
Kaspersky researcher in Asia develops cyber forensics tool

The open source tool lets cyber forensics investigators access infected machines remotely to collect malware artefacts without compromising system integrity

A Kaspersky researcher in Asia has developed an open source tool that facilitates the collection of evidence and other malware artefacts from infected machines after a cyber attack.

Called BitScout, the free tool – available through GitHub – lets investigators collect vital evidence from a live system remotely, without contaminating or losing it.

Vitaly Kamluk, director of Kaspersky Lab’s global research and analysis team in the Asia-Pacific region, said the tool was created out of the need to analyse security incidents as efficiently and swiftly as possible.

He added that this is increasingly important as adversaries become more advanced and stealthy in covering their tracks.

“But speed at all costs is not the answer either,” he said. “We need to ensure evidence is untainted so that investigations are trusted and results can be qualified for use in court if required. I couldn’t find a tool that allowed us to achieve all of this, freely and easily – so I decided to build one.”

In most cyber attacks, the legitimate owners of compromised systems agree to cooperate and help security researchers find the infection vector or other details about the attackers.

However, it is a longstanding concern among forensic researchers that the need to travel long distances to collect crucial evidence, such as malware samples from infected computers, can result in expensive and delayed investigations.


The longer it takes for an attack to be understood, the longer it is before users are protected and perpetrators identified. However, Kamluk said the alternatives have required expensive tools and specialised knowledge. There is also the risk of contaminating or losing evidence as data is moved between computers.

To ensure forensics evidence is not tampered with, BitScout creates a virtual copy of the infected disk that investigators can work on. Investigators can then transfer complex pieces of data to a lab for deeper inspection, as well as scan other network nodes in remote incident response, among other capabilities. 

The owner of an infected system must also manually authorise which disk investigators may access. Investigators cannot modify that disk or alter the access they have been granted, which prevents any loss of evidence.
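The principle described above, that the original disk stays read-only and all analysis happens on a verified copy, can be checked with a short acquisition routine. The script below is an added example and is not BitScout's own code: it images a source, records its SHA-256 digest at acquisition time, lets the analyst write to the copy, and then proves the source is unchanged. The file names, the 4 KiB "disk" and the artefact string are constructed for the demo.

```shell
#!/bin/sh
# Added example, not BitScout's code: read-only evidence acquisition with an
# integrity check. All paths and sample data below are constructed for the demo.
set -eu

# hash_file FILE: print the SHA-256 digest of FILE. Assumes either GNU sha256sum
# or BSD/macOS shasum is installed.
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# acquire_image SRC DEST: byte-for-byte copy with dd. conv=noerror continues past
# unreadable blocks instead of aborting; conv=sync zero-pads such blocks so every
# later offset in the image still matches the source (the source must be a whole
# device or a size that is a multiple of bs, otherwise the final block is padded).
acquire_image() {
    dd if="$1" of="$2" bs=512 conv=noerror,sync 2>/dev/null
}

# verify_source SRC RECORDED: return 0 if SRC still hashes to the digest recorded
# at acquisition time, 1 if the evidence has been altered since.
verify_source() {
    [ "$(hash_file "$1")" = "$2" ]
}

# run_demo: build a constructed 4 KiB "disk", image it, let the analyst write to
# the copy only, and print "ok" if the source is untouched and the copy differs.
run_demo() {
    work=$(mktemp -d)
    src="$work/evidence.img"
    img="$work/working-copy.img"

    # Constructed sample disk: 8 x 512-byte zero blocks with a fake artefact at offset 1024.
    dd if=/dev/zero of="$src" bs=512 count=8 2>/dev/null
    printf 'MALWARE-ARTEFACT-SAMPLE' | dd of="$src" bs=1 seek=1024 conv=notrunc 2>/dev/null
    chmod 0444 "$src"                       # the owner grants read-only access

    recorded=$(hash_file "$src")            # chain-of-custody digest of the original
    acquire_image "$src" "$img"
    [ "$(hash_file "$img")" = "$recorded" ] || { echo "acquisition mismatch"; return 1; }

    # Analyst work (carving, patching, mounting read-write) touches the copy only.
    printf 'analyst notes' | dd of="$img" bs=1 seek=2048 conv=notrunc 2>/dev/null

    if verify_source "$src" "$recorded" && [ "$(hash_file "$img")" != "$recorded" ]; then
        echo ok
    else
        echo tampered
        return 1
    fi
    rm -rf "$work"
}
```

The recorded digest is the artefact that makes the copy admissible: anyone who later receives the image can recompute it and compare. On a real engagement the source would be a block device exposed read-only (or a read-only loop device over a snapshot), and the digest would be written to a signed custody log rather than a shell variable.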

The launch of BitScout is expected to ease the work of forensic investigators, who Kamluk said are akin to palaeontologists.

“While palaeontologists dig up the remains of dinosaurs and relics from ancient civilisations, and determine which pieces are connected and which are not, Kaspersky Lab experts investigate attacks by gathering sample after sample of malware, which are then analysed, compared and shared with other cyber palaeontologists to further uncover and understand a massive cyber attack,” he said.
