We've been getting a few emails lately asking us for more information about F- Response.

Let me give you a great example of how we used F-Response in responding to a recent client incident.

We got a call that one of our client's eCommerce servers appeared to have been compromised. As is typical in these cases it's difficult to determine exactly what the issue is and the extent of the compromise without getting a good look at the hard drive contents.

Of course, the client was unwilling to shutdown the server. In addition, we needed to look at three (3) other servers on the same subnet, all of which must stay online. To top it off, they weren't keen on having consultants sitting in their data center installing or copying files to their servers.

So we handed the client's support engineers a copy of F-Response Consultant Edition , told them what information to insert into the GUI, and made sure our laptop had the F-Response License Key FOB and NetUniKey server running. Within a few minutes we were able to confirm each server was running F-Response via the NetUniKey Monitor.

After authenticating to each physical disk we were able to begin analysis.

Given an hour or two of timeline views, log investigation, and deleted content analysis we were able to determine which servers needed to come down and be "restored" and which ones were deemed to be malware free.

The client was pleased, we were pleased, and F-Response made it possible for us to fulfill the mission quickly and with minimal disruption to the client .

-M Shannon

Founder – F-Response

Friday, April 18, 2008