Kaspersky Lab researcher Vitaly Kamluk has released the source code of Bitscout, a compact and customizable tool designed for remote digital forensics operations. In most cyber attacks, legitimate owners of compromised systems usually agree to cooperate and help security researchers find the infection vector or other details about the attackers.However, it is a longstanding concern among forensic researchers that the need to travel long distances to collect crucial evidence, such as malware samples from infected computers, can result in expensive and delayed investigations. The longer it takes for an attack to be understood, the longer it is before users are protected and perpetrators identified. There is also the risk of contaminating or losing evidence as data is moved between computers.

Bitscout enables forensic investigators to remotely analyze a system, while allowing the system’s owner to monitor the expert’s activities and ensure that their access is limited to the targeted disks. The tool can be useful to researchers, law enforcement cybercrime units, and educational institutions.

The owner of the system on which forensic analysis will be conducted is provided an image file that they must burn onto a removable storage drive. The system is then booted from this drive and the investigator connects remotely to Bitscout over SSH using a VPN. The investigator is only provided root privileges inside a virtual container, and the owner can specify which disks can be analyzed to prevent unauthorized access. The researcher can install additional software and make changes to the system from this container, but only in the volatile memory to ensure that everything is restored to its initial state after the device is shut down.

The features of bitscout are:

• Disk image acquisition, even with un-trained staff
• Training people on the go (shared view-only terminal session)
• Transferring complex pieces of data to your lab for deeper inspection
• Remote Yara or AV scanning of offline systems (essential against rootkits)
• Search and view registry keys (autoruns, services, plugged USB devices)
• Remote file carving (recovering deleted files)
• Remediation of the remote system if access is authorized by the owner
• Remote scanning of other network nodes (useful for remote incident response)

The cybersecurity landscape is now so complex and sophisticated that investigators need tools that can adapt and scale to the demands of the job. BitScout is a good example of this. It can be adjusted to the particular needs of an investigator, and improved and upgraded with additional features and custom software. Most importantly it comes free of charge, based on open-source solutions and is fully transparent: instead of relying on third party tools with proprietary code, experts can use the Bitscout open-source code to build their own swiss-army knife for digital forensics.

Kaspersky bitscout can be downloaded freely from https://github.com/vitaly-kamluk/bitscout