    DFLabs to Release Free Live Forensics Tool at Black Hat

    Written by

    Sean Michael Kerner
    Published August 6, 2018

      As an incident response analyst, John Moran kept on running into challenges finding the right combination of tools to get the forensic information he needed. 

      To solve this challenge, Moran, who now works as a senior product manager at DFLabs, wrote his own tool called No-Script Automation Tool (NAT), which he will demonstrate on Aug. 8 at the Black Hat USA conference in Las Vegas. Prior to working at DFLabs, Moran was a computer forensic analyst for the Maine State Police Computer Crimes Unit and computer forensics task force officer for the U.S. Department of Homeland Security. 

      “I’m going to talk a little bit about live forensics as a whole and the do’s and don’ts for forensic analysis,” Moran told eWEEK. “But really the whole purpose of the talk is to show the tool that basically came out of my experiences working in incident response.”

      Part of an incident responder’s job is to perform a forensic analysis of compromised devices to understand how they were exploited. Moran said he often had to run 30 or more tools to get the information he needed. Getting each tool to run and then exporting all the information in a repeatable manner is time consuming. On top of that, there is often the added complexity of figuring out the right configuration options for each tool.

      “I wanted to build a tool that would be a one-click thing that would enable incident responders to run the right tools and it would just work,” Moran said. “This tool also allows responders to verify the tools they are running, so it has a known good list of accepted, authentic tools.”

      The No-Script Automation Tool name resembles that of the popular No-Script, a JavaScript-blocking extension for web browsers. Moran said he doesn’t expect any confusion, since his tool is not about blocking scripts, but rather about running live forensic tools without the need to write an individual script for each one.

      NAT is a free tool that Moran said he built to make his own life easier and he is hopeful others will find it useful as well. It will become generally available at the time of Moran’s Black Hat talk, which is scheduled for 2:30 p.m. PDT at the Black Hat Arsenal tools area on Aug. 8.


      Live Forensics

      The tools that Moran has included in NAT are intended to help incident responders perform live forensics on compromised devices. The old way of doing forensics was to remove a system’s hard drive, take it to a lab and perform the analysis there, according to Moran.

      Modern attacks often involve in-memory exploits and code, which are volatile and will not persist once a system is shut down and a hard drive is removed. As such, Moran said it is important to preserve the running state of a system, such that it can be examined before the evidence disappears. Live forensics tools allow incident responders to gather the volatile information without the need to boot into another operating system or remove hardware.

      “You actually want to run trusted tools in a known repeatable way from the operating system itself, so you can get those artifacts from memory,” Moran said.

      Tools

      NAT supports a long list of tools, some of which are open-source and others Moran said are just freeware. Among the tools are AV, disk imaging, file system, memory, network, process and operating system tools.

      While the NAT project ships with a set of suggested tools, Moran said users can choose to use any tool they want, even if it’s not included in NAT. He added that the goal of NAT is to make it easier for users to run tools in a repeatable, orchestrated way and then generate output that can be used in forensic investigations.

      NAT is intended to run from a USB drive that a user plugs into a system. Moran explained that all the data from the tools that are run is saved onto the USB drive, which can then be removed and consumed on another system for correlation and analysis.

      “Incident responders want to try to avoid using tools that are installed on the operating system because if you’re concerned the operating system or the computer itself might be compromised, there is a good potential that some of those files were compromised as well,” he said. “That’s the idea with having a live response USB drive, letting you run a set of known tools that you can execute all at once in a secure way and then making sure that everything is stored back on that same USB drive.”

      NAT is not intended to be an analysis tool. Rather, it is an acquisition and data recovery tool, Moran said. As such, there is no dashboard within NAT that aggregates all the collected data. Instead, data is simply written to the USB drive for further analysis by other tools. 
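      The three properties described above, a known-good list that tools must match before they run, a fixed and repeatable run order, and every output written back to the same collection directory, can be sketched in a few dozen lines. The following is an added illustration for this article, not NAT’s or DFLabs’ code: the manifest format, the function names and the three Python scripts standing in for collection tools are all constructed for the example, and the hash of each output file is recorded in a collection log at write time so later changes to the evidence can be detected.

```python
"""
Illustrative live-response runner (hypothetical code, not part of NAT):
verify tools against a known-good SHA-256 manifest, run only the ones
that pass, in manifest order, and write every output plus a collection
log to one collection directory (on a live-response kit this would be
the USB drive the tools were launched from).
"""
import hashlib
import hmac
import json
import subprocess
import sys
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream the file so large tool binaries need not fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_tools(tool_dir: Path, manifest: dict) -> tuple[list[str], list[str]]:
    """Split manifest entries into trusted (present, hash matches) and rejected."""
    trusted, rejected = [], []
    for name, entry in manifest.items():
        path = tool_dir / name
        if path.is_file() and hmac.compare_digest(sha256_file(path), entry["sha256"]):
            trusted.append(name)
        else:
            rejected.append(name)
    return trusted, rejected


def run_collection(tool_dir: Path, manifest: dict, out_dir: Path,
                   launcher: tuple = ()) -> dict:
    """Run the trusted tools in manifest order; a rejected tool is never run.

    `launcher` is prefixed to each command: the Python interpreter for the
    script stand-ins in the demo, empty for native executables.
    """
    trusted, rejected = verify_tools(tool_dir, manifest)
    out_dir.mkdir(parents=True, exist_ok=True)
    log = {"started": datetime.now(timezone.utc).isoformat(),
           "rejected": rejected, "results": []}
    for name in trusted:
        cmd = [*launcher, str(tool_dir / name), *manifest[name].get("args", [])]
        proc = subprocess.run(cmd, capture_output=True, timeout=60)
        stdout_path = out_dir / f"{name}.stdout.txt"
        stderr_path = out_dir / f"{name}.stderr.txt"
        stdout_path.write_bytes(proc.stdout)
        stderr_path.write_bytes(proc.stderr)
        log["results"].append({
            "tool": name,
            "command": cmd,
            "returncode": proc.returncode,
            "stdout_file": str(stdout_path),
            # Hash outputs as they are written so later tampering is detectable.
            "stdout_sha256": sha256_file(stdout_path),
            "stderr_sha256": sha256_file(stderr_path),
        })
    (out_dir / "collection_log.json").write_text(json.dumps(log, indent=2))
    return log


def build_demo_toolkit(root: Path) -> tuple[Path, dict]:
    """Constructed stand-ins for collection tools (tiny Python scripts, not
    real forensic binaries) and their manifest. One script is altered after
    the manifest is built, simulating a tampered tool on the drive."""
    tool_dir = root / "tools"
    tool_dir.mkdir(parents=True)
    scripts = {
        "sysinfo.py": "import platform\nprint(f'platform={platform.platform()}')\n",
        "procs.py": "import os\nprint(f'pid={os.getpid()} ppid={os.getppid()}')\n",
        "tampered.py": "print('looks legitimate')\n",
    }
    manifest = {}
    for name, body in scripts.items():
        (tool_dir / name).write_text(body)
        manifest[name] = {"sha256": sha256_file(tool_dir / name), "args": []}
    with (tool_dir / "tampered.py").open("a") as fh:
        fh.write("# bytes appended after the manifest was built\n")
    return tool_dir, manifest


def demo() -> dict:
    """End-to-end run in a temporary directory; returns the collection log."""
    root = Path(tempfile.mkdtemp(prefix="live-response-"))
    tool_dir, manifest = build_demo_toolkit(root)
    return run_collection(tool_dir, manifest, root / "collection",
                          launcher=(sys.executable,))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Running the module executes the two intact stand-ins, skips the altered one and lists it under `rejected` in `collection_log.json`. For a real kit the manifest would be generated from a clean copy of each tool and kept read-only, and `hmac.compare_digest` is used over `==` simply as a habit for comparing digests.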

      Moran’s day job is at DFLabs, which builds commercial products including the IncMan Security Orchestration, Automation and Response (SOAR) platform, which was updated to version 4.4 on Aug. 2.

      Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.
