legal contact rss
 

/bitscout

https://github.com/vitaly-kamluk/bitscout.git

Project Bitscout
Author: Vitaly Kamluk // bitscout[at]kaspersky.com

Bitscout is customizable live OS constructor tool written purely in bash. It'smain purpose is to help you quickly create own remote forensics bootable disk image.This project was created by security researchers for security researchers and incident handlers. Do not expect user-friendly interface and if you are notfamiliar with Linux commandline, it's wise idea to learn that first. Thisconstructor can be customised to include your tools, however one of the core ideas was to remotely assist Law Enforcement investigations as well as incident responders, which is why Bitscout by default includes a number of forensic packages and settings.

Bitscout Features:
1. Transparency
  a. You build your own live disk instead of using someone else's. The build
  process is rather straightforward and detailed. One of the core principles of
  Bitscout is to not use proprietary binary executables during build process.
  Project Bitscout is a plaintext OS constructor.
  b. You may choose what packages you put on Bitscout ISO. This lets you
  decide which binaries you trust.
  b.The owner can monitor what is going on in expert's container live or via
  recorded session, which can be replayed. This is useful for training or
  understanding of forensic process in the court. 

2. Forensics
  a. Bitscout is designed to not modify hard drive data or other
  storage media attached to the system. This is essential for forensic
  analysis.
  b. Bitscout contains most popular tools to acquire and analyze storage drives.
  c. The owner of the system controls which disk devices are accessible to the
  expert in read-only (or read-write) mode.
  d. Even running as root the expert cannot modify or reset access to the
  provided storage devices, which prevents potential data loss from the source
  disk. This is achieved via layers of virtualization.

3. Customisation
  a. The set of tools available on Bitscout can be customized by editing
  respective scripts before running the build. You can add standard packages 
  or your own tools. Make it available to expert, system owner or both.
  b. Both system owner and expert can install additional software packages on
  already running (booted) system. All changes will be done indepently 
  (expert cannot change owner's environment). All installed software will exist
  only in RAM and will be gone when system is restarted.
  c. If certain operations require more memory or large disk which is not
  available on the system, the owner may attach writable external storage device
  (such as fast USB flash memory) to be used for storage or swap by the expert.

4. Compact
  a. Bitscout project is designed to be minimal yet universal tool to access
  remote systems. It contains minimal set of packages, libraries and
  tools to start the system and provide most common forensic tools to the expert
  immediately. Certain optimizations yet to be added to reduce size even
  further. All suggestions and contributions are welcome!
  b. The system uses no graphical interface on purpose. This reduces disk image
  size and RAM consumption.
  c. The expert's runs inside unprivileged LXC container, which saves from 
  overhead of full virtualization. The container relies on the same kernel as 
  the host system, but doesn't allow kernel module manipulation.
  d. The container root filesystems is overlayed from the live CD rootfs. 
  This enables to reuse the system binaries and configuration and avoid data
  duplication. Yet, mapped with copy-on-write access it provides almost unlimited
  modification of the whole OS. The real limit is just the size of available
  memory and swap.

  As a matter of fact fully running OS with a child OS inside the container used
  less than 200Mb of RAM in some of our tests in the past.
Credits:
  Kaspersky Lab
  INTERPOL Global Complex For Innovation (IGCI)
  IGCI Digital Forensics Lab

Thanks to
  Linux kernel developers
  Canonical Ltd
  All open-source software developers
  LXC developers
  All those awesome authors of Linux forensics tools