09 05 x This machine is not running an up to date version of the Microsoft KMDF framework to continue F Response TACTICAL will update the framework If vou would like to continue press Yes otherwise press No and exit F Response TACTICAL If you press Yes please reboot when prompted Microsoft KMDF framework install complete please dose all _ applicati
34. ctor Allow access No thanks Leam more User must approve access to the F Response Cloud Connector Revision 5 0 1 Page 45 8 13 2013 All Versions Users Manual ET 5 0 1 Regardless of the option selected the account holder must approve access to their Google Drive account upon approval the web browser will be redirect to a page at F Response com with the Authorization Code F Response OAuth v2 Helper Authorization Code 4M4UBIHSUQDOT gcnev9dkSDifgp O0hsjG Please copy the Authorization code above and input it into the Connector dialog where indicated If you are not the end user please copy the code and email them to the F Response product end user F Response com OAuth Helper Page The Authorization Code as displayed on that page must be inputted into the Google Drive Credentials dialog in the Authorization Code box After this is complete press Validate Access Validate Access will confirm the account holder s account details and present that information in the Name box If this is the correct username and account press Add to add the credential to the encrypted credential store and Save to save the newly added credential It is important to note that all Cloud Storage credentials are saved unlike the F Response Enterprise Management Console deployment credentials Revision 5 0 1 Page 46 8 13 2013 All Versions Users Manual TUNER 5 0 1 Microsoft Skydrive Credentials Microsoft S
35. cute TACTICAL INSERT TACTICAL Examiner Insert the F Response TACTICAL Examiner USB Dongle into the Analyst or Investigator s Windows Computer Locate the newly created Removable Disk and double click on the f response tacex exe executable Select File Auto Connect Select the File menu item Auto Connect this will tell the TACTICAL Examiner to begin searching the local network for the Subject OPTIONAL If Auto Connect does not work Select the File menu item Manual Connect and input the IP Address in the Host IP Address field on the TACTICAL Subject See Above Revision 5 0 1 File Edit View Go Bookmarks Tabs Help Back v Forward a Ee Q I Location media SUBJECT TACTICAL Subject launchers Places w x _ ij sansforensics aul gt Desktop F Response TACTICAL PASTER File System OSX Launcher app Linux Launcher El Netw Flopp SUBJE 0 GE Media aunchers File Browser File Edit View Terminal Help maF Response TACTICAL Subject Linux Edition Version 4 00 63 F Response Disk dev sda 62914560 sectors 512 sector size 30720 MB write blocked storage on F Response Disk sda F Response Disk dev sdb 62914560 sectors 512 sector size 30720 MB write blocked storage on F Response Disk sdb F Response Disk dev sdc 3891200 sectors 512 sector size 1906 MB write blocked storage on F Response Disk sdc File Edit View Favorites Tools Help Koy Back GQ
36. elow a li mene oral 101701 101701 menee 100001 The F Response TACTICAL Examiner License FOB Examiner must be inserted into the USB port of the analyst or investigator s computer The F Response TACTICAL Subject License FOB Subject must be inserted into the USB port of the subject or target of inspection computer The F Response TACTICAL License FOBs are USB Storage devices they will be immediately recognized as USB Flash Storage disks on all supported platforms You will note that each FOB has a physical switch with designations for locked and unlocked This is a physical write block feature that protects your USB device from being written to when the switch is in the locked position We recommend using the subject FOB in its locked state especially when being used on untrusted machines Revision 5 0 1 Page 7 8 13 2013 lg All Versions TACTIC Users Manual EXAMINE 501 Getting started with F Response TACTICAL Installing the F Response TACTICAL Management Software Optional Recommended Download and install the F Response TACTICAL Management software to your investigator or analyst computer This installation contains a backup of all TACTICAL software deployed on the Examiner and Subject FOBs in addition a management application that will allow you to backup and restore your F Response TACTICAL licenses The default installation is to Program Files gt F Response Do not install this
37. eneansneens 50 Disconnecting from Cloud Storage Targets iii 51 F Response Database Object Connector s sssssssssrsrsrnrrrnnrnrnrnrnrnrnrnrnrnrnrnrnrnnnnnnennnenenenenennnn 52 Using the F Response Database Object Connector TACTICAL Examiner fdbc exe 52 Configuring Database Server Credentials sise 53 Scanning for Database Object Targets ini 54 Connecting to Database Object Targets iii 55 Disconnecting from Database Object Targets cccccccececceeeeeeeeeeeeeaeeeseeaeeaeeaeseeaesaesesaeeaeseeas 56 F Response Email CONMGCUON siteissctusstaacasctcativexeinead ene scndenseedieasncaasidebeiasnansniandansanaveasnennsiauiesans 57 Using the F Response Email Connector TACTICAL Examiner femic exe cccecceeeeeeeeeeeees 57 COMMON Emal Credential arctan a aa ae nt nn led a on cie 58 Scanning for Email Account Targets cccccccecseeceeeeeeeseeeeeeeesaeeaeeeeaeeaeseeeesaeeaesesaesaesesaesaesaeges 59 Connecting to Email Account Targets ccsccsesnceecseceececsecnecneaeensneansesouseseesnecesaesesneansneens 60 Disconnecting from Email Account Targets iii 61 FRAPON SA mi Le 0 LEE e E O 62 What is a F Response FlexdiSK cscscsscnsseonssenuscesneousnensaccnsnesuscenueoeauessauensnesusenusasnusensuenss 62 How do I access and use a F Response Flexdisk ccccceeseceeeeeeecaeeeeeeeeeeaeeeesesaeeeesesaeeaeseeas 62 Frequently Asked OUCSHONS ne nes Ua ne Dec bee ne eee a Go un cv ce dedans epc 63 SUPPO
38. enstack org Revision 5 0 1 Page 5 8 13 2013 lg All Versions TACTICAL Users Manual EXAMINER 501 2 Microsoft iSCSI initiator software included by default with Windows Vista Server 2008 and Windows 7 operating systems and freely available for download from the Microsoft web site Only required on the Examiner computer Note The Microsoft iSCSI Software Initiator is available as a free download from http www microsoft com downloads for the following operating systems e Microsoft Windows 2000 e Microsoft Windows Server 2003 e Microsoft Windows XP This version should not be installed on the following operating systems e Windows Vista e Windows Server 2008 e Windows 7 The Microsoft iSCSI Software initiator is integrated into Windows Vista Windows Server 2008 and Windows 7 therefore there is no need to install this package on those operating system versions The Microsoft iSCSI Software initiator configuration utility on Windows Vista and Windows Server 2008 can be accessed from the control panel in classic mode or from administrative tools in Windows Server 2008 Source Microsoft iSCSI Software Initiator 2 x User Guide Nov 2007 Revision 5 0 1 Page 6 8 13 2013 lg All Versions TACTI Users Manual EXAMIN 5 0 1 F Response TACTICAL License FOB Pair In order to use the F Response TACTICAL application you must have a valid F Response TACTICAL License FOB pair F Response TACTICAL FOBs such as the ones shown b
