Kaspersky Lab Researcher Creates Free Software Tool for Collecting Remote Evidence After Cyber-Attacks

Jul 7, 2017:

To overcome the need for investigators to travel far and wide to gather evidence from infected computers after a cyberattack, a Kaspersky Lab expert has developed a simple tool that can remotely collect vital data without risk of its contamination or loss. Named BitScout, the tool can build a swiss-army knife for the remote forensic investigation of live systems and has been made freely available for all investigators to use.



Vitaly Kamluk, Director of Kaspersky Lab’s Global Research and Analysis Team in Asia Pacific (APAC) has created an open-source digital tool that can remotely collect key forensic materials, acquire full disk images via the network or locally attached storage, or simply remotely assist in malware incident handling. Evidence data can be viewed and analyzed remotely or locally while the source data storage remains intact through reliable container-based isolation.

The list of BitScout features includes:
  • Disk image acquisition even with un-trained staff
  • Training people on the go (shared view-only terminal session)
  • Transferring complex pieces of data to your lab for deeper inspection
  • Remote Yara or AV scanning of offline systems (essential against rootkits)
  • Search and view registry keys (autoruns, services, plugged USB devices)
  • Remote file carving (recovering deleted files)
  • Remediation of the remote system if access is authorized by the owner
  • Remote scanning of other network nodes (useful for remote incident response)
The tool is freely available at the GitHub code repository: https://github.com/vitaly-kamluk/bitscout

Comments