A Share is not a Drive, Why F-response doesn't see your Home Drive.

Apr 18, 2016

A question we frequently get is why F-Response doesn't present the "H" or "U" or whatever the user's "Home Drive" is.

Let's go over that briefly.

The "Home Drive" in a typical Windows network environment isn't a drive at all, it's actually a share. On Microsoft Windows these Resource or File shares are displayed in Windows Explorer with a drive icon, however technically speaking, they are not drives in the classical sense of the word.

When started, F-Response (All Versions) is actively inspecting each physical disk and logical partition to determine whether or not they can be displayed as a potential target to the examiner. What is F-Response looking for? Simply put F-Response is determining the size of the drive sectors and the number of sectors. This information is critically important in order to render an identically sized drive on the examiner machine.

Now that we know a little more about what is going on let's go back to the share for a moment. The share isn't actually a physical device, therefore it has no sectors, and as such no sector size.

F-Response therefore simply must move on to other physical devices on the Subject computer and cannot present to you the user's "Home Drive" or any share on the user's machine.

How do you collect that data?

Why, simply run F-Response on the server providing the network share directly. With F-Response there is often more than one way to solve the task at hand.

Good Luck!

Warmest Regards,

M. Shannon, Principal
F-Response