Connect to a remote Windows target(s) disk using F
F-Response Mission Guide
Connecting to Windows target(s) using F-Response Enterprise Edition
Rev 2.0, April 2, 2013
Email: support@f-response.com   Website: www.f-response.com   YahooIM: fresponse_s   Phone: 1-800-317-5497

Your Mission: Connect to a remote Windows target(s) disk using F-Response Enterprise Edition.

Note: This guide assumes you have installed F-Response Enterprise Edition, your F-Response licensing dongle is plugged into your analyst machine, the F-Response License Manager Monitor is installed and running, and the F-Response Enterprise Management Console (FEMC) has been started. For more information, please reference the F-Response User Manual or the F-Response Enterprise Edition Video on the F-Response Website. F-Response EE supports Windows 2000, 2003, XP, Vista, 2008, 7, 8 (32 & 64 Bit).

Step 1: Ready the Console

Before using the FEMC, some configuration is required. You will need to configure the Deployment Options Configure and Credentials Configure windows. The details can be found in the F-Response Manual, but to accomplish our mission as quickly as possible, here are some quick configuration suggestions.

In the FEMC, go to File Configure Options and the Deployment Options Configure window will open. Good news: some of the work here has already been done for you, and typically once you input this information you won't need to change it again. You'll only need to fill in the Host Configuration and Windows Service Install Configuration areas.

Under Host Configuration, enter a username and password for F-Response to use while communicating with your Windows target machine(s). You can make it anything you would like. Leave the TCP port default at 3260. Although not part of our objective, it's worth noting that Physical Memory can be captured and presented as a local disk for Windows machines by selecting the physical memory check box here.

Under F-Response Windows Service Install Configuration, you will need to enter a Service Name and Description (your choice entirely) and select the Windows version of F-Response as the Executable. If you installed F-Response with the standard defaults, you can browse to the C:\Program Files\F-Response\F-Response Enterprise Edition directory and choose the f-response-ent.exe file.

The IP Address of your License Manager (your analyst machine's IP) and default port of 5681 will automatically populate under the Validation Configuration section.

The Unix Platform Specific Deployment Options portion of the window (the lower half) can be ignored, as we are not concerned with Unix targets for our mission.

Next, you need to configure your Windows login credentials to deploy F-Response to your Windows target machine(s). In the FEMC, go to File Configure Credentials and the Credentials Configure window will open. Under the Windows Domain Network Credentials section of the window, you can enter the user name and password for a local account on the target machine, or a domain account by specifying the domain along with the user name and password.

Click the Add button and the information is added to the list of credentials F-Response will use to access the Windows target machines (choosing targets will be explained in Step 3 of this document).

Additionally, there is the option to bypass the list of credentials and use the account you are currently logged into your analyst laptop with, by checking the Use Current User Credentials box.

Once you have configured your deployment settings and login credentials, you are ready to use F-Response to connect to your Windows target(s).

Step 2: Scan for target Windows machines

In the FEMC there are several ways to scan for your Windows target machine(s). For our purposes, we assume you already have a list of machines you would like to connect to, so we are going to use the custom scan option.

In the FEMC, choose Custom Scan from the Scan menu and enter your Windows machine name(s) or IP address, each separated by a comma. This data is retained, so you may need to clear out any old information first. Click OK to have F-Response start scanning.

Step 3: Deploy and start F-Response on your target

When the scan completes, Windows machines can be identified in the list by the F-Response Windows icon. F-Response can be deployed, started, and a discovery request issued in one step by using the Install/Start F-Response option. Choose a Windows target machine from the Custom Scan list, highlight and right click on it, then select Install/Start F-Response.

The F-Response Badge will turn green, indicating F-Response is now running on the target machine.

If you have several Windows targets you need to install F-Response on, you can highlight them all under the deployment tab and choose Install/Start F-Response from the deployment drop down menu.

Step 4: Connect to disk(s) on your Windows target(s)

Once F-Response is installed and running on your target machines (as seen by the icons with green badges), you can find, connect, and open a write blocked connection to the remote disk(s). Click the Connect tab in the lower portion of the window to see the list of potential targets on the remote machines where F-Response is installed and running.

Here you can pick what disk(s) to connect to by highlighting and choosing Login to F-Response Disk from the Connect drop down or right click menus. Once you log into the target disk, the F-Response badge icon will change from gray to blue and the Connected status column will show as Connected.

Step 5: Fire up the tool of your choice

F-Response is a vendor neutral product. Once F-Response presents the remote target disk as a write blocked local connection, we step out of your way so that you can select the right tool to get your job done. At this point you can reach into your toolbox and apply the tool of your choice to the target disk(s).

Understanding F-Response Disk Naming

F-Response uses the following naming convention for target disks:

    iqn.2008-02.com.f-response.HOSTNAME:O/S disk name

We are only concerned with the HOSTNAME:O/S disk name portion of the name. HOSTNAME is the name of your Windows target machine. If you only know the IP address, a quick glance back at the Active Clients tab will help you tie the hostname to the address.

For the O/S disk name, F-Response can access both remote physical disks and the logical volumes on those disks. Windows identifies hard disks using the format disk-x. The x portion is a number, starting with zero, representing the physical drive. Windows identifies logical volumes in the format vol-x, where x is a letter corresponding to a volume on the remote physical disk. For example:

    F-Response Target                                  Connected   Local Disk
    iqn.2008-02.com.f-response.winxppro-2k8:vol-c      Connected   \\.\PhysicalDrive1
    iqn.2008-02.com.f-response.winxppro-2k8:disk-0     Connected   \\.\PhysicalDrive2
    iqn.2008-02.com.f-response.win2kadv:vol-c          Inactive    Inactive

The first target in this list is on the target machine named winxppro-2k8, and we can tell by the last piece of the name that this is the logical volume C on that machine. The second target in this list is on the same machine but represents the entire physical disk and any logical volumes it may contain, as shown by the last portion of the naming convention, disk-0. The third and last target in this list we are not currently connected to, but we can tell by the naming convention that it is volume C on the machine named win2kadv.

Troubleshooting

My Windows target shows in the scan list, yet it does not appear under the deployment tab.
You just need to refresh the full view by double clicking the root of the scan tree.

I am unable to connect to the remote F-Response Windows target; it just shows up with a question mark.
Check the Messages tab. It's possible the credentials are configured incorrectly.

I can deploy F-Response, but when I try to start it I get an error telling me it could not connect to Validation server.
Check if your license manager is bound to the correct local IP address on your analyst machine.

When I attempt to deploy F-Response using the FEMC I cannot, even though I have valid credentials.
This is typically the case when attempting to connect to Windows machines not part of a Domain. Your target machine is most likely a Windows XP machine not running in Classic mode for credential authentication. To switch the target machine to Classic, you must open the Local Security Policy Administration Tool under Control Panel, Administrative Tools. You will then select Local Policies > Security Options and change the value of "Network Access: Sharing and Security Model for Local Accounts" to "Classic - Local Users authenticate as themselves". This is only necessary when using the FEMC to deploy F-Response to computers not part of a Windows Domain.

If the target machine is a Windows 7, Vista or newer Windows OS and not joined to a Domain (i.e. Workgroup Member), then a key will need to be added to the registry of the target machine. You can manually create and add it to the registry by following these steps.

To create your registry key, copy the following information into Notepad:

    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
    "LocalAccountTokenFilterPolicy"=dword:00000001

Save this file as LocalAccountTokenFilterPolicy.reg and then copy it to your target machine. Double click this file on the target machine to populate the registry with this key.

To remove, follow the same steps as above, this time with the following information:

    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
    "LocalAccountTokenFilterPolicy"=dword:00000000

If you are having issues not covered in this guide, please don't hesitate to contact us directly, either on the web (www.f-response.com), via email (support@f-response.com), or via IM (YahooIM: fresponse_s).
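The LocalAccountTokenFilterPolicy change described under Troubleshooting turns off UAC remote restrictions for local accounts on the target, so it is worth recording the value found on the machine and putting it back once the acquisition is done. The PowerShell below is an added example, not part of the F-Response guide or product; the function names and the state file location are assumptions made for illustration, and it must be run from an elevated prompt on the target.

```powershell
# Added example (not from the F-Response guide). Run elevated on the target machine.
$KeyPath   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$ValueName = 'LocalAccountTokenFilterPolicy'
$StateFile = Join-Path $env:ProgramData 'tokenfilter-prior.txt'   # hypothetical location

function Get-TokenFilterState {
    # Returns 'absent' when the value does not exist; Windows treats that like 0.
    $item = Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'absent' }
    return [string]$item.$ValueName
}

function Write-ChangeRecord([string]$Action) {
    # One line per change for the case notes: UTC time, host, operator, resulting state.
    '{0:o} {1} {2} {3} {4}={5}' -f (Get-Date).ToUniversalTime(), $env:COMPUTERNAME,
        $env:USERNAME, $Action, $ValueName, (Get-TokenFilterState)
}

function Enable-RemoteLocalAdmin {
    # Record the state found on the target once, then set the value the guide asks for.
    if (-not (Test-Path $StateFile)) {
        Set-Content -Path $StateFile -Value (Get-TokenFilterState)
    }
    New-ItemProperty -Path $KeyPath -Name $ValueName -PropertyType DWord -Value 1 -Force | Out-Null
    Write-ChangeRecord 'enabled'
}

function Restore-TokenFilterState {
    # Put the target back exactly as found: delete the value if it was absent before.
    if (-not (Test-Path $StateFile)) { throw "No recorded prior state at $StateFile" }
    $prior = (Get-Content -Path $StateFile | Select-Object -First 1).Trim()
    if ($prior -eq 'absent') {
        Remove-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
    } else {
        New-ItemProperty -Path $KeyPath -Name $ValueName -PropertyType DWord `
            -Value ([int]$prior) -Force | Out-Null
    }
    Remove-Item -Path $StateFile
    Write-ChangeRecord 'restored'
}
```

Dot-source the file, call Enable-RemoteLocalAdmin before deploying from the FEMC and Restore-TokenFilterState afterwards, and keep the two returned lines with the examination notes as a record of what was changed on the target.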