arrow - Fotolia

Kaspersky researcher in Asia develops cyber forensics tool

The open source tool lets cyber forensics investigators access infected machines remotely to collect malware artefacts without compromising system integrity

A Kaspersky researcher in Asia has developed an open source tool that facilitates the collection of evidence and other malware artefacts from infected machines after a cyber attack.

Called BitScout, the free tool – available through GitHub – will enable investigators to remotely collect vital data without contaminating or losing data in forensic investigations of live systems.

Vitaly Kamluk, director of Kaspersky Lab’s global research and analysis team in the Asia-Pacific region, said the tool was created out of the need to analyse security incidents as efficiently and swiftly as possible.

He added that this is increasingly important as adversaries become more advanced and stealthy in covering their tracks.

“But speed at all costs is not the answer either,” he said. “We need to ensure evidence is untainted so that investigations are trusted and results can be qualified for use in court if required. I couldn’t find a tool that allowed us to achieve all of this, freely and easily – so I decided to build one.”

In most cyber attacks, legitimate owners of compromised systems usually agree to cooperate and help security researchers find the infection vector or other details about the attackers.

However, it is a longstanding concern among forensic researchers that the need to travel long distances to collect crucial evidence, such as malware samples from infected computers, can result in expensive and delayed investigations.

Read more about cyber security in APAC

  • The computer networks of two universities in Singapore were breached in April 2017 by hackers looking to steal information related to government or research.
  • Threat intelligence feeds provide valuable information to help identify incidents quickly, but only if they are part of an intelligence-driven security programme.
  • WannaCry’s spread in Asia-Pacific accounted for just 10% of detections worldwide, indicating the ransomware’s limited reach in the region.
  • Singapore and Australia will conduct joint cyber security exercises, among a raft of measures to secure critical infrastructure and bolster cyber security know-how.

The longer it takes for an attack to be understood, the longer it is before users are protected and perpetrators identified. However, Kamluk said alternatives have either involved expensive tools and specialised knowledge. There is also the risk of contaminating or losing evidence as data is moved between computers.

To ensure forensics evidence is not tampered with, BitScout creates a virtual copy of the infected disk that investigators can work on. Investigators can then transfer complex pieces of data to a lab for deeper inspection, as well as scan other network nodes in remote incident response, among other capabilities. 

The owner of an infected system also needs to manually authorise which disk can be accessed by investigators who will not be able to modify or reset access to infected disks, preventing any potential data loss.

The launch of BitScout is expected to ease the work of forensic investigators whom Kamluk said are akin to palaeontologists.

“While palaeontologists dig the remains of dinosaurs and relics from ancient civilisations, and determine which pieces are connected and which are not, Kaspersky Lab experts investigate attacks by gathering samples after samples of malware which are then analysed, compared and shared with other cyber palaeontologists to further uncover and understand a massive cyber attack,” he said.

Read more on Data breach incident management and recovery