Python interface to F-Response WebAPI for incident response

PyFr - A Python interface to F-Response

Why?

I needed a way to quickly grab a bunch of files from a system that already has the F-Response agent installed with WebAPI turned on. The web interface it provides is great, but when I need to quickly grab a bunch of files to process with log2timeline or another such tool, this saves time.

Use

To install the F-Response Enterprise client, make sure you have a copy of the exe and ini handy. Also, make sure to edit the constants in pyfr-install.py and frhost.py so they point to the right place. You will also need a copy of psexec.exe in your path.

>>> python pyfr-install.py -a <ip address> -n <target hostname> -u <userid> -p <password>

At this point, usage is very simple: you supply an IP, user, and password, and the tool and class return all files listed in the "Match" list.

>>> python pyfr-run.py -a <ip address> (-p <port>) -u <userid> -p <password>

PyFr will return the files under a subdirectory of "cases/<ip address>".

Requirements

Python 2.7.3 on Windows is the only tested platform at this point. The most excellent Requests library is also used and can be installed via pip. Pysmb is also used; install it via pip.

TODO

  • Download an entire directory (i.e. Prefetch)
  • Download the CSV file that provides the metadata on the filesystem
  • Reimplement the regex parsing of the previous version, but that requires downloading the entire filesystem list in a csv file. Slooowwww...
  • Code to push and install your customized F-Response MSI (Windows done, unix next)
  • Memory dumping via F-Response's driver
  • Refactoring, since I suck at python