[Linux] DRONE expanding to multi-platform solutions

Binalyze DRONE is a remote digital forensics investigation solution that provides you with the capability to quickly understand your network by acquiring and analyzing data across all endpoints in minutes. 

With each release version, we are adding new improvements and enhancements based on our product roadmap as well as some of your great quality feedback. 

Today we are releasing v1.7.0 and here are the release highlights:

  • Linux support
  • Added Regex and Wildcard support on keyword search

Let’s dive into the new feature set.

Linux support

This was a popular request from a large number of our users and customers so we incorporated the feature into our roadmap right away. With this release, it is officially available.


Get The Latest DFIR News

Join the Forensic Focus newsletter for the best DFIR articles in your inbox every month.


Unsubscribe any time. We respect your privacy - read our privacy policy.

The following distributions are supported and it will be extended to support more distributions in the upcoming releases.

  • Debian 7+
  • RHEL 7+
  • CentOS 7+
  • Fedora 21+
  • Ubuntu 14.04+
  • Pardus 17+

Below is a  list of analyzers that are supported on Linux:

  • Generic Webshell Analyzer
  • Vulnerability Analyzer
  • YARA Scanner
  • Process Analyzer
  • CronJob Analyzer
  • Package Manager Analyzer
  • Shell History Analyzer

Regex & Wildcard keywords search

With this version, we are further enhancing your analyzing capability by adding regex and wildcard keyword searches that will help you get more detailed investigation results. Below you can find inputs and examples on how to use both of these keyword search methods in DRONE.

Regex Keyword Search

If you input a string that contains regex between forwarding slashes, Drone accepts it as a Regex pattern and searches with the regex engine. 

For example, you want to search for a certain pattern on your MFT, and let’s say you want to find the “exe” or “ps1” files that contain the name of the “danger”. So if you provide a regex pattern like /danger(.*).(exe|ps1)$/gi then you may expect to find all the MFT records like below if they existed in your MFT; 

  • danger-v1.2.3.exe
  • danger-vx.x.x.ps1
  • verydanger.ps1
  • Dangerrrr.exe

As you can see in the above example, regex closure must be in the forward slashes and after the last forward slash, you can also add Regex flags. Supported flags are;

  1. (g) Global: Don’t return after the first match
  2. (m) Multiline: ^ and $ match start/end of line
  3. (i) Insensitive: Case insensitive match
  4. (s) Single line: Dot matches newline
  5. (U) Ungreedy: Make quantifiers lazy

Syntax

The syntax of the regular expressions accepted is the same general syntax used by Perl. You can find more details here https://pkg.go.dev/regexp/syntax

More Examples

Search for unwanted host file entries;

/.*(.|)(facebook|twitter).com/i

Drone reports examples below in case if you have these entries;

  • www.facebook.com
  • www.twitter.com
  • facebook.com
  • twitter.com

Search for event log that contains mimikatz;

/mimi(katz|lib).(exe|dll)/i

Drone reports if you have an event log entry that contains the below keywords;

  • mimikatz.exe
  • mimilib.dll

Wildcard Keyword Search

If you put an asterisk sign or question mark in your keyword search, Drone accepts it as a wildcard search and uses the wildcard engine to search matches.

For example, you want to search for a certain pattern on your MFT, and let’s say you want to find the file name that contains “danger” and ends with a dot and 3 more characters (possibly an extension). So if you provide a wildcard pattern like *danger*.???* then you may expect to find all the MFT records like below if they existed in your MFT;

  • danger-v1.2.3.exe
  • danger-vx.x.x.ps1
  • verydanger.ps1
  • dangerrrr.exe
  • Danger.png
  • DaNgER.txt

Syntax

Compile creates Glob for given pattern and strings (if any present after pattern) as separators.

The pattern syntax is:

`*`         matches any sequence of non-separator characters

`**`        matches any sequence of characters

`?`         matches any single non-separator character

`[` [ `!` ] { character-range } `]`

Character range:

c           matches character c (c != `\\`, `-`, `]`)

`\` c       matches character c

lo `-` hi   matches character c for lo <= c <= hi

More Examples

Search for an unