Author: Vitaly Kamluk // bitscout[at]kaspersky.com
Bitscout is a customizable live OS constructor tool written purely in bash. Its main purpose is to help you quickly create your own remote forensics bootable disk image. This project was created by security researchers for security researchers and incident handlers. Do not expect a user-friendly interface, and if you are not familiar with the Linux command line, it is wise to learn that first. This constructor can be customised to include your tools; however, one of the core ideas was to remotely assist Law Enforcement investigations as well as incident responders, which is why Bitscout by default includes a number of forensic packages and settings.
Bitscout Features:

1. Transparency
   a. You build your own live disk instead of using someone else's. The build process is straightforward and detailed. One of the core principles of Bitscout is to not use proprietary binary executables during the build process: Bitscout is a plaintext OS constructor.
   b. You choose which packages go onto the Bitscout ISO. This lets you decide which binaries you trust.
   c. The owner can monitor what is going on in the expert's container, either live or via a recorded session that can be replayed. This is useful for training or for explaining the forensic process in court.

2. Forensics
   a. Bitscout is designed not to modify hard drive data or other storage media attached to the system. This is essential for forensic analysis.
   b. Bitscout contains the most popular tools to acquire and analyze storage drives.
   c. The owner of the system controls which disk devices are accessible to the expert, and whether each is exposed in read-only or read-write mode.
   d. Even running as root, the expert cannot modify or reset the access granted to the provided storage devices, which prevents data loss from the source disk. This is achieved via layers of virtualization.

3. Customisation
   a. The set of tools available on Bitscout can be customized by editing the respective scripts before running the build. You can add standard packages or your own tools, and make them available to the expert, the system owner, or both.
   b. Both the system owner and the expert can install additional software packages on an already running (booted) system. All changes are made independently (the expert cannot change the owner's environment). All installed software exists only in RAM and is gone when the system is restarted.
   c. If certain operations require more memory or a large disk that is not available on the system, the owner may attach a writable external storage device (such as fast USB flash memory) to be used by the expert for storage or swap.

4. Compact
   a. Bitscout is designed to be a minimal yet universal tool to access remote systems. It contains a minimal set of packages, libraries and tools to start the system and provide the most common forensic tools to the expert immediately. Certain optimizations are yet to be added to reduce the size even further. All suggestions and contributions are welcome!
   b. The system uses no graphical interface on purpose. This reduces disk image size and RAM consumption.
   c. The expert's environment runs inside an unprivileged LXC container, which avoids the overhead of full virtualization. The container relies on the same kernel as the host system but does not allow kernel module manipulation.
   d. The container root filesystem is overlayed from the live CD rootfs. This reuses the system binaries and configuration and avoids data duplication, yet, mapped with copy-on-write access, it permits almost unlimited modification of the whole OS. The real limit is just the size of available memory and swap. In some of our past tests a fully running OS with a child OS inside the container used less than 200 MB of RAM.
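The points about owner-controlled read-only device access (2c, 2d), RAM-only changes (3b) and the copy-on-write container rootfs (4d) can be illustrated with a host-side script. The following is an added example written for this page, not Bitscout's own build scripts, and it does not claim to reproduce how Bitscout actually wires these layers together. It assumes a cgroup v1 device controller, the lxc.cgroup.devices.* and lxc.mount.entry config keys of LXC 2.x/3.x, overlayfs support in the kernel, and placeholder paths such as /dev/sdb, /cdrom/rootfs and /var/lib/lxc/expert.

```shell
#!/bin/bash
# Added illustrative example (not Bitscout's code): expose a block device to
# an expert's unprivileged LXC container read-only, using independent layers
# so that root inside the container cannot undo it, and give the container a
# RAM-backed copy-on-write view of the live CD rootfs.
# Assumptions: cgroup v1 device controller, LXC 2.x/3.x config syntax,
# overlayfs in the kernel. /dev/sdb and the other paths are placeholders.
set -u

# Layer 1 (host side): mark the whole block device read-only in the kernel.
# Clearing this flag (BLKROSET) needs CAP_SYS_ADMIN in the host's user
# namespace, which root inside an unprivileged container does not hold.
make_device_readonly() {
    local dev="$1"
    blockdev --setro "$dev" && [ "$(blockdev --getro "$dev")" = "1" ]
}

# Layer 2: LXC config lines that deny all devices, then allow only read ('r')
# on this one in the container's device cgroup, and bind-mount the node in.
# Caveat: the 'ro' on the bind mount is belt and braces only; the kernel's
# read-only-mount check is skipped for device nodes, so the cgroup rule is the
# line that actually blocks writes.
emit_ro_device_config() {
    local dev="$1" major="$2" minor="$3"
    local inside="${dev#/}"            # /dev/sdb -> dev/sdb (container-relative)
    printf 'lxc.cgroup.devices.deny = a\n'
    printf 'lxc.cgroup.devices.allow = b %s:%s r\n' "$major" "$minor"
    printf 'lxc.mount.entry = %s %s none bind,ro,create=file 0 0\n' "$dev" "$inside"
}

# Same, but look up major/minor of a real device node with GNU stat.
emit_ro_device_config_for() {
    local dev="$1" major minor
    major=$(( 0x$(stat -c %t "$dev") ))
    minor=$(( 0x$(stat -c %T "$dev") ))
    emit_ro_device_config "$dev" "$major" "$minor"
}

# Layer 3 (rootfs): overlay the read-only live CD rootfs with a tmpfs upper
# layer, so everything the expert installs lands in RAM and is gone on reboot.
mount_cow_rootfs() {
    local lower="$1" merged="$2" scratch="$3"
    mkdir -p "$scratch" "$merged" &&
    mount -t tmpfs tmpfs "$scratch" &&
    mkdir -p "$scratch/upper" "$scratch/work" &&
    mount -t overlay overlay \
        -o "lowerdir=$lower,upperdir=$scratch/upper,workdir=$scratch/work" "$merged"
}

# What the expert should observe from inside: reading the first sector works,
# writing a sector fails.
verify_readonly_from_inside() {
    local dev="$1"
    ! dd if=/dev/zero of="$dev" bs=512 count=1 conv=notrunc 2>/dev/null &&
    dd if="$dev" of=/dev/null bs=512 count=1 2>/dev/null
}

# Run with --demo as root on a host that has the placeholder paths.
if [ "${1:-}" = "--demo" ]; then
    make_device_readonly /dev/sdb
    emit_ro_device_config_for /dev/sdb >> /var/lib/lxc/expert/config
    mount_cow_rootfs /cdrom/rootfs /var/lib/lxc/expert/rootfs /run/expert-scratch
fi
```

One practical caveat for unprivileged containers: a bind-mounted device node keeps its host ownership, which maps to nobody inside the container, so the owner must additionally make the node readable to the mapped uid (for example with a world-readable mode on the host node) before the expert can open it at all. The device cgroup rule and the kernel read-only flag are what keep that access read-only.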
Credits:
  Kaspersky Lab
  INTERPOL Global Complex For Innovation (IGCI)
  IGCI Digital Forensics Lab

Thanks to:
  Linux kernel developers
  Canonical Ltd
  All open-source software developers
  LXC developers
  All those awesome authors of Linux forensics tools