Bashing the competition....FAIL!!
A letter went out recently from someone at Guidance Software that...well...misrepresented some facts about the F-Response product. I understand that this is how some folks believe that business is done, and that's...well...sad. I'm not going to bash Guidance or their products; instead, I think that as someone who greatly appreciates the work that Matt has done, it is important to clear up some of the misrepresentations put forth in that letter, as some are a bit off, while others are just blatantly wrong.
The letter starts off with: F-Response is a utility that simply allows users to acquire the contents of remote computers and devices, but without any type of security framework, data analysis or forensic preservation capabilities.
F-Response is a tool-agnostic means that facilitates acquisition of data...Matt never intended for it to provide acquisition, analysis or forensic preservation capabilities. There are already enough bloated applications out there, why add another one? Why not instead simply provide a sound framework that allows you to do what you need to do? And don't get hung up on the term "sound"...if you're not willing to look into it for yourself, please don't argue the point.
Going on this way throughout the rest of the letter, point for point, would be obnoxious and boring. Instead, I'll illustrate some of the other major points brought up in the letter that include (but are not limited to):
Acquisition validation issues: Acquiring data using a new transfer method introduces an unknown into the acquisition that needs to be vetted by the industry and in the courts - How is new a bad thing? Of course things need to be vetted...EnCase needed to be vetted at one point. I'm not entirely sure I see the point to this "issue".
No logging capabilities - Of course F-Response doesn't have logging capabilities...that's not what it was designed for. This is like complaining that the hammer you brought can't be used to tighten or loosen bolts.
No end node processing - Again, F-Response wasn't designed to be yet another version of available tools; rather it was designed to give greater capabilities to those already possessing a number of the available tools; just watch the videos that are freely available.
Limited Volatile Data Collection - F-Response provides full access to physical memory, exposing it as a physical drive on the analyst's system. Mandiant's Memoryze is capable of directly accessing that physical drive. The contents of physical memory can also be acquired in raw (i.e., "dd style") format and immediately imported into HBGary's Responder product with no conversion.
No Solaris, Mac, Linux, AIX, Novell: The solution is Windows only - F-Response currently supports Linux and Apple OSX 10.4, 10.5, with more coming. Characterizing F-Response as "Windows only" is blatantly incorrect.
Invasive compared to servlet - What is "invasive"? F-Response Enterprise is only 70k. You're kidding, right?
Agent deployment is manual - See the F-Response Enterprise Management Console. It's easier for me to deploy F-Response EE to a dozen systems than it is for me to answer an email on my Blackberry.
No Encryption - F-Response can support Microsoft IPSEC, and F-Response can be run over VPNs.
No compression - F-Response end points can be moved closer to the source machine, effectively reducing the need for compression. Also, compression is CPU-intensive, and wait a second, didn't the author of the letter just mention something about invasiveness??
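Since F-Response simply exposes the remote disk or memory as a local physical drive, the logging and preservation the letter asks about come from whatever tool the analyst points at that drive. As an added example (not F-Response code, and not from the original post), here is a minimal "dd style" acquisition that hashes the stream while reading, re-hashes the written image, and appends a JSON audit entry; the device path is a hypothetical placeholder.

```python
"""Added example: 'dd style' acquisition of an F-Response-exposed drive with
SHA-256 verification and an append-only JSON log. Not part of F-Response;
the device path used under __main__ is a hypothetical placeholder.
"""
import hashlib
import json
import time

CHUNK = 1024 * 1024  # 1 MiB read size, as dd would use with bs=1M


def acquire(source, dest, log_path, chunk=CHUNK):
    """Copy `source` to `dest` in chunks, hash the stream as it is read,
    re-hash the written image, and append a JSON log entry. Returns the entry."""
    src_hash = hashlib.sha256()
    started = time.time()
    copied = 0
    with open(source, "rb") as src, open(dest, "wb") as dst:
        while True:
            buf = src.read(chunk)
            if not buf:
                break
            src_hash.update(buf)
            dst.write(buf)
            copied += len(buf)
    # Verify the image on disk independently of the in-flight hash.
    img_hash = hashlib.sha256()
    with open(dest, "rb") as img:
        for buf in iter(lambda: img.read(chunk), b""):
            img_hash.update(buf)
    entry = {
        "source": source,
        "image": dest,
        "bytes": copied,
        "sha256_source": src_hash.hexdigest(),
        "sha256_image": img_hash.hexdigest(),
        "verified": src_hash.hexdigest() == img_hash.hexdigest(),
        "started": started,
        "finished": time.time(),
    }
    with open(log_path, "a") as log:
        log.write(json.dumps(entry) + "\n")
    return entry


if __name__ == "__main__":
    # Hypothetical path of the drive F-Response exposed on the analyst box.
    print(acquire("/dev/sdb", "case01-disk.dd", "case01-acquisition.log"))
```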
All in all, the letter really goes a long way toward misrepresenting F-Response. Don't get me wrong...neither Matt nor F-Response need defending from me. Both are fully capable of standing on their own without any help from me. But when I see a misrepresentation as blatant as this, I really feel that it would be a disservice for this to go on without at least saying something.
Regardless of my opinions in the matter, I'll leave it to anyone reading this to choose for themselves.
Addendum: Looks like this post got picked up here (in Poland) and by Moyix, as well. Moyix raises some excellent points about the FUD surrounding Volatility...