Kaspersky Lab Researcher Creates Free Software Tool for Collecting Remote Evidence After Cyber-Attacks
06 July 2017
To overcome the need for investigators to travel far and wide to gather evidence from infected computers after a cyberattack, a Kaspersky Lab expert has developed a simple tool that can remotely collect vital data without risk of its contamination or loss. Named BitScout, the tool can be built into a Swiss Army knife for the remote forensic investigation of live systems and has been made freely available for all investigators to use.
In most cyberattacks, the legitimate owners of compromised systems fall victim to unidentified perpetrators. Victims usually agree to cooperate and help security researchers find the infection vector or other details about the attackers. However, it is a longstanding concern among forensic researchers that the need to travel long distances to collect crucial evidence, such as malware samples from infected computers, can result in expensive and delayed investigations. The longer it takes for an attack to be understood, the longer it is before users are protected and perpetrators identified. The alternatives have either involved expensive tools and the knowledge needed to operate them, or the risk of contaminating or losing evidence by moving it between computers.
To solve the problem, Vitaly Kamluk, Director of Kaspersky Lab’s Global Research and Analysis Team in Asia Pacific (APAC), has created an open-source digital tool that can remotely collect key forensic materials, acquire full disk images via the network or locally attached storage, or simply assist remotely in malware incident handling. Evidence data can be viewed and analyzed remotely or locally while the source data storage remains intact through reliable container-based isolation.
“The need to analyze security incidents as efficiently and swiftly as possible is increasingly important, as adversaries grow ever more advanced and stealthy. But speed at all costs is not the answer either – we need to ensure evidence is untainted so that investigations are trusted and results can be qualified for use in court if required. I couldn’t find a tool that allowed us to achieve all of this, freely and easily – so I decided to build one,” said Vitaly Kamluk.
Kaspersky Lab experts work closely with law enforcement agencies across the world to help in the technical analysis of cyber investigations. This gives them a unique insight into the challenges LEA personnel face when fighting modern cybercrime. The cybersecurity landscape is now so complex and sophisticated that investigators need tools that can adapt and scale to the demands of the job. BitScout is a good example of this. It can be adjusted to the particular needs of an investigator, and improved and upgraded with additional features and custom software. Most importantly, it comes free of charge, is based on open-source solutions and is fully transparent: instead of relying on third-party tools with proprietary code, experts can use the BitScout open-source code to build their own Swiss Army knife for digital forensics.
The list of BitScout features includes:
· Disk image acquisition, even with untrained staff
· Training people on the go (shared view-only terminal session)
· Transferring complex pieces of data to your lab for deeper inspection
· Remote Yara or AV scanning of offline systems (essential against rootkits)
· Searching and viewing registry keys (autoruns, services, plugged USB devices)
· Remote file carving (recovering deleted files)
· Remediation of the remote system if access is authorized by the owner
· Remote scanning of other network nodes (useful for remote incident response)
The tool is freely available at the GitHub code repository: https://github.com/vitaly-kamluk/bitscout
Read more on Securelist
About Kaspersky Lab
Kaspersky Lab is a global cybersecurity company celebrating its 20 year anniversary in 2017. Kaspersky Lab’s deep threat intelligence and security expertise is constantly transforming into security solutions and services to protect businesses, critical infrastructure, governments and consumers around the globe. The company’s comprehensive security portfolio includes leading endpoint protection and a number of specialized security solutions and services to fight sophisticated and evolving digital threats. Over 400 million users are protected by Kaspersky Lab technologies and we help 270,000 corporate clients protect what matters most to them. Learn more at www.kaspersky.com.