At the end of his Palaeontology of Cyberattack keynote, the Kaspersky APAC Director of GReAT, Vitaly Kamluk, announced the public availability of his cyber forensics tool – BitScout. This is a free and open-source tool that can be used for the remote forensic investigation or collection of data from a compromised system, without risk of contamination or loss of data.
Don’t forget to check out the other Kaspersky Palaeontology of Cybersecurity presentations!
The BitScout Cyber Forensics Tool
BitScout was “created independently of the Kaspersky Lab product line” and is “outside [the] scope of [the] company’s business operation“. Vitaly intended for the BitScout tool to be used by cybersecurity researchers, high-tech crime units of law enforcement agencies (LEA), as well as educational institutions.
Legitimate owners of compromised systems may cooperate and help security researchers find the infection vector or other details about the attackers. However, it is a longstanding concern the need for security researchers to travel long distances to collect crucial evidence (e.g. malware samples) from infected computers can result in expensive and delayed investigations.
The longer it takes for an attack to be understood, the longer it is before users are protected and perpetrators identified. However, the alternatives have either involved expensive tools and a knowledge of how to operate them, or the risk of contaminating or losing evidence by moving it between computers.
To solve the problem, security researchers can now use BitScout to remotely collect key forensic materials, acquire full disk images via the network or locally attached storage, or simply remotely assist in malware incident handling. Evidence data can be viewed and analyzed remotely or locally while the source data storage remains intact through reliable container-based isolation.
The BitScout Advantage
Kaspersky Lab experts work closely with law enforcement agencies across the world to help in the technical analysis of cyber investigations. This gives them a unique insight into the challenges LEA personnel face when fighting modern cybercrime.
The cybersecurity landscape is now so complex and sophisticated that investigators need tools that can adapt and scale to the demands of the job. BitScout is a good example of this. It can be adjusted to the particular needs of an investigator, and improved and upgraded with additional features and custom software.
Most importantly it comes free of charge, based on open-source solutions and is fully transparent: instead of relying on third party tools with proprietary code, experts can use the Bitscout open-source code to build their own swiss-army knife for digital forensics. The list of BitScout features includes:[adrotate group=”2″]
- Disk image acquisition even with un-trained staff
- Training people on the go (shared view-only terminal session)
- Transferring complex pieces of data to your lab for deeper inspection
- Remote Yara or AV scanning of offline systems (essential against rootkits)
- Search and view registry keys (autoruns, services, plugged USB devices)
- Remote file carving (recovering deleted files)
- Remediation of the remote system if access is authorized by the owner
- Remote scanning of other network nodes (useful for remote incident response)
BitScout is freely available at Vitaly Kamluk’s GitHub code repository here.
Don’t forget to check out the other Kaspersky Palaeontology of Cybersecurity presentations!
Go Back To > Articles | Home
Support Tech ARP!
If you like our work, you can help support our work by visiting our sponsors, participating in the Tech ARP Forums, or even donating to our fund. Any help you can render is greatly appreciated!