PyFr - A Python interface to F-Response
I needed a way to quickly grab a bunch of files from a system that already has the F-Response agent installed with WebAPI turned on. The web interface it provides is great, but when I need to quickly grab a bunch of files to process with log2timeline or other such tools, this saves time.
To install the F-Response Enterprise client, make sure you have a copy of the exe and ini handy. Also, make sure to edit the constants in the pyfr-install.py and frhost.py files so they point to the right place. You will also need a copy of psexec.exe in your path.
>>> python pyfr-install.py -a <ip address> -n <target hostname> -u <userid> -p <password>
At this point, usage is very simple. You supply an IP, user, and password. This tool and class will then return all files listed in the "Match" list.
>>> python pyfr-run.py -a <ip address> (-p <port>) -u userid -p <password>
PyFr will return the files under a subdirectory of "cases/<ip address>".
Python 2.7.3 on Windows is the only tested platform at this point. The most excellent Requests library is also used and can be installed via pip. Pysmb is also used and can be installed via pip.
- Download an entire directory (e.g. Prefetch)
- Download the CSV file that provides the metadata on the filesystem
- Reimplement the regex parsing of the previous version, but that requires downloading the entire filesystem list in a CSV file. Slooowwww...
- Code to push and install your customized F-Response MSI (Windows done, Unix next)
- Memory dumping via F-Response's driver
- Refactoring, since I suck at Python