Vitaly Kamluk (Kaspersky Lab researcher) has been published on Github by named “Bitscout” , it’s a compact and customizable tool created for remote digital forensics operations.
The project was initially developed as a hobby project. The first variant depended on full trust to the remote user, who was provided with root access to the live system. Bitscout includes a minimal collection of packages, libraries and tools to start the system and give most popular forensic tools to the expert immediately.
This project is created by security researchers for security researchers. In addition, it can be useful to Law Enforcement and private companies that assist them. The project allows anyone who is running Ubuntu OS to build own LiveCD/LiveUSB image to be used for remote digital forensics (or other tasks of your own choice).
Basic usage: Run ./automake.sh on your Ubuntu system. Hint: if you haven’t got one, you can try running it from LiveCD. When the process is done you shall find a new ISO file in current directory.
Note: this script may ask for super-user permission. This is essential for some operations. All changes shall affect only current directory and subdirectories, unless your system is missing some essential packages to build the ISO (in this case they will be installed to your system).
User roles: Bitscout relies on 3 roles in the process of remote forensics:
- The Owner: The owner is a user who has physical access to the target system and owns it. The owner’s role is to download, verify and burn Live ISO image file to a removable storage. After that the target system must be started from this bootable media. In case of LAN DHCP network configuration everything shall work automatically. In case of other setup, the owner has to configure network access using management utility that is available on the Live system (starts automatically on the TTY1 on boot).
- The Expert: The expert is a remote user that connects to the target system over SSH using VPN link through the expert’s server. Bitscout shall be built with VPN server certificates, configuration and SSH keys placed on the disk image.
- Expert’s Server: The expert’s server shall be located in the internet and is used to run a VPN server as well as chat server for communication.
a. You build your own Live disk instead of using someone else’s. The build process is straightforward and verbose. There is no place for mistrust, given that the OS repositories are trusted.
b. Live disk image is built using bash scripts only and standard Ubuntu tools and packages, making it both transparent and customizable for all.
c. Owner can monitor what is going on in expert’s container. It’s possible to attach and monitor changes in the expert’s container as root.
2. Forensically sound
a. We have tested that Bitscout doesn’t modify hard drive data or other storage media attached to the system. This is essential base for forensic operations.
b. Bitscout contains most popular tools to acquire and analyze harddrive disk images on site.
c. The owner of the system has to manually authorize which disk devices to be accessible by the expert in read-only (or read-write) mode.
d. While running as root the expert cannot modify or reset access to the provided devices, which prevents potential data loss from the source disk.
a. The set of tools available on Bitscout can be easily customized by editing respective text files in the script directory before building. You can add standard packages or your own tools to it. Make it available to expert, system
owner or both.
b. Both system owner and expert can install additional software packages on already running system. All changes will be done indepently (expert can’t change owner’s environment) and only in memory.
c. If certain operations require more memory or large disk which is not available on the system, the owner may attach writable external storage device (such as fast USB flash memory) to be used for storage or swap.
a. Bitscout project is designed to be minimal yet universal tool to access remote storage device. It contains minimal set of packages, libraries and tools to start the system and provide most common forensic tools to the expert immediately. Certain optimizations yet to be added to reduce size even further. All suggestions and contributions are welcome!
b. The system uses no graphical interface on purpose. This reduces disk image size and used RAM.
c. The expert’s environment runs as unprivileged LXC container, which saves from overhead of full virtualization. The container relies on the same kernel as the host system.
d. The container spawns from overlayed source rootfs. This allows to avoid duplication of system binaries and configuration. Yet, mapped with copy-on-write access it provides almost unlimited modification of the whole OS. The real limit is just the size of available memory and swap.
As a matter of fact fully running OS with a child OS inside the container used less than 32Mb of RAM in our tests.