"From the first time that Matt talked to me about F-Response, I knew that this product was going to revolutionize incident response! As I've worked with the various versions of F-Response and seen them grow the tool and add pertinent functionality (access to PhysicalMemory, the FEMC, etc.), I've been amazed and astounded by their ability to grasp the necessary requirements so essential for responders. Whether you're a consultant or an internal responder to an organization, F-Response EE is the MUST HAVE tool of 2009! The only thing better than F-Response is their tech support responsiveness!"
Harlan Carvey, Terremark, Author of WFA 2/e - windowsir.blogspot.com
Physical Memory 2.04 Beta Now Available

Quick update: we've put up the newest version of F-Response, 2.04 Beta, on the Downloads page. Read on for more details...

 

Special thanks go out to Gordon Mitchell PhD (eSleuth.com). Gordon was instrumental in helping us develop a much cleaner GUI presentation of Physical Memory, as well as clearing up some typical usage scenarios for Windows Vista Home Premium edition. Thanks Gordon, much appreciated!

f-response-fk2.04.jpg

Thanks to Gordon's advice, we've adjusted the Physical Memory UI to indicate "Enabled" or "Disabled". As you would imagine, selecting Enabled and pressing Start will result in Physical Memory being presented. Conversely, selecting Disabled and pressing Start will result in Physical Memory not being presented.

Next, let me take a minute to show you what physical memory looks like. 

mmc_snapinsnapshot.jpg

Since in the world of F-Response all remote data is presented as a disk, Physical Memory on the remote machine is therefore also presented as a disk. When Physical Memory has been enabled on the F-Response console or command line, the disk representing physical memory will be displayed as the last disk in the series during iSCSI discovery.

In addition, since Windows has no native file system drivers for Physical Memory (hint: this would be a very interesting complementary tool!), you will have to open the newly attached physical disk using any computer forensic application. At that point you can perform analysis or acquire an image.

The above screen capture shows what happens when you review the Windows Disk Management Console after attaching to a remote computer's physical memory using F-Response. As you can see, Windows is unable to interpret the file structure of the disk and indicates it is un-initialized and of an Unknown type.
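The acquisition step described above, sketched as an added example that is not F-Response code: a read-only, chunked copy of a raw disk to an image file with a SHA-256 computed as the data is read. The function names, the 512-byte sector size and the stand-in file are assumptions; on Windows the attached disk would be opened by its raw device path (`\\.\PhysicalDriveN`, with N taken from Disk Management).

```python
import hashlib
import os
import tempfile

SECTOR = 512                 # assumed sector size; raw device reads must be sector multiples
CHUNK = 2048 * SECTOR        # 1 MiB per read

def acquire_raw(source, dest, chunk=CHUNK):
    """Copy a raw disk device (or file) to dest; return (bytes_copied, sha256_hex).

    The hash is computed over the bytes as they are read, because a live
    physical-memory source will not read back identically a second time.
    """
    if chunk % SECTOR:
        raise ValueError("chunk must be a multiple of the sector size")
    digest = hashlib.sha256()
    copied = 0
    # "rb" never writes to the source; buffering=0 reads straight from the device.
    # "xb" refuses to overwrite an existing image file.
    with open(source, "rb", buffering=0) as src, open(dest, "xb") as out:
        while True:
            block = src.read(chunk)
            if not block:            # end of device
                break
            out.write(block)
            digest.update(block)
            copied += len(block)
    return copied, digest.hexdigest()

def verify_image(dest, expected_sha256, chunk=CHUNK):
    """Re-hash the written image and compare it with the acquisition hash."""
    digest = hashlib.sha256()
    with open(dest, "rb") as img:
        for block in iter(lambda: img.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest() == expected_sha256

def demo():
    """Run against a constructed 3-sector stand-in file instead of a real device."""
    workdir = tempfile.mkdtemp()
    fake_disk = os.path.join(workdir, "fake_memory_disk.bin")   # constructed sample
    image = os.path.join(workdir, "memory.img")
    with open(fake_disk, "wb") as f:
        f.write(b"\x00" * SECTOR + b"MEM!" * (SECTOR // 4) + b"\xff" * SECTOR)
    copied, sha = acquire_raw(fake_disk, image, chunk=2 * SECTOR)
    return copied, sha, verify_image(image, sha)

if __name__ == "__main__":
    print(demo())
```

Verification compares the image against the hash taken during acquisition, not against a second read of the source.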

Thanks, and if you are interested in trying out F-Response 2.04 Beta, remember that the newest F-Response 2.04 Physical Memory Betas are available on the Downloads page and are usable by all registered customers (including valid Demo License Dongle holders).

Warmest Regards,

M. Shannon, Founder

F-Response

November 10, 2008

 