39. entials Before you can connect to Cloud Storage services you must first input valid credentials While the credentials necessary vary by cloud storage provider all credentials must be input using one of the Configure Credentials dialog boxes Revision 5 0 1 Amazon 53 Cloud Storage Credentials HP Public Cloud Storage Credentials Windows Azure Cloud Storage Credentials Google Apps for Business Gredentials File gt Configure Credentials Page 33 8 13 2013 All Versions Users Manual 5 0 1 Amazon S3 Cloud Storage Credentials Amazon S3 Storage Credentials are found on the Amazon AWS Console see aws amazon com The specific credentials required are available under the Security Credentials link under My Account see below _ MONS sus amazon Sign Up My Account Console 8 webservices AWS Management Console AWS Products amp Solutions Entire Site My Account Ipp Account Activity Usage Reports E Security Credentials Amazon Web Services Main Page Locate the Access Credentials section and record copy paste the Access Key ID then press Show to open a secondary window containing the Secret Access Key Access Credentials There are three types of access credentials used to authenticate your requests to AWS services a access keys b 509 certificates and c key pairs Each access credential type is explained below Access Keys li
40. er F Response TACTICAL ri lt Back Cancel Confirm Installation Parameters Window Revision 5 0 1 Page 10 8 13 2013 All Versions Users Manual ET 5 0 1 is Setup F Response TACTICAL o xl Completing the F Response TACTICAL Setup Wizard Setup has finished installing F Aespanse TACTICAL on your computer Don t forget to insert both of pour F Aesponse TACTICAL Dongles and use the F Hesponse TACTICAL Manager to C backup your TACTICAL Licenses to your computer WEE In addition F Response requires the Microsoft SCSI Initiator EXAMINER Windows sF F vou have not already installed the Microsoft SCSI Initiator and are using Windows P please use the link 10 0 001 i below Windows Vista 2008 and F users already have SCSI Installed and will see no link Click Finish to esit Setup m Open Internet Explorer to download the C5 Initiator Installation Complete Window m F Response TACTICAL F F Response TACTICAL Manager if Uninstall F Response TACTICAL F Response TACTICAL includes TACTICAL Manager F Response TACTICAL Manager x Manage your F Response TACTICAL Operation Ree Backup TACTICAL Licenses Version Restore TACTICAL Device Software Restore TACTICAL Licenses Required Information For completing the selected Examiner a Refresh Drives Subject Operacion F Response TACTICAL Manager Application Revision 5 0 1 Page 11 8 13 2013 All Versions Users
41. er is not located in the United States and Customer agrees not to export any Software or other materials provided by Agile without first obtaining all required authorizations or licenses In the event the Software is provided to the United States government it is provided with only LIMITED RIGHTS and RESTRICTED RIGHTS as defined in FAR 52 227 14 if the commercial terms are deemed not to apply 11 2 Governing Law Severability This Agreement including any addendum or amendment to this Agreement which is included with the Software are the entire agreement between you and Agile relating to the Software and the support services if any and they supersede all prior or contemporaneous oral or written communications proposals and representations with respect to the Software or any other subject matter covered by this Agreement To the extent the terms of any Agile policies or programs for support services conflict with the terms of this Agreement the terms of this Agreement shall control This Agreement shall be governed by the laws of the State of Florida USA without regard to choice of law provisions You and Agile agree to submit to the personal and exclusive jurisdiction of the Florida state court located in Tampa Florida and the United States District Court for the Middle District of Florida If any provision of this Agreement is held to be illegal or unenforceable for any reason then such provision shall be deemed to be restated so as to
42. er adhesive chiad ten vaiarecnaioiieranseutenubiataneraiane ease 16 OPTIONAL Removing the F Response TACTICAL Examiner driver from a Windows Vista 20089 OF 7 COM cece ns nee sd exe AAE 17 Using F Response TACTICAL to examine a Windows computer 18 Using F Response TACTICAL to examine a Linux computer Manual Method 20 Using F Response TACTICAL to examine a Linux computer Launcher Method 22 Using F Response TACTICAL to examine an Apple computer Manual Method 24 Using F Response TACTICAL to examine an Apple computer Launcher Method Using the TACTICAL Examiner for Linux Command LINE ccceceeseceeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeteeseseteeseeaees 26 Using the TACTICAL Examiner for Linux Command Line 28 Using the TACTICAL Examiner for Linux GUI cccececseeeeseeeeeeeeeeeeeeeeseeaeeeeeesetseeetaeeenenannes 30 F ReSpOnSe Cloud COMM CCIOl acceancevsccatesacacunssacctenspncane seu tanetcsncensnoeneubeitnesensnosbeieiuenecnsioesecie 32 Using the F Response Cloud Connector TACTICAL Examiner fcldc exe cccccecceeseeeeeeeeeees 32 Configuring CIOUG ChEGGHUGlS viaccess saviscwesansntessnwiasacveeinsaseeviasvedersiarsecesstaisaesveirssisessitaeevien 33 Scanning for Cloud Storage Target ccccscssecnccecsecnececarenscncaeeescneansescuscesarsnscnsaesessneatsneens 49 Connecting to Cloud Storage Targets ccccscssessccccsesnecncaeenecncaesnscneaeseeonsceseesnecnsansn
43. er for Linux Command Line All Versions Users Manual F Response TACTICAL Examiner includes a Linux based executable to allow for connections from Linux based machines to F Response TACTICAL Subject targets In order to effectively use the F Response TACTICAL Examiner for Linux f response tacex lin exe you will need to meet the following requirements in order to use the Linux Examiner on your machine e Open iSCSI e Compatibility Libraries for 32bit Applications e Root access native or via SU SUDO Please refer to the prior sections when using the TACTICAL Subject software however starting on Step 3 you will refer to the following steps to properly use the TACTICAL Examiner for Linux INSERT TACTICAL Examiner Insert the F Response TACTICAL Examiner USB Dongle into the Analyst or Investigator s Linux Computer Ensure the Examiner device is mounted and navigate to the TACTICAL Examiner directory on the Execute the TACTICAL Examiner for Linux in Autolocate mode Execute the TACTICAL Examiner for Linux with no commandline options as root or using su sudo root ex mach cd media EXAMINER root ex mach media EXAMINER cd TACTICAL Examiner root ex mach media EXAMINER TACTICAL Examiner root ex mach media EXAMINER TACTICAL Examiner f response tacex lin exe F Response TACTICAL Examiner Linux Version 4 00 01 F Response TACTICAL Examiner for Linux requires Open iSCSI Checking for Open iSCSI utils
44. forts to providing accurate information in this document we assume no responsibility for any inaccuracies that may be contained herein and we reserve the right to make changes to this document without notice Patents F Response is covered by United States Patent Numbers 8 171 108 7 899 882 and other Patents Pending Revision 5 0 1 Page 70 8 13 2013
45. hose of its employees with a bona fide need to access such Confidential Information in order to exercise its rights and obligations under this Agreement provided that all such employees are bound by a written non disclosure agreement that contains restrictions at least as protective as those set forth herein 6 4 Injunctive Relief Each Party understands and agrees that the other Party will suffer irreparable harm in the event that the receiving Party of Confidential Information breaches any of its obligations under this section and that monetary damages will be inadequate to compensate the non breaching Party In the event of a breach or threatened breach of any of the provisions of this section the non breaching Party in addition to and not in limitation of any other rights remedies or damages available to it at law or in equity shall be entitled to a temporary restraining order preliminary injunction and or permanent injunction in order to prevent or to restrain any such breach by the other Party 7 DISCLAIMER OF WARRANTIES TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW AGILE AND ITS SUPPLIERS PROVIDE THE SOFTWARE AND SUPPORT SERVICES IF ANY AS IS AND WITH ALL FAULTS AND HEREBY DISCLAIM ALL OTHER WARRANTIES AND CONDITIONS WHETHER EXPRESS IMPLIED OR STATUTORY INCLUDING BUT NOT LIMITED TO ANY IF ANY IMPLIED WARRANTIES DUTIES OR CONDITIONS OF MERCHANTABILITY OF FITNESS FOR A PARTICULAR PURPOSE OF RELIABILITY OR AVAILABILITY OF ACCURA
46. ideos At the time of this writing available tutorials include gt Using F Response TACTICAL for Windows gt Using F Response TACTICAL for Apple gt Using F Response TACTICAL for Linux We take pride in providing prompt attention to your support needs and will support your F Response product for the period of your license term F Response support can be reached via Email support f response com Website https www f response com Software and documentation updates will be made available for download to registered users on the F Response web site E mail support is available to licensed software users We typically respond to your queries within 1 business day of receiving your request Revision 5 0 1 Page 65 8 13 2013 lg All Versions TACTICAL Users Manual EXAMINER 501 Appendix D Master Software License Agreement AGILE RISK MANAGEMENT LLC MASTER SOFTWARE LICENSE AGREEMENT TERMS AND CONDITIONS 1 Scope of Agreement Definitions This Agreement covers the license and permitted use of the Agile Risk Management LLC Agile F Response Software Unless otherwise defined in this section the capitalized terms used in this Agreement shall be defined in the context in which they are used The following terms shall have the following meanings 1 1 Agile Software or Software means any and all versions of Agile s F Response software 1 2 Customer means the person or entity identified on the invoice and
47. ific to where the account was created not where the examiner is located at present The default is the US region Revision 5 0 1 Page 36 8 13 2013 All Versions Users Manual TR 5 0 1 Configure Rackspace Cloud Files Credentials Configure Rackspace Cloud Files Credentials Use the Test Connection button to test the credentials against Rackspace Cloud Files If the credentials are valid you can then use the Add button to Add the credentials to your stack of available credentials lastly press Save to store the credentials on the examiner machine in an encrypted repository It is important to note that all Cloud Storage credentials are saved unlike the F Response Enterprise Management Console deployment credentials Revision 5 0 1 Page 37 8 13 2013 lg All Versions Users Manual COREE 5 0 1 HP Public Cloud Credentials HP Public Cloud Credentials are found on the HP Public Cloud Console see console hpcloud com The specific credentials required are available under the Account menu item under Your API Keys see below 7 Cloud Products Documentation Community Blog Console Dashboard Compute Storage Account Overview Contact Information C Edit name address email time zone A Your API Keys U View API Keys for your services HP Public Cloud Management Console Main Page Locate the Service Endpoints section and record copy paste the Tenant ID Service Endpoints Tena
48. istributed with the F Response software those changes can be found online at http www f response com TSkKinfo b A portion of the F Response Software was derived using source code provided by Intel and Alistair Crooks NetBSD which requires the following notice be posted herein and which applies only to the source code F Response code is distributed only in binary or object code form F Response source code and any revised Intel and NetBSD code contained within the F Response source code is not available for distribution The name of Intel Corporation and NetBSD are not being used to endorse or promote this product nor is the name of the author being used Revision 5 0 1 Page 68 8 13 2013 lg All Versions TACTICAL Users Manual EXAMINER 501 to endorse or promote this product This information is presented solely to comply with the required Intel and NetBSD license agreements which require reproduction of the following copyright notice list of conditions and disclaimer Intel License Agreement Copyright c 2000 Intel Corporation All rights reserved Redistribution and use in source and binary forms with or without modification are permitted provided that the following conditions are met Redistributions of source code must retain the above copyright notice this list of conditions and the following disclaimer Redistributions in binary form must reproduce the above copyright notice this list of conditions and the fo
49. jG Please copy the Authorization code above and input it into the Connector dialog where indicated If you are not the end user please copy the code and email them to the F Response product end user F Response com OAuth Helper Page The Authorization Code as displayed on that page must be inputted into the Skydrive Credentials dialog in the Authorization Code box After this is complete press Validate Access Validate Access will confirm the account holder s account details and present that information in the Name box If this is the correct username and account press Add to add the credential to the encrypted credential store and Save to save the newly added credential It is important to note that all Cloud Storage credentials are saved unlike the F Response Enterprise Management Console deployment credentials Revision 5 0 1 Page 48 8 13 2013 All Versions Users Manual 5 0 1 Scanning for Cloud Storage Targets Use the Scan menu to enumerate cloud storage containers buckets by service h F Response Cloud Storage Connector Scan All Scan Amazon 53 Cloud Storage FRE Scan Windows Azure Cloud Storage Scan Dropbox Cloud Storage Scan Google Drive Storage Cloud Connector Scan menu FE F Response Cloud Storage Connector Sean s 53 Sean s 53 Sean s 53 on 53 Inactive Sean s 53 zon 53 Inactive Sean s 53 zon 53 Inactive BVT 155519963 Expir es 4 27 2013 4 0 4 F
50. kspace API and model Openstack based cloud storage environments require the following credentials in order to successfully connect and authenticate e Username o Provided by the implementer this may be a simple textual value or may be a generated alphanumeric code e API Key o Provided by the implementer this is most likely to be a generated alphanumeric code e Authentication URL o Provided by the implementer this URL is necessary to authenticate to the Openstack based cloud storage environment OpenStack Storage Credentials OpenStack Storage Credentials Description Test Credential Username Add Configure Openstack Cloud Credentials Use the Test Connection button to test the credentials against Openstack based cloud storage environment If the credentials are valid you can then use the Add button to Add the credentials to your stack of available credentials lastly press Save to store the credentials on the examiner machine in an encrypted repository It is important to note that all Cloud Storage credentials are saved unlike the F Response Enterprise Management Console deployment credentials Revision 5 0 1 Page 40 8 13 2013 All Versions Users Manual 5 0 1 Windows Azure Blob Storage Windows Azure Blob Storage Credentials are found on the Windows Azure Console see www windowsazure com Portal The specific credentials are available under Storage then the Manage Keys option at
51. kydrive uses the web standard OAUTH2 for providing application access to accounts With OAUTH2 the application user in this case the F Response Cloud Connector user does not have knowledge of the Skydrive username or password Therefore in order to connect the Microsoft Skydrive using the Cloud Connector the Skydrive user must expressly approve access The following dialog and details further illustrate this process Microsoft Skydrive Credentials F Response 899b831 5D2944 ted Matt Shannon e3b76 5021430 Configure Skydrive Credentials The first step is to get the user to Authorize the Token This can be accomplished in one of two ways Either open the url directly using Open URL in this case the examiner will need the username and password as they will be approving access on the account holder s behalf or use the Copy to Clipboard option to generate a URL suitable for sending to the account holder SIgn In Microsoft account What s this Eo meone example com Password Keep me signed in User must approve access to the F Response Cloud Connector Revision 5 0 1 Page 47 8 13 2013 All Versions Users Manual ET 5 0 1 Regardless of the option selected the account holder must approve access to their Skydrive account upon approval the web browser will be redirect to a page at F Response com with the Authorization Code F Response OAuth v2 Helper Authorization Code ANAUDIHSUQROT gcnev9dkSDifgp O0hs
52. l Server Advanced Server Windows XP Home Professional Professional 64bit Windows 2003 Server Windows Vista 32bit amp 64bit Windows 2008 32bit amp 64bit Windows 7 32bit amp 64bit Windows 8 32bit amp 64bit Windows 2012 32bit amp 64bit Linux Glibc 2 3 5 32bit and 64bit Apple OS X 10 3 10 4 10 5 10 6 10 7 10 8 Universal Binary Cloud Storage Environments supported by the F Response Cloud Connector e Amazon Web Services Simple Storage Service S3 Windows Azure Blob Storage Rackspace Cloud Files US and UK HP Public Cloud Any Openstack based Cloud Storage vi series Google Drive Microsoft Skydrive Dropbox Email Servers supported by the F Response Email Connector e Gmail e Yahoo Mail e Most IMAP based Email providers e Office 365 Native Exchange Web Services Database platforms and structures supported by the F Response Database Object Connector e Microsoft Sharepoint Microsoft SQL Server Prerequisites In order to use F Response TACTICAL you will require the following 1 A valid pair of F Response TACTICAL License key FOBs TACTICAL FOBs which can be purchased from the F Response Web site www F Response com F Response TACTICAL has received Windows 7 Compatibility validation from Microsoft a Linux glibc 2 3 5 includes Redhat Suse Ubuntu Fedora and many other distributions of Linux released during or after 2003 3 More information on Openstack is available at www op
53. le has the right to request Customer complete a self audit questionnaire in a form provided by Agile If an audit reveals unlicensed use of the Agile Software Customer agrees to promptly order and pay for licenses to permit all past and ongoing usage 10 Support Services 10 1 Rights and Obligations This Agreement does not obligate Agile to provide any support services or to support any software provided as part of those services If Agile does provide support services to you use of any such support services is governed by the Agile policies and programs described in the user manual in online documentation on Agile s support webpage or in other Agile provided materials Any software Agile may provide you as part of support services are governed by this Agreement unless separate terms are provided 10 2 Consent to Use of Data You agree that Agile and its affiliates may collect and use technical information gathered as part of the support services provided to you if any related to the Software Agile may use this information solely to improve our products or to provide customized services or technologies to you and will not disclose this information in a form that personally identifies you 11 Miscellaneous 11 1 Legal Compliance Restricted Rights Each Party agrees to comply with all applicable Laws Without limiting the foregoing Customer agrees to comply with all U S export Laws and applicable export Laws of its locality if Custom
