Woburn, MA – July 6, 2017 – To streamline the process of gathering evidence from infected computers after a cyberattack, a Kaspersky Lab expert developed an innovative but simple, free tool that is now available. The new tool, “BitScout,” allows investigators to build a “Swiss army knife” for the forensic investigation of live systems by remotely collecting vital data without risking contamination or loss of information.
In most cyberattacks, victims usually agree to cooperate and help security researchers find the infection vector or other details about the attackers. However, it is a constant concern among forensic researchers that the time needed to physically travel to collect critical evidence, such as malware samples from infected computers, can result in expensive and delayed investigations.
Until now, the only options have been to rely on expensive third-party tools with proprietary code, which require specialized knowledge to operate, or to take the risk of contaminating or losing evidence by moving it between computers.
To address these challenges, Vitaly Kamluk, director of Kaspersky Lab’s Global Research and Analysis Team (GReAT) in Asia Pacific (APAC), created BitScout, a free, open-source tool that experts can use to build their own digital forensics toolbox. With this tool, investigators can remotely collect key forensic materials, acquire full disk images via the network or locally attached storage, or simply remotely assist in malware incident handling. Evidence data can be viewed and analyzed remotely or locally while the source data storage remains intact through reliable container-based isolation.
“The need to analyze security incidents as efficiently and swiftly as possible is increasingly important, as adversaries grow ever more advanced and stealthy,” said Kamluk. “But speed at all costs is not the answer either – we need to ensure evidence is untainted so that investigations are trusted and results can be qualified for use in court if required. I couldn’t find a tool that allowed us to achieve all of this freely and easily, so I decided to build one.”
Kaspersky Lab experts work closely with law enforcement agencies (LEA) across the world to help in the technical analysis of cyber investigations. This gives them a unique insight into the challenges LEA personnel face when fighting modern cybercrime. The cybersecurity landscape is now so complex and sophisticated that investigators need tools that can adapt and scale to the demands of the job.
The capabilities of BitScout include:
- Disk image acquisition, even with untrained staff
- Training people on the go (shared view-only terminal session)
- Transferring complex pieces of data to your lab for deeper inspection
- Remote Yara or AV scanning of offline systems (essential against rootkits)
- Search and view registry keys (autoruns, services, plugged USB devices)
- Remote file carving (recovering deleted files)
- Remediation of the remote system if access is authorized by the owner
- Remote scanning of other network nodes (useful for remote incident response)
BitScout is available at the GitHub code repository here: https://github.com/vitaly-kamluk/bitscout
Read more on Securelist.com.
About Kaspersky Lab
Kaspersky Lab is a global cybersecurity company celebrating its 20 year anniversary in 2017. Kaspersky Lab’s deep threat intelligence and security expertise is constantly transforming into security solutions and services to protect businesses, critical infrastructure, governments and consumers around the globe. The company’s comprehensive security portfolio includes leading endpoint protection and a number of specialized security solutions and services to fight sophisticated and evolving digital threats. Over 400 million users are protected by Kaspersky Lab technologies and we help 270,000 corporate clients protect what matters most to them. Learn more at www.kaspersky.com.
For the latest in-depth information on security threat issues and trends, please visit:
Follow @Securelist on Twitter
Follow @Threatpost on Twitter