osTriage version 2

Post Posted: Mon Feb 25, 2013 11:33 am

Background

Put very simply, osTriage is a live response and triage tool that I
wrote. It provides more information to investigators in a few minutes
than most full forensic reports include after months of waiting.

It is currently in use by 1000s of people in over 45 countries.



----------------------

Over the last several weeks, I have been thinking about what version 2
should look like.

To date I have come to the following conclusions:

1. v2 needs to be more flexible in what tabs are shown or hidden
2. v2 needs to be able to be extended by anyone
3. v2 should be able to address every type of investigation out there
that involves a computer


For these reasons I am now in the early stages of redesigning osTriage
as follows:

- All of the tabs (with few exceptions) will be plugin based. These
plugins exist as DLLs outside the main osTriage program in separate
directories.

- A standard programming Interface should exist which allows anyone
with some basic programming knowledge to write their own plugins

- It should be easy to build different "configuration" packages which
correspond to different types of investigations (i.e. hacking, child
pornography, white collar, APT, etc.)


The most powerful concept of osT2 is that it allows (by moving, deleting
or renaming plugins) end users to tailor the program to their exact
needs based on the nature of the case, legal requirements, etc.

In addition to tailoring the program to specific investigative needs,
subject matter experts can also write their own plugins and make them
available to the community in the manner they see fit (free, commercial,
etc)


The main program (osTriage.exe) will serve as a conduit to load and
interact with plugins. The main program will provide a means for plugins
to report their actions as well as a way to inform plugins that files
have been found once a search is started (i.e. the main program will be
responsible for searching a computer's file system(s). The searching
code will most likely be plugin based as well so people can replace it
if they like).



To date I have done the following:

- drafted the initial programming Interface that plugins use. I have a
bit more work to do on the Interface but it is close to being done.

- created the main GUI which is responsible for looking for and loading
valid plugins.

- written several test plugins (approx 150 lines of code, so very easy
to do) and they load and present in the GUI as intended.


Project goals

What I envision osTriage 2 to be is an open and extensible platform for
the entire community to build live response and triage packages.

I also will initially provide plugins that correspond to each piece of
functionality as found in the current release of osTriage.



So where do you (potentially) come into this? By answering questions
such as:

- What are the pros and cons of existing LR and triage tools?

- What problems do we as a community have pretty much solved?

- What problems do we need to work on?



In short, I am asking for the community's feedback to ensure that osT2
covers the widest possible number of use cases for as many people as
possible, so if you have any suggestions on what you would like to see
in such a tool, please let me know.


Perhaps the best way to provide feedback is via my forums, but email
works fine as well (saericzimmerman@gmail.com). You can also call any time.


Feel free to forward this email to anyone who may provide feedback on this.


P.S. if there are any .NET programmers out there who wish to be
involved, please let me know.

EricZimmerman
Senior Member
 
 
  

Re: osTriage version 2

Post Posted: Mon Feb 25, 2013 12:29 pm

Eric, I was impressed with your demo of osTriage. It's exciting that you plan to make it available to the entire community, beyond law enforcement. I'm not sure when you're planning to have builds available, but I would love to have my Forensics class use it in hands-on exercises.

If I understand correctly, osTriage is intended to analyze live systems. Can it be used with drive images? Would they have to be started in a VM or can you simply specify a drive image (or mounted image) as the subject of the examination?
_________________
Scott Tucker
Aptegra Consulting, LLC
www.aptegra.com

TuckerHST
Senior Member
 
 
  

Re: osTriage version 2

Post Posted: Mon Feb 25, 2013 12:31 pm

It can be used against anything that has a drive letter in Windows, so it does serve as both a live response and dead box searching platform.

Ideally plugins will get the same data whether live response or not, but sometimes that's just not possible (like running processes, etc).

EricZimmerman
Senior Member
 
 
  

Re: osTriage version 2

Post Posted: Wed Feb 27, 2013 1:20 am

- EricZimmerman
In short, I am asking for the community's feedback to ensure that osT2
covers the widest possible number of use cases for as many people as
possible, so if you have any suggestions on what you would like to see
in such a tool, please let me know.

Perhaps the best way to provide feedback is via my forums...


Ok, Eric, here's a suggestion. I'd like to see a feature or plugin that identifies candidates to have been copied from a FAT system, by flagging modified times that are even whole seconds. (Does osTriage support NSRL hash tables?) The distinction between whether a file was downloaded, edited on the host computer, or copied from a flash drive has been relevant in several of my cases.

What's the URL for your forums?
_________________
Scott Tucker
Aptegra Consulting, LLC
www.aptegra.com

TuckerHST
Senior Member
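
As an added illustration of the FAT-timestamp heuristic suggested in the post above (example code written for this page, not osTriage code and not from either poster): FAT stores last-write times at 2-second resolution, so a modified time that is an even whole second with no fractional part is a candidate for having been copied from a FAT volume. The paths and timestamps in SAMPLE are constructed, and the heuristic only flags candidates for follow-up, since other DOS-time sources (ZIP extraction) produce the same pattern.

```python
import os
from datetime import datetime, timezone

# FAT records a file's last-write time in DOS format (2-second resolution);
# NTFS keeps 100 ns. An NTFS file whose mtime is an even whole second with no
# fractional part therefore fits a FAT origin: the copy preserved the coarse
# source timestamp. ZIP archives use the same DOS format, so extracted files
# trip the same check; treat hits as candidates, not conclusions.
TWO_SECONDS_NS = 2_000_000_000

def looks_fat_sourced(mtime_ns: int) -> bool:
    """True when mtime (ns since the Unix epoch) sits on an even whole second."""
    # Days, hours, minutes and every real UTC offset are even numbers of seconds,
    # so parity of the epoch value equals parity of the local-time seconds field.
    return mtime_ns % TWO_SECONDS_NS == 0

def classify(entries):
    """Map each (path, mtime_ns) pair to 'fat-candidate' or 'native'."""
    return {path: ("fat-candidate" if looks_fat_sourced(ns) else "native")
            for path, ns in entries}

def scan_tree(root):
    """Walk a mounted volume or image and return the paths flagged as candidates."""
    flagged = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            try:
                mtime_ns = os.stat(full).st_mtime_ns
            except OSError:
                continue  # unreadable entry: skip it rather than abort the sweep
            if looks_fat_sourced(mtime_ns):
                flagged.append(full)
    return flagged

def ts_ns(y, mo, d, hh, mm, ss, us=0):
    """Build an integer nanosecond timestamp from UTC components (exact integer math)."""
    whole = int(datetime(y, mo, d, hh, mm, ss, tzinfo=timezone.utc).timestamp())
    return whole * 1_000_000_000 + us * 1_000

# Constructed sample entries (hypothetical paths and times, not real case data).
SAMPLE = [
    ("E:\\docs\\report.docx", ts_ns(2013, 2, 25, 11, 33, 14)),          # even, whole second
    ("E:\\docs\\notes.txt", ts_ns(2013, 2, 25, 11, 33, 15)),            # odd second
    ("E:\\docs\\photo.jpg", ts_ns(2013, 2, 25, 11, 33, 14, 437_512)),   # sub-second part
]

if __name__ == "__main__":
    for path, verdict in classify(SAMPLE).items():
        print(f"{verdict:14} {path}")
```

Run scan_tree() against a mounted image's drive letter to apply the same check to a real tree; only report.docx in the constructed sample is flagged.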
 
 