54. llowing disclaimer in the documentation and or other materials provided with the distribution The name of Intel Corporation may not be used to endorse or promote products derived from this software without specific prior written permission THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES INCLUDING BUT NOT LIMITED TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED IN NO EVENT SHALL INTEL OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT INDIRECT INCIDENTAL SPECIAL EXEMPLARY OR CONSEQUENTIAL DAMAGES INCLUDING BUT NOT LIMITED TO PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES LOSS OF USE DATA OR PROFITS OR BUSINESS INTERRUPTION HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY WHETHER IN CONTRACT STRICT LIABILITY OR TORT INCLUDING NEGLIGENCE OR OTHERWISE ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE EVEN IF ADVISED OF THEPOSSIBILITY OF SUCH DAMAGE Copyright 2006 Alistair Crooks All rights reserved Redistribution and use in source and binary forms with or without modification are permitted provided that the following conditions are met 1 Redistributions of source code must retain the above copyright notice this list of conditions and the following disclaimer 2 Redistributions in binary form must reproduce the above copyright notice this list of conditions and the following disclaimer in the documentation and or other
55. materials provided with the distribution 3 The name of the author may not be used to endorse or promote products derived from this software without specific prior written permission THIS SOFTWARE IS PROVIDED BY THE AUTHOR AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES INCLUDING BUT NOT LIMITED TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT INDIRECT INCIDENTAL SPECIAL EXEMPLARY OR CONSEQUENTIAL DAMAGES INCLUDING BUT NOT LIMITED TO PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES LOSS OF USE DATA OR PROFITS OR BUSINESS INTERRUPTION HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY WHETHER IN CONTRACT STRICT LIABILITY OR TORT INCLUDING NEGLIGENCE OR OTHERWISE ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE 11 7 General This Agreement including its exhibits all of which are incorporated herein are collectively the Parties complete agreement regarding its subject matter superseding any prior oral or written communications Amendments or changes to this Agreement must be in mutually executed writings to be effective The Parties agree that to the extent any Customer purchase or sales order contains terms or conditions that conflict with or supplement this Agreement such terms and conditions shall be void and have no effect and the provisions of this Agreement shall control U
56. n any Agile Software in any form to any entity iv remove alter or obscure any proprietary notice labels or marks on any Agile Software Customer is responsible for all use of the Software and for compliance with this Agreement and any applicable third party software license agreement 3 2 Intellectual Property Agile retains all title patent copyright and other intellectual proprietary rights in and ownership of the Agile Software regardless of the type of access or media upon which the original or any copy may be recorded or fixed Unless otherwise expressly stated herein this Agreement does not transfer to Customer any title or other ownership right or interest in any Agile Software Customer does not acquire any rights express or implied other than those expressly granted in this Agreement 4 Ordering amp Fulfillment Pricing is set forth on the F Response website and is subject to change at any time Each order shall be subject to Agile s reasonable acceptance Delivery terms are FOB Agile s shipping point 5 Payments Customer agrees to pay amounts invoiced by Agile for the license granted under this Agreement If any authority imposes a duty tax or similar levy other than taxes based on Agile s income Customer agrees to pay or to promptly reimburse Agile for all such amounts Unless otherwise indicated in an invoice all Agile invoices are payable thirty 30 days from the date of the invoice Agile reserves the right to
57. nector Using the F Response Database Object Connector TACTICAL Examiner fdbc exe F Response TACTICAL edition includes a copy of the F Response Database Object Connector FDBC The FDBC allows an examiner to mount remote Microsoft SQL Server Database Objects Embedded Files BLOBS etc as local read only logical volumes or network shares Any Database option indicated as disabled or grayed out is a premium service and only available with F Response Consultant edition or above The Database Object Connector supports Microsoft Sharepoint only at present The FDBC does not require executables or agents be deployed to the remote Microsoft SQL Server s The FDBC does require a locally attached F Response licensed dongle TACTICAL Examiner at all times f F Response Database Object Connector 4 0 6 j F Response Database Object Connector Revision 5 0 1 Page 52 8 13 2013 All Versions Users Manual 5 0 1 Configuring Database Server Credentials Before you can connect to Database Server you must first input valid credentials The current version of the FDBC supports Microsoft SQL Server only however future versions will allow you to connect to other SQL based servers including Oracle etc The Database Credentials dialog will allow you to enter one or more Database credentials either Database Native Credentials SQL Native or Windows Domain Credentials Database Credentials are not saved between executions of the FDBC
58. nless otherwise expressly set forth in an exhibit that is executed by the Parties this Agreement shall control in the event of any conflict with an exhibit Sections 2 3 5 7 8 and 9 and all warranty disclaimers use restrictions and provisions relating to Agile s intellectual property ownership shall survive the termination or expiration of this Agreement The Parties are independent contractors for all purposes under this Agreement Revision 5 0 1 Page 69 8 13 2013 lg All Versions TACTICAL Users Manual EXAMINER 501 Appendix E Legal Notices Legal Notice Copyright 2013 Agile Risk Management LLC All rights reserved This document is protected by copyright with all rights reserved Trademarks F Response is a trademark of Agile Risk Management LLC All other product names or logos mentioned herein are used for identification purposes only and are the trademarks of their respective owners Statement of Rights Agile Risk Management LLC products incorporate technology that is protected by U S patent and other intellectual property IP rights owned by Agile Risk Management LLC and other rights owners Use of these products constitutes your legal agreement to honor Agile Risk Management LLC s IP rights as protected by applicable laws Reverse engineering de compiling or disassembly of Agile Risk Management LLC products is strictly prohibited Disclaimer While Agile Risk Management LLC has committed its best ef
