F-Response TACTICAL is one of the offerings from a company that is making it much easier to examine multiple platforms. With TACTICAL, the philosophy is an extremely light footprint on a live, running "subject" combined with maximum capability. Every F-Response tool delivers its value over a network connection; specifically, TACTICAL lets an examiner machine establish a secure, read-only connection to a subject machine and then gives it full access to the physical media attached to that subject. Let's take a closer look at how easy this is to set up, and how powerful the feature set is for any examiner. A 24-page PDF manual ships with the software. I never found a need for it. It simply works.
First, the F-Response TACTICAL kit comes with two USB flash drives, one labeled "Subject" and one labeled "Examiner". The "Subject" USB flash drive contains the important files shown below:

F-Response TACTICAL “Subject”
Plug the "Subject" USB flash drive into the computer or server to be examined and launch the appropriate executable for that platform. This is the only time an analyst needs to touch the machine under examination (with the exception of gathering its network information if "Auto-Connect" does not function). Once the executable is running, the analyst can step away and conduct everything else from the examination workstation.
At the "Examiner" workstation, the other USB flash drive is inserted into a Windows-based computer. The Examiner executable is launched and presents a screen with Auto and Manual connect options. I chose manual connect to my Macintosh, entered its IP address, and the connection was established as seen here.

F-Response TACTICAL Examiner connected to a Macintosh
On the Macintosh that is my subject, I have the following physical disks:
- disk0 - boot drive
- disk1 - MobileMe locally synced
- disk2 - F-Response TACTICAL Subject USB Flash drive
This was great information! I could actually take a look at the MobileMe disk of this Mac, something normally found “in the cloud”. This is available because of the option I had turned on in my System Preferences on my Mac to sync the MobileMe disk. I next chose to connect to “disk0”. The screen capture below is what Windows presented to me immediately upon connection:

Windows 7 message after connecting to a Mac HFS+ volume
Don't be alarmed, even if you clicked "Format disk" by accident: all F-Response products are read-only. They do present the disk to Windows as if it were writable, however, which is why Windows offers to format or initialize what it sees. Nothing written is sent to the Subject, but be aware of this as you work. I clicked Cancel and moved on. To look at Macintosh HFS+ data, I needed a tool that understands that file system. AccessData provides a full line of products in its Ultimate Toolkit v3; I used FTK Imager for this task. Once FTK Imager was launched, this is what I saw:

FTK Imager looking at Macintosh HFS+ physical drive over an F-Response TACTICAL Connection
As seen above, this is the entire physical layout of my boot drive. Because I was connected over Gigabit Ethernet, browsing this Mac was extremely fast. I also have the ability to begin an acquisition of this drive or to copy individual files, just as if the disk were connected locally behind any other write-blocking method. I tested the same connection over 802.11g and it worked just as well. I did not test imaging over wireless, but I would certainly expect speeds to be 1/4 to 1/3 as fast.
After looking at the above scenario, other thoughts came to mind for uses of F-Response TACTICAL.
- This tool is an excellent way to gather data from a Subject that has encryption enabled! While a BitLocker volume is unlocked or a FileVault volume is decrypted because a user is logged in, an analyst can take advantage of that window and acquire data in a forensically sound manner with the usual laboratory tools. The window closes as soon as the user logs out or the machine reboots, so the live connection should be made while the session is still active.
- With the Subject USB flash drive in a hidden place and the "Subject" executable running under a renamed, less conspicuous name, this tool could easily be used for a prolonged period of live forensics on a target. Also, it is possible to place the subject executable directly on the target itself with no need for the USB flash device at all. (Update - The USB flash device does need to remain connected to the Subject. However, you can be very clever about how you make that connection so that it remains stealthy.) With documented procedures and acceptable techniques, this tool can easily become a low-cost mechanism for multi-platform live forensics.
- Internet vs. Intranet - can it be done? The short answer is yes. The tool uses TCP/IP as its connection mechanism, so you will certainly have the easiest connection and configuration on a local network. If, however, you dare try the Internet route, you will need "a way in" on the Subject side. Firewalls, routers, tunnels, forwarders, etc., can all be your foe when attempting this method. Once everything is in place and you can make a connection to exactly the Subject machine you want, it all works, with one caveat: the Internet is slow. You should expect to browse a Subject and copy a few files or folders at best. This is not the desirable imaging method. Can it be done? Certainly! With much patience and a solid connection on both ends, it will complete.
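One concrete "way in" for the Internet scenario above, as an added example that is not part of the original review and not F-Response's own tooling: an SSH relay that carries the TACTICAL connection without exposing the Subject's listening port to the Internet. It assumes a relay host reachable from both ends with SSH access, and it assumes you know the Subject's TACTICAL listening port from the manual (left as a placeholder here, since the review does not state it). The Subject publishes its port on the relay's loopback with a reverse forward, the examiner pulls that loopback port down with a local forward, and the TACTICAL Examiner is then pointed at 127.0.0.1 using the manual connect option; auto-connect depends on the local network and will not find a tunneled Subject.

```shell
#!/usr/bin/env bash
# Added example (not from the F-Response page or F-Response documentation).
# Assumptions: a relay host reachable over the Internet from both the Subject
# and the Examiner, SSH access on it, and the Subject's TACTICAL listening
# port, which you take from the manual (placeholder below).

SUBJECT_PORT="${SUBJECT_PORT:-<tactical-port-from-manual>}"   # assumption: fill in from the manual
LOCAL_PORT="${LOCAL_PORT:-9000}"                               # any free port on the examiner workstation

# Subject side (behind NAT or a firewall): bind the TACTICAL port on the
# relay's loopback only, so nothing but the SSH session is reachable from outside.
subject_reverse_cmd() {
  local relay_user_host=$1 relay_port=$2
  printf 'ssh -N -o ExitOnForwardFailure=yes -R 127.0.0.1:%s:127.0.0.1:%s %s\n' \
    "$relay_port" "$SUBJECT_PORT" "$relay_user_host"
}

# Examiner side: pull the relay's loopback port down to the examiner workstation.
# The TACTICAL Examiner then manual-connects to 127.0.0.1:LOCAL_PORT.
examiner_forward_cmd() {
  local relay_user_host=$1 relay_port=$2
  printf 'ssh -N -o ExitOnForwardFailure=yes -L 127.0.0.1:%s:127.0.0.1:%s %s\n' \
    "$LOCAL_PORT" "$relay_port" "$relay_user_host"
}

# Reachability check to run before launching the Examiner: returns 0 if
# something accepts a TCP connection on host:port within 3 seconds, 1 otherwise.
port_open() {
  local host=$1 port=$2
  timeout 3 bash -c "exec 3<>/dev/tcp/$host/$port" 2>/dev/null
}

# Typical use (relay port 3261 is an arbitrary choice for the relay's loopback):
#   on the Subject:   eval "$(subject_reverse_cmd ops@relay.example 3261)"
#   on the Examiner:  eval "$(examiner_forward_cmd ops@relay.example 3261)"
#   then:             port_open 127.0.0.1 "$LOCAL_PORT" && echo "tunnel up"
```

On the Windows examiner workstation the same `-L` forward is done with the Windows OpenSSH client or PuTTY's `plink`, which accepts the same `-L` syntax. `ExitOnForwardFailure=yes` makes each `ssh` fail loudly if the port is already taken rather than silently giving you a session with no tunnel, which is the usual cause of an Examiner that "cannot connect".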
In summary, F-Response TACTICAL is a straightforward, easy-to-use tool that extends your ability to look at subject computers or servers in a forensically sound manner. You will be able to acquire data that might otherwise have been unavailable. Lastly, this tool leaves about the lightest possible "footprint" on the Subject, which is exactly what you want in any investigation.