Don't get locked out! Locked files and remote cyber forensics with F-Response
Aug 12, 2025
We sometimes hear from people trying to collect remote data using traditional file sharing tools, and they typically have the same problem. They can use something like SMB/Windows File and Printer Sharing to access the remote machine over the network, but when they try to copy out the files that matter to them, they find they can't.

Windows on the remote machine says 'no.'
Why?
Most of the interesting files (Registry files, Event Logs, etc.) are locked by the operating system. To put it simply, Windows is maintaining those files and has zero interest in allowing you to read from them. They are owned and actively managed by a system-level process and, as such, are off limits.
That's not ideal. Typically, these files contain exactly the type of data you need to crack that case open or get a much better handle on what has happened. We'll leave the details of exactly how to investigate them to the people who specialize in that. Harlan Carvey has reams of information on the secrets hidden away in registry keys, and I suggest you check out his software, RegRipper, and his documentation for all that arcane lore.
We're just here to help you get to those files.
If you move away from something like SMB and traditional file sharing to pretty much any version of F-Response, you'll find you can access (copy, collect, analyze) all of those previously locked files.
Why?
F-Response serves up the disk/volume to you at a lower level than traditional file sharing. Once attached to a remote disk presented by F-Response, an investigator can use just about any forensic tool they want to pull previously locked files off and work with them. Even better, this does not impact the remote machine at all. F-Response does not change the state of those files, or the operating system's protections on them.
It really is the best of both worlds. You get the data you need; the remote machine gets to keep running happily along without any issues.
Don't get locked out when doing a remote cyber forensics collection. Get F-Response and get the data.
Thanks!
Warmest Regards,
M Shannon