59. now Open iSCSI iscsiadm found Listening for TACTICAL Beacon Located TACTICAL Beacon Discovery Results F Response Target 1qn 2008 02 com f response tactical preppc disk 0 F Response Target ign 2008 02 com f response tactical preppc disk 1 gt Only required on 64bit Linux Examiner machines Revision 5 0 1 Page 28 8 13 2013 gt 20 T gt or us i OPTIONAL Manual Connection If the Auto Locate option should fail use the following syntax to perform a manual connection f response tacex lin s lt TARGETIP gt p lt TARGET PORT gt Login to the presented devices Use the resulting output to login to a target device example login syntax is provided here Revision 5 0 1 All Versions Users Manual 5 0 1 root ex mach media EXAMINER TACTICAL Examiner f response tacex lin s L923 100s br p 3260 F Response TACTICAL Examiner Linux Version 4 00 01 F Response TACTICAL Examiner for Linux requires Open 1iSCST Checking for Open iSCSI utils now Open 1iSCSI iscsiadm found Discovery Results F Response Target ign 2008 02 com f response tactical preppc disk 0 F Response Target ign 2008 02 com f response tactical preppc disk 1 root ex mach media EXAMINER TACTICAL Examiner iscsiadm m node targetname ign 2008 02 com response tactical preppc disk 0 login Page 29 8 13 2013 mm 25 gt N co u pe K Using
60. nt Tenant ID 1237651235461 Service Endpoints Tenant ID The preceding credential Tenant ID must be entered along with the login email for the Cloud Console in the corresponding field in the Configure HP Public Cloud Credentials dialog for example 1237651235461 test test com The Password field requires the password used to login to the HP Public Cloud Web Console The Description field is optional and can be used to provide a secondary human readable identifier for the credential set Ex Client X Credentials Revision 5 0 1 Page 38 8 13 2013 All Versions Users Manual TACTICAL 9 0 1 HP Cloud Storage Credentials escriptio a Test Credential Tenant D a Add asword Remove Authentication URL httos region a geo Lidentity hpdouds Configure HP Public Cloud Credentials Use the Test Connection button to test the credentials against HP Public Cloud Files If the credentials are valid you can then use the Add button to Add the credentials to your stack of available credentials lastly press Save to store the credentials on the examiner machine in an encrypted repository It is important to note that all Cloud Storage credentials are saved unlike the F Response Enterprise Management Console deployment credentials Revision 5 0 1 Page 39 8 13 2013 All Versions Users Manual ET 5 0 1 Openstack Based Cloud Storage Openstack is an open source cloud storage platform based on the Rac
61. nual 5 0 1 elect Autolocate or Manual Connect Use either the Autolocate or Manual Connect option to locate the remote Subject executable on the network F Response TACTICAL Examiner Linux AR Connect Autolocate Ctri A Manual Connect Ctri M Quit Ctri Q Login to the presented devices File Select a returned device listing Login Ctrl L and use the Connect gt Login to Logout Ctrl O login to the device then Connect gt Logout to disconnect a device F Response TACTICAL Examiner Linux Revision 5 0 1 Page 31 8 13 2013 All Versions Users Manual TRE 5 0 1 F Response Cloud Connector Using the F Response Cloud Connector TACTICAL Examiner fcldc exe F Response TACTICAL includes a copy of the F Response Cloud Connector FCLDC The FCLDC allows an examiner to mount remote Cloud based Storage containers as local read only logical volumes or network shares Any Cloud service indicated as disabled or grayed out is a premium service and only available with F Response Consultant edition or above The FCLDC does not require executables or agents be deployed to Cloud Storage providers The FCLDC does require a locally attached F Response licensed dongle TACTICAL Examiner at all times d F Response Cloud Storage Connector D HwiD 155519983 Expir 25 4 29 2014 5 0 0 FA F Response Cloud Connector Revision 5 0 1 Page 32 8 13 2013 All Versions Users Manual 5 0 1 Configuring Cloud Cred
62. nual 5 0 1 am gt z m D gt r Rackspace Cloud Files Credentials Rackspace Cloud Files Credentials are found on the Rackspace Management Console see manage rackspacecloud com The specific credentials required are available under the Your Account menu item under API Access see below rackspace Home Al Home Welcome e Hosting a Welcome lls Your Account e Account Reports P Amounts shown her Billing Username amp Contacts API Access Cloud Servers Rackspace Cloud Management Console Main Page Locate the API Access section and record copy paste the Username then press Show Key to open a secondary window containing the API Key e Enable API Access Username testuserl API Key ween eee eee This key must be included with your control panel username in all requests te Signatures please refer to Developer Resources for articles about the web st Username and API Key The preceding credentials Username and API Key must be entered in the corresponding fields in the Configure Rackspace Cloud Files Credentials dialog The Description field is optional and can be used to provide a secondary human readable identifier for the credential set Ex Client X Credentials In addition an Authentication URL must be selected either US or UK the drop down is available to the right of the Authentication URL text input The region is spec
63. on shall not include information which i is or becomes generally known to the public through no fault or breach of this Agreement by the receiving Party ii the receiving Party can demonstrate by written evidence was rightfully in the receiving Party s possession at the time of disclosure without an obligation of confidentiality iii is independently developed by the receiving Party without use of or access to the disclosing Party s Confidential Information or otherwise in breach of this Agreement iv the receiving Party rightfully obtains from a third party not under a duty of confidentiality and without restriction on use or disclosure or v is required to be disclosed pursuant to or by any applicable laws rules regulatory authority court order or other legal process to do so provided that the Receiving Party shall promptly upon learning that such disclosure is required give written notice of such disclosure to the Disclosing Party 6 3 Obligations Each Party shall maintain in confidence all Confidential Information of the disclosing Party that is delivered to the receiving Party and will not use such Confidential Information except as expressly permitted herein Each Party will take all reasonable measures to maintain the confidentiality of such Confidential Information but in no event less than the measures it uses to protect its own Confidential Information Each Party will limit the disclosure of such Confidential Information to t
