F-Response Enterprise Edition v188.8.131.52.06
Strengths: Very compatible, stable and fast tool for remote forensics
Weaknesses: Interface could be more intuitive
Verdict: A powerful program that allows you to map drives over networks for forensic analysis
F-Response Enterprise Edition is a live forensics tool that is used to map storage devices (hard drives, memory, etc) for easy access by other forensics products.
We tested the Windows version but numerous other operating systems are supported, including Mac OS X and many distributions of Linux. Support for Solaris, FreeBSD and some other *nix-based operating systems is available in the Consultant and Enterprise editions.
This tool works by installing an agent on the target machine to allow access to it. It requires a password to be set for the agent in order to prevent misuse. The interface has a stripped down look to it and is not as intuitive as it could be, but it gets the job done.
There are not many steps you have to go through to map the network drive, although you may need to adjust some things on the subject machine, depending on its operating system and network settings. We tested the product across a number of machines and had some trouble connecting to those running Windows XP and newer, but the friendly and professional support team helped us solve the problem so that we were up and running in no time.
F-Response has a slight learning curve to it, but it becomes very simple to use once you become used to it. Once connected, we found the mapped drives to behave as if they were directly connected to the local machine, with the added benefit of write blocking.
F-Response creates an ideal environment for the investigator to use with other forensics solution, such as data recovery, imaging or eDiscovery tools.
We had no problems mapping a drive with F-Response then running one of our general purpose computer forensics tools to explore it and take an image of it. What impressed us the most was the speed at which we were able to transfer and access files. It felt more like a local drive than one mapped over the network.
This is a very straightforward product that can turn a normal forensics tool into a live forensic one.