Blog Series: Using F-Response In Enterprise Investigations
This month, Jamie McQuaid, a Forensics Consultant at Magnet Forensics, looked at how F-Response and Magnet AXIOM can be used together to recover data remotely in enterprise investigations.
In this three-part series, Jamie discusses how to establish a read-only, secure connection to a remote host allowing examiners to acquire or analyze physical disks and volatile data. The series uses Magnet AXIOM as an example of a tools that can be used to recover and examine the data, but as F-Response is tool-agnostic, any tool could conceivably be used.
In the first post, Jamie walks through set up and acquisition methods using F-Response Enterprise to connect to a remote machine and analyze the contents. (Read the full post here: Using F-Response and Magnet AXIOM to Conduct Enterprise Investigations.)
In the second post, Using F-Response and Magnet AXIOM: Use Case 1 – Targeted Acquisition, Jamie discusses a specific use case. He says the bottleneck for a proper investigation on a remote host is the network – especially to retrieve a full physical disk image. Luckily, that’s not usually necessary – a targeted acquisition will help save time in acquisition and analysis.
In the third blog post, Jamie walks through another option for recovery and analysis that can save examiners time – previewing without retrieving artifacts. This method has minimal impact to the system or the user and can be facilitated using F-Response and AXIOM together. Read more here: Using F-Response and Magnet AXIOM: Use Case 2 – Preview No Artifacts.