64. only such person or entity Customer Shall not mean any assigns heirs or related persons or entities or claimed third party beneficiaries of the Customer 1 3 Documentation means Agile release notes or other similar instructions in hard copy or machine readable form supplied by Agile to Customer that describes the functionality of the Agile Software 1 4 License Term means the term of the applicable license as specified on an invoice or as set forth in this Agreement 2 Grant of Software License 2 1 Enterprise License Subject to the terms and conditions of this Agreement only Agile grants Customer a non exclusive non transferable license to install the Agile Software and to use the Agile Software during the License Term in object code form only 2 2 Third Party Software Customer acknowledges that the Agile Software may include or require the use of software programs created by third parties and the Customer acknowledges that its use of such third party software programs shall be governed exclusively by the third party s applicable license agreement 3 Software License Restrictions 3 1 No Reverse Engineering Other Restrictions Customer shall not directly or indirectly i sell license sublicense lease redistribute or transfer any Agile Software ii modify translate reverse engineer decompile disassemble create derivative works based on or distribute any Agile Software iii rent or lease any rights i
65. ons and reboot F Response TACTICAL Reboot Prompt Following a successful reboot you will be able to use F Response TACTICAL Examiner without further driver prompting If you receive this warning on a Windows 7 or 8 computer this means you are not using the latest F Response TACTICAL Please make sure to download the latest F Response TACTICAL Installer https www f response com support downloads and use the Restore Device Software option in the TACTICAL Manager Revision 5 0 1 Page 16 8 13 2013 F All Versions TACTIC Users Manual EXAMINE 501 OPTIONAL Removing the F Response TACTICAL Examiner driver from a Windows Vista 2008 or 7 Computer As indicated earlier F Response TACTICAL Examiner will install a low level driver on Windows Vista 2008 and Windows 7 computers prior to your first use If at some future point you would like to completely remove that driver from the system you can do this by selecting Help gt Remove Drivers in the F Response TACTICAL Examiner menu F Response TACTICAL Examiner 3 09 05 x Would you like to remove the F Response Drivers Windows Vista 2008 amp Win Only Do this when you are sure you would not like to use F Response on this machine again F Response TACTICAL Removal Prompt You will have the option of removing drivers only on Windows Vista 2008 and Windows 7 machines If you elect to proceed F Response TACTICAL Examiner will remove the driver and close F
66. ponse Flexdisk is as easy as working with a web browser The Flexdisk web viewer interface contains multiple icons as well as a clearly defined legend to cover their usage and meaning A sample of that legend appears below a ite recursive CSV of directory 3 Allocated Directory F Allocated File Download CSV of an individual file s Unallocated Directory Unallocated File metadata In addition to using the provided web viewer the F Response Flexdisk provides a rich and capable web services API that can be used to build mobile and web based applications that leverage F Response Flexdisk provided content 7 REST or Representational State Transfer is a web services development model that uses simple HTTP verbs such as GET and POST 8 JSON or Javascript Object Notation is a data formatting style considered smaller and easier to manipulate when compared to XML Revision 5 0 1 Page 62 8 13 2013 gt oc mi gt or All Versions Users Manual 5 0 1 Frequently Asked Questions Q Do I change any data on the target computer by using F Response Q I am connected via F Response I navigated to a file on the remote computer hit delete and it appears to be gone Did I really delete the file Q I have a personal firewall running on my computers Do I need to change firewall settings to use F Response Q I have a remote user that accidentally deleted a file Can I use F Response to recover deleted files
67. rprise governing ports 3260 or whatever port you have elected to use with F Response This could be used to force F Response to be used over an IPSec tunnel and thus allow you to have the F Response service start automatically with each boot If F Response is being used over the Internet and corporate policy dictates encryption over public networks then the existing corporate VPN capability should satisfy the encryption policy 6 Q Does F Response work as an agent A No It does not collect or store any data on the machine under inspection It does not report to a management server It does not have an inherent analysis or reporting capability 7 Q I established an F Response connection tried to view the remote Documents and Settings folder and received a message that I don t have permission to view that folder Why don t I have access A You have the access with the right tools You probably used Windows Explorer or an equivalent tool that is subject to the file permission settings for those folders If you use a forensics tool that can take advantage of your raw drive access then you won t have this issue Revision 5 0 1 Page 64 8 13 2013 lg All Versions TACTICAL Users Manual EXAMINER 501 Support Didn t find what you re looking for in the manual Many of our customers find that our growing selection of brief tutorial videos offers the information to meet their immediate needs https www f response com support v
68. ry Size 40 5 MB on disk Created 7 11 08 9 46 PM N O N AM E A QuickTime Player Directory Utility ai D Safari amp Disk Utility ee aT P Skype FF Grab Last opened 9 11 09 10 42 i ms fres vmhost i Spaces Grapher Stickies I Java Preferences Version 2 Y PLACES System Preferences ye Keychain Access _ More info Desktop 7 TextEdit amp Migration Assistant mshannon 2 Time Machine Network Utility 3 Documents Transmission E ODBC Administrator il TrueCrypt Podcast Capture Applications M UnRarX RAID Utility Y SEARCH FOR JE Utilities Remote Install Mac OS X 1 Today A Li System Profiler pt EE ET Terminal l Yesterday eee VoiceOver Utility Y Past Wee Last login Tue Oct 27 15 66 59 on ttv24ff new host 2 mehannon cd Volumes NON NAME TACTICALY Subject new host 2 TACTICAL Subject mehannon sudo f respornse tacsub osx Password F Response TACTICAL Subject Apple OS Edition Version 3 69 85 F Response Disk dev rdiska 312551888 sectors 512 sector size 152627 MB write blocked storage on F Response Disk rdisk F Response Disk dev rdiskil 3891288 sectors 512 sector size i MB write blocked storage on F Response Disk rdiski Removable Disk F File Edit View Favorites Tools Help Q sak r gt 7 wi e Search 1 Folders fel Address F File and Folder Tasks a TACTICAL Examiner Mak f
