You never forget your first time. Using F-Response before it was F-Response

Jul 09, 2024

This year has been quite a trip down memory lane. I've had an opportunity to explore some of the ancient hardware I'd worked so hard to get F-Response on, and reminisce about what it was like to disrupt the world of remote forensics in the early 2000s.

What I haven't talked about was the very first time I used F-Response, or rather, what would become F-Response, in a client engagement.

It was nothing short of unforgettable.

Photo by Scott Rodgerson on Unsplash

As those who have worked in the field long enough can attest, there's nothing quite like an information security incident at a client site. The air is electric. Heads are on fire. Everything screams panic. It's nothing short of harrowing to get dropped into a situation like that and go piece together what happened, what might still be happening, and what the hell to do about it.

This was long before cloud servers and virtual machines. This was back when small firms had on-site server rooms, not everyone could get their hands on rackmounted computers, and functionally artistic ethernet wiring was yet to be conceived.

This was wires, tower computers, RAID arrays, and insanity.

I remember grabbing my laptop and setting up in the corner of the server room, pushing some boxes together and creating a makeshift command center, then looking at the overall challenge.

At the time, we knew the client had a server that might have been compromised. What we didn't know was how, the extent, whether other machines were infected, etc. What's worse, the client expressed no interest in downing the machine for me to get access to those hard drives.

This may not sound like a big deal in 2024, but back then, computer forensics (with the exception of a couple of very expensive enterprise products not accessible to consultants) was offline. We used hardware write blockers and attached disks. In this case, I'd have had to start reassembling a physical RAID array, or reboot the machine with a boot CD.

As luck would have it, the machine had a CDROM, but there was no tolerance for rebooting.

So, what did I do?

I tried something new, something I'd been working on in between client projects.

I tried what would become F-Response.

It didn't really have a name at the time, and didn't remotely resemble the polished products we offer today, but the soul of our remote forensics solution was there.

It took me a little finagling to get the commandline software running on the potentially infected server, then a little more elbow grease to get my laptop connected to it.

Still, while I'd done this with plenty of single disk machines in a test lab, it was nothing short of amazing to see my software work under fire and give me a fully defined, live, read-only disk on my local laptop.

I'll admit. I was speechless.

Okay, so there weren't any people to high five in the server room, but I can promise you there was a goodly bit of fist pumping energy, and a lot of investigative work with all my favorite forensic tools.

Before long, I was able to get all the client's servers connected to my laptop and start running comparisons and extracting artifacts.

It was a wildly successful first use and would form the basis for many efforts to come.

That was the day my pet project and passion took its first steps into a brave new world and F-Response started in earnest.

It's funny now to look back on it, and to think about all the different consultants and investigators we've helped along the way.

Thank you for believing in us, and in one man's far out idea.

Happy Forensicating!

Matt