osTriage version 2

EricZimmerman
(@ericzimmerman)
Posts: 222
Estimable Member
Topic starter
 

Background

Put very simply, osTriage is a live response and triage tool that I
wrote. It provides more information to investigators in a few minutes
than most full forensic reports include after months of waiting.

It is currently in use by 1000s of people in over 45 countries.

———————-

Over the last several weeks, I have been thinking about what version 2
should look like.

To date I have come to the following conclusions:

1. v2 needs to be more flexible in what tabs are shown or hidden
2. v2 needs to be able to be extended by anyone
3. v2 should be able to address every type of investigation out there
that involves a computer

For these reasons I am now in the early stages of redesigning osTriage
as follows:

- All of the tabs (with few exceptions) will be plugin based. These
plugins exist as DLLs outside the main osTriage program in separate
directories.

- A standard programming Interface should exist which allows anyone
with some basic programming knowledge to write their own plugins.

- It should be easy to build different "configuration" packages which
correspond to different types of investigations (i.e. hacking, child
pornography, white collar, APT, etc.)

The most powerful concept of osT2 is that it allows (by moving, deleting
or renaming plugins) end users to tailor the program to their exact
needs based on the nature of the case, legal requirements, etc.

In addition to tailoring the program to specific investigative needs,
subject matter experts can also write their own plugins and make them
available to the community in the manner they see fit (free, commercial,
etc)

The main program (osTriage.exe) will serve as a conduit to load and
interact with plugins. The main program will provide a means for plugins
to report their actions as well as a way to inform plugins that files
have been found once a search is started (i.e. the main program will be
responsible for searching a computer's file system(s). The searching
code will most likely be plugin based as well so people can replace it
if they like).

To date I have done the following:

- drafted the initial programming Interface that plugins use. I have a
bit more work to do on the Interface but it is close to being done.

- created the main GUI which is responsible for looking for and loading
valid plugins.

- written several test plugins (approx 150 lines of code, so very easy
to do) and they load and present in the GUI as intended.

Project goals

What I envision osTriage 2 to be is an open and extensible platform for
the entire community to build live response and triage packages.

I also will initially provide plugins that correspond to each piece of
functionality as found in the current release of osTriage.

So where do you (potentially) come into this? By answering such
questions as:

- What are the pros and cons of existing LR and triage tools?

- What problems do we as a community have pretty much solved?

- What problems do we need to work on?

In short, I am asking for the community's feedback to ensure that osT2
covers the widest possible number of use cases for as many people as
possible, so if you have any suggestions on what you would like to see
in such a tool, please let me know.

Perhaps the best way to provide feedback is via my forums, but email
works fine as well (saericzimmerman@gmail.com). You can also call any time.

Feel free to forward this email to anyone who may provide feedback on this.

P.S. if there are any .net programmers out there who wish to be
involved, please let me know.

 
Posted : 25/02/2013 9:33 pm
TuckerHST
(@tuckerhst)
Posts: 175
Estimable Member
 

Eric, I was impressed with your demo of osTriage. It's exciting that you plan to make it available to the entire community, beyond law enforcement. I'm not sure when you're planning to have builds available, but I would love to have my Forensics class use it in hands-on exercises.

If I understand correctly, osTriage is intended to analyze live systems. Can it be used with drive images? Would they have to be started in a VM or can you simply specify a drive image (or mounted image) as the subject of the examination?

 
Posted : 25/02/2013 10:29 pm
EricZimmerman
(@ericzimmerman)
Posts: 222
Estimable Member
Topic starter
 

It can be used against anything that has a drive letter in Windows, so it does serve as both a live response and dead box searching platform.

Ideally plugins will get the same data whether live response or not, but sometimes that's just not possible (like running processes, etc.).

 
Posted : 25/02/2013 10:31 pm
TuckerHST
(@tuckerhst)
Posts: 175
Estimable Member
 

> In short, I am asking for the community's feedback to ensure that osT2
> covers the widest possible number of use cases for as many people as
> possible, so if you have any suggestions on what you would like to see
> in such a tool, please let me know.
>
> Perhaps the best way to provide feedback is via my forums…

Ok, Eric, here's a suggestion. I'd like to see a feature or plugin that identifies candidates to have been copied from a FAT system, by flagging modified times that are even whole seconds. (Does osTriage support NSRL hash tables?) The distinction between whether a file was downloaded, edited on the host computer, or copied from a flash drive has been relevant in several of my cases.

What's the URL for your forums?

 
Posted : 27/02/2013 11:20 am
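The plugin model Eric sketches in the first post (tabs as DLLs in separate directories, a standard interface, the host notifying plugins of found files) and TuckerHST's "even whole seconds" suggestion above can be tied together in one small C# sketch. This is an added example, not osTriage code or a real osTriage API: the interface name IOsTriagePlugin, its members, the PluginLoader class and the FatTimestampPlugin are all assumptions made for illustration. The timestamp rule itself is grounded in the FAT on-disk format, which records last-write time with 2-second granularity (the same DOS date/time format ZIP entries use), so a file copied from a FAT volume onto NTFS keeps an mtime with an even second count and no sub-second part.

```csharp
// Added example, not osTriage code. IOsTriagePlugin, PluginLoader and
// FatTimestampPlugin are hypothetical names chosen for this sketch.
using System;
using System.Collections.Generic;
using System.IO;
using System.Reflection;

// Hypothetical host-side contract: the host calls OnFileFound for every
// file its search turns up and reads Findings afterwards to fill a tab.
public interface IOsTriagePlugin
{
    string Name { get; }
    void OnFileFound(FileInfo file);          // called by the host during the search
    IReadOnlyList<string> Findings { get; }   // what the plugin wants reported
}

// FAT (and DOS-format ZIP entries) store last-write time with 2-second
// granularity, so a file copied from a FAT volume onto NTFS keeps an mtime
// whose seconds are even and whose sub-second part is zero. Time-zone
// conversion shifts by whole minutes, so the parity survives a UTC view.
public sealed class FatTimestampPlugin : IOsTriagePlugin
{
    private readonly List<string> _findings = new List<string>();
    public string Name => "FAT-origin timestamp candidates";
    public IReadOnlyList<string> Findings => _findings;

    // 2 seconds expressed in DateTime ticks (100 ns each)
    private const long TwoSecondsInTicks = 2 * TimeSpan.TicksPerSecond;

    // True when the timestamp sits exactly on a 2-second boundary.
    public static bool LooksLikeFatTimestamp(DateTime t) =>
        t.Ticks % TwoSecondsInTicks == 0;

    public void OnFileFound(FileInfo file)
    {
        DateTime mtime = file.LastWriteTimeUtc;
        if (LooksLikeFatTimestamp(mtime))
            _findings.Add($"{file.FullName}\tmtime={mtime:o}\tcandidate: FAT/ZIP-granularity mtime");
    }
}

// Hypothetical loader: every *.dll under pluginDir is opened with
// Assembly.LoadFrom and each public, concrete class implementing
// IOsTriagePlugin is instantiated. Moving, deleting or renaming a DLL is
// therefore enough to remove that tab, as the first post describes.
public static class PluginLoader
{
    public static List<IOsTriagePlugin> Load(string pluginDir)
    {
        var plugins = new List<IOsTriagePlugin>();
        foreach (string dll in Directory.EnumerateFiles(pluginDir, "*.dll", SearchOption.AllDirectories))
        {
            Assembly asm;
            try { asm = Assembly.LoadFrom(dll); }
            catch (BadImageFormatException) { continue; } // native or corrupt DLL, skip it
            foreach (Type type in asm.GetExportedTypes())
            {
                if (type.IsAbstract || !typeof(IOsTriagePlugin).IsAssignableFrom(type)) continue;
                // Requires a public parameterless constructor on the plugin class.
                if (Activator.CreateInstance(type) is IOsTriagePlugin p) plugins.Add(p);
            }
        }
        return plugins;
    }
}

public static class Program
{
    public static void Main(string[] args)
    {
        string root = args.Length > 0 ? args[0] : ".";
        // In a real host the FAT plugin would be one of the DLLs returned by
        // PluginLoader.Load; it is instantiated directly here so the sketch
        // runs without a plugin directory.
        var plugins = new List<IOsTriagePlugin> { new FatTimestampPlugin() };

        // Host-side search: walk the tree and hand each file to every plugin.
        foreach (string path in Directory.EnumerateFiles(root, "*", SearchOption.AllDirectories))
            foreach (IOsTriagePlugin p in plugins) p.OnFileFound(new FileInfo(path));

        foreach (IOsTriagePlugin p in plugins)
        {
            Console.WriteLine($"== {p.Name} ({p.Findings.Count} hits) ==");
            foreach (string f in p.Findings) Console.WriteLine(f);
        }
    }
}
```

Treat the output as candidates, not conclusions: anything written with second-only precision, files extracted from ZIP archives, and the occasional NTFS timestamp that happens to land on a 2-second boundary will also match, so the hit list is a filter for the examiner rather than proof of a flash-drive copy. A production loader would also catch ReflectionTypeLoadException from GetExportedTypes and UnauthorizedAccessException from the directory walk instead of letting one bad plugin or folder abort the search.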
sirjeimz
(@sirjeimz)
Posts: 15
Active Member
 

Hi Eric,

My name is James and I am a Digital Forensics Officer with the Fiji Police Force; I would like to know how we can download your OS Triage.

Thanks

James Lave

 
Posted : 28/01/2015 5:00 am
(@saltyone64)
Posts: 9
Active Member
 

Good work, will love to contribute to this project. Maybe you can add the functionality of auditing web browser artifacts too.

 
Posted : 19/12/2015 11:30 pm