69. se TACTICAL Subjec Agile Risk Management LLC DB E F Response TACTICAL Subject Host Information i Hostname tactical preppc Di Host IP Address 192 168 1 3 M Flexdisk Port 3251 Remote Configuration TCP Port 3260 TCP Port must be between 1 and 65 554 Version 4 00 01 License Key HW ID 100219 Start License Expires 3 31 2012 Removable Disk F File Edit View Favorites Tools Help Qt r v wi Po Search Folders fl Address Fe FA File and Folder Tasks CJ TACTICAL Examiner F9 Make a new folder f response tacex exe F Response TACTICAL Examin Agile Risk Management LLC DB F F Response TACTIC File Connect Help Auto Connect Manual Connect Exit Page 18 8 13 2013 OPTIONAL If Auto Connect does not work Select the File menu item Manual Connect and input the IP Address in the Host IP Address field on the TACTICAL Subject See Above Login to the presented devices Select one or more F Response Targets then right click and select Login to F Response Disk to login to an F Response Disk Use the Local Disk column to identify the newly attached device on your computer OPTIONAL Select the Connect menu item Open F Response Flexdisk to launch the default browser and connect to the F Response Flexdisk web viewer on the remote target computer Revision 5 0 1 FE F Response TACTIC File Connect Help
70. ss_Content_c4ed960e 12af Microsoft Sharepoint Microsoft SQL Server Inactive j F ICQ Content GhoesO d ithe LP am af i Micrnent CO Corsar Tarbes 4 r HWID 155601020 Expires 7 5 2014 4 0 6 F Logged in Database Storage target assigned the E drive letter Revision 5 0 1 Page 55 8 13 2013 All Versions Users Manual 5 0 1 Disconnecting from Database Object Targets You can disconnect from a storage target by selecting the target right clicking to open the context menu and selecting Logout of F Response Database Volume The volume will be disconnected and the assigned drive letter will now be removed F F Response Database Object Connector E w i Microsoft Sharepoint Microsoft SQL Server Inactive 3 wss_Content_cfbd5f6ff98b4 Microsoft Sharepoint Microsoft SQL Server Inactive uwss content ccee4chfa c04 Microsoft Sharepoint Microsoft SQL Server Inactive 3 wss_Content_c4ed960e laf Microsoft Sharepoint Microsoft SQL Server Inactive j F Wel Content GhosO d ithe Aim i Micrnent CO Corsar Tarbes 4 r HWID 155601020 Expires 7 5 2014 4 0 6 F Logged out of the Database Volume Revision 5 0 1 Page 56 8 13 2013 lg All Versions Users Manual TACTICAL 5 0 1 F Response Email Connector Using the F Response Email Connector TACTICAL Examiner femlc exe F Response TACTICAL edition includes a copy of the F Response Email Connector FEMLC The FEMLC allows an examiner to mount remote IM
71. the TACTICAL Examiner for Linux GUI All Versions Users Manual 9 0 1 F Response TACTICAL Examiner includes a GUI Linux based executable to allow for connections from Linux based machines to F Response TACTICAL Subject targets In order to effectively use the F Response GUI TACTICAL Examiner for Linux f response tacex lin gui you will need to meet the following requirements in order to use the Linux Examiner on your machine e Open iSCSI e Compatibility Libraries for 32bit Applications e Root access native or via SU SUDO Please refer to the prior sections when using the TACTICAL Subject software however starting on Step 3 you will refer to the following steps to properly use the TACTICAL Examiner for Linux INSERT TACTICAL Examiner fa root ex mach cd media EXAMINER Insert the F Response TACTICAL root ex mach media EXAMINER cd Examiner USB Dongle into the 7 TACTICAL Examiner Analyst or Investigator s Linux root ex mach media EXAMINER TACTICAL Computer Ensure the Examiner Examiner device is mounted and navigate to the TACTICAL Examiner directory on the device root ex mach media EXAMINER TACTICAL Examiner f response tacex lin gul Execute the TACTICAL Examiner for Linux in Autolocate mode Execute the TACTICAL GUI Examiner for Linux with no commandline options as root or using su sudo 6 Only required on 64bit Linux Examiner machines Revision 5 0 1 Page 30 8 13 2013 All Versions Users Ma
72. the bottom of the page see below Windows Azure ALL ITEMS WEB SITES CLOUD SERVICES DB SOL DATABASES Windows Azure Management Console Main Menu Manage Access Keys Regenerating keys will affect any Virtual Machines Media Services or applications using this storage account Learn more PRIMARY ACCESS KEY odhfhvd amp fu3tanskjdfg890s9vbkjmr09ui3409tijgldfjgofi98b08324 regenera te Manage Keys gt Manage Access Keys Primary Access Key Revision 5 0 1 Page 41 8 13 2013 All Versions Users Manual ET 5 0 1 Microsoft Windows Azure provides both a Primary and Secondary Access key You can use either of these keys along with the Storage account name to authenticate to the Windows Azure Blob Storage Service The Password field requires the password used to login to the HP Public Cloud Web Console The Description field is optional and can be used to provide a secondary human readable identifier for the credential set Ex Client X Credentials Configure Microsoft Windows Azure Credentials X Microsoft Windows Azure Storage Service Credentials Description fi Account Name Add Primary Access Key Rem I ove Configure Windows Azure Blob Storage Credentials Use the Test Connection button to test the credentials against Windows Azure Blob Storage If the credentials are valid you can then use the Add button to Add the credentials to your stack of available credentials las
73. tly press Save to store the credentials on the examiner machine in an encrypted repository Revision 5 0 1 Page 42 8 13 2013 All Versions Users Manual COREE 5 0 1 Dropbox Credentials Dropbox uses the web standard OAUTH for providing application access to accounts With OAUTH the application user in this case the F Response Cloud Connector user does not have knowledge of the Dropbox username or password Therefore in order to connect the Dropbox using the Cloud Connector the Dropbox user must expressly approve access The following dialog and details further illustrate this process Dropbox Credentials Validate Access Request Token Validate Access Verifier Optional FResponseAG 46572 testacct Matt Shannon 76691 DB11178 Configure Dropbox Credentials The first step is to generate a token for requesting credentialed access An examiner may accomplish this by pressing on the Generate button Upon indication of a successful Token generation the examiner must now get the user to Authorize the newly generated Token This can be accomplished in one of two ways Either open the url directly using Open URL in this case the examiner will need the username and password as they will be approving access on the account holder s behalf or use the Copy to Clipboard option to generate a URL suitable for sending to the account holder Revision 5 0 1 Page 43 8 13 2013 All Versions Users Manual T
Download Pdf Manuals
Related Search