[Linux] DRONE expanding to multi-platform solutions

Binalyze DRONE is a remote digital forensics investigation solution that provides you with the capability to quickly understand your network by acquiring and analyzing data across all endpoints in minutes. 

With each release version, we are adding new improvements and enhancements based on our product roadmap as well as some of your great quality feedback. 

Today we are releasing v1.7.0 and here are the release highlights:

  • Linux support
  • Added Regex and Wildcard support on keyword search

Let’s dive into the new feature set.

Linux support

This was a popular request from a large number of our users and customers so we incorporated the feature into our roadmap right away. With this release, it is officially available.



The following distributions are supported, and support will be extended to more distributions in upcoming releases.

  • Debian 7+
  • RHEL 7+
  • CentOS 7+
  • Fedora 21+
  • Ubuntu 14.04+
  • Pardus 17+

Below is a list of the analyzers supported on Linux:

  • Generic Webshell Analyzer
  • Vulnerability Analyzer
  • YARA Scanner
  • Process Analyzer
  • CronJob Analyzer
  • Package Manager Analyzer
  • Shell History Analyzer

Regex & Wildcard keywords search

With this version, we are further enhancing your analysis capabilities by adding regex and wildcard keyword searches that will help you get more detailed investigation results. Below you will find the syntax and examples for both keyword search methods in DRONE.

Regex Keyword Search

If you input a string that contains a regex between forward slashes, Drone accepts it as a regex pattern and searches with the regex engine.

For example, say you want to search for a certain pattern in your MFT: the “exe” or “ps1” files whose name contains “danger”. If you provide a regex pattern like /danger(.*).(exe|ps1)$/gi, you can expect to find MFT records like the ones below, if they exist in your MFT:

  • danger-v1.2.3.exe
  • danger-vx.x.x.ps1
  • verydanger.ps1
  • Dangerrrr.exe

As the example above shows, the regex must be enclosed in forward slashes, and after the last forward slash you can add regex flags. The supported flags are:

  1. (g) Global: Don’t return after the first match
  2. (m) Multiline: ^ and $ match start/end of line
  3. (i) Insensitive: Case insensitive match
  4. (s) Single line: Dot matches newline
  5. (U) Ungreedy: Make quantifiers lazy

Syntax

The accepted regular expression syntax is the same general syntax used by Perl. You can find more details at https://pkg.go.dev/regexp/syntax

More Examples

Search for unwanted hosts file entries:

/.*(.|)(facebook|twitter).com/i

Drone reports the entries below if they are present:

  • www.facebook.com
  • www.twitter.com
  • facebook.com
  • twitter.com

Search for event log entries that contain mimikatz:

/mimi(katz|lib).(exe|dll)/i

Drone reports any event log entry that contains the keywords below:

  • mimikatz.exe
  • mimilib.dll

Wildcard Keyword Search

If you put an asterisk or a question mark in your keyword, Drone treats it as a wildcard search and uses the wildcard engine to find matches.

For example, say you want to search for a certain pattern in your MFT: file names that contain “danger” and end with a dot followed by 3 more characters (most likely an extension). If you provide a wildcard pattern like *danger*.???*, you can expect to find MFT records like the ones below, if they exist in your MFT:

  • danger-v1.2.3.exe
  • danger-vx.x.x.ps1
  • verydanger.ps1
  • dangerrrr.exe
  • Danger.png
  • DaNgER.txt

Syntax

Compile creates a Glob for the given pattern; any strings present after the pattern are used as separators.

The pattern syntax is:

  • `*` matches any sequence of non-separator characters
  • `**` matches any sequence of characters
  • `?` matches any single non-separator character
  • `[` [ `!` ] { character-range } `]` matches a single character from the class

Character range:

  • c matches character c (c != `\`, `-`, `]`)
  • `\` c matches character c
  • lo `-` hi matches character c for lo <= c <= hi

More Examples

Search for an unwanted hosts file entry:

*.twitter.com

Drone reports the entries below if they are present:

  • www.twitter.com
  • mobile.twitter.com

Search for an event log entry that contains mimikatz:

*mimi*.???*

Drone reports any event log entry that contains the keywords below:

  • mimikatz.exe
  • mimilib.dll
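The keyword dispatch rule and both pattern syntaxes described above, as an added example in Go (the language whose regexp syntax the notes link to); this is not DRONE's code, and the glob-to-regexp translation, the case-insensitive wildcard matching inferred from the Danger.png / DaNgER.txt hits, and the dropping of the g flag are assumptions drawn from the page's examples.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// globToRegexp turns the wildcard syntax listed above into an anchored Go
// regexp. No separator is configured, so ** behaves like *; [...] is literal.
func globToRegexp(pattern string) string {
	var b strings.Builder
	b.WriteString("^")
	for i := 0; i < len(pattern); i++ {
		switch c := pattern[i]; {
		case c == '*':
			b.WriteString(".*")
		case c == '?':
			b.WriteString(".")
		case c == '\\' && i+1 < len(pattern): // \c matches c literally
			i++
			b.WriteString(regexp.QuoteMeta(string(pattern[i])))
		default:
			b.WriteString(regexp.QuoteMeta(string(c)))
		}
	}
	return b.String() + "$"
}

// matchKeyword applies the dispatch rule from the release notes: /re/flags is a
// regex (Go has no g flag, so it is dropped), * or ? means wildcard, else substring.
func matchKeyword(keyword, text string) (bool, error) {
	var expr string
	if end := strings.LastIndex(keyword, "/"); strings.HasPrefix(keyword, "/") && end > 0 {
		expr = "(?" + strings.ReplaceAll(keyword[end+1:], "g", "") + ")" + keyword[1:end] // (?) is a no-op
	} else if strings.ContainsAny(keyword, "*?") {
		expr = "(?i)" + globToRegexp(keyword) // case-insensitive, as Danger.png / DaNgER.txt above imply
	} else {
		return strings.Contains(text, keyword), nil
	}
	re, err := regexp.Compile(expr)
	if err != nil {
		return false, err
	}
	return re.MatchString(text), nil
}

func main() { // stand-alone demo against one of the MFT names quoted above
	fmt.Println(matchKeyword("/danger(.*).(exe|ps1)$/gi", "Dangerrrr.exe")) // true <nil>
}
```

Note that in the page's regex examples the unescaped `.` before the extension matches any character, so `danger(.*)\.(exe|ps1)$` is the tighter form when only a real extension should hit; the wildcard `*.twitter.com`, by contrast, requires a literal dot and so does not match the bare `twitter.com` entry.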


About DRONE

DRONE is among the first solutions in the digital forensics software market built on a foundation that gives users much faster speed and a simplified user experience, moving away from heavy and time-consuming traditional digital forensics solutions.

You can use DRONE for: 

  • Fully remote endpoint assessment
  • Ultra-fast Early Case Assessments
  • Automated Compromise Assessments
  • Rapid keyword searching of forensic evidence
  • Anomaly Detection on endpoint forensic data
  • Support for Sigma rules
  • Decreasing preliminary analysis time to minutes
  • Supporting analysts with less experience to make informed decisions

How to get DRONE?

If you would like to try DRONE, please visit www.binalyze.com/drone.
