Now with Bulk Extractor, Loki, and RegRipper
IT security specialists forced to work from home in the coming weeks owing to coronavirus (many companies are now mandating it) can get ready to do some of their work on a new release of an open source tool designed for remote digital forensics, called Bitscout.
A customisable live OS constructor tool designed to help users create remote forensics bootable disk images, Bitscout was first open sourced by Russia’s Kaspersky Lab two years ago but appears to have seen limited traction.
In a fresh push, Kaspersky emphasised its free and fully open source nature: users are free to reverse-engineer and modify any part of it.
Bitscout allows users like malware researchers, digital forensics experts and incident responders to analyse digital evidence. (Kaspersky Lab’s Vitaly Kamluk says the tool was born while he was working at the Digital Forensics Lab at INTERPOL).
Bitscout 20.04: What’s New?
A new release, 20.04, comes packed with handy new open source tools. Now baked in:
RegRipper, an open source tool written in Perl for extracting and parsing information (keys, values, data) from the Windows Registry and presenting it for analysis.
Bulk Extractor, a programme that extracts features such as email addresses, credit card numbers, URLs and other types of information from disk images and other digital evidence files.
Loki, a scanner for simple indicators of compromise (IoCs) that lets blue teams and other users check file name IoCs (regex match on the full file path/name), run Yara rules, compare file hashes and check for C2 back-connects.
Its developers have also “moved away from LXD container management which used to be an overhead in the past versions. The new container is based on systemd-nspawn feature which is already part of OS anyway”, Kamluk said.
Those wanting to give it a spin can build it on Ubuntu 18.04 to 20.04.
Also new is the optional logging of bash commands to a remote syslog server. This is particularly useful where a Bitscout instance may be unexpectedly powered off or cut off by a long network outage: every command already shipped to the collector survives, even if the instance itself does not come back. It also doubles as a record of which commands led you to each clue.
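One way to get such a remote audit trail from a bash session, as an added example that is not Bitscout's own implementation: a PROMPT_COMMAND hook reads the newest history entry after each command, builds a record with user, tty, working directory and exit code, ships it over UDP syslog with the util-linux `logger` options `-n`/`-P`/`-d`, and appends a local copy. The collector address (a TEST-NET placeholder), the `bitscout-audit` tag, the local file path and all function names are assumptions for the example.

```shell
#!/usr/bin/env bash
# Added example (not Bitscout's own code): ship each interactive bash command to a remote
# syslog collector and keep a local copy. Collector address, tag and file path are assumed.

AUDIT_SYSLOG_HOST="${AUDIT_SYSLOG_HOST:-192.0.2.10}"             # assumed collector (TEST-NET)
AUDIT_SYSLOG_PORT="${AUDIT_SYSLOG_PORT:-514}"
AUDIT_LOCAL_COPY="${AUDIT_LOCAL_COPY:-/tmp/bitscout-audit.log}"  # assumed local fallback
AUDIT_LAST_NUM=""                                                # history number already shipped

# `history 1` prints "  42  cmd args"; split off the number and the command text.
history_entry_number() {
  local e="$1"
  e="${e#"${e%%[![:space:]]*}"}"            # drop leading blanks
  printf '%s' "${e%%[[:space:]]*}"
}
history_entry_command() {
  local e="$1" n
  e="${e#"${e%%[![:space:]]*}"}"
  n="${e%%[[:space:]]*}"
  e="${e#"$n"}"
  printf '%s' "${e#"${e%%[![:space:]]*}"}"  # drop blanks between number and command
}

# One audit record: who ran what, where, and how it ended.
format_audit_record() {
  local cmd="$1" status="$2"
  printf 'user=%s tty=%s cwd=%s rc=%s cmd=%s' \
    "${USER:-unknown}" "${AUDIT_TTY:-notty}" "$PWD" "$status" "$cmd"
}

# Send the record over UDP syslog (util-linux logger: -n server, -P port, -d datagram) and
# append it locally. Whatever reached the collector survives a power cut or a long outage
# on the Bitscout side; the local copy covers moments when the collector was unreachable.
ship_audit_record() {
  local record="$1"
  printf '%s %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$record" >> "$AUDIT_LOCAL_COPY"
  logger -n "$AUDIT_SYSLOG_HOST" -P "$AUDIT_SYSLOG_PORT" -d \
         -t bitscout-audit -p local1.notice -- "$record" 2>/dev/null || true
}

# Runs from PROMPT_COMMAND, i.e. after each command: picks up the newest history entry,
# skips it if already shipped (an empty Enter re-shows the same entry), records the exit code.
audit_last_command() {
  local status=$? entry num cmd
  entry="$(HISTTIMEFORMAT= history 1)"
  [ -n "$entry" ] || return 0
  num="$(history_entry_number "$entry")"
  [ "$num" != "$AUDIT_LAST_NUM" ] || return 0
  AUDIT_LAST_NUM="$num"
  cmd="$(history_entry_command "$entry")"
  ship_audit_record "$(format_audit_record "$cmd" "$status")"
}

# Install the hook in the current interactive shell (e.g. from ~/.bashrc).
enable_command_audit() {
  AUDIT_TTY="$(tty 2>/dev/null || echo notty)"
  shopt -s histappend
  PROMPT_COMMAND="audit_last_command${PROMPT_COMMAND:+;$PROMPT_COMMAND}"
}
```

Logging after the command gives you its exit code but misses a command that hangs or kills the box; a `trap ... DEBUG` fires before execution and catches those, at the cost of the exit code. UDP datagrams can be lost silently, so switch to `-T` (TCP) if the collector accepts it. Either way this is an audit aid for the analyst, not a tamper-proof control: anyone with a shell can `unset PROMPT_COMMAND`.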
Bitscout now also has its own website. Have a play here.