bitscout: Remote forensics meta tool
Bitscout is a customizable live OS constructor tool written purely in bash. Its main purpose is to help you quickly create your own remote forensics bootable disk image.
This project was created by security researchers for security researchers. It should also be useful to law enforcement and to private companies which assist law enforcement. The project allows anyone running a Debian-based OS such as Ubuntu to build their own LiveCD/LiveUSB image for remote digital forensics (or any other task of your choice).
Bitscout Features:
- Transparent
- You build your own live disk instead of using someone else’s. The build process is straightforward and verbose, so there is no room for mistrust, provided the OS package repositories are trusted.
- A live disk image is built using bash scripts only and standard Ubuntu tools and packages, making it both transparent and customizable for all.
- The owner can monitor what is going on in the expert’s container. It is possible to attach to the expert’s container as root and watch changes as they happen.
- Forensically sound
- We have tested that Bitscout doesn’t modify hard drive data or other storage media attached to the system. This is an essential base for forensic operations.
- Bitscout contains the most popular tools to acquire and analyze hard drive disk images on site.
- The owner of the system has to manually authorize which disk devices are accessible to the expert, in read-only (or read-write) mode.
- Even while running as root, the expert cannot modify or reset the access mode of the provided devices, which prevents potential data loss on the source disk.
- Customizable
- The set of tools available on Bitscout can be easily customized by editing the respective text files in the script directory before building. You can add standard packages or your own tools, and make them available to the expert, the system owner, or both.
- Both the system owner and the expert can install additional software packages on an already running system. All changes are made independently (the expert cannot change the owner’s environment) and only in memory.
- If certain operations require more memory or a larger disk than is available on the system, the owner may attach a writable external storage device (such as a fast USB flash drive) to be used for storage or swap.
- Compact
- The Bitscout project is designed to be a minimal yet universal tool for accessing a remote storage device. It contains the minimal set of packages, libraries and tools needed to start the system and provide the most common forensic tools to the expert immediately. Certain optimizations are yet to be added to reduce the size even further. All suggestions and contributions are welcome!
- The system uses no graphical interface on purpose. This reduces disk image size and RAM usage.
- The expert’s environment runs as an unprivileged LXC container, which avoids the overhead of full virtualization. The container relies on the same kernel as the host system.
- The container spawns from an overlaid source rootfs, which avoids duplicating system binaries and configuration. Because the overlay is mapped with copy-on-write access, it still permits almost unlimited modification of the whole OS; the real limit is just the size of available memory and swap. In fact, a fully running OS with a child OS inside the container used less than 200 MB of RAM in our tests.
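The "Forensically sound" points above rest on two checks an owner can perform on the host before and after the expert's session: put the evidence device into read-only mode and confirm the kernel reports it so, then fingerprint the media before and after the session to prove nothing was written. The script below is an added example and is not Bitscout's own code; it assumes util-linux `blockdev` and GNU `dd`/`sha256sum`, and the function names (`set_device_readonly`, `fingerprint`, `session_check`) are this example's own.

```shell
#!/usr/bin/env bash
# Added example, not part of Bitscout: host-side checks that the evidence
# device is read-only and was not modified during the expert's session.
set -eo pipefail

# Put a block device into read-only mode and confirm the kernel agrees.
# Assumes util-linux blockdev; needs root and a real block device, so it is
# not exercised by the offline test below.
set_device_readonly() {
    local dev=$1
    blockdev --setro "$dev"
    [ "$(blockdev --getro "$dev")" = "1" ]
}

# SHA-256 of the first N MiB (default 64) of a device. dd is used so the same
# function also works on a regular file, which is how it is tested here.
fingerprint() {
    local path=$1 mib=${2:-64}
    dd if="$path" bs=1M count="$mib" 2>/dev/null | sha256sum | cut -d' ' -f1
}

# Returns 0 only when the before/after fingerprints are identical.
verify_unchanged() {
    local before=$1 after=$2
    if [ "$before" != "$after" ]; then
        echo "WARNING: media fingerprint changed during session" >&2
        return 1
    fi
}

# Fingerprint a path, run the supplied command (the "session"), and re-check.
# Usage: session_check /dev/sdb 64 -- some_command args...
session_check() {
    local path=$1 mib=$2; shift 2
    [ "$1" = "--" ] && shift
    local before after
    before=$(fingerprint "$path" "$mib")
    "$@"
    after=$(fingerprint "$path" "$mib")
    verify_unchanged "$before" "$after"
}
```

The read-only flag is set on the host kernel's view of the device, which is the layer a root user inside an unprivileged container cannot reach; the fingerprint is the independent evidence that the flag actually held. Hashing only the first N MiB keeps the check fast on large drives, so run it with a full-size count when a complete proof is needed.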
User Roles:
Bitscout relies on at least three participants in the process of remote forensics:
- The Owner
The owner is a user who has physical access to the target system and owns it. The owner’s role is to download, verify and burn the Live ISO image file to removable storage. After that, the target system must be started from this bootable media. With a LAN DHCP network configuration, everything should work automatically. With any other setup, the owner has to configure network access using the management utility that is available on the Live system (it starts automatically on a TTY at boot).
- The Expert
The expert is a remote user who connects to the target system over SSH through a VPN link via the expert’s server. Bitscout should be built with the VPN server certificates, configuration and SSH keys placed on the disk image. This can be changed at any time; feel free to re-run some of the last build stages manually if you don’t want to start from scratch.
- Expert’s Server
The expert’s server should be located on the internet and is used to run a VPN server as well as a chat server for communication. Suggested server configuration files can be found in the respective “exports” subdirectory.
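The owner's "download, verify and burn" step is where a tampered or truncated image would enter the chain, so the verification must fail closed before anything touches the USB stick. The script below is an added example, not Bitscout's own tooling; it assumes the expected SHA-256 digest was obtained out of band (for example from the expert over an authenticated channel), uses GNU `sha256sum` and `dd`, and the function names `verify_image` and `burn_image` are this example's own.

```shell
#!/usr/bin/env bash
# Added example, not part of Bitscout: fail-closed image verification before
# writing the live image to removable media.
set -eo pipefail

# Verify an image file against a SHA-256 hex digest obtained out of band.
# Returns 0 only when the digest matches exactly.
verify_image() {
    local image=$1 expected=$2 actual
    [ -r "$image" ] || { echo "cannot read $image" >&2; return 1; }
    actual=$(sha256sum "$image" | cut -d' ' -f1)
    if [ "$actual" != "$expected" ]; then
        echo "checksum mismatch for $image" >&2
        echo "  expected: $expected" >&2
        echo "  actual:   $actual" >&2
        return 1
    fi
}

# Write a verified image to removable media. Refuses to run unless the
# checksum passes and the target is a block device, so an unverified image
# is never written and a typo cannot overwrite a regular file.
# Needs root for a real device.
burn_image() {
    local image=$1 expected=$2 target=$3
    verify_image "$image" "$expected" || return 1
    [ -b "$target" ] || { echo "$target is not a block device" >&2; return 1; }
    dd if="$image" of="$target" bs=4M conv=fsync
    sync
}
```

A typical call is `burn_image bitscout.iso "$EXPECTED_SHA256" /dev/sdX`; the digest is compared as a whole string rather than with `sha256sum -c` so that a malformed checksum line cannot silently pass, and `conv=fsync` plus `sync` make sure the write has completed before the stick is pulled.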
Copyright (C) 2018 vitaly-kamluk