F-Response Enterprise Edition v220.127.116.11.06
Strengths: A very compatible, stable and fast tool for remote forensics.
Weaknesses: Interface could be more intuitive.
Verdict: A powerful program that allows admins to map drives over networks for forensic analysis.
F-Response Enterprise Edition is a tool that you can use to help with some of those frustrating problems you may come across in the field. This is a live forensics tool that is used to map storage devices (hard drives, memory, and more) for easy access by other forensics tools. We tested the Windows version, but numerous other operating systems are supported, including Mac OS X and many distributions of Linux. Support for Solaris, FreeBSD and some other *nix-based operating systems is available in the consultant and enterprise editions.
This tool works by installing an agent on the target machine and thus allowing access. To prevent misuse, a password is needed for the agent. The interface has a stripped-down look. It's not as intuitive as it could be, but it gets the job done.
There are not many steps admins need to walk through to map the network drive, although users may need to adjust some things on the subject machine depending on its operating system and network settings. We tested the tool across a number of machines and had some trouble connecting to those running Windows XP and newer systems, but the friendly and professional support helped solve the problem so that we were up and running in no time.
F-Response has a slight learning curve to it, but once you're acclimated to the tool, it becomes very simple to use. We connected and found the mapped drives to behave as if they were directly connected to the local machine, with the added benefit of write blocking. F-Response creates an ideal environment for the investigator to use with other forensics tools, such as data recovery, imaging or e-discovery tools.
We had no problems mapping a drive with F-Response and then running one of our general purpose computer forensics tools to explore and take an image of it. What impressed us most was the speed at which we were able to transfer and access files. It felt more like a local drive than one mapped over the network.
This is a very straightforward product which can turn a normal forensics tool into a live forensic tool.