Stealth deployment of f-response Enterprise

In the last couple of days I have taken a few moments to familiarise myself with F-Response. The tool has been getting a lot of buzz lately amongst the forensic community, as it allows read-only raw access to the drives of remote computers, using one’s regular forensic toolset. Think encase enterprise at a lower price tag and open tool access.

For the more technical reader, it does this by setting up an iSCSI target on the remote (target, or suspects) computer.

The field kit and consultant edition of this tool require you to run a GUI agent on the target computer, which is not stealthy. The enterprise version of this tool however allows the agent to be run as a service.

Stealth Deployment
The supplied manual shows you how to install the enterprise agent using a combination of command line and GUI, but dosen’t go so far as to instruct how to do this remotely, via only the command line. This post is to document how I achieved this.

I note here that these instructions apply to a Windows Domain based setup, with firewall rules on workstations set to enable remote administration and file sharing from the investigation computer.

1. Open two windows command prompts. One is to be for work on the target machine and one on the investigation machine.

2. On the target machine command prompt, we first want to get a shell on the target computer, by using psexec, xcmd or other. I am logging in here as a user with Administrator priveleges:

C:Documents and Settingsbschatz>”c:Documents and SettingsbschatzDesktoptoolspsexec.exe” -u VINCENTSbschatz_admin \192.168.20.195 cmd

PsExec v1.94 – Execute processes remotely
Copyright (C) 2001-2008 Mark Russinovich
Sysinternals – www.sysinternals.com

Password:

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:WINDOWSsystem32>mkdir f-response

3. Then in the same window, we make a directory to put the f-response agent and configuration file in.

C:WINDOWSsystem32>cd f-response

C:WINDOWSsystem32f-response>

4. On the investigator machine command prompt, we now want to copy the f-response agent and configuration file (f-response-ent.exe and NetUniKey.ini) over to the target machine, and into the directory we just created. Look out for escaping of quotes here:

C:WINDOWSsystem32>runas /user:VINCENTSbschatz_admin “xcopy “c:Program Files (x86)F-ResponseF-Response Enterprise Edition”* \192.168.20.195c$windowssystem32f-response /e /s /v /y /i”

5. Back in the target machine command prompt, we (in order of commands below) first install the f-response agent as a service, start the service, and finally, assuming that your clients firewall rules prevent connection to the f-response iSCSI target, open the windows firewall on that port:

C:WINDOWSsystem32f-response>f-response-ent -c

C:WINDOWSsystem32f-response>net start “F-Response Enterprise Service”
The F-Response Enterprise Service service is starting.
The F-Response Enterprise Service service was started successfully.

C:WINDOWSsystem32f-response>netsh firewall set portopening protocol=TCP port=3260 name=iSCSI mode=ENABLE profile=DOMAIN
Ok.

6. At this point the regular connection to f-response may be performed.

When you are done
How to undo the above?

C:WINDOWSsystem32f-response>netsh firewall delete portopening protocol=TCP port=3260
Ok.

C:WINDOWSsystem32f-response>net stop “F-Response Enterprise Service”
The F-Response Enterprise Service service is stopping.
The F-Response Enterprise Service service was stopped successfully.

C:WINDOWSsystem32f-response>f-response-ent -d

C:WINDOWSsystem32f-response>del *.*

C:WINDOWSsystem32f-response>cd ..

C:WINDOWSsystem32>rmdir f-response