
F-Response Manual (All Versions)

Contents

1. Revision 5 0 3 Page 69 5 29 2014 All Versions Fi F Response Users Manual 9 0 3 F Response Consultant Covert Edition Consultant Covert Edition Overview The Consultant Covert Edition provides all the capabilities of the F Response Consultant Edition see the following F Response Consultant Edition section of this document however it additionally provides a limited covert deployment console capable of deploying and starting F Response on a single active target Please refer to the following sections to learn more about configuring the F Response Consultant Covert Console e F Response Enterprise Configuring Deployment Options e F Response Enterprise Configuring Credentials e F Response Enterprise Scanning Direct Connect Only Revision 5 0 3 Page 70 5 29 2014 All Versions E F Response Users Manual 5 0 3 F Response Consultant Edition Consultant Edition Overview of the F Response Consultant Connector Fi F Response Consultant Connector File Connect Help Connect Messages Active Clients Local Disk HWID 155519116 Expires 12 17 2011 F Response Consultant Connector Menu Options e File o Quick Configure Opens a dialog to configure the TCP Port Username and Password for use during Discovery Request or Login phases o Create Autoconfigure Opens a dialog for creation of an Autoconfigure package for F Response Consultant Edition o Clear Messages Clears any infor
2. roe lastasi File Scan Deployment Connect Active Clients Help Deployment Machine Name Domain Workgroup Status 192 168 1 210 Custom Scan F Response Not Installed Custom Scan Complete 1 Detected HWID 155519116 Expires 12 17 2011 Icon badges indicate F Response has been successtully installed on the target computer isie Erta LAs g k 4 lt z n VT PNS O ee IUS PHOCC IVIG He _ ee WEhoVie a oe a LS File Scan Deployment e Clients Help Install Start F Response Stop Remove F Response Install F Response Uninstall F Response Start F Response Stop F Response Issue Discovery Request Refresh Status Open F Response Flexdisk Status 192 168 1 210 Custom Scan F Response Not Installed Custom Scan Complete 1 Detected HWID 155519116 Expires 12 17 2011 Select individual targets or multiple targets and select Start F Response to start the remote F Response Enterprise service Revision 5 0 3 Page 62 5 29 2014 3 All Versions lai ecard Users Manual 5 0 3 Deployment Machine Name Domain Workgroup Status 192 168 1 210 Custom Scan F Response Not Installed Custom Scan Complete 1 Detected HWID 155519116 Expires 12 17 2011 Icon badges indicate F Response has been successfully started on the target computer Active Clients IP Address Platform 192 168 1 210 Windows 2008 Vista Custom Scan Complete 1 Detected Expires 12 17 2011 The Active
3. EE Target Code, Consultant Edition (CE) Target code, or the Field Kit (FK) Target code at your discretion. Please refer to the respective user manual sections for instructions on using F-Response in the desired mode. The Consultant Covert Edition Installation package installs the following software: F-Response License Manager and License Manager Monitor; F-Response Consultant Covert Console (FCC); F-Response Cloud Connector (FCLDC); F-Response Consultant Connector (FCC); F-Response Accelerator (FAR); F-Response Consultant COM Object (FCCCTRL); F-Response Enterprise Target Code (All Supported Platforms); F-Response Consultant Target Code (All Supported Platforms); F-Response Dongle Updater. The default installation is to Program Files > F-Response. Do not install this installation package on the machine to be analyzed. Consultant Edition: If you possess a license for F-Response Consultant or Enterprise Edition, then you may use your F-Response FOB with either the Field Kit (FK) Target code or Consultant Edition (CE) Target code at your discretion. Please refer to the Field Kit Edition section of the User Manual for instructions on using F-Response in Field Kit mode. The Consultant Edition Installation package installs the following software: F-Response License Manager and License Manager Monitor; F-Response
4. F-Response Flexdisk updated with new programmable API: Flexdisk now has programmable API using simple RESTful web methods and JSON text encoding. More information on the Flexdisk API is available in the API document on the Downloads page of the F-Response website. F-Response Flexdisk for Linux now autodetects more mount points and logical volumes. Updates to the F-Response Enterprise COM Scripting object to support Flexdisk configuration options. Improved handling of >2TB disks for non-Windows platforms. F-Response Enterprise for AIX and SCO now more accurately locates and presents physical devices. Changes affecting Consultant Edition: F-Response Flexdisk updated with new programmable API: Flexdisk now has programmable API using simple RESTful web methods and JSON text encoding. More information on the Flexdisk API is available in the API document on the Downloads page of the F-Response website. F-Response Flexdisk for Linux now autodetects more mount points and logical volumes. Improved handling of >2TB disks for non-Windows platforms. F-Response Consultant for AIX and SCO now more accurately locates and presents physical devices. Changes affecting Field Kit Edition: Improved handling of >2TB disks for non-Windows platforms. o lerator F-Response Flexdisk updated with new programmable API: Flexdisk now has programmable API using simple RESTful web methods and JSON text encoding. More info
5. Save the Autoconfigure package to a USB disk or portable storage device so that it can be taken to the target computer for execution. Consultant Edition: Using F-Response Consultant Edition for Windows. Step 1: To use the F-Response Consultant Edition, insert a valid F-Response FOB key into a USB port of the computer on which you will be running the F-Response License Manager Service, and then execute the F-Response License Manager Service on that computer. Step 2: If you are using the Autoconfigure feature unique to the Consultant Edition, jump to Step 7. If you are not using the Autoconfigure feature, make the F-Response CE Target code available to the machine to be analyzed (via USB, network share, CD, etc.) and execute the F-Response CE Target code. The following consultant validation box will appear: [Screenshot: F-Response Consultant Edition Validation User Interface. See Appendix A for field information detail.] Enter the IP address of the computer running the F-Response License Manager service (in this case our F-Response LM server is listening on port 5681 at address 192.168.1.6) and select valid
6. F-Response Consultant Covert is now better able to detect Windows machines even if they are running SSH/SFTP services. Improved handling of deployment to remote Windows machines with non-standard root directories and paths. New Export MSI option exports the F-Response target executable and configuration file, along with all necessary settings, to a simple Microsoft Installer which can be easily deployed to target machines using 3rd party deployment tools. Changes affecting all versions of F-Response: F-Response Apple OSX executables now signed with registered Apple Developer certificate. F-Response Linux and Apple OSX executables now able to better detect non-standard device paths and mount points and automatically add these as available targets. Thanks to assistance from AAron Walters, Michael Ligh, and the Volatility Project, F-Response Physical Memory access now has greatly improved stability in large memory environments. F-Response 4.0.03 contains the following new features and enhancements. Changes affecting Enterprise and Consultant Covert Edition: F-Response Enterprise now includes support for 64bit Linux platforms. F-Response Enterprise Management Console now correctly detects Apple OSX 10.7 target computers and deploys the appropriate software. F-Response Flexdisk updated with minor API corrections based on user feedback. F-Response Enterprise Service Uninstall issue addressed, removed potential service mar
7. SSH with SFTP Subsystem services available. Credentials: User account capable of assuming superuser privileges, or superuser account. Platform Specific Notes: Apple: SSH is not enabled by default on Apple OSX; however, it can be enabled via the System Preferences via the Remote Login Service. The exact location of this option will vary by operating system release and version. Appendix G: F-Response Target Naming Convention. The following outlines the F-Response Target naming convention. All Platforms: iqn.2008-02.com.f-response.HOSTNAME. Windows: Physical Disk: disk-X, where x is the physical disk number; Logical Volume: vol-X, where x is the logical volume letter; Physical Memory: pmem. Non-Windows: Physical Disk: <disk name> (platform dependent). Appendix H: Icon Legend (columns: Icon, Platform, Name, Details). Platform: None; Name: Network Domain or Workgroup; Details: Icon indicates a Network Domain or Workgroup, computers listed under this icon have identified themselves as being a member of the group. Platform: Unknown; Name: Unknown; Details: Icon indicates this computer platform is unknown or valid credentials could not be established, check the Messages tab for further details. Platform: Apple; Name: Apple F-Response Not Instal; Details: Icon indicates an Apple Computer, if no
8. Terminology: The iSCSI terms Target and Initiator are used throughout this manual. The choice of initiator and target verbiage in the iSCSI definitions may prove confusing to forensics practitioners, because "target" carries a different definition in the field of computer forensics versus iSCSI. In computer forensics, the system to be analyzed is generally referred to as the subject system, whereas the system to which forensically sound data is collected is generally referred to as the target system. In this manual the forensic subject is an iSCSI target, i.e., F-Response Target code is executed on the machine to be analyzed. For this reason we want to make clear that the use of the word "target" in this manual refers to the iSCSI definition and not the forensics definition. The definitions for Target and Initiator used in this manual are as follows. Target: F-Response Target code is to be executed on the machine(s) to be analyzed. All references to target in this manual refer to the machine(s) being analyzed using F-Response target code. Initiator: An iSCSI initiator is used to establish network connections to machines running F-Response Target code. iSCSI initiator software must be installed on the machine from which analysis is to be conducted over the network. F-Response Target code has been tested with Microsoft iSCSI Initiator 2.0 software included by default with newer Win
9. button to start listening for incoming connections. When the service is started, one temporary file is created if the Physical Memory option has been enabled. This file, Mnemosyne.sys, is the physical memory driver necessary for providing access to physical memory. At this time the F-Response Consultant Edition client has been successfully validated and the F-Response Consultant Connector Active Clients Tab shows the remote client's IP address, Machine name, and Platform, as shown below. [Screenshot: F-Response Consultant Connector Active Clients Tab shows F-Response Consultant Edition remote client or target computer.] The Consultant Edition permits you to establish multiple connections. To examine multiple targets, simply start the remote F-Response Consultant Service on each Target and they will each appear in the F-Response Consultant Connector Active Clients Tab. This completes F-Response preparation for this session. Remember, you will need the four entries selected in the User Interface from Step 2 above in order to establish the connection to access the computer's drives over the network. Refer to the section on using the F-Response Consultant Connector to
10. e _ eee e LL amazon Sign Up My Account Console webservices AWS Management Console AWS Products amp Solutions Entire Site My Account ipp Account Activity Usage Reports Security Credentials a Amazon Web Services Main Page Locate the Access Credentials section and record copy paste the Access Key ID then press Show to open a secondary window containing the Secret Access Key Access Credentials There are three types of access credentials used to authenticate your requests to AWS services a access keys b 509 certificates and c key pairs Each access credential type is explained below Access Keys lial X 509 Certificates Key Pairs Use access keys to make secure REST or Query protocol requests to any AWS service API We create one for you when your account is created see your access key below Your Access Keys Created Access Key ID Secret Access Key Status August 19 2010 agh423jka941dIt0438 Show Active Make Inactive Create a new Access Key Amazon AWS Access Key and Secret Access Key The preceding credentials Access Key and Secret Key must be entered in the corresponding fields in the Configure S3 Credentials dialog The Description field is optional and can be used to provide a secondary human readable identifier for the credential set Ex Client X Credentials Revision 5 0 3 Page 20 5 29 2014 All Versions lai F Response Users Manual
11. to the extent any Customer purchase or sales order contains terms or conditions that conflict with or supplement this Agreement such terms and conditions shall be void and have no effect and the provisions of this Agreement shall control Unless otherwise expressly set forth in an exhibit that is executed by the Parties this Agreement shall control in the event of any conflict with an exhibit Sections 2 3 5 7 8 and 9 and all warranty disclaimers use restrictions and provisions relating to Agile s intellectual property ownership shall survive the termination or expiration of this Agreement The Parties are independent contractors for all purposes under this Agreement Revision 5 0 3 Page 135 5 29 2014 All Versions lai F Response Users Manual 9 0 3 Appendix J Renewing F Response Dongle License Updating the F Response Dongle FK CE CE C EE Purpose This document identifies the steps to be taken to update your F Response USB license key FOB FOB in the event that you have upgraded or renewed your license What You Need In order to update your FOB you will require the following 1 The f response_ lt lic _expdate gt upt2 file you received from Customer Support after purchasing your license renewal or upgrade from the F Response web site 2 Your FOB of course Note Upgrades and renewals are tied to a specific FOB so be certain that you insert the proper FOB for use with the provided upt2 file 3 A copy of
12. 3 F Response Autconfigure file f response ent exe ini created by the F Response FEMC Console following a successful Configuration C Program Files F Response F Response Enterprise f response ent exe ini sudo f response ce e lin c fresponse ini Revision 5 0 3 Page 120 5 29 2014 All Versions lai F Response Users Manual 9 0 3 Appendix C Overview of the F Response Consultant User Interface This appendix provides an explanation of the fields presented by the F Response Consultant User Interface which is presented upon execution of the F Response Consultant Edition User Interface Target code on the computer to be analyzed EF F Response Remote Forensics Consultant Edition Lo I mE File Host Information Status Physical Memory Hostname win bst9v rgoen Onie C Disabled Host IP Address 192 168 1 218 Enabled All IP Addresses w Flexdisk Flexdisk w TCP Port 3261 Remote Configuration TCP Port 32760 TCP Port must be between 1 and 65 554 ee ien Username must be 1 or more characters Password askazia Password mustbe 12 or more characters Validated and Licensed Stop start Version 400 01 F Response Consultant Edition User Interface An explanation of the fields presented by the F Response Consultant Edition Target code is as follows e Host Information o Hostname This is the Machine Name or Host Name of the local machine upon which the F Response Target code has been r
13. 5 0 3 Configure Amazon 53 Credentials Amazon Simple Storage Service 53 Credentials AWS Access Key fo Add AWS Secret Key Po Remove Configure S3 Credentials Use the Test Connection button to test the credentials against Amazon S3 If the credentials are valid you can then use the Add button to Add the credentials to your stack of available credentials Lastly press Save to store the credentials on the examiner machine in an encrypted repository It is important to note that all Cloud Storage credentials are saved unlike the F Response Enterprise Management Console deployment credentials Revision 5 0 3 Page 21 5 29 2014 All Versions E PResponse Users Manual 5 0 3 Rackspace Cloud Files Credentials Rackspace Cloud Files Credentials are found on the Rackspace Management Console see manage rackspacecloud com The specific credentials required are available under the Your Account menu item under API Access see below rackspace Home Welcome GI Hosting ee welcome mih Your Account e Account Ai Reports a Amounts shown her Billing Username amp Contacts API Access Cloud Servers Rackspace Cloud Management Console Main Page Locate the API Access section and record copy paste the Username then press Show Key to open a secondary window containing the API Key e Enable API Access Username testuserl API Key ween eee eee eee Th
14. Manage Access Keys Regenerating keys will affect any Virtual Machines Media Services or applications using this storage account Learn more PRIMARY ACCESS KEY odhthvd fustanskjdigs90s9vbkjmr09uis409t gldfjgonidsb0ss24 Manage Keys gt Manage Access Keys Primary Access Key Revision 5 0 3 Page 34 5 29 2014 All Versions E r Response Users Manual 5 0 3 Microsoft Windows Azure provides both a Primary and Secondary Access key You can use either of these keys along with the Storage account name to authenticate to the Windows Azure Blob Storage Service The Password field requires the password used to login to the HP Public Cloud Web Console The Description field is optional and can be used to provide a secondary human readable identifier for the credential set Ex Client X Credentials Configure Microsoft Windows Azure Credentials X Microsoft Windows Azure Storage Service Credentials Description fi Test Credential Account Name OO add Primary Access Key Ten fresponse fresponse Configure Windows Azure Blob Storage Credentials Use the Test Connection button to test the credentials against Windows Azure Blob Storage If the credentials are valid you can then use the Add button to Add the credentials to your stack of available credentials lastly press Save to store the credentials on the examiner machine in an encrypted repository It is important to note that all Cloud S
15. The volume will be disconnected and the assigned drive letter will now be removed ue F Response Email Connector Google Mail GMail Inactive F d o HWD55519993 Expires 2 15 2015 4 0 6 Z Logged out of the Email Volume Revision 5 0 3 Page 49 5 29 2014 All Versions E F Response Users Manual 5 0 3 Microsoft Office 365 Native Exchange Web Services In addition to IMAP support the F Response Email Connector also includes support for Office 365 using native exchange web services This support is only available for F Response Consultant edition and above customers In order to access Office 365 data you will need the email address password and the specific exchange server hosting the Office 365 account This can be determined using the Office 365 web interface Refer to the URL bar when accessing Office365 email to determine the appropriate server for the requested account S https pod51034 outlook com owa exsvurl 1 amp ll cc 1033 amp modurl 08realm FResponse365 onmicrosoft c r Office 365 new mail search mail and people pD all unread tome flagged i INBOX CONVERSATIONS BY DATE a Favorites TUESDAY a Inbox 153 Sean J Lynch x The Geek Stuff How Email Works Em Tue 2 10p Sent Items From noreply feedproxy google com mailto nore The above example indicates the server hosting that Office365 account is pod51034 outlook com Revision 5 0 3 Page 50 5 29 2014 All Versi
16. account holder F Response Cloud Connector is requesting permission to t View the files and documents in your Google Drive F Ferform these operations when l m not using the application Res pela Cloud Connector Allow access No thanks Leam more User must approve access to the F Response Cloud Connector Revision 5 0 3 Page 28 5 29 2014 All Versions lai F Response Users Manual 5 0 3 Regardless of the option selected the account holder must approve access to their Google Drive account upon approval the web browser will be redirect to a page at F Response com with the Authorization Code F Response OAuth v2 Helper Authorization Code ANAUbIHSUQbOT_qcnev9dk3Dtigp OhsjG Please copy the Authorization code above and input it into the Connector dialog where indicated lf you are not the end user please copy the code and email them to the F Response product end user F Response com OAuth Helper Page The Authorization Code as displayed on that page must be inputted into the Google Drive Credentials dialog in the Authorization Code box After this is complete press Validate Access Validate Access will confirm the account holder s account details and present that information in the Name box If this is the correct username and account press Add to add the credential to the encrypted credential store and Save to save the newly added credential It is important to note that all Cloud Stora
17. Password: Provides the options for entering User or Root passwords along with the option for using an SSH Key file (Putty or OpenSSH). Enterprise Edition: Scanning. The FEMC presents three different scanning menu options for detecting and enumerating potential F-Response Enterprise target computers. Scan Network by Domain (Locates Windows Machines Only): [Screenshot: Scan Network by Domain Dialog.] Scan network by domain presents a dialog showing the detected Windows Network Domains and/or Workgroups. Select either an individual domain/workgroup or the Entire Network. Scan Network by IP Range (Locates Windows and Unix Machines): [Screenshot: Scan Network by IP Range Dialog.] Scan network by IP Range presents a dialog that accepts a start and end IP address (inclusive) for an IP Range to be scanned. Direct Connect (Locates Windows and Unix Machines): [Screenshot: Direct Connect Dialog.] Direct Connect presents a dialog that accepts a computer Network name or IP
18. 84 5 29 2014 All Versions F F Response Users Manual 5 0 3 Discover F Response Disks Issue Discovery Request Connected localDisk o Login to F Response Disk ol c Inactive Inactive Logout of F Response Disk Inactive Inactive Remove F Response Disk Inactive Inactive Open F Response Flexdisk HWID 155519116 Expires 12 17 2011 Select one or more targets and select Connect gt Login to F Response Disk to authenticate to and access the remote device j Bie Connect Help Connect Messages Active Clients Local Disk EF iqn 2008 02 com f response win bst9v6rgoen vol c Inactive Inactive EF iqn 2008 02 com f response win bst9vorgoen pmem Inactive Inactive A iqn 2008 02 com F response win bst9v6rgoen disk 0 Connected PhysicalDrivel a HWID 155519116 Expires 12 17 2011 S Following a successful login the Target icon will indicate connected and the Local disk column will show the locally connected disk that maps to the remote device Revision 5 0 3 Page 85 5 29 2014 All Versions lai Bena erasers Users Manual 5 0 3 Discover F Response Disks Issue Discovery Request s Connected Local Disk Login to F Response Disk Inactive Inactive Logout of F Response Disk Inactive Inactive PENO ee mee UNR Jisk Connected PhysicalDrivel Open F Response Flexdisk HWID 155519116 Expires 12 17 2011 A To logoff of the F Response Target se
19. Active Clients: Poll Continuously: Enables or Disables the continuous polling of the F-Response License Manager. If this menu option is unchecked, the Active Clients panel will not accurately reflect Active Clients unless the Refresh menu option is used. Refresh: Refreshes the Active Clients panel, only available if Poll Continuously is unchecked. Help: About: Presents a splash screen indicating the version information of the F-Response Enterprise Management Console (FEMC). Tab Controls: Deployment: Displays a listing of the computer(s) capable of administration as well as their Domain/Workgroup and current status. Connect: Displays a listing of the F-Response Target(s) after a successful Discovery Request. Messages: Displays informational Messages during operation, if errors occur they will be noted here. Active Clients: Queries the F-Response License Manager Service to obtain active clients for the F-Response LM dongle. This list includes IP Address, Network Name, and Platform. Enterprise Edition: Configuring the FEMC Deployment Options. Prior to beginning any operations with F-Response Enterprise Management Console you must complete the Deployment Options Configure dialog. All information inputted will be saved and restored on fut
20. Address and attempts to connect to the computer to perform any of the following actions: Install, Uninstall, Start, Stop, and Issue Discovery Request. Custom Scan (Locates Windows and Unix Machines): [Screenshot: Custom Scan Dialog. Input a comma separated list of IP addresses and/or machine names to be scanned, ex: MACHINE 1, MACHINE2, 192.168.1.2.] Custom Scan presents a dialog that accepts a comma delineated listing of either computer names or IP addresses (or both) to scan to detect F-Response Enterprise installations and/or potential targets. In addition, the Custom Scan dialog will present the last executed scan input on opening. Enterprise Edition: Deploying and Managing F-Response using the FEMC (All Supported Platforms). Following a successful scanning/enumeration process, the F-Response Enterprise Management Console can then be used to install, start, stop, and uninstall F-Response Enterprise from accessible computers on the network. The following is a step by step progression for using the FEMC to install, start, connect to, disconnect from, stop, and uninstall F-Response Enterprise on remote computers. [Screenshot: F-Response Enterprise Management Console.]
21. CRAC 7 Checksum Data digest Header digest CHAP logon information CHAP helps ensure data security by providing authentication between a target and an initiator tring to establish a connection To use it specity the same target CHAP secret that was configured on the target For this initiator Target secret MTritiiiitiiit E Perform mutual authentication To use mutual CHAP specify an initiator secret on the Initiator Settings page and configure that secret on the target Under Advanced Settings check the CHAP logon information check box and input the Username and Password defined on the F Response Field Kit user interface Select Ok to complete iSCSI Initiator Properties E X General Discovery Targets Persistent Targets Bound Volumes Devices Select a target and click Log On to access the storage devices for that target Click details to see information about the sessions connections and devices for that target Targets ign 2008 02 com response charbadis 0 Connected ign 2008 02 com response charmbdis 1 Inactive Details L Refresh OF Cancel Apply Provided the Username and Password information was entered correctly and any necessary firewall modifications have been performed you should see Status Connected At this point the Revision 5 0 3 Page 95 5 29 2014 All Versions E F Response Users Manual 5 0 3 remote Physical Disk is considered a local Ph
22. Damages TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW IN NO EVENT SHALL AGILE OR ITS SUPPLIERS BE LIABLE FOR ANY SPECIAL INCIDENTAL PUNITIVE INDIRECT OR CONSEQUENTIAL DAMAGES WHATSOEVER INCLUDING BUT NOT LIMITED TO DAMAGES FOR LOSS OF PROFITS OR CONFIDENTIAL OR OTHER INFORMATION FOR BUSINESS INTERRUPTION FOR PERSONAL INJURY FOR LOSS OF PRIVACY FOR FAILURE TO MEET ANY DUTY INCLUDING OF GOOD FAITH OR OF REASONABLE CARE FOR NEGLIGENCE AND FOR ANY OTHER PECUNIARY OR OTHER LOSS WHATSOEVER ARISING OUT OF OR IN ANY WAY RELATED TO THE USE OF OR INABILITY TO USE THE SOFTWARE THE PROVISION OF OR FAILURE TO PROVIDE SUPPORT OR OTHER SERVICES INFORMATION SOFTWARE AND RELATED CONTENT THROUGH THE SOFTWARE OR OTHERWISE ARISING OUT OF THE USE OF THE SOFTWARE OR OTHERWISE UNDER OR IN CONNECTION WITH ANY PROVISION OF THIS AGREEMENT EVEN IN THE EVENT OF THE FAULT TORT INCLUDING NEGLIGENCE MISREPRESENTATION STRICT LIABILITY BREACH OF CONTRACT OR BREACH OF WARRANTY OF AGILE OR ANY SUPPLIER AND EVEN IF AGILE OR ANY SUPPLIER HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES IN NO EVENT WILL EITHER PARTY BE LIABLE TO THE OTHER PARTY OR TO ANY THIRD PARTY FOR ANY INDIRECT INCIDENTAL SPECIAL OR CONSEQUENTIAL DAMAGES INCLUDING WITHOUT LIMITATION LIABILITIES RELATED TO A LOSS OF USE PROFITS GOODWILL OR SAVINGS OR A LOSS OR DAMAGE TO ANY SYSTEMS RECORDS OR DATA WHETHER SUCH LIABILITY ARISES FROM ANY CLAIM BASED UPON CONTRACT WARRANTY TORT IN
23. Enterprise service is controlled via the Microsoft Management Console for Services. By default the service is installed in the Manual position such that it may be started during an investigation and stopped when no longer needed. Once installed and configured, the service need only be started each time it is to be used. The default service name, F-Response Enterprise Service, can be replaced with a user defined service name during installation with the a option. Appendix B: Overview of the F-Response Enterprise Edition Unix Command Line Interface. F-Response Consultant Enterprise <PLATFORM> Version 3.09.06. Usage: -h This help page; -a <path to devices> Path to additional devices, comma separated (ex: /dev/md0,/dev/md1); -S <F-ResponseLM IP> IP Address of F-Response LM Server; -P <F-ResponseLM Port> TCP Port of F-Response LM Server, optional (defaults to 5681); -u <username> F-Response username, must be 8 characters; -p <password> F-Response password, must be 14 characters; -i <iSCSI Port> iSCSI Port, optional (defaults to 3260); -c <path to fresponse.ini> Optional autoconfigure path, if used no other commandline options are required. F-Response Consultant Enterprise Edition can either be run directly from the commandline using the various arguments indicated above, or it can be run
24. Management Console cf eS File Scan Deployment Connect Active Clients Help Deployment Machine Name Domain Workgroup Status 192 168 1 210 Custom Scan F Response Not Installed Custom Scan Complete 1 Detected HWID 155519116 Expires 12 17 2011 Icon badges indicate F Response has been successfully stopped on the target computers Revision 5 0 3 Page 67 5 29 2014 All Versions F Beene or Arsena Users Manual 5 0 3 i oI Custom Scan Install Start F Response Stop Remove F Response Install F Response Uninstall F Response Start F Response Stop F Response Issue Discovery Request Refresh Status Open F Response Flexdisk Connected Local Disk Custom Scan Complete 1 Detected HWID 155519116 Expires 12 17 2011 When complete select individual targets or multiple targets and select Uninstall F Response to uninstall the remote F Response Enterprise service gement Co Active Clients Help Connect Active Cients F Response Target Connected Local Disk Custom Scan Complete 1 Detected HWID 155519116 Expires 12 17 2011 Icons indicate F Response has been successfully uninstalled on the target computers Revision 5 0 3 Page 68 5 29 2014 All Versions lai F Response Users Manual 9 0 3 Enterprise Edition Using F Response Enterprise Edition for Windows Deployment without the FEMC e Stepi o To use the F Response Enterprise Edition insert a valid F Response FOB key in
25. below for further details. Solaris, OpenSolaris, SunOS: "Sun Solaris, F-Response Not Installed". Icon indicates a Sun Solaris computer; if no badge is present, the Solaris computer is available and does not have F-Response installed. If a badge is present, check the badge legend below for further details. Windows: "Windows, F-Response Not Installed". Icon indicates a Windows computer; if no badge is present, the Windows computer is available and does not have F-Response installed. If a badge is present, check the badge legend below for further details. GreyScale Icon(s), All Platforms: "Machine not accessible". A grayscale icon indicates the target computer is not accessible with the credentials provided. Badges appear over icons. Badge "F-Response Started": This badge indicates F-Response has been started on the target computer. Badge "F-Response Stopped": This badge indicates F-Response has been stopped on the target computer. Appendix I: Master Software License Agreement. AGILE RISK MANAGEMENT LLC MASTER SOFTWARE LICENSE AGREEMENT TERMS AND CONDITIONS. 1. Scope of Agreement; Definitions. This Agreement covers the license and permitted use of the Agile Risk Management LLC ("Agile") F-Response Software. Unless otherwise defined in this section, the capitalized terms used in this Agreement shall be defined in the context in which the
26. After successful logout, the F-Response Target icon will change and the status indicator becomes Inactive. When complete, select individual targets or multiple targets and select Stop F-Response to stop the remote F-Response Enterprise service.
27. met: Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. The name of Intel Corporation may not be used to endorse or promote products derived from this software without specific prior written permission. THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL INTEL OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. Copyright 2006 Alistair Crooks. All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: 1. Redistributions of source code must retain t
28. the name of the F-Response Enterprise executable file to anything you like prior to installation (e.g. you may rename f-response-ent.exe to xyz_tester.exe). You may also place the F-Response Enterprise executable file anywhere you like prior to installation (e.g. WINDOWS\system32). a <user-defined service name>, r <user-defined service name>: These options are mutually exclusive. They either install (a) or uninstall (r) the service on the local computer with a user-defined service name. Note: You can change the name of the F-Response Enterprise executable file to anything you like prior to installation (e.g. you may rename f-response-ent.exe to xyz_tester.exe). You may also place the F-Response Enterprise executable file anywhere you like prior to installation (e.g. WINDOWS\system32). Configuring F-Response Enterprise. s Server IP o Server Port: Since the Enterprise Edition of F-Response allows the F-Response FOB to be physically remote from the computer to be analyzed, the Enterprise Edition software must be configured with parameters identifying the network address (Server IP) and port number (Server Port) of the computer to which the F-Response FOB is connected and which is running the NetUniKey Server (often the IP Address of an Enterprise Investigations Server). Completing a successful configur
29. Getting started with F-Response Enterprise Edition. If you possess a license for F-Response Enterprise Edition, then you may use your F-Response FOB with any of the F-Response Target code offerings, including the Enterprise Edition (EE) Target Code, Consultant Covert Edition (CE C) Target Code, Consultant Edition (CE) Target code, or the Field Kit (FK) Target code, at your discretion. Please refer to the respective User Manual sections for instructions on using F-Response in the desired mode. The Enterprise Edition Installation package installs the following software: F-Response License Manager and License Manager Monitor; F-Response Enterprise Management Console (FEMC); F-Response Cloud Connector (FCLDC); F-Response Accelerator (FAR); F-Response Enterprise COM Object (FEMCCTRL); F-Response Enterprise Target Code (All Supported Platforms); F-Response Consultant Target Code (All Supported Platforms); F-Response Dongle Updater. The default installation is to Program Files > F-Response. Do not install this installation package on the machine to be analyzed. Consultant Covert Edition. If you possess a license for F-Response Consultant Covert Edition, then you may use your F-Response FOB with any of the F-Response Target code offerings, including the Enterprise Edition
30. Logged out of the Database Volume. F-Response Email Connector. Using the F-Response Email Connector (TAC, CE, CE C and EE). F-Response TACTICAL, Consultant, Enterprise, and Consultant Covert edition includes a copy of the F-Response Email Connector (FEMLC). The FEMLC allows an examiner to mount remote IMAP-based mail storage as local read-only logical volumes or network shares. It also allows an examiner to mount remote Office365 Exchange Web Services account data, including emails, calendars, and contacts. The end result of the mapping will be a local read-only volume containing the IMAP folders and individual email messages as eml files, calendar entries, and contacts. The FEMLC does not require executables or agents be deployed to the remote servers. The FEMLC does require a locally attached F-Response licensed dongle (TACTICAL, Consultant, or Consultant Covert) or a remote Enterprise F-Response dongle connected via the F-Response License Manager at all times.
31. disclosed orally and is identified as "Confidential" at the time of disclosure, or (c) the specific terms and conditions of this Agreement. 6.2 Exclusions. Confidential Information shall not include information which: (i) is or becomes generally known to the public through no fault or breach of this Agreement by the receiving Party; (ii) the receiving Party can demonstrate by written evidence was rightfully in the receiving Party's possession at the time of disclosure, without an obligation of confidentiality; (iii) is independently developed by the receiving Party without use of or access to the disclosing Party's Confidential Information or otherwise in breach of this Agreement; (iv) the receiving Party rightfully obtains from a third party not under a duty of confidentiality and without restriction on use or disclosure; or (v) is required to be disclosed pursuant to, or by, any applicable laws, rules, regulatory authority, court order or other legal process to do so, provided that the Receiving Party shall, promptly upon learning that such disclosure is required, give written notice of such disclosure to the Disclosing Party. 6.3 Obligations. Each Party shall maintain in confidence all Confidential Information of the disclosing Party that is delivered to the receiving Party and will not use such Confidential Information except as expressly permitted herein. Each Party will take a
32. The Active Clients Tab in the F-Response Consultant Connector shows clients actively connected to the F-Response License Manager. Prior to issuing a Discovery Request or Connecting to an F-Response Target, you must first input your username and password information into either the File > Quick Configure or Create Autoconfigure dialog; these are the same username and password values entered on the Consultant remote target GUI. Select one or more Active Clients and select Connect > Issue Discovery Request to perform a discovery request against the remote target. Following a successful Discovery Request, the Connect Tab will contain a listing of valid Targets (Physical Disks, Logical Volumes, and/or Physical Memory). More on Target naming in Appendix G.
33. Once connected, the Target icon will change to indicate the disk is now attached to your computer; in addition, the local mapping information will be provided. In the above instance the Windows disk 0 has been mapped to PhysicalDisk1. To logoff, select one or more connected F-Response Targets and select the Connect Menu, Logout of F-Response Disk option.
34. Adjustments to the throttling detection heuristics. Option to attach individual folders or the entire account. Updates to the F-Response Database Object Connector, including: updates to the SQL Server scanning dialog to improve handling of more complex connection strings; additional error reporting for database error responses. Updates to the Linux 32 and 64bit F-Response executable to improve device detection. F-Response 5.0.1 contains the following new features and enhancements. Changes affecting Enterprise, Consultant Covert, Consultant Edition and TACTICAL: Update to the F-Response Cloud Connector, including Dropbox: updates to correct Modified Metadata (prior release month values were off by one, i.e. February would be identified as January, etc.). Updates to the F-Response Enterprise Management Console to detect remote machines with non-standard root Windows System path. Updates to the F-Response HP_UX 11i executable to include detection of logical volumes. Updates to the F-Response Flexdisk Technology (Linux, Windows, and OSX): JSON output now contains additional entries for alternate data streams with NTFS; JSON output includes higher resolution time values in addition to Unix timestamp values where possible. F-Response 5.0.0 contains the following new features and enhancements. Changes affecting Enterprise Consultant Cov
35. F-Response All Versions Users Manual, Version 5.0.3. Table of Contents: Welcome to F-Response 5; [three illegible entries]; Supported Platforms; [one illegible entry]; F-Response License FOB; Getting started with F-Response; Enterprise Edition; Consultant Covert Edition; Consultant Edition; Field Kit Edition; Licensing F-Response; Using the F-Response License Manager Software (CE and EE Only); Installing and starting the F-Response License Manager; F-Response Cloud Connector; Using the F-Response Cloud Connector (TAC, CE, CE C and EE); Configuring Cloud Connector Options
36. CLUDING NEGLIGENCE, PRODUCT LIABILITY OR OTHERWISE, EVEN IF ADVISED IN ADVANCE OR AWARE OF THE POSSIBILITY OF ANY SUCH LOSS OR DAMAGE. 9. Verification. Agile has the right to request Customer complete a self-audit questionnaire in a form provided by Agile. If an audit reveals unlicensed use of the Agile Software, Customer agrees to promptly order and pay for licenses to permit all past and ongoing usage. 10. Support Services. 10.1 Rights and Obligations. This Agreement does not obligate Agile to provide any support services or to support any software provided as part of those services. If Agile does provide support services to you, use of any such support services is governed by the Agile policies and programs described in the user manual, in online documentation, on Agile's Support webpage, or in other Agile-provided materials. Any software Agile may provide you as part of support services are governed by this Agreement, unless separate terms are provided. 10.2 Consent to Use of Data. You agree that Agile and its affiliates may collect and use technical information gathered as part of the support services provided to you, if any, related to the Software. Agile may use this information solely to improve our products or to provide customized services or technologies to you and will not disclose this information in a form that personally identifies you. 11 M
37. Clients tab will also show more information about the remote F-Response Enterprise targets currently connected to your license dongle, including platform, hostname, and IP Address. Issue Discovery Request will obtain a complete listing of the available targets from the remote F-Response Enterprise computers. The Connect Tab displays a listing o
38. Consultant Connector (FCC); F-Response Accelerator (FAR); F-Response Consultant COM Object (FCCCTRL); F-Response Consultant Target Code (All Supported Platforms); F-Response Dongle Updater. The default installation is to Program Files > F-Response. Do not install this installation package on the machine to be analyzed. Only the F-Response Consultant Edition Target Code is executed on the machine to be analyzed, and this executable is placed in Program Files > F-Response > F-Response Consultant Edition upon completion of the package installation. Field Kit Edition. F-Response Field Kit Edition Target code is a stand-alone executable (exe). The Field Kit Edition Installation package installs this software: F-Response Field Kit Edition Target code, a copy of F-Response Field Kit Edition Target Code which can be copied to any number of computers to be analyzed. The Field Kit Edition Installation package installs the following software: F-Response Field Kit Target Code (All Supported Platforms); F-Response Dongle Updater. The default installation is to Program Files > F-Response. Do not install this installation package on the machine to be analyzed. Only the F-Response Field Kit Edition Target Code is executed on the machine to be analyzed, and this executable is placed in Program Files > F-Response > F-Response Fiel
39. F-Response Flexdisk. [Screenshot: F-Response Flexdisk Web Viewer] What is a F-Response Flexdisk? The F-Response Flexdisk (Patented) is a web-based disk access and representation tool. The Flexdisk uses standard web technologies (HTTPS, REST) to provide direct access to the remote target machine's Logical and Physical targets in both raw and logical format. The Flexdisk can be accessed and used from any modern web browser, and also exposes a feature-rich and extensible application programming interface (API) accessible from any system capable of making and interpreting web queries and JSON. How do I access and use a F-Response Flexdisk? Using the F-Response Flexdisk is as easy as working with a web browser. The Flexdisk web viewer interface contains multiple icons as well as a clearly defined legend to cover their usage and meaning. A sample of that legend appears below. [Legend figure: Download recursive CSV of directory contents; Allocated Directory; Allocated File; CSV of an individual file; Unallocated Directory; Unallocated File] In addition to using the provided web viewer, the F-Response Flexdisk provides a rich and capable web services API that can be used to build mobile and web-based applications that leverage F-Response Flexdisk provided content. More informa
40. [Screenshot: F-Response Email Connector] Configuring Email Connector Options. There are a number of options that can be configured when using the F-Response Email Connector; these options include: [Screenshot: F-Response Email Connector Configure Options] Cache Location: All Email content is cached locally; use this option to specify a location to store cache files. IMAP Options: Present Google Mail All Mail Folder: Enabling this option will show the Google All Mail Folder and make its contents accessible. Consider zero byte messages throttling: Enabling this option will force the FEMLC to verify that a zero byte message is a valid zero byte length message and not a result of provider throttling. Disable this option to improve speed; however, note that zero byte messages will be accepted as valid. Max data downloaded in a 24hr period in gigabytes (ex. 2): Many providers restrict the total amount of data that can be downloaded in a 24hr period. For instance, Google limits the total to 2.5 Gig/24hrs. By setting a limit her
41. OTHER WARRANTIES AND CONDITIONS, WHETHER EXPRESS, IMPLIED OR STATUTORY, INCLUDING, BUT NOT LIMITED TO, ANY (IF ANY) IMPLIED WARRANTIES, DUTIES OR CONDITIONS OF MERCHANTABILITY, OF FITNESS FOR A PARTICULAR PURPOSE, OF RELIABILITY OR AVAILABILITY, OF ACCURACY OR COMPLETENESS OF RESPONSES, OF RESULTS, OF WORKMANLIKE EFFORT, OF LACK OF VIRUSES, AND OF LACK OF NEGLIGENCE, ALL WITH REGARD TO THE SOFTWARE, AND THE PROVISION OF OR FAILURE TO PROVIDE SUPPORT OR OTHER SERVICES, INFORMATION, SOFTWARE, AND RELATED CONTENT THROUGH THE SOFTWARE OR OTHERWISE ARISING OUT OF THE USE OF THE SOFTWARE. ALSO, THERE IS NO WARRANTY OR CONDITION OF TITLE, QUIET ENJOYMENT, QUIET POSSESSION, CORRESPONDENCE TO DESCRIPTION OR NON-INFRINGEMENT WITH REGARD TO THE SOFTWARE. 8. Limitations and Exclusions. 8.1 Limitation of Liability and Remedies. NOTWITHSTANDING ANY DAMAGES THAT YOU MIGHT INCUR FOR ANY REASON WHATSOEVER (INCLUDING, WITHOUT LIMITATION, ALL DAMAGES REFERENCED ABOVE AND ALL DIRECT OR GENERAL DAMAGES IN CONTRACT OR ANY OTHER THEORY IN LAW OR IN EQUITY), THE ENTIRE LIABILITY OF AGILE AND ANY OF ITS SUPPLIERS UNDER ANY PROVISION OF THIS AGREEMENT AND YOUR EXCLUSIVE REMEDY HEREUNDER SHALL BE LIMITED TO THE TOTAL AMOUNT PAID BY CUSTOMER FOR THE LICENSE. THE FOREGOING LIMITATIONS, EXCLUSIONS AND DISCLAIMERS SHALL APPLY TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, EVEN IF ANY REMEDY FAILS ITS ESSENTIAL PURPOSE. 8.2 Exclusion of Incidental, Consequential and Certain Other
42. Reset All buttons. For additional information see the F-Response Unix Platform options Appendix. Pre Start: This is a shell command that will be run prior to starting F-Response on the remote target. Post Stop: This is a shell command that will be run directly after stopping F-Response on the remote target. Additional Targets: This option will allow you to specify additional targets that may not be detected automatically. Export: This button will open a file save dialog box to export the configuration information. This is useful when you need to deploy F-Response Enterprise via alternate means. For more information on this process see "Enterprise Edition: Using F-Response Enterprise Edition for Windows Deployment without the FEMC". Export MSI: This button will open a file save dialog box to export a MSI installer pre-configured with the appropriate configuration and settings. This MSI installer can be used with any deployment application that supports MSI-based installations, including Windows Active Directory Group Policy. Enterprise Edition: Configuring the FEMC Credentials. After completing the Deployment Options Config dialog, the next step is to configure the F-Response target(s) login credentials via the Credentials Configure dialog. All information inputted will not be saved or pre-populated for future usages. For obviou
43. ally populates Validation Port and IP in Configure Options. F-Response Enterprise now provides target support for the following new platforms: Android ARM; NetGear NAS SPARC. Changes affecting Consultant Edition: Added auto IP detection to the F-Response Consultant Connector (FCC) to enable automatic configuration of the F-Response License Manager (LM) IP Address. F-Response License Manager Monitor (LMM) now opens the dialog automatically on first load. F-Response License Manager now automatically populates Validation Port and IP in Configure Options. F-Response Consultant now provides target support for the following new platforms: Android ARM; NetGear NAS SPARC. F-Response 3.09.08 / 3.09.08.1 contains the following new features and enhancements. Changes affecting All Versions: F-Response (All Windows Versions) now provides support for accessing physical disks > 2TB (theoretical limit of 8 Zettabytes). Corrected an issue with the 32bit Physical Memory access driver that caused stability issues in certain situations. Changes affecting Enterprise Edition (3.09.08.1): The F-Response Enterprise Scripting Object (FEMCCTRL) 3.09.08.1 has been updated to include improved error handling and revised methods. Contains updated FEMCCTRL COM Object corrected to handle Credential creation issue and modified Configure File path. Sample scri
44. as the ability to completely hide the dialog window on the remote machine with a simple key sequence (ALT CTRL F12). This sequence will hide the GUI and restore the GUI. Changes affecting F-Response Enterprise Edition (Windows): Issue in password generation for command line usage of F-Response Enterprise corrected. F-Response Enterprise Management Console now provides a Clear Messages option that removes all text from the Messages Panel. The F-Response Enterprise installation package now includes a partial implementation of the F-Response Enterprise Management Console in a language-neutral, fully scriptable COM object. This object will allow a technical user of F-Response Enterprise to script actions typically initiated manually in the FEMC. For a sample script see the C:\Program Files\F-Response folder. F-Response 3.09.03. New Features (All versions): Username and Password length are now more flexible. Username must be 1 ANSI characters; Password must be 12-16 ANSI characters, in keeping in line with specifications. New Features (Consultant and Enterprise Edition): Minor updates to both management consoles reflecting the changed password length criteria. Also additional error/informational messages in the Messages panel when issuing a Discovery Request, Login, or Logoff. Management Consoles will automatically enable iSCSI services on Vis
45. ate The following appears, albeit with the fields empty, if a valid license key is found. [Screenshot: F-Response Remote Forensics Consultant Edition] F-Response User Interface configured for use. See Appendix B for field information detail. Step 3: Select an IP Address from the Host IP Address drop-down arrow to bind the F-Response Target code to a local IP address currently in use by the computer. In this case we have chosen 192.168.1.218. Alternatively, you can select All IP Addresses to bind to all available IP addresses. Step 4: Select the TCP Port. In this instance we chose to keep the default, 3260. OPTIONAL: Select the Flexdisk Port. In this instance we chose to keep the default, 3261. Step 5: Enter in a username and password value. These values will be used later to authenticate the network connection to this computer. Step 6: Press the Start
46. ation creates a NetUniKey.ini file. For successful execution of F-Response Enterprise, both the F-Response Enterprise executable (f-response-ent.exe by default) and the NetUniKey.ini file must be located in the same folder on the target computer. u username, p password, i iSCSI Port, f Flexdisk Port: These options set the username, password and iSCSI port that will be used for remote connectivity by the iSCSI initiator. If the Flexdisk port is not specified, it will not be enabled. [Screenshot: F-Response Enterprise Edition Service Management Console interface, showing the F-Response Enterprise Service with Startup Type Manual and Log On As Local System] The F Response
47. axes based on Agile's income. Customer agrees to pay or to promptly reimburse Agile for all such amounts. Unless otherwise indicated in an invoice, all Agile invoices are payable thirty (30) days from the date of the invoice. Agile reserves the right to charge, and Customer agrees to pay Agile, for every unauthorized copy or unauthorized year an amount equal to the cost per copy, per year, per computer, or per user, whichever is greater, as a late payment fee in the event Customer fails to remit payments when due or Customer otherwise violates the payment provisions of this Agreement. In addition to any other rights set forth in this Agreement, Agile may suspend performance or withhold fulfilling new Customer orders in the event Customer has failed to timely remit payment for outstanding and past due invoices. 6. Confidentiality. 6.1 Definition. "Confidential Information" means: (a) any non-public technical or business information of a party, including without limitation any information relating to a party's techniques, algorithms, software, know-how, current and future products and services, research, engineering, vulnerabilities, designs, financial information, procurement requirements, manufacturing, customer lists, business forecasts, marketing plans and information; (b) any other information of a party that is disclosed in writing and is conspicuously designated as "Confidential" at the time of disclosure or that is
48. ble TCP port if desired. Username: The iSCSI protocol requires a username for the remote (Initiator) computer connection. The username selected must be one or more characters in length. This username will be used on the remote (Initiator) computer to access the local (or Target) machine's hard drives. Password: The iSCSI protocol requires a password for the remote (Initiator) computer connection. The password selected must be exactly 12 or more characters in length. This password will be used on the remote (Initiator) computer to access the local (or Target) machine's hard drives. Version: This is the version of F-Response Field Kit Edition target code that you are using, in this case Version 4.00.01. License Key (HW ID): This is the Hardware ID of your F-Response FOB. This ID number is required when upgrading or renewing your F-Response software license. License Expires: This is the expiration date of the license encoded to your F-Response FOB. This number will appear in red when your F-Response software license is due to expire within 30 days. Appendix E: Understanding Unix Credentials. F-Response uses Unix Credentials and the Secure Shell service (SSH/SFTP) to access remote non-Windows based machines. In order to utilize this service you l
49. cent Ubuntu releases (12.04, 12.10). F-Response FreeBSD executable now included for 64bit FreeBSD on Intel. Minor performance updates to the F-Response Enterprise Management Console and Covert Console to improve speed and platform support. F-Response Enterprise Management Console and Covert Console now better able to detect and deploy to legacy Windows computers. F-Response Enterprise COM Object for x64 Windows is now included with the standard installation on x64 examiner machines. F-Response Enterprise Management Console, Covert Console, and F-Response Accelerator now remove legacy iSCSI target portals on logout to reduce confusion. F-Response Enterprise Management Console and Covert Console now able to assign a Service Description to the F-Response Enterprise Service (optional). Direct Connect option in both management consoles has been multi-threaded, resulting in a faster and more robust user experience. F-Response Cloud Connector (Enterprise version only) no longer requires local dongle support (license manager operation similar to Accelerator). Changes affecting Consultant Edition: F-Response Consultant Connector now removes legacy iSCSI target portals on logout to reduce confusion. F-Response Consultant COM object for x64 Windows now included in the standard installation on x64 examiner machines. F-Response FreeBSD executable now included for 64bit FreeBSD on Intel. Changes affecting all versions of F Respon
50. complete the connection(s) and access the local machine's physical drives from remote. Steps 7 through 10 below are applicable only if you are using the Autoconfigure feature unique to the Consultant Edition. The Autoconfigure feature unique to the F-Response Consultant Edition allows you to create a configuration file prior to running F-Response target code on any number of machines to be analyzed. This can be a valuable time-saving feature if numerous machines are to be investigated or if an assistant is going to be starting the tool on a remote machine for the benefit of the examiner. E.g., the examiner can prepare an Autoconfiguration CD-ROM. When analysis is to be conducted, the CD is simply placed in the machine to be analyzed and F-Response is run and started from the CD. No further setup is required. Step 7: Execute the F-Response CE Target code on a suitable machine in order to create the portable configuration files to be used later on the machine(s) to be analyzed. The following consultant validation box will appear. [Figure: F-Response Consultant Edition Validation User Interface] (See Appendix A for field information detail.) Select Autoconfigure. The following box will appear: Automatic Configuration Validation Paramete
51. count Targets; Connecting to Email Account Targets; Disconnecting from Email Account Targets; F-Response Enterprise Edition; Enterprise Edition: Overview of the F-Response Enterprise Management Console (FEMC); Enterprise Edition: Configuring the FEMC Deployment Options; Enterprise Edition: Configuring the FEMC Credentials; Enterprise Edition: Scanning; Enterprise Edition: Deploying and Managing F-Response using the FEMC (All Supported Platforms); Enterprise Edition: Using F-Response Enterprise Edition for Windows Deployment without the FEMC; F-Response Consultant Covert Edition; Consultant Covert Edition: Overview; F-Response Consultant Edition; Consultant Editi
52. ctor Scan menu. [Figure: Email Connector scan results] Connecting to Email Account Targets: You can connect to a storage target by selecting the target, right-clicking to open the context menu, and selecting Login to F-Response Email Volume. The FEMLC will begin processing the remote email and building a local cache. This process may be stopped at any time using the Cancel Login to F-Response Email Volume option. Cancelled processes are restarted on the next Login operation. The processing phase can take a considerable amount of time depending on the total number of messages, size of the messages, available bandwidth, and any throttling of performance done by the email provider. Once complete, the newly attached volume will be assigned a drive letter and is now accessible via Windows Explorer. [Figure: Logged in Email Account target assigned the E drive letter] Disconnecting from Email Account Targets: You can disconnect from a storage target by selecting the target, right-clicking to open the context menu, and selecting Logout of F-Response Email Volume
53. d kit Edition upon completion of the package installation. Licensing F-Response: Using the F-Response License Manager Software (CE and EE Only). In order to validate your license (F-Response FOB) from remote computers running F-Response Enterprise or Consultant Edition target code, you must have your FOB physically connected to your analysis machine and the F-Response License Manager must be started. Execute the F-Response License Manager Monitor. [Figure: Start Menu Folder Contents] The first time the F-Response License Manager Monitor (F-Response LM) software is executed, it will display a System Tray icon indicating the License Manager server is not installed. [Figure: System Tray Icon indicating the F-Response LM server is not installed] [Figure: F-Response License Manager Monitor dialog, showing License Manager Configuration (IP Address, TCP Port 5681) and License Manager Control buttons to install, set to auto start, start, stop and uninstall the F-Response LM Service]
54. der inspection using F-Response. What you did do was fool your analysis machine into believing that the file is deleted, and thus your analysis machine is no longer presenting the file to you as available. 4. Q: I have a personal firewall running on my computers. Do I need to change firewall settings to use F-Response? A: Possibly. F-Response does create temporary exceptions in the Windows Firewall during execution. Furthermore, these exceptions are removed when the application exits. However, if you are using a firewall other than the Microsoft Windows Firewall, you may need to set an exception. F-Response machines must be able to send and receive on port 3260 (this default is changeable) and, if using the Enterprise or Consultant Edition, also port 5681 (this default is changeable). We recommend disabling the firewall for the duration of the session during ad hoc usage (e.g., temporary consultant use at a third-party site) and tuning the firewall configurations to allow F-Response connectivity for planned enterprise deployment. 5. Q: I have a remote user that accidentally deleted a file. Can I use F-Response to recover deleted files? A: F-Response will enable you to use your recovery tool of choice to recover the file(s) to a location other than the target machine. You cannot restore the file directly to the target machine via F-Response because you do not hav
55. dix provides an explanation of the fields presented by the F-Response Field Kit User Interface, which is presented upon execution of the F-Response Field Kit User Interface (Target code) on the computer to be analyzed. [Figure: F-Response Field Kit Edition User Interface] An explanation of the fields presented by the F-Response Field Kit Edition (Target code) is as follows. Host Information. Hostname: This is the Machine Name or Host Name of the local machine upon which the F-Response Target code has been run. Host IP Address: This is a drop-down listing of the IP addresses configured on this local (Target) machine. If there are multiple addresses present, you should select the one most readily accessible, as this will be the address you connect to from your remote analysis machine via the Initiator. Remote Configuration. TCP Port: This is the TCP port your remote (or Initiator) computer will use to connect to the local machine. The iSCSI default is 3260; however, you may assign another availa
56. dows operating systems and freely available for download from the Microsoft web site. Supported Platforms: The F-Response stand-alone executable is capable of providing remote, forensically sound, read-only physical hard drive connectivity on the following platforms. Platforms supported by all versions of F-Response (Field Kit, Consultant, Consultant Covert & Enterprise): Windows 2000 (Professional, Server, Advanced Server); Windows XP (Home, Professional, Professional 64bit); Windows 2003; Windows Vista (32 & 64bit); Windows 2008 (32 & 64bit); Windows 7 (32bit & 64bit); Windows 8 (32bit & 64bit); Windows 2012 (64bit); Linux (Glibc 2.3.5); Apple OS X 10.3, 10.4, 10.5, 10.6, 10.7, 10.8 (Intel Only). Additional Platforms supported by F-Response Consultant, Consultant Covert, and Enterprise only: Apple OS X 10.3, 10.4, 10.5, 10.6, 10.7, 10.8 (Universal Binary); Sun Solaris 8, 9, 10 on SPARC; OpenSolaris, Oracle Solaris 11 on Intel; IBM AIX 5.1, 5.2, 5.3, 6.1, 7 on Power; HP_UX11iv2 and HP_UX11iv3 on Itanium; FreeBSD 7, 8 on Intel (i386, x64); SCO OpenServer 6 and Unixware 7 on Intel (i386); Google Android (ARM Native Code); Netgear ReadyNAS (SPARC). F-Response Flexdisk Supported Platforms (Consultant, Consultant Covert, and Enterprise): Windows 2000 (Professional, Server, Advanced Server); Windows XP (Home, Professional, Profes
57. e Options. General Options. Record Log: Will create a secondary CSV log file with the drive contents for each attached Cloud Storage device. Dropbox Options. For Modified Time Use: Dropbox provides two different times that can be used as Modified Time for a given file. By default the Cloud Connector uses the Modified time as provided by the Dropbox Servers. Alternatively, it is now possible to use the Client MTime, a non-verified time that is assigned to the files when they are modified by a Dropbox Client tool. The Client MTime is not verified by Dropbox. Configuring Cloud Credentials: Before you can connect to Cloud Storage services you must first input valid credentials. While the credentials necessary vary by cloud storage provider, all credentials must be input using one of the Configure Credentials dialog boxes. [Figure: File > Configure Credentials] Amazon S3 Cloud Storage Credentials: Amazon S3 Storage Credentials are found on the Amazon AWS Console (see aws.amazon.com). The specific credentials required are available under the Security Credentials link under My Account (see below
58. e executable and configuration file in the C:\Windows (WINNT)\System32 (SysWow64) folder, depending on Windows version. Q: What port does the F-Response EMC (management console) use to deploy and manage the F-Response Service? A: The F-Response EMC uses Microsoft File and Printer Sharing services for remote administration and deployment (TCP Port 445). Support: Didn't find what you're looking for in the manual? Many of our customers find that our growing selection of brief tutorial videos offers the information to meet their immediate needs: https://www.f-response.com/support/videos. We take pride in providing prompt attention to your support needs and will support your F-Response product for the period of your license term. F-Response support can be reached via Email (support@f-response.com) and Website Chat Support (https://www.f-response.com). Software and documentation updates will be made available for download to registered users on the F-Response web site. E-mail support is available to licensed software users. We typically respond to your queries within 1 business day of receiving your request. Linux License Manager and Accelerator: F-Response Consultant and above now includes an F-Response License Manager and Accelerator for 32 and 64 bit Linux platforms. The L
59. e this is complete, provided all inputs are valid, select the Targets Tab. [Figure: iSCSI Initiator Properties, Targets tab] The Targets tab will show a valid target for each physical device on the F-Response Field Kit Target computer. In the above instance there are two valid physical disks on the remote computer. In addition, you will note the network name of the computer (in this case "charybdis"), which is included in the target name to differentiate multiple targets. Select a target to connect to and select Log On. [Figure: Log On to Target dialog] Now select the Advanced button. [Figure: Advanced Settings dialog]
60. e write capability on that machine, but you can recover the file and make it available to the user via email, network share, etc. 6. Q: Is the F-Response iSCSI connection encrypted? A: By default, no. However, AES 256 bit Encryption is available in F-Response Enterprise edition. Alternatively, there are native methods to accomplish this if needed. E.g., using Microsoft IPSec policy manager, you can create a configuration to enforce an IPSec policy in your enterprise governing ports 3260 (or whatever port you have elected to use with F-Response). This could be used to force F-Response to be used over an IPSec tunnel and thus allow you to have the F-Response service start automatically with each boot. If F-Response is being used over the Internet and corporate policy dictates encryption over public networks, then the existing corporate VPN capability should satisfy the encryption policy. 7. Q: Does F-Response work as an agent? A: No. It does not collect or store any data on the machine under inspection. It does not report to a management server. It does not have an inherent analysis or reporting capability. 8. Q: Can I deploy F-Response to Linux or Other Operating Systems (OS's)? A: Yes, we have support for 7 Non-Windows Operating systems. See the Platforms Supported section of this document for further details. 9. Q: When I attempt to deploy F-Response using the FEMC I cannot, even though I have valid credentials. A: Your target machine is most
61. e you enforce a soft throttle to limit the chances of account lockout. By setting this value to zero you enforce no limits and allow the data to be downloaded at the maximum possible speed. More on Google Limits can be found at https://support.google.com/a/answer/1071518?hl=en. Configuring Email Credentials: Before you can connect to Email service you must first input valid credentials. The FEMLC supports Gmail, Yahoo Mail, most generic IMAP servers, and Office 365 native Exchange Web Services. Credentials can be tested before they are added using the Test Credential button. Once the credential has been validated, press the Add button to add them to the list of credentials to be used, then press Save to exit the dialog. Email credentials are not saved between executions of the FEMLC. [Figure: File > Configure Credentials] [Figure: Configure Gmail Credentials Dialog] Scanning for Email Account Targets: Use the Scan menu to enumerate Email servers and accounts. F-Response Email Connector Email Conne
62. [Figure: F-Response Database Object Connector scan results, listing Microsoft Sharepoint content databases on Microsoft SQL Server] [Figure: Databases not recognized are listed on the Messages Panel]
63. Scanning for Cloud Storage Targets; Connecting to Cloud Storage Targets; Disconnecting from Cloud Storage Targets; F-Response Database Object Connector; Using the F-Response Database Object Connector (TAC, CE, CE+C and EE); Configuring Database Server Credentials; Scanning for Database Object Targets; Connecting to Database Object Targets; Disconnecting from Database Object Targets; F-Response Email Connector; Using the F-Response Email Connector (TAC, CE, CE+C and EE); Configuring Email Connector Options; Scanning for Email Ac
64. Appendix H: Icon Legend; Appendix I: Master Software License Agreement; Appendix J: Renewing F-Response Dongle License; Updating the F-Response Dongle (FK, CE, CE+C, EE); Appendix K: Legal Notices. Welcome to F-Response: Thank you for purchasing F-Response. You have now extended the capabilities of your existing arsenal of tools to enable them to work over an IP network. F-Response accomplishes this through the use of a patented process (US 7,899,882, US 8,171,108, and patents pending), a part of which includes leveraging the Internet Small Computer Systems Interface (iSCSI) protocol standard as defined in RFC 3720 (http://www.ietf.org/rfc/rfc3720.txt)
65. ert and Consultant Edition. Update to the F-Response Cloud Connector, including improved handling of non-printable characters and support for the following newly added Cloud Storage environments: Google Drive (includes Google Drive and Google Apps for Business Drive access), Dropbox, Microsoft Skydrive. Updates to the F-Response Email Connector, including improved handling of IMAP throttling, newly added support for Office 365 using native Microsoft Exchange Web Services, a new configure options dialog for selectable options, and support for accessing Gmail Calendar exports. Updates to the Database Connector, including improved handling of potentially corrupt Sharepoint instance data. Additional error details for all Connector Suite products, as well as additional error details for non-standard iSCSI interactions. Corrections to the F-Response COM Objects to handle Active Clients logic. Updates to the F-Response COM Object Script samples. Updated version of the F-Response executable for HPUX (corrected potential incorrect drive size report). Changes affecting the Enterprise and Consultant Covert version of F-Response: Updates to the F-Response Enterprise Management Console or Covert Console to better handle Unix systems with non-standard shell interaction. The net result should be improved deployment capability for non-Windows systems. F-Response 4.0.06 contains the following new features and enhancements. Changes affecting Enter
66. [Figure: F-Response Enterprise Edition command line interface: the f-response-ent.exe help page, with options for the F-Response LM server IP address and port (default is 5681) and for physical memory access, and examples for installing, uninstalling, and configuring the service] F-Response Enterprise edition is a GUI-less Windows Service version of the F-Response Target Code. It was designed for ease of administration and distribution to remote targets. The screen capture above provides the f-response-ent.exe help page, including several examples. The following help text details the command line options for installing, uninstalling, and configuring F-Response Enterprise on each target machine. Installing & Uninstalling F-Response Enterprise. Options -c Create, -d Delete: these options are mutually exclusive. They either install (-c) or uninstall (-d) the service on the local target computer with the default service name "F-Response Enterprise Service". Note: You can change
67. erver is on 192 168 1 6 Port 5681 Revision 5 0 3 Page 81 5 29 2014 All Versions lai PResponse Users Manual 5 0 3 Make the F Response CE Target code available to the machine to be analyzed via USB network share CD etc Execute the F Response Target code on the machine as Root please see Appendix E Understanding Unix Credentials for more information At the command line on the target platform type response ce e lin S 192 168 1 6 P 5681 u lt FRESUSERNAME gt p lt FRESPASSWORD gt i 3260 Scenario 2 Using the F Response Autconfigure file fresponse ini created using F Response Consultant Connector The F Response target platform is Linux Make the F Response CE Target code and the f response ini created by the Consultant Connector available to the machine to be analyzed via USB network share CD etc Execute the F Response Target code on the machine as Root please see Appendix E Understanding Unix Credentials for more information At the command line on the target platform type response ce e lin c fresponse ini Revision 5 0 3 Page 82 5 29 2014 All Versions lai F Response Users Manual 5 0 3 Consultant Edition Using the F Response Consultant Connector a F F Response Consultant Connector I o mE File Connect Help Connect Messages Active Clients 192 168 1 218 WIN BSTSV6RGOEN Windows 7 HWID 155519116 Expires 12 1
68. esponse LM Service. TCP Port: Configures the TCP Port of the F-Response LM Service. Host Configuration. All IP Addresses: Check to enable automatic binding to all IP Addresses. Physical Memory: Check to enable Physical Memory access on the remote F-Response Target (supports Windows clients only). Flexdisk Port: TCP Port the remote F-Response Consultant executable should listen on for Flexdisk HTTPS connections. TCP Port: TCP Port the remote F-Response Consultant executable should listen on for login and discovery requests. Username: The Username the remote F-Response Consultant executable should use for login and discovery requests. Password: The Password the remote F-Response Consultant executable should use for login and discovery requests. F-Response Consultant Executable. Executable: Use the browse button to locate the F-Response Enterprise executable to install. Typically located in C:\Program Files\F-Response\F-Response Consultant Edition. Pressing OK opens the file save dialog, allowing you to select a destination for the F-Response Consultant executable, Memory Driver (if necessary), and the F-Response configuration file. [Figure: file save dialog for the Autoconfigure package]
69. f the accessible disks, logical volumes, and physical memory (if available) for each F-Response Enterprise Target. For more information on the naming convention used, see Appendix G. [Figure: FEMC Connect tab listing F-Response targets (volumes, physical memory and disk), with the Connect menu options Discover F-Response Disks, Login to F-Response Disk, Logout of F-Response Disk, and Remove F-Response Disk] Select one or more F-Response Targets from the Connect Tab and use the Connect Menu, Login to F-Response Disk, to authenticate and login to the remote device. [Figure: FEMC Connect tab]
70. [Figure: Quick Configure dialog] The Quick Configure dialog allows you to quickly configure the port, username, and password value for the F-Response connection. Host Configuration. Flexdisk Port: The TCP Port the remote F-Response Consultant edition is listening on for incoming Flexdisk HTTPS connections. TCP Port: The TCP Port the remote F-Response Consultant edition is listening on for incoming F-Response connections. Username: The Username configured on the remote F-Response Consultant edition target. Password: The Password configured on the remote F-Response Consultant edition target. Consultant Edition: Configuring the FCC Console, Create AutoConfigure. [Figure: Create AutoConfigure dialog] The Create Autoconfigure dialog allows you to create an Autoconfigure package which, when executed on the remote machine, will bring up F-Response completely pre-configured and ready to start. F-Response Configuration. Validation Configuration. IP Addr: Configures the IP Address of the F R
71. ge credentials are saved, unlike the F-Response Enterprise Management Console deployment credentials. Microsoft Skydrive Credentials: Microsoft Skydrive uses the web standard OAUTH2 for providing application access to accounts. With OAUTH2 the application user (in this case the F-Response Cloud Connector user) does not have knowledge of the Skydrive username or password. Therefore, in order to connect to Microsoft Skydrive using the Cloud Connector, the Skydrive user must expressly approve access. The following dialog and details further illustrate this process. [Figure: Configure Skydrive Credentials] The first step is to get the user to Authorize the Token. This can be accomplished in one of two ways: either open the URL directly using Open URL (in this case the examiner will need the username and password, as they will be approving access on the account holder's behalf), or use the Copy to Clipboard option to generate a URL suitable for sending to the account holder. [Figure: User must approve access to the F-Response Cloud Connector] Regardless of the option selected the acc
72. he F-Response Web site (www.F-Response.com).
2. A copy of the latest F-Response Installation Package for the version selected:
   1. F-Response Enterprise Edition
   2. F-Response Consultant Covert Edition
   3. F-Response Consultant Edition
   4. F-Response Field Kit Edition
3. Microsoft iSCSI initiator software (included by default with Windows Vista, Server 2008, and Windows 7 operating systems, and freely available for download from the Microsoft web site).
Note: The Microsoft iSCSI Software Initiator is available as a free download from http://www.microsoft.com/downloads for the following operating systems:
• Microsoft Windows 2000
• Microsoft Windows Server 2003
• Microsoft Windows XP
This version should not be installed on the following operating systems:
• Windows Vista
• Windows Server 2008
• Windows 7
The Microsoft iSCSI Software initiator is integrated into Windows Vista, Windows Server 2008, and Windows 7; therefore there is no need to install this package on those operating system versions.
More information on Openstack is available at www.openstack.org.
The Microsoft iSCSI Software initiator configuration utility on Windows Vista and Windows Server 2008 can be accessed from the control panel in classic mode or from administrative tools in Windows Server 2008. (Source: Microsoft iSCSI Software Initiator 2.x User Guide, Nov 2007.)
The diagram below s
73. he above copyright notice, this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
3. The name of the author may not be used to endorse or promote products derived from this software without specific prior written permission.
THIS SOFTWARE IS PROVIDED BY THE AUTHOR "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
11.7 General. This Agreement, including its exhibits (all of which are incorporated herein), are collectively the Parties' complete agreement regarding its subject matter, superseding any prior oral or written communications. Amendments or changes to this Agreement must be in mutually executed writings to be effective. The Parties agree that
74. hows a high level architecture for F-Response. The F-Response FOB is located at the analysis machine (Consultant, Enterprise), and the F-Response Target code may be running on any number of corporate networked computers.
[Figure: F-Response Enterprise High Level Architecture]
F-Response License FOB
In order to use the F-Response application, you must have a valid F-Response License key FOB (F-Response FOB), such as the one shown below. This key must be inserted into the USB port of the computer running the F-Response License Manager Server (the examiner's analysis machine in the case of Enterprise/Consultant Editions, or the target machine if using the Field Kit Edition). Since the F-Response FOB uses the USB Human Interface Device drivers, it should be immediately recognized by all supported versions of Microsoft Windows, as shown below.
[Screenshot: Found New Hardware, USB Human Interface Device. Operating System response to insertion of the F-Response FOB]
Once the F-Response FOB has been inserted and recognized by your analysis machine, you are ready to start the Enterprise Edition of F-Response on the remote workstation and establish an F-Response network connection such that you may begin analysis using your tool(s) of choice.
75. ically reconnected.
Changes affecting Enterprise Edition: The F-Response Enterprise Scripting Object (FEMCCTRL) has been updated to include improved error handling, additional objects, properties, and methods. Sample scripts for using the object have been provided for Visual Basic Script, Perl, Python, and C. Corrected an issue where the FEMC Unix Deployment options may be incorrectly loaded/presented. Added additional platform checking options to handle Linux and Apple OS builds returning non-typical chipset types and processor configurations.
F-Response 3.09.06 contains the following new features and enhancements:
Changes affecting Enterprise Edition: F-Response Enterprise now provides full deployment via the Enterprise Management Console (FEMC) to all supported platforms. FEMC now has both a Credentials and Options Configure panel, including platform specific configuration options and Unix based credentials. The Messages panel now indicates the presence of new messages with the notation. The Custom Scan dialog now presents the last custom scan performed. Microsoft iSCSI Initiator issues related to listing targets on 64bit Windows platforms have been resolved. The FEMC now determines the License Manager IP Address automatically if it is running, and correctly updates the configuration information without user interaction.
Changes affec
76. icense Manager and Accelerator, along with a sample init script for starting the License Manager automatically, is included in the installation folder in the directory "Linux Tools".
f-response-accel-lin: F-Response Accelerator for Linux (32bit only)
The F-Response Accelerator for Linux essentially uses the Linux iSCSI Initiator to assist with connecting to F-Response Targets.
Version 5.0.3
  This help page
  F-Response Username (configured on the target)
  F-Response Password (configured on the target)
  F-Response Port (Optional, default 3260)
  F-Response Target machine IP Address
  Login to F-Response Target based on IQN
  Logout of F-Response Target based on IQN
  0 Quiet output (easier to script)
  d no command options
Examples: To use F-Response Accelerator Linux Edition:
  f-response-accel-lin -n <username> -p <password> -s 192.168.1.1
f-response-lm-lin / lin64: F-Response License Manager for Linux (32 and 64 bit)
The F-Response License Manager for Linux provides F-Response License Manager services from the Linux platform (32 and 64 bit). It currently does NOT provide the encryption services that are available from the Windows version of the License Manager; if that is a requirement in your environment, you will have to continue to use the Windows License Manager. Use the -d option plus a "&" to run the License Manager Service. Running the command without any options will return a list of the active client
77. ield Kit user interface. Once this is complete, select the "Advanced" button.
[Screenshot: Advanced Settings dialog, General tab, with the CHAP logon information section]
Check the box for "CHAP logon information" and enter the Username and Password previously entered into the F-Response Field Kit user interface. Select "OK".
[Screenshot: iSCSI Initiator Properties, Discovery tab, Target Portals listing 192.168.1.3, port 3260]
The machine running your Target code now appears in the Target Portals listing under the Discovery tab. Onc
78. ion in the Name box. If this is the correct username and account, press "Add" to add the credential to the encrypted credential store and "Save" to save the newly added credential. It is important to note that all Cloud Storage credentials are saved, unlike the F-Response Enterprise Management Console deployment credentials.
Google Drive Credentials
Google Drive uses the web standard OAUTH2 for providing application access to accounts. With OAUTH2, the application user (in this case the F-Response Cloud Connector user) does not have knowledge of the Google Drive username or password. Therefore, in order to connect to Google Drive using the Cloud Connector, the Google Drive user must expressly approve access. The following dialog and details further illustrate this process.
[Screenshot: Configure Google Drive Credentials]
The first step is to get the account holder to Authorize the Token. This can be accomplished in one of two ways: either open the URL directly using "Open URL" (in this case the examiner will need the username and password, as they will be approving access on the account holder's behalf), or use the "Copy to Clipboard" option to generate a URL suitable for sending to the
79. irectly: (i) sell, license, sublicense, lease, redistribute or transfer any Agile Software; (ii) modify, translate, reverse engineer, decompile, disassemble, create derivative works based on, or distribute any Agile Software; (iii) rent or lease any rights in any Agile Software in any form to any entity; (iv) remove, alter or obscure any proprietary notice, labels or marks on any Agile Software. Customer is responsible for all use of the Software and for compliance with this Agreement and any applicable third party software license agreement.
3.2 Intellectual Property. Agile retains all title, patent, copyright and other intellectual proprietary rights in, and ownership of, the Agile Software regardless of the type of access or media upon which the original or any copy may be recorded or fixed. Unless otherwise expressly stated herein, this Agreement does not transfer to Customer any title or other ownership right or interest in any Agile Software. Customer does not acquire any rights, express or implied, other than those expressly granted in this Agreement.
4. Ordering & Fulfillment. Pricing is set forth on the F-Response website and is subject to change at any time. Each order shall be subject to Agile's reasonable acceptance. Delivery terms are FOB Agile's shipping point.
5. Payments. Customer agrees to pay amounts invoiced by Agile for the license granted under this Agreement. If any authority imposes a duty, tax or similar levy other than t
80. is key must be included with your control panel username in all requests
[Screenshot: Username and API Key]
The preceding credentials (Username and API Key) must be entered in the corresponding fields in the Configure Rackspace Cloud Files Credentials dialog. The Description field is optional and can be used to provide a secondary human readable identifier for the credential set (Ex. "Client X Credentials"). In addition, an Authentication URL must be selected, either US or UK; the drop down is available to the right of the Authentication URL text input. The region is specific to where the account was created, not where the examiner is located at present. The default is the US region.
[Screenshot: Configure Rackspace Cloud Files Credentials]
Use the "Test Connection" button to test the credentials against Rackspace Cloud Files. If the credentials are valid, you can then use the "Add" button to add the credentials to your stack of available credentials; lastly, press "Save" to store the credentials on the examiner machine in an encrypted repository. It is important to note that all Cloud Storage credentials are saved, unlike the F-Response Enterprise Management Console deployment credentials.
81. iscellaneous
11.1 Legal Compliance; Restricted Rights. Each Party agrees to comply with all applicable Laws. Without limiting the foregoing, Customer agrees to comply with all U.S. export Laws and applicable export Laws of its locality (if Customer is not located in the United States), and Customer agrees not to export any Software or other materials provided by Agile without first obtaining all required authorizations or licenses. In the event the Software is provided to the United States government, it is provided with only "LIMITED RIGHTS" and "RESTRICTED RIGHTS" as defined in FAR 52.227-14 if the commercial terms are deemed not to apply.
11.2 Governing Law; Severability. This Agreement (including any addendum or amendment to this Agreement which is included with the Software) are the entire agreement between you and Agile relating to the Software and the support services (if any), and they supersede all prior or contemporaneous oral or written communications, proposals and representations with respect to the Software or any other subject matter covered by this Agreement. To the extent the terms of any Agile policies or programs for support services conflict with the terms of this Agreement, the terms of this Agreement shall control. This Agreement shall be governed by the laws of the State of Florida, USA, without regard to choice of law provisions. You and Agile agree to submit to the personal and exclusive jurisdiction of the Florida state cour
82. ked for deletion issue. Updated Spanish language text as per user input.
Changes affecting Consultant Edition: F-Response Consultant Edition updated to address potential "service marked for deletion" issue. F-Response Flexdisk updated with minor API corrections based on user feedback. F-Response Consultant Edition now includes support for 64bit Linux platforms.
Changes affecting Field Kit Edition: F-Response Field Kit Edition updated to address potential "service marked for deletion" issue.
F-Response 4.0.02.1 contains the following new features and enhancements:
Changes affecting Enterprise Edition: Enterprise Encryption is now updated to properly handle logical volumes and 2TB devices.
Changes affecting Consultant Edition: Improved handling of >2TB disks for non-Windows platforms.
Changes affecting Field Kit Edition: Improved handling of >2TB disks for non-Windows platforms.
F-Response 4.0.02 contains the following new features and enhancements:
Changes affecting Enterprise Edition: F-Response Enterprise now provides the option to encrypt all read actions directed to remote targets.
  o Encryption is AES using 256 bit keys.
  o Encryption is optional and can be enabled or disabled.
  o Encryption requires Windows Vista or better on the Examiner machine, i.e. the machine running either the FEMC or the F-Response Accelerator
83. l want to familiarize yourself with Unix credentials.
User accounts and Credentials
For our purposes there are two different user accounts we can use to gain sufficient access to a target non-Windows based machine: a general user account and root. In the Unix world, root is the superuser or "Administrator". As you can imagine, using the superuser or root account can be dangerous; therefore most system administrators allow general user accounts to perform actions requiring root level permission through one of two options, su and sudo.
Assume User (su)
Using su, a general user account can assume superuser privileges for a limited period of time. The user will require the root or superuser password to gain these privileges, and once the su action is complete the user will effectively be able to perform any and all actions as root or superuser. It is sometimes easiest to think of this process much like Windows User Account Controls (Windows UAC) in Microsoft Windows Vista and 7: you are asked to use su as an extra step in an effort to make you cognizant of the powerful capabilities your account now possesses.
Superuser do (sudo)
Using sudo, a general user is allowed to execute a specific command with superuser privileges. In this instance the user need only enter their user password when prompted. Again, much like the Windows UAC process, you are asked to use sudo as an extra step in an effort t
84. lect the connected Target and select Connect > Logout of F-Response Disk.
[Screenshot: F-Response Consultant Connector, Connect tab, targets listed as Inactive]
Once logoff operation completes, the icon will indicate disconnected and the Local Disk column will indicate "Inactive".
F-Response Accelerator (Consultant, Consultant Covert, and Enterprise Only)
The F-Response Accelerator is a secondary connection utility provided to Consultant and Enterprise license holders. Essentially, the Accelerator removes the need to navigate the somewhat difficult Microsoft iSCSI Initiator to connect to F-Response targets from machines that do not currently have an F-Response license dongle inserted in them. By using the F-Response Accelerator, a customer can create connections from many F-Response Accelerator machines to many F-Response targets.
[Screenshot: F-Response Accelerator Validation dialog, F-Response License Manager IP Address and Port 5681]
Upon starting the F-Response Accelerator you will be prompted to input the IP and Port of the F-Response License Manager in order to validate your license and begin using Accelerat
85. led badge is present, the Apple computer is available and does not have F-Response Installed. If a badge is present, check the badge legend below for further details.
FreeBSD | FreeBSD - F-Response Not Installed | Icon indicates a FreeBSD Computer; if no badge is present, the FreeBSD computer is available and does not have F-Response Installed. If a badge is present, check the badge legend below for further details.
HPUX | HP Unix - F-Response Not Installed | Icon indicates a HP Unix Computer; if no badge is present, the HP Unix computer is available and does not have F-Response Installed. If a badge is present, check the badge legend below for further details.
AIX | IBM AIX - F-Response Not Installed | Icon indicates a IBM AIX Computer; if no badge is present, the AIX computer is available and does not have F-Response Installed. If a badge is present, check the badge legend below for further details.
Linux | Linux - F-Response Not Installed | Icon indicates a Linux Computer; if no badge is present, the Linux computer is available and does not have F-Response Installed. If a badge is present, check the badge legend below for further details.
SCO | SCO Unix - F-Response Not Installed | Icon indicates a SCO Unix Computer; if no badge is present, the SCO computer is available and does not have F-Response Installed. If a badge is present, check the badge legend
86. lementer, this may be a simple textual value or may be a generated alphanumeric code.
• API Key
  o Provided by the implementer, this is most likely to be a generated alphanumeric code.
• Authentication URL
  o Provided by the implementer, this URL is necessary to authenticate to the Openstack based cloud storage environment.
[Screenshot: OpenStack Storage Credentials dialog. Configure Openstack Cloud Credentials]
Use the "Test Connection" button to test the credentials against the Openstack based cloud storage environment. If the credentials are valid, you can then use the "Add" button to add the credentials to your stack of available credentials; lastly, press "Save" to store the credentials on the examiner machine in an encrypted repository. It is important to note that all Cloud Storage credentials are saved, unlike the F-Response Enterprise Management Console deployment credentials.
Windows Azure Blob Storage
Windows Azure Blob Storage Credentials are found on the Windows Azure Console (see www.windowsazure.com, "Portal"). The specific credentials are available under "Storage", then the "Manage Keys" option at the bottom of the page (see below).
[Screenshot: Windows Azure Management Console Main Menu]
87. likely a Windows XP machine not running in "Classic" mode for credential authentication. This is typically the case when attempting to connect to XP machines not part of a Windows Domain. To switch the target machine to "Classic" you must open the Local Security Policy Administration Tool under Control Panel > Administrative Tools. You will then select Local Policies > Security Options and change the value of "Network Access: Sharing and Security Model for Local Accounts" to "Classic - Local Users authenticate as themselves". This is only necessary when using the FEMC to deploy F-Response to XP or greater computers not part of a Windows Domain.
[Screenshot: Local Security Policy, Security Options]
If the target machine is a Windows 7, Vista, or newer Windows OS and not joined to a Domain (i.e. Workgroup Member), then a key will need to be added to the registry of the target machine. You can manually create and add this key to the registry by following these steps: To create your registr
88. ll reasonable measures to maintain the confidentiality of such Confidential Information, but in no event less than the measures it uses to protect its own Confidential Information. Each Party will limit the disclosure of such Confidential Information to those of its employees with a bona fide need to access such Confidential Information in order to exercise its rights and obligations under this Agreement, provided that all such employees are bound by a written non-disclosure agreement that contains restrictions at least as protective as those set forth herein.
6.4 Injunctive Relief. Each Party understands and agrees that the other Party will suffer irreparable harm in the event that the receiving Party of Confidential Information breaches any of its obligations under this section, and that monetary damages will be inadequate to compensate the non-breaching Party. In the event of a breach or threatened breach of any of the provisions of this section, the non-breaching Party, in addition to and not in limitation of any other rights, remedies or damages available to it at law or in equity, shall be entitled to a temporary restraining order, preliminary injunction and/or permanent injunction in order to prevent or to restrain any such breach by the other Party.
7. DISCLAIMER OF WARRANTIES. TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, AGILE AND ITS SUPPLIERS PROVIDE THE SOFTWARE AND SUPPORT SERVICES (IF ANY) AS IS AND WITH ALL FAULTS, AND HEREBY DISCLAIM ALL
89. mation or error messages currently in the Messages Panel.
  o Exit: Close and exit the F-Response CC console.
• Connect
  o Discovery F-Response Disks: Opens a dialog providing iSCSI Discovery request capability by IP Address.
  o Login to F-Response Disk: Initiates an iSCSI login on the selected F-Response Consultant Target.
  o Logout of F-Response Disk: Initiates an iSCSI logout on the selected F-Response Consultant Target.
  o Remove F-Response Disk: Deletes all F-Response Disks for the selected target from the Connect Tab.
  o Open F-Response Flexdisk: Opens the default configured web browser pre-populated to connect to the Flexdisk target.
• Help
  o About: Presents a splash screen indicating the version information of the F-Response Consultant Connector Console.
FCC Tab Controls
• Connect
  o Displays a listing of the F-Response Target(s) after a successful Discovery Request.
• Messages
  o Displays informational Messages during operation; if errors occur they will be noted here.
• Active Clients
  o Queries the F-Response License Manager Service to obtain active clients for the F-Response LM dongle. This list includes IP Address, Network Name, and Platform.
Consultant Edition: Configuring the FCC Console, Quick Configure
[Screenshot: Quick Configure dialog]
90. mpliance
a. F-Response distributes software libraries developed by The Sleuth Kit (TSK). The license information and source code for TSK can be found at http://www.sleuthkit.org. If any changes have been made by Agile to the TSK libraries distributed with the F-Response software, those changes can be found online at http://www.f-response.com/TSkKinfo.
b. A portion of the F-Response Software was derived using source code provided by Intel and Alistair Crooks (NetBSD), which requires the following notice be posted herein and which applies only to the source code. F-Response code is distributed only in binary or object code form. F-Response source code, and any revised Intel and NetBSD code contained within the F-Response source code, is not available for distribution. The name of Intel Corporation and NetBSD are not being used to endorse or promote this product, nor is the name of the author being used to endorse or promote this product. This information is presented solely to comply with the required Intel and NetBSD license agreements, which require reproduction of the following copyright notice, list of conditions and disclaimer.
Intel License Agreement
Copyright (c) 2000, Intel Corporation. All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are
91. n Support for Linux (glibc 2.3.5) and Apple OS X 10.4, 10.5 (Intel only).
F-Response 1.18 contains multiple enhancements and bug fixes for all versions of F-Response, including:
Changes affecting all versions: Improved handling of foreign language versions of Windows. Added support for non-standard Windows Computer Names. Improved on-load drive probing. Official support for the Open-iSCSI Linux Initiator. Un-Official support for the GlobalSAN iSCSI Initiator for Apple OSX. Improved thread management performance. Updated Version information to 1.18.
Changes affecting F-Response Field Kit Edition: Graphical user interface now includes the F-Response license expiration date.
Changes affecting F-Response Consultant Edition: Graphical user interface now includes the F-Response license expiration date. Autoconfigure option for F-Response Consultant edition added; allows F-Response Consultant Edition to be run from CD or to be provided to IT staff with no repeated configuration needed.
F-Response 1.17 contains multiple enhancements and bug fixes for all versions of F-Response, including:
Changes affecting all versions: Modified disk capacity return value in accordance with SCSI parameters. Corrected issue relating to STOP ERROR for Microsoft iSCSI Initiator in select circumstances. Updated Version information to 1.17.
Changes affecting F-Response Field Kit Edition: Modified License controls to allow more leeway when dealing wi
92. nes running Microsoft Windows Vista or above; if not supported, option will be grayed out.
• The TCP Port the remote F-Response Enterprise executable should listen on for Flexdisk HTTPS requests.
TCP Port
• The TCP Port the remote F-Response Enterprise executable should listen on for login and discovery requests.
Username
• The Username the remote F-Response Enterprise executable should use for login and discovery requests.
Password
• The Password the remote F-Response Enterprise executable should use for login and discovery requests.
• F-Response Windows Service Install Configuration
Service Name
• This is the name the F-Response Enterprise service will be installed as on the remote computer(s). This name is completely user selectable.
Service Description
• Description value that will be assigned to the F-Response Enterprise service when installed on the remote computer(s). This description is completely optional.
Executable
• Use the browse button to locate the F-Response Enterprise executable to install. Typically located in "C:\Program Files\F-Response\F-Response Enterprise Edition\f-response-ent.exe".
• Unix Platform Specific Options (ADVANCED)
  o A platform based set of options that will be executed on the remote computer; any changes made to the options are saved. Optionally they can be reset using the Reset Current or
93. ng the target, right clicking to open the context menu, and selecting "Logout of F-Response Cloud Storage Volume". The volume will be disconnected and the assigned drive letter will now be removed.
[Screenshot: F-Response Cloud Storage Connector. Logged in Cloud Storage target assigned the E: drive letter]
F-Response Database Object Connector
Using the F-Response Database Object Connector (TAC, CE, CE+C, and EE)
F-Response TACTICAL, Consultant, Enterprise, and Consultant Covert edition includes a copy of the F-Response Database Object Connector (FDBC). The FDBC allows an examiner to mount remote Microsoft SQL Server Database Objects (Embedded Files, BLOBS, etc.) as local read-only logical volumes or network shares. The F-Response Database Object Connector supports Microsoft Sharepoint only at present. The FDBC does not require executables or agents be deployed to the remote Microsoft SQL Server(s). The FDBC does require a locally attached F-Response licensed dongle (TACTICAL, Consultant, or Consultant Covert) or a remote Enterprise F-Response dongle connected via the F-Response License Manager a
94. nnon f-response-fk-lin -h
F-Response Field Kit (Linux) Version 5.0.0
Usage:
  -h                     This help page
  -u <username>          Username, must be eight (8) characters
  -p <password>          Password, must be fourteen (14) characters
  -i <port>              iSCSI port, optional, default is 3260
  -a <path to device>    Assign additional devices (comma separated), ex. -a /dev/md0
Examples: To use F-Response Field Kit Linux Edition:
  f-response-fk-lin -u jsmith01 -p password123456
The F-Response Field Kit Edition for Apple OS X and Linux is installed and available in the "C:\Program Files\F-Response\F-Response Field Kit Edition\" folder. The executable name will indicate which version is appropriate for your target platform:
  F-Response Field Kit Edition for Linux: f-response-fk-lin
  F-Response Field Kit Edition for Apple OSX (10.4, 10.5, 10.6 Intel): f-response-fk-osx
Example Usage Scenario 1: F-Response License Manager Server on 192.168.1.6, Port 5681
  sudo f-response-fk-lin -u mshannon -p mshannon123456 -i 3260
F-Response Field Kit Edition: Connecting to an F-Response Target
[Screenshot: iSCSI Initiator Properties, General tab]
95. now running and waiting for licensing requests. The License Manager automatically creates Windows Firewall exceptions for the service application; however, if you are using other firewall products you may need to add exceptions as necessary.

F-Response Cloud Connector

Using the F-Response Cloud Connector (TAC, CE, CE C and EE)

F-Response TACTICAL, Consultant, Enterprise, and Consultant Covert edition includes a copy of the F-Response Cloud Connector (FCLDC). The FCLDC allows an examiner to mount remote Cloud-based Storage containers as local read-only logical volumes or network shares. The FCLDC does not require executables or agents be deployed to Cloud Storage providers. The FCLDC does require a locally attached F-Response licensed dongle (TACTICAL, Consultant, or Consultant Covert) or a remote Enterprise F-Response dongle connected via the F-Response License Manager at all times.

[Figure: F-Response Cloud Storage Connector 5.0.0. Caption: F-Response Cloud Connector]

Configuring Cloud Connector Options

There are a number of options that can be configured when using the F-Response Cloud Connector; these options include:

[Figure: Configure Options dialog]

F-Response Cloud Connector Configur
96. ns

[Figure: Unix Credentials dialog]
Using a general user account, sudo, and a user password for sudo permissions, plus an SSH Key for access.

[Figure: Unix Credentials dialog]
Using a general user account, su, and a user password for access, plus the root password for su permissions.

[Figure: Unix Credentials dialog]
Using a general user account, su, and a SSH key for access, plus the root password for su permissions.

Appendix F Software Requirements on the Target Computer

The following outlines what software, services, and credentials are required to connect to a remote target computer via the F-Response Enterprise Management Console (FEMC).
• Windows (All Versions)
  o Software: No additional
  o Services: File and Printer Sharing, Microsoft Services, TCP Port 445
  o Credentials: Administrator or like permission sufficient to create a LocalSystem level service
• Unix (All Versions)
  o Software: No additional
  o Services
97. [Figure: F-Response License Manager Monitor. Caption: F-Response License Manager Monitor console, Main Window]

Install the F-Response License Manager service by pressing the Install button. After the service is installed it will allow you to change the bound IP Address and TCP Port; the service will install in the stopped position.

[Figure: F-Response License Manager Monitor. Caption: F-Response License Manager Monitor, Stopped Position]

Start the F-Response License Manager service by pressing the Start button. Your F-Response FOB must be inserted prior to starting the License Manager server.

[Figure: F-Response License Manager Monitor. Caption: F-Response License Manager running and waiting for licensing requests]

The F-Response License Manager is
98. nse Target 97
F-Response Flexdisk 99
What is a F-Response Flexdisk 99
How do I access and use a F-Response Flexdisk 99
Frequently Asked Questions 100
[illegible entry] 103
Linux License Manager and Accelerator 104
[illegible entry] 105
Software Revision History 106
Appendix A Overview of the F-Response Enterprise Edition Windows Command Line Interface 117
Appendix B Overview of the F-Response Enterprise Edition Unix Command Line Interface 119
Appendix C Overview of the F-Response Consultant User Interface 121
Appendix D Overview of the F-Response Field Kit User Interface 123
Appendix E Understanding Unix Credentials 125
Appendix F Software Requirements on the Target Computer 128
Appendix G F-Response Target Naming Convention
99. Connecting to Database Object Targets

You can connect to a storage target by selecting the target, right-clicking to open the context menu, and selecting "Login to F-Response Database Volume". The newly attached volume will be assigned a drive letter and is now accessible via Windows Explorer.

[Figure: F-Response Database Object Connector. Caption: Logged in Database Storage target assigned the E drive letter]

Disconnecting from Database Object Targets

You can disconnect from a storage target by selecting the target, right-clicking to open the context menu, and selecting "Logout of F-Response Database Volume". The volume will be disconnected and the assigned drive letter will now be removed.

[Figure: F-Response Database Object Connector]
100. • Step 10
  o Press the Start button to start listening for incoming connections.
  o At this time the F-Response Consultant Edition client has been successfully validated and the F-Response Consultant Connector Active Clients Tab shows the remote client's IP address, Machine name, and Platform as shown in the following figure.

[Figure: F-Response Consultant Connector, Active Clients tab. Caption: F-Response Consultant Connector Active Clients Tab shows F-Response Consultant Edition remote client or target computer]

Repeat steps 9 & 10 to make additional machines available for analysis. Each will appear in the F-Response Consultant Connector Active Clients Tab.

Consultant Edition Using F-Response Consultant Edition for Unix based Targets

F-Response command line help on analyst machine

F-Response Consultant Enterprise <PLATFORM> Version 4.00.03
Usage:
  -h                        This help page
  -a <path to devices>      Path to additional devices, comma separated (ex. /dev/md0,/dev/md1)
  -S <F-ResponseLM IP>      IP Address of F-Response LM Server
  -P <F-ResponseLM Port>    TCP Port of F-Response LM Server (optional, defaults to 5681)
  -u <username>             F-Response username, must be 8 cha
101. nterprise Windows, Linux, and OSX Apple targets.
• Added the new F-Response Accelerator to allow many-to-many connectivity for F-Response Enterprise and Consultant customers.

Changes affecting Consultant Edition:
• Modified the F-Response Consultant Connector (FCC) to improve responsiveness.
• Added the new patent pending F-Response Flexdisk capabilities to F-Response Consultant Windows, Linux, and OSX Apple targets.
• Added the new F-Response Accelerator to allow many-to-many connectivity for F-Response Enterprise and Consultant customers.

F-Response 3.09.09 contains the following new features and enhancements:

Changes affecting All Versions:
• F-Response All Versions now provides support for accessing physical disks >2TB (theoretical limit of 8 Zettabytes).
• Modifications to correct authentication login/logout issues when connecting from Linux Open-iscsi.

Changes affecting Enterprise Edition:
• Adjustments to the F-Response Enterprise Management Console (FEMC) to support different IP Address configurations.
• Added logic to handle F-Response Deployment to remote target machines using a non-standard root drive.
• F-Response License Manager Monitor (LMM) now opens the dialog automatically on first load.
• Addressed an issue with correctly handling alternate port selection from the command line or via configure options.
• Icon display corrected for FEMC Direct Connect for Windows targets.
• F-Response License Manager now automatic
102. o make you aware of the actions your account is temporarily capable of.

SSH Keys

Many system administrators prefer to allow remote connections only when they are attempted using a special cryptographic key file, the SSH Key File. F-Response allows you to specify a key file for access; however, unless your account is the root or superuser account you will need to provide the appropriate password for su or sudo. F-Response supports both OpenSSH and Putty SSH Key files.

F-Response allows you to access the remote machine with any combination of user account and credential; however, let's go through a few common scenarios below.

[Figure: Unix Credentials dialog]
Using the root or superuser account with a password.

[Figure: Unix Credentials dialog]
Using the root or superuser account with an SSH Key (OpenSSH or Putty).

[Figure: Unix Credentials dialog]
Using a general user account, sudo, and a user password for access and sudo permissio
103. on Overview of the F-Response Consultant Connector 71
Consultant Edition Configuring the FCC Console Quick Configure 73
Consultant Edition Configuring the FCC Console Create AutoConfigure 74
Consultant Edition Using F-Response Consultant Edition for Windows 76
Consultant Edition Using F-Response Consultant Edition for Unix based Targets 81
F-Response command line help on analyst machine 81
Consultant Edition Using the F-Response Consultant Connector 83
F-Response Accelerator (Consultant, Consultant Covert and Enterprise Only) 87
Field Kit Edition 88
F-Response Field Kit Edition Using F-Response Field Kit Edition for Windows 88
F-Response Field Kit Edition Using F-Response Field Kit Edition for Unix, Linux, Apple OS X 90
F-Response Field Kit Edition Connecting to an F-Response Target 91
F-Response Field Kit Edition Disconnecting from an F-Respo
104. onfigured Google Drive Read Only access domain wide for a specific service account. More details on creating that account and delegation are available at the following url: https://developers.google.com/drive/delegation

[Figure: Google service account details]

[Figure: Google Drive Service Account Credentials dialog. Caption: Google Drive Service Account Credentials Dialog]

Google Drive Apps Service Account based cloud storage environments require the following credentials in order to successfully connect and authenticate:
• Service Email Address
  o Service account email address as defined by Google
• Target Email Address
  o Individual account email address used to identify the target Google Drive repository
• Private Key File
  o Private key file provided by Google for the Service account

Openstack Based Cloud Storage

Openstack is an open source cloud storage platform based on the Rackspace API and model. Openstack based cloud storage environments require the following credentials in order to successfully connect and authenticate:
• Username
  o Provided by the imp
105. F-Response Enterprise

Enterprise Edition Overview of the F-Response Enterprise Management Console (FEMC)

At the core of F-Response Enterprise Edition is the F-Response Enterprise Management Console (FEMC). Below is a guideline of the features and functions of the FEMC.

[Figure: F-Response Enterprise Management Console]

F-Response Enterprise Management Console Menu Options
• File
  o Configure: Configure F-Response EMC for deploying and managing Remote F-Response Target code
  o Clear Messages: Clears any information or error messages currently in the Messages Panel
  o Exit: Close and exit the F-Response EMC
  o Scan by Domain: Opens a dialog for Windows Domain/Workgroup scanning to detect F-Response Enterprise installations and/or potential targets
  o Scan by IP Address: Opens a dialog for IP Address range scanning to detect F-Response Enterprise installations and/or potential targets
  o Direct Connect: Opens a dialog for direct connect options for directly connecting to a remote computer via IP address or Network Name to detect F-Response Enterprise installations and/or potential targets
  o Cus
106. HP Public Cloud Credentials

HP Public Cloud Credentials are found on the HP Public Cloud Console (see console.hpcloud.com). The specific credentials required are available under the Account menu item, under "Your API Keys" (see below).

[Figure: HP Public Cloud Management Console. Caption: HP Public Cloud Management Console Main Page]

Locate the Service Endpoints section and record (copy/paste) the Tenant ID.

[Figure: Service Endpoints section showing the Tenant ID. Caption: Service Endpoints Tenant ID]

The preceding credential (Tenant ID) must be entered along with the login email for the Cloud Console in the corresponding field in the Configure HP Public Cloud Credentials dialog, for example 1237651235461 test test com. The Password field requires the password used to login to the HP Public Cloud Web Console. The Description field is optional and can be used to provide a secondary human readable identifier for the credential set (Ex. Client X Credentials).

[Figure: HP Cloud Storage Credentials dialog. Caption: Configure HP Public Cloud Credentials]

Use the Test Connection button
107. [Figure: F-Response Accelerator. Caption: The F-Response Accelerator main window]

[Figure: Configure dialog]
Start by selecting File > Configure to input your F-Response username, password, and tcp port.

[Figure: F-Response Disk Discovery dialog]
To locate F-Response Targets and connect to them, start by using the Connect > Find F-Response Disks; this will open a dialog where you can input the target machine IP addresses.

Field Kit Edition

F-Response Field Kit Edition Using F-Response Field Kit Edition for Windows
• Step 1
  o To use the F-Response Field Kit, insert a valid F-Response FOB key into a USB port of the computer to be analyzed. Make the F-Response FK Target code available to the local machine (via USB, network share, CD, et al.) and execute the F-Response FK Target code. The below user interface will appear.

[Figure: F-Response Remote Forensics Field Kit user interface]
108. [Figure: F-Response Field Kit user interface. Caption: F-Response User Interface configured for use. See Appendix A for field information detail.]
• Step 2
  o Select an IP Address from the Host IP Address drop-down arrow to bind the F-Response Target code to a local IP address currently in use by the computer. In this case we have chosen 192.168.1.6.
• Step 3
  o Select the TCP Port; in this instance we chose to keep the default, 3260.
• Step 4
  o Enter in a username and password value. These values will be used later to authenticate the network connection to this computer.
• Step 5
  o Press the Start button to start listening for incoming connections.

This completes F-Response preparation for this machine. Remember, you will need the four entries selected in the User Interface above in order to establish the connection to access this computer's drives over the network. Refer to the next section on using the Microsoft iSCSI Initiator to complete the connection and access the local machine's physical drives from remote.

F-Response Field Kit Edition Using F-Response Field Kit Edition for Unix, Linux, Apple OS X

root nsx msha
109. [Figure: F-Response Enterprise Management Console, Deployment panel]
Completed Custom Scan operation; results show one accessible computer. Please see Appendix H for the complete icon legend defining the different platforms.

[Figure: F-Response Enterprise Management Console, target context menu]
Installation of F-Response can be performed by right-clicking on a valid target icon.

[Figure: F-Response Enterprise Management Console, Deployment menu]
Installation can also be performed on multiple targets by selecting them in the Deployment panel.

[Figure: F-Response Enterprise Management Console]
110. other delivery mechanism using the three files shown above, i.e.:
  1. f-response-ce.exe
  2. fresponse.ini
  3. Mnemosyne.sys (if Physical Memory is enabled)
  4. flexdmgr.dll (if Flexdisk is enabled)
• Step 9
  o When analysis is to be conducted, these three files are simply placed on the machine to be analyzed. Run f-response-ce.exe and the following appears if a valid license key is found.

[Figure: F-Response Remote Forensics Consultant Edition user interface. Caption: F-Response User Interface configured for use. See Appendix B for field information detail.]

  o All of the fields are pre-populated since the configuration has already been auto-configured. In some cases the examiner may have an option to select a different IP Address from the Host IP Address drop-down arrow to bind the F-Response Target code to one of multiple local IP addresses in use by the computer. In this case we have chosen to use the default, 192.168.1.218.
111. ount holder must approve access to their Skydrive account; upon approval the web browser will be redirected to a page at F-Response.com with the Authorization Code.

[Figure: F-Response OAuth v2 Helper page showing the Authorization Code and the instruction "Please copy the Authorization code above and input it into the Connector dialog where indicated. If you are not the end user please copy the code and email them to the F-Response product end user." Caption: F-Response.com OAuth Helper Page]

The Authorization Code, as displayed on that page, must be inputted into the Skydrive Credentials dialog in the Authorization Code box. After this is complete, press "Validate Access". Validate Access will confirm the account holder's account details and present that information in the Name box. If this is the correct username and account, press "Add" to add the credential to the encrypted credential store and "Save" to save the newly added credential. It is important to note that all Cloud Storage credentials are saved, unlike the F-Response Enterprise Management Console deployment credentials.

Google Apps for Business Credentials

In addition to consumer class Google Drive access, the F-Response Cloud Connector also includes support for Google Drive Service Account access (Consultant and above only). In this model a Google Apps account administrator has c
112. ported Cloud environments
  o Updates to Rackspace container detection, now detects containers outside of the home container region
• Updates to the F-Response Email Connector including:
  o Updates to improve handling of non-standard separator characters in IMAP mailstores
  o Numerous improvements for Office365 including: Enhanced speed and stability; Detection of MeetingRequestResponse entries
• Updates to the F-Response Database Object Connector including:
  o Updates to handle OLEDB connectivity and stability issues present on certain workstation configurations

Changes affecting all versions of F-Response:
• Update to the F-Response Physical Memory Driver for improved stability

F-Response 5.0.2 contains the following new features and enhancements:

Changes affecting Enterprise, Consultant Covert, Consultant Edition and TACTICAL:
• Update to the F-Response Cloud Connector including:
  o Addition of CSV style log output for connected drive device content
  o Addition of options for alternate Modified Time values in Dropbox
  o Modifications to handle API changes and encodings for Dropbox, Google Drive
  o Updates to include Dropbox revision history items
• Updates to the F-Response Email Connector including:
  o Additional options on the Configure Options dialog to allow for more user directed decisions regarding throttling
  o Modifications to better handle UTF-8 and UTF-16 character encodings in folder names and paths
  o
113. prise, Consultant Covert, and Consultant Edition:
• New F-Response Database Object Connector providing access to embedded file database objects. Supports Microsoft Sharepoint Databases on Microsoft SQL Server.
• New F-Response Email Connector providing access to remote IMAP email as a local read-only volume. Includes support for Gmail, Yahoo Mail, and any generic IMAP based SSL or Non-SSL email server.
• Windows 8 Support for all F-Response Connector series products.
• F-Response License Update check now occurs silently when dongle is within ten days of expiration.
• Corrected the License Manager Monitor to better handle rare timeout issues when starting the License Manager Service.

Changes affecting the Consultant version of F-Response:
• General usability updates for the F-Response Consultant Connector (context menu corrections, etc.).

Changes affecting all versions of F-Response:
• Updates to all versions of F-Response to better support target machines with a large number of disk devices.

F-Response 4.0.05 contains the following new features and enhancements:

Changes affecting Enterprise and Consultant Covert Edition:
• F-Response Cloud Connector has been updated to use a new caching model which greatly improves speed and performance.
• F-Response Enterprise COM Object has been improved to better detect and deploy to newer versions of Linux including re
114. pts for using the object have been provided for Visual Basic Script, Perl, Python, and C.
• F-Response Enterprise now provides explicit audit logs for Login, Logout, Failed Login, Start, Stop operations on remote targets. Audit logs are found in the Application Event Logs of the F-Response License Manager.
• F-Response Enterprise is now fully Terminal Services (Remote Desktop) aware, allowing multiple users on a single machine to run the F-Response Enterprise Management Console (FEMC) simultaneously.
• F-Response Enterprise now provides target support for OpenSolaris.

Changes affecting Consultant Edition:
• The F-Response Consultant Connector Scripting Object (FCCCTRL) has been released with methods and properties to automate connecting to deployed F-Response Consultant Edition Targets. Sample scripts for using the object have been provided for Visual Basic Script, Perl, and Python.
• F-Response Consultant now provides target support for OpenSolaris.

F-Response 3.09.07 contains the following new features and enhancements:

Changes affecting All Versions:
• F-Response All Versions now provides support for physical memory access under both 32bit and 64bit Windows environments.
• Added a F-Response Linux (<60 Meg) Boot CDROM that provides access to F-Response FK, CE, EE, and TACTICAL. Boot CDROM is available to all licensed customers.
• Corrected an issue where disk read errors on the target side could cause an iSCSI disconnect that was not automat
115. racters
  -p <password>                 F-Response password, must be 14 characters
  -i <iSCSI Port>               iSCSI Port (optional, defaults to 3260)
  -c <path to fresponse.ini>    Optional autoconfigure path; if used, no other commandline options are required
  -f <Flexdisk Port>            Optional Flexdisk port; if not provided, Flexdisk services will not be enabled

F-Response Consultant Enterprise Edition can either be run directly from the commandline using the various arguments indicated above, or it can be run with the -c <path to fresponse.ini> option, provided the path points to a valid fresponse.ini file. See the F-Response Consultant Connector autoconfigure option to generate a valid fresponse.ini.

The F-Response Consultant Edition target code for non-Windows platforms is installed and available in the C:\Program Files\F-Response\F-Response Consultant Edition folder. The executable name will indicate which version is appropriate for your target platform.

Platform / F-Response Target Code (some rows of this table did not survive extraction):
• Linux glibc 2.3.5 Intel i386
• Linux glibc 2.3.5 x64: f-response-ce-e-lin-64
• Universal Binary
• SCO Unix Open Server 6, Unixware 7, Intel i386: f-response-ce-e-sco
• Google Android ARM: f-response-ce-e-android-arm
• NetGear ReadyNAS SPARC: f-response-ce-e-readynas-sparc
• FreeBSD 7, 8 x64 Intel: f-response-ce-e-fbsd-64

Example Usage Scenario 1: The F-Response target platform is Linux and the F-Response License Manager S
116. rename the initiator node, click Change. To authenticate targets using CHAP, click Secret to specify a CHAP secret. To configure IPSec Tunnel Mode addresses, click Tunnel.

This is the Microsoft iSCSI Initiator console. First select Change to rename your initiator node.

[Figure: Initiator Node Name Change dialog]
Set this value to whatever value was inputted in the F-Response Field Kit user interface username field. Select OK.

[Figure: iSCSI Initiator Properties dialog, Discovery tab]
Now you must add the Target Portal. Select the Add button on the Discovery tab.

[Figure: Add Target Portal dialog]
Input the IP Address and TCP port of the remote F-Response Field Kit computer. These values must match the ones entered in the F-Response F
117. rmation on the Flexdisk API is available in the API document on the Downloads page of the F-Response website.
• F-Response Flexdisk for Linux now autodetects more mount points and logical volumes.
• Updates to the F-Response Enterprise COM Scripting object to support Flexdisk configuration options.
• Improved handling of >2TB disks for non-Windows platforms.
• F-Response Enterprise for AIX and SCO now more accurately locates and presents physical devices.

F-Response 4.0.01 contains the following new features and enhancements:

Changes affecting Enterprise Edition:
• F-Response Enterprise Management Console (FEMC) now provides rapid deployments options which condense the standard deployment steps:
  o Install Start F-Response: Will install, start, and issue discovery against a remote F-Response target
  o Stop Remove F-Response: Will stop and remove F-Response from a remote target
• Added an Active Clients menu to allow for the selective enabling or disabling of the standard continuous polling mechanism used to update active clients.
• Added an Export option to the Deployment Options dialog to make the manual deployment process easier. Export button will allow the user to save off a copy of the ini file and selected executable prepared for manual deployment.
• Added the new patent pending F-Response Flexdisk capabilities to F-Response E
118. [Figure: F-Response Consultant Edition Automatic Configuration dialog. Caption: Check box to enable F-Response Consultant Edition Automatic Configuration Option]

  o In the Validation Parameters section, enter the IP address and Port of the computer running the F-Response License Manager service; in this case our F-Response LM server is listening on port 5681 at address 192.168.1.6.
  o In the F-Response Configuration section, enter the iSCSI TCP Port (in this instance we chose to keep the default, 3260), OPTIONAL: enter the Flexdisk TCP Port (in this instance we chose to keep the default, 3261), username (one or more characters), and password value (a minimum of 12 characters). These values will be used later to authenticate the iSCSI/Flexdisk network connection to this computer.
• Step 8
  o Press the Save button to create the automatic Configuration files that will be used on any number of machines to be analyzed.
  o Three files are created: fresponse.ini, flexdmgr.dll (if Flexdisk is enabled), and Mnemosyne.sys (if Physical Memory is Enabled).
  o At this time the F-Response Consultant Edition Automatic Configuration is complete.
  o The examiner can prepare an Autoconfiguration CD-ROM, thumb drive, or
119. rties Target Portal Group 1 Status Connected Connection Count 1
WARNING: If the disk is still in use (i.e. folders open, software reviewing the disk, etc.), Windows will not release the disk and will provide the following warning message:
[Dialog: Log Off from Session] "The session cannot be logged out since a device on that session is currently being used."
Be sure to close all open disk access before selecting Log off. If the Initiator still does not permit the session to be logged off, you can force the session to close by selecting the stubborn Target under the Discovery tab and selecting Remove.
[Screenshot: Target Properties dialog, Sessions tab]
Once successfully logged off, the Session Identifier should be removed. You can continue working, adding and deleting sessions as needed, or if you are finished working you may now close the Microsoft iSCSI initiator and stop F-Response Field Kit on the Target computer.
120. rved. This document is protected by copyright with all rights reserved.
Trademarks: F-Response is a trademark of Agile Risk Management LLC. All other product names or logos mentioned herein are used for identification purposes only and are the trademarks of their respective owners.
Statement of Rights: Agile Risk Management LLC products incorporate technology that is protected by U.S. patent and other intellectual property (IP) rights owned by Agile Risk Management LLC and other rights owners. Use of these products constitutes your legal agreement to honor Agile Risk Management LLC's IP rights as protected by applicable laws. Reverse engineering, de-compiling or disassembly of Agile Risk Management LLC products is strictly prohibited.
Disclaimer: While Agile Risk Management LLC has committed its best efforts to providing accurate information in this document, we assume no responsibility for any inaccuracies that may be contained herein, and we reserve the right to make changes to this document without notice.
Patents: F-Response is covered by United States Patent Numbers 8,171,108, 7,899,882 and other Patents Pending.
121. s ee This help page 0 <port> F-Response LM Port (optional, default is 5681)
c Run License Manager server (send to background using &) fresponselm
Init Script Sample: In addition to the above binaries you will also find a sample init (initialization) script that could be used to configure the License Manager to run at boot. Please refer to the specific Linux server and distribution for more details on setting up init scripts, etc.
Mission Guides
What are Mission Guides? F-Response Mission Guides were designed to simplify the process of using F-Response software in new and unfamiliar scenarios. Mission guides offer a possible solution to your task, working with you each step of the way through instruction that is direct and to the point. Much smaller than a manual, Mission Guides give you the exact information you need to get you connected and underway as fast as possible. Mission Guides are simple, straightforward 4-6 page PDF documents that cover all the steps necessary to accomplish a specific Mission with F-Response. All Mission Guides are available at https://www.f-response.com/support/missionguides under the Support link at the top of every page. A selection of the Mission Guides available at the time this document was developed is available below.
- F-Response Enterprise Edition
  - Connect to a remote Linux targe
122. s behalf or use the Copy to Clipboard option to generate a URL suitable for sending to the account holder.
[Screenshot: Dropbox authorization page: "The app F-Response Cloud Connector would like to connect with your Dropbox. This app will have access to your entire Dropbox. Please make sure you trust this app before proceeding." Caption: User must approve access to the F-Response Cloud Connector]
Regardless of the option selected, the account holder must approve access to their Dropbox account; upon approval the web browser will be redirected to a page at F-Response.com with the Request Token and optional Verifier.
[Screenshot: F-Response.com OAuth Helper Page, showing the Request Token and the instruction: "Please copy and paste the Request Token and Verifier above and input it into the Connector dialog where indicated. If you are not the end user, please copy and paste these values and email them to the F-Response product end user."]
The Request Token value and any optional Verifier, as displayed on that page, must be inputted into the Dropbox Credentials dialog in the Request Token box. After this is complete, press Validate Access to validate the newly acquired Request Token. Validate Access will confirm the account holder's account details and present that informat
123. s reasons credentials are not stored when the application is exited. The Credentials Configure window is divided into two areas to provide credential information for F-Response targets: Windows Domain Network Credentials and Unix Credentials. Please refer to the guidelines below for configuring the FEMC target Credentials.
[Screenshot: Credentials Configure dialog. Caption: F-Response Enterprise Management Console Configuration Panel]
- Windows Domain Network Credentials
  - Use the Add/Remove buttons to add and/or remove both Domain and Local machine credentials. These credentials will be used to manage the remote F-Response Target computer, including Install, Start, Stop and Uninstall operations.
  - Use Current User Credentials: This option removes the inputted credentials in favor of using the locally logged in user's credentials.
- Unix Credentials
  - User Account: Provides options for entering user account name and/or type.
  - Assume Root: Allows for selecting a manner with which to assume root privileges; further details on Unix Credentials is available in the Appendix E, Understanding Unix Credentials.
124. se
- New F-Response Dongle Updater has been added to Enterprise, Consultant Covert, Consultant and Field Kit. This new updater uses a new upt2 file format and removes the requirement to download a separate dongle updater from the F-Response website when renewing or upgrading your license.
- Windows 8 Support for all F-Response Examiner products (FEMC, FCC, etc.) has been added.
- F-Response target executable for Windows now better able to handle physical memory on Windows 2000 systems.
F-Response 4 0 04 1 contains the following new features and enhancements.
Changes affecting Enterprise Edition and Consultant Covert Edition:
- F-Response Cloud Connector now supports Windows Azure Blob Storage.
Changes affecting all versions of F-Response:
- Improved handling of non-standard mount points in Linux.
- Improved Physical Memory access stability based on further input from the Volatility Project.
F-Response 4.0.04 contains the following new features and enhancements.
Changes affecting Enterprise and Consultant Covert Edition:
- New F-Response Cloud Connector providing direct read-only access to Cloud Storage Environments, including Amazon S3, Rackspace Cloud Files, HP Public Cloud and any v1 Openstack implementation.
- F-Response Enterprise Management Console now correctly detects Apple OSX 10.8 target computers and deploys the appropriate software
125. sional 64bit, Windows 2003, Windows Vista 32 & 64bit, Windows 2008 32 & 64bit, Windows 7 32bit & 64bit, Windows 8 32bit & 64bit, Windows 2012 64bit, Linux Glibc 2.3.5 32bit and 64bit, Apple OS X 10.3, 10.4, 10.5, 10.6, 10.7, 10.8 Universal Binary
Cloud Storage Environments supported by the F-Response Cloud Connector:
- Amazon Web Services Simple Storage Service (S3)
- Windows Azure Blob Storage
- Rackspace Cloud Files (US and UK)
- HP Public Cloud
- Any Openstack based Cloud Storage (v1 series)
- Google Drive Google Apps for Business Google Drive
- Dropbox
- Microsoft Skydrive
Footnotes:
1 Linux glibc 2.3.5 includes Redhat, Suse, Ubuntu, Fedora and many other distributions of Linux released during or after 2003.
2 Intel only for Field Kit; all others are Universal Binary.
3 Platform support is further restricted to supported filesystems (ext2, ext3, ntfs, fat, hfs, hfs).
Email Servers supported by the F-Response Email Connector:
- Gmail (Google Apps and Gmail)
- Yahoo Mail
- Most IMAP based Email providers
- Office 365 Exchange Web Services
Database platforms and structures supported by the F-Response Database Object Connector:
- Microsoft Sharepoint Microsoft SQL Server
Prerequisites
In order to use F-Response you will require the following:
1. A valid F-Response License key FOB (F-Response FOB), which can be purchased from t
126. t located in Tampa, Florida and the United States District Court for the Middle District of Florida. If any provision of this Agreement is held to be illegal or unenforceable for any reason, then such provision shall be deemed to be restated so as to be enforceable to the maximum extent permissible under law, and the remainder of this Agreement shall remain in full force and effect. Customer and Agile agree that this Agreement shall not be governed by the U.N. Convention on Contracts for the International Sale of Goods.
11.3 Notices. Any notices under this Agreement will be personally delivered or sent by certified or registered mail, return receipt requested, or by nationally recognized overnight express courier, to the address specified herein or such other address as a Party may specify in writing. Such notices will be effective upon receipt, which may be shown by confirmation of delivery.
11.4 Assignment. Customer may not assign or otherwise transfer this Agreement without the Agile's prior written consent, which consent shall not be unreasonably withheld, conditioned or delayed. This Agreement shall be binding upon and inure to the benefit of the Parties' successors and permitted assigns, if any.
11.5 Force Majeure. Neither Party shall be liable for any delay or failure due to a force majeure event and other causes beyond its reasonable control. This provision shall not apply to any of Customer's payment obligations.
11.6 Redistribution Co
127. t all times
[Screenshot: F-Response Database Object Connector]
Configuring Database Server Credentials
Before you can connect to Database Server you must first input valid credentials. The current version of the FDBC supports Microsoft SQL Server only; however, future versions will allow you to connect to other SQL based servers, including Oracle, etc. The Database Credentials dialog will allow you to enter one or more Database credentials, either Database Native Credentials (SQL Native) or Windows Domain Credentials. Database Credentials are not saved between executions of the FDBC.
[Screenshot: F-Response Database Object Connector, Database Credential dialog]
Credentials can be either native credentials (Microsoft SQL Server Native Accounts) or Windows Credentials.
Scanning for Database Object Targets
Use the Scan menu to enumerate Microsoft SQL Servers and Databases. The scanning process will use the local plugins.xml file to test database format and table structure. Periodically new plugins.xml files will be placed on the F-Response Website to add support for new Database formats and models.
[Screenshot: F-Response Database Object Connector]
128. t's disk using F-Response Enterprise Edition
  - Connect to a remote Apple target's disk using F-Response Enterprise Edition
  - Connect to a remote Windows target's disk using F-Response Enterprise Edition
  - Connect to the F-Response Boot CDROM using F-Response Enterprise Edition
- F-Response Consultant Edition
  - Connect to a remote Linux target's disk using F-Response Consultant Edition
  - Connect to a remote Apple target's disk using F-Response Consultant Edition
  - Connect to a remote Windows target's disk using F-Response Consultant Edition
  - Connect to the F-Response Boot CDROM using F-Response Consultant Edition
- F-Response Field Kit Edition
  - Connect to the F-Response Boot CDROM using F-Response Field Kit Edition
- F-Response TACTICAL
  - Connect to the F-Response Boot CDROM using F-Response TACTICAL
Software Revision History
The following list identifies changes made to the F-Response software.
F-Response 5.0.3 contains the following new features and enhancements.
Changes affecting Enterprise, Consultant Covert, Consultant Edition and TACTICAL:
- Addition of a Linux F-Response Accelerator and F-Response License Manager (x86 and x64).
- Update to the F-Response Cloud Connector including:
  - Updates and enhancements to better address case sensitivity in cloud presented volumes. Change includes adding unique identifiers to presented file names on all sup
129. ta operating systems when started if they are not already on.
F-Response 3.09.02
New Features (All versions):
- All F-Response software (Windows) has been translated into German, Spanish and Simplified Chinese.
- Username and Password length are now more flexible. Username must be 1+ ANSI characters. Password must be 12+ ANSI characters.
- All Windows based F-Response software now includes UAC support for proper prompting under Vista, 2008 and Windows 7.
New Features (Consultant and Enterprise Edition):
- Minor updates to the F-Response License Manager, including better dongle stability, improved error codes, additional support for the Windows Event Log.
- Support for Sun Solaris 8, 9, 10 on SPARC.
- Support for IBM AIX 5.3 on Power5 and Power6.
F-Response 3.09.1
New Features (Consultant and Enterprise Editions only)
New Features (Consultant Edition):
- New F-Response License Manager (small, faster, easier to work with) replaces the NetUniKey.
- Updated F-Response Consultant Connector: right click context menus throughout; support for removing Connect Tab target entries.
New Features (Enterprise Edition):
- New F-Response License Manager (small, faster, easier to work with).
- Updated F-Response Enterprise Management Console: right click context menus throughout; support for removing Connect Tab target entries; additional Custom Scan option for scanning by comma separated list of machine names or IP addresses; Direct Connect dialog user interac
130. th inaccurate system clocks.
Changes affecting F-Response Consultant Edition:
- Improved performance of IP validation look up process.
Changes affecting F-Response Enterprise Edition:
- Modified iSCSI Target IP selection based on IP target for Discovery.
- Added command line options a r to add and remove F-Response Enterprise Service using user defined name.
Appendix A: Overview of the F-Response Enterprise Edition Windows Command Line Interface
This appendix provides details regarding the command line options for installing, uninstalling and configuring F-Response Enterprise on each target machine. The help text is shown in the following screen capture:
fe Administrator C Windows system3z cmd exe This help page CreatesInstall the service with default servic Deletes Uninstall the service with default sery ice name service name CCreate s Install the service with a user defined service name cerpuice name Deletes Uninstall the service with a user defined service name Username gt Username must be 1 or more characters p password gt Password must be 12 or more characters i lt port gt iSCSI port default is 3268 f lt port gt Flexdisk port LOPTIOMAL Providing a port will enable the Flexdisk s
131. the latest F-Response Updater executable file, which is freely available from the F-Response Web site or installed as part of your F-Response installation.
Step 1: Insert the FOB into an available USB port on a Windows machine.
Step 2: Execute (there is no installation process) the F-Response Updater executable file. The following screen appears:
[Screenshot: F-Response Updater, with the options "Download and apply license update (insert dongle first, Internet required)" and "Apply license update from upt file"]
Step 3a: If you have Internet connectivity you can attempt to download your license file directly; select the first option and press Update.
Step 3b: If you wish to use a local upt2 file, press the second option and type in or use the button to Browse to the location of the upt2 file you received from Customer Support for this FOB. Note: If you try to update the FOB for which this upt file was not intended, you'll do no harm, but the process will fail. Select Update.
When the process completes (in a few seconds), your license FOB has been updated and the process is complete. Congratulations! Your FOB has now been programmed for use with your most current license.
Appendix K: Legal Notices
Legal Notice: Copyright 2013 Agile Risk Management LLC. All rights rese
132. ting Consultant Edition:
- F-Response Consultant now offers the option for configuring to bind to all IP addresses, both in autoconfigure generation and on the CE client GUI.
- The Messages panel now indicates the presence of new messages with the notation
- Microsoft iSCSI Initiator issues related to listing targets on 64bit Windows platforms have been resolved.
F-Response 3.09.05 contains the following new features and enhancements to the Consultant and Enterprise Edition:
- F-Response is now a Microsoft Winqual validated and approved Windows 7 Compatible Application.
- F-Response provides additional support for the following platforms: HP Unix (HP_UX11iv2, HP_UX11iv3) on Itanium; FreeBSD 7 on Intel i386.
- F-Response now addresses the "Unable to logoff of disk" issue in Windows Vista, 2008 and Windows 7, both 32 and 64bit.
F-Response 3.09.04 contains multiple enhancements and bug fixes for all versions of F-Response, including:
Changes affecting all versions:
- Passive Hibernation/Suspend prevention: F-Response (FK, CE, EE) when running under Windows will prevent the passive hibernation/suspend of the MUI. Active suspend/hibernation actions such as closing the laptop screen, etc. will still be performed.
Changes affecting F-Response Consultant Edition (Windows):
- F-Response Consultant Connector now provides a Clear Messages option that removes all text from the Messages Panel.
- F-Response Consultant Edition f response ce exe now h
133. tion of using the Flexdisk API is available in the Flexdisk API document available on the Downloads page of the F-Response Website.
REST or Representational State Transfer is a web services development model that uses simple HTTP verbs such as GET and POST.
8 JSON or Javascript Object Notation is a data formatting style considered smaller and easier to manipulate when compared to XML.
Frequently Asked Questions
1. Can multiple initiators connect to a single F-Response target machine?
2. Do I change any data on the target computer by using F-Response?
3. I am connected via F-Response. I navigated to a file on the remote computer, hit delete, and it appears to be gone. Did I really delete the file?
4. I have a personal firewall running on my computers. Do I need to change firewall settings to use F-Response?
5. I have a remote user that accidentally deleted a file. Can I use F-Response to recover deleted files?
6. Q: Is the F-Response iSCSI connection encrypted?
7. Q: Does F-Response work as an agent?
8. Q: Can I deploy F-Response to Linux or Other Operating Systems (OS's)?
9. Q: When I attempt to deploy F-Response using the FEMC I cannot, even though I have valid credentials.
10. Q: I established an F-Response connection, tried to view the remote Documents and Settings folder, and received a message that I don't have permission to vie
134. tion streamlined.
F-Response 3.09 contains multiple enhancements and bug fixes for all versions of F-Response, including:
Changes affecting all versions:
- Logical Volume and Physical Memory (32bit Windows Only) support: now F-Response locates and provides access to physical disks, logical volumes and physical memory.
- Automatic Firewall exceptions (Windows Firewall Only): F-Response now creates and removes firewall exceptions automatically.
- New platform support: Linux (glibc > 2.3.5) and Apple OSX (10.4, 10.5).
Changes affecting F-Response Consultant Edition:
- Newly released F-Response Consultant Connector streamlines the process of connecting and disconnecting from remote F-Response Consultant Edition clients.
- Newly released F-Response License Manager Monitor Service replaces the NetUniKey server. Provides a more streamlined interface and improved platform support options.
Changes affecting F-Response Enterprise Edition:
- Newly released F-Response Enterprise Management Console streamlines the complete lifecycle of F-Response Enterprise: deploy, connect, disconnect and remove F-Response Enterprise clients from a single interface.
- Newly released F-Response License Manager Monitor Service replaces the NetUnikey server. Provides a more streamlined interface and improved platform support options.
Changes affecting F-Response Field Kit Editio
135. to a USB port of the computer on which you will be running the F-Response License Manager Service, and then execute the F-Response LM Server on this computer.
Step 2:
- Start the remote F-Response Enterprise Service, which has been installed and configured on the Target computer. See Appendix A for details regarding the command line options for installing, uninstalling and configuring F-Response Enterprise on each target machine.
- Once an F-Response Enterprise Edition target has been successfully validated, the F-Response Enterprise Management Console Active Clients Tab will show the remote client's IP address, Machine name and Platform, as shown below. Clients listed under the Active Clients tab are available for F-Response connections using the F-Response FEMC, Accelerator or iSCSI Initiator.
[Screenshot: F-Response Enterprise Management Console Active Clients Tab, listing one active client at IP Address 192.168.1.210, Platform Windows 2008 Vista]
To examine multiple targets, simply start the remote F-Response Enterprise Service on each Target. To see the available targets on the remote computer, select the IP address in the Active Clients panel and use the context menu option Issue Discovery Request
136. to test the credentials against HP Public Cloud Files. If the credentials are valid you can then use the Add button to Add the credentials to your stack of available credentials; lastly, press Save to store the credentials on the examiner machine in an encrypted repository.
Dropbox Credentials
Dropbox uses the web standard OAUTH for providing application access to accounts. With OAUTH the application user, in this case the F-Response Cloud Connector user, does not have knowledge of the Dropbox username or password. Therefore, in order to connect to Dropbox using the Cloud Connector, the Dropbox user must expressly approve access. The following dialog and details further illustrate this process.
[Screenshot: Dropbox Credentials dialog with Request Token, Validate Access and Verifier (Optional) fields. Caption: Configure Dropbox Credentials]
The first step is to generate a token for requesting credentialed access. An examiner may accomplish this by pressing on the Generate button. Upon indication of a successful Token generation, the examiner must now get the user to Authorize the newly generated Token. This can be accomplished in one of two ways. Either open the URL directly using Open URL (in this case the examiner will need the username and password, as they will be approving access on the account holder
137. tom Scan: Opens a dialog for inputting a comma delineated listing of either computer names or IP addresses (or both) to scan to detect F-Response Enterprise installations and/or potential targets.
- Deployment
  - Install Start F-Response: Installs and then automatically starts F-Response Enterprise on the selected computer(s).
  - Stop Remove F-Response: Stops then removes F-Response Enterprise from the selected computer(s).
  - Install F-Response: Installs F-Response Enterprise on the selected computer(s).
  - Uninstall F-Response: Uninstalls F-Response Enterprise from the selected computer(s).
  - Start F-Response: Starts F-Response Enterprise on the selected computer(s).
  - Stop F-Response: Stops F-Response Enterprise on the selected computer(s).
  - Issue Discovery Request: Issues an iSCSI Discovery request against the selected computer(s) or Active Client(s).
  - Open F-Response Flexdisk: Opens the default web browser to connect to the selected computer on the Flexdisk configured port (HTTPS).
- Connect
  - Discovery F-Response Disks: Opens a dialog providing iSCSI Discovery request capability by IP Address.
  - Login to F-Response Disk: Initiates an iSCSI login on the selected F-Response Enterprise Target.
  - Logout of F-Response Disk: Initiates an iSCSI logout on the selected F-Response Enterprise Target.
  - Remove F-Response Disk: Deletes F-Response Target entries for the selected machine from the Connect Tab.
138. torage credentials are saved, unlike the F-Response Enterprise Management Console deployment credentials.
Scanning for Cloud Storage Targets
Use the Scan menu to enumerate cloud storage containers (buckets) by service.
[Screenshot: F-Response Cloud Storage Connector. Caption: Cloud Connector scan results]
Connecting to Cloud Storage Targets
You can connect to a storage target by selecting the target, right clicking to open the context menu and selecting Login to F-Response Cloud Storage Volume. The newly attached volume will be assigned a drive letter and is now accessible via Windows Explorer.
[Screenshot: F-Response Cloud Storage Connector. Caption: Logged in Cloud Storage target assigned the E drive letter]
Disconnecting from Cloud Storage Targets
You can disconnect from a storage target by selecti
139. un
  - Host IP Address: This is a drop down listing of the IP addresses configured on this local Target machine. If there are multiple addresses present, you should select the one most readily accessible, as this will be the address you connect to from your remote analysis machine via the Initiator.
- Remote Configuration
  - TCP Port: This is the TCP port your remote or Initiator computer will use to connect to the local machine. The iSCSI default is 3260; however, you may assign another available TCP port if desired.
  - Username: The iSCSI protocol requires a username for the remote Initiator computer connection. The username selected must be one or more characters in length. This username will be used on the remote Initiator computer to access the local or Target machine's hard drives.
  - Password: The iSCSI protocol requires a password for the remote Initiator computer connection. The password selected must be 12 or more characters in length. This password will be used on the remote Initiator computer to access the local or Target machine's hard drives.
- Version
  - This is the version of F-Response Consultant Edition target code that you are using, in this case Version 4.00.01.
Appendix D: Overview of the F-Response Field Kit User Interface
This appen
140. ure usages. In many cases you may only need to enter this information once. Please refer to the guidelines below for configuring the FEMC Deployment Options.
[Screenshot: Deployment Options Configure dialog. Caption: F-Response Enterprise Management Console Deployment Options Configuration Panel]
- F-Response Configuration
  - Validation Configuration
    - IP Addr: Configures the IP Address of the F-Response LM Service.
    - TCP Port: Configures the TCP Port of the F-Response LM Service.
  - Host Configuration
    - Encryption: Check to enable AES 256bit Encryption for the F-Response Disk connection.
    - Physical Memory: Check to enable Physical Memory access on the remote F-Response Target. Supports Windows clients only.
    - Flexdisk Port Checkbox
6 Only supported on analyst machi
141. vice
[Caption: F-Response License Manager Monitor console Main Window]
The representation above shows a running F-Response License Manager Monitor. Details of the information in the Network tab fields are as follows:
- License Manager Configuration
  - IP Address: Local machine IP address currently listening for incoming F-Response Enterprise/Consultant Edition License Validation requests.
  - TCP Port: Local machine TCP port currently listening for incoming F-Response Enterprise/Consultant Edition License Validation requests.
- Operation
  - Install: Installs the License Manager Service executable.
  - Start: Starts the License Manager Server.
  - Stop: Stops the License Manager Server.
  - Uninstall: Uninstalls the License Manager Service executable.
Installing and starting the F-Response License Manager
Before you can begin using F-Response Enterprise and Consultant Edition you must install and start the F-Response License Manager service. Double click on the F-Response License Manager Monitor icon in the System Tray to bring up the License Manager console.
[Screenshot: F-Response License Manager Monitor]
142. w that folder. Why don't I have access?
11. Q: What port does the F-Response EMC management console use to deploy and manage the F-Response Service?
12. Where does the F-Response EMC management console install or place the F-Response Enterprise executable and configuration file?
13. Q: What port does the F-Response EMC management console use to deploy and manage the F-Response Service?

1. Q: Can multiple initiators connect to a single F-Response target machine?
A: While the F-Response target code is running, any iSCSI initiator with access to the listening port can connect to the machine, provided of course that the proper authentication credentials are provided.
2. Q: Do I change any data on the target computer by using F-Response?
A: Once the F-Response Target code is executed and the network connection is established, the practitioner conducting the analysis cannot edit or alter data on the machine under inspection via the F-Response connection. Executing or starting the F-Response service does of course effect some change to the target computer, but the changes are about as minimal as they can be for analysis that is being conducted on a live machine.
3. Q: I am connected via F-Response. I navigated to a file on the remote computer, hit delete, and it appears to be gone. Did I really delete the file?
A: No, you didn't delete the file. You cannot delete files, alter Meta data or effect any other changes on the machine un
143. with the -c <path to fresponse.ini> option, provided the path points to a valid fresponse.ini file. See the F-Response Consultant Connector autoconfigure option to generate a valid fresponse.ini. The F-Response Enterprise Edition for Linux, Apple OS X, HP_UX, AIX, Sun Solaris, and FreeBSD is installed and available in the C:\Program Files\F-Response\F-Response Enterprise Edition folder. The executable name will indicate which version is appropriate for your target platform:
- F-Response Enterprise Edition for Linux: f-response-ce-e-lin
- F-Response Enterprise Edition for Apple OSX 10.3, 10.4, 10.5 (Intel & PPC): f-response-ce-e-OSX
- F-Response Enterprise Edition for Sun Solaris: f-response-ce-e-sun
- F-Response Enterprise Edition for IBM AIX (Power): f-response-ce-e-aix-p5
- F-Response Enterprise Edition for HP Unix: f-response-ce-e-hpux
- F-Response Enterprise Edition for FreeBSD: f-response-ce-e-fbsd
- F-Response Enterprise Edition for SCO Unix: f-response-ce-e-sco
Example Usage
Scenario 1: F-Response License Manager Server on 192.168.1.6, Port 5681
    sudo f-response-ce-e-lin -S 192.168.1.6 -P 5681 -u mshannon -p mshannon123456 -i 3260
Scenario 2: F-Response Autoconfigure file (fresponse.ini) created using F-Response Consultant Connector
    sudo f-response-ce-e-lin -c fresponse.ini
Scenario
144. y are used. The following terms shall have the following meanings:
1.1 "Agile Software" or "Software" means any and all versions of Agile's F-Response software.
1.2 "Customer" means the person or entity identified on the invoice and only such person or entity. Customer shall not mean any assigns, heirs, or related persons or entities, or claimed third-party beneficiaries of the Customer.
1.3 "Documentation" means Agile release notes or other similar instructions in hard copy or machine-readable form supplied by Agile to Customer that describes the functionality of the Agile Software.
1.4 "License Term" means the term of the applicable license as specified on an invoice or as set forth in this Agreement.
2. Grant of Software License
2.1 Enterprise License. Subject to the terms and conditions of this Agreement only, Agile grants Customer a non-exclusive, non-transferable license to install the Agile Software and to use the Agile Software during the License Term in object code form only.
2.2 Third Party Software. Customer acknowledges that the Agile Software may include or require the use of software programs created by third parties, and the Customer acknowledges that its use of such third-party software programs shall be governed exclusively by the third party's applicable license agreement.
3. Software License Restrictions
3.1 No Reverse Engineering; Other Restrictions. Customer shall not directly or ind
145. y key, copy the following information into Notepad:
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
    "LocalAccountTokenFilterPolicy"=dword:00000001
Save this file as LocalAccountTokenFilterPolicy.reg and then copy it to your target machine. Double-click this file on the target machine to populate the registry with this key. To remove, follow the same steps as above, this time with the following information:
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
    "LocalAccountTokenFilterPolicy"=dword:00000000
Q: I established an F-Response connection, tried to view the remote Documents and Settings folder, and received a message that I don't have permission to view that folder. Why don't I have access?
A: You have the access with the right tools. You probably used Windows Explorer or an equivalent tool that is subject to the file permission settings for those folders. If you use a forensics tool that can take advantage of your raw drive access, then you won't have this issue.
Q: What port does the F-Response EMC management console use to deploy and manage the F-Response Service?
A: The F-Response EMC uses Microsoft File and Printer Sharing services for remote administration and deployment (TCP Port 445).
Q: Where does the F-Response EMC management console install or place the F-Response Enterprise executable and configuration file?
A: The F-Response EMC places th
146. ysical Disk on your analysis workstation. You can connect to additional targets, if desired, using the same process.
[Screenshot: Local Disk properties dialog]
As noted earlier, the remote Physical Disk has been attached by the iSCSI Initiator and operating system, which in this instance is presented as Local Disk H. This drive is also accessible as a raw Physical Disk using any Computer Forensics or eDiscovery application. You can use Device Manager to verify that the remote devices appear as local physical disks.
F-Response Field Kit Edition: Disconnecting from an F-Response Target
When you are finished reviewing the disk, close all open disk access programs (e.g. folders open, software reviewing the disk, etc.). Select the connected target from the iSCSI Initiator console and select Details. Check the box for Identifier and select Log off.
[Screenshot: Target Properties dialog, Sessions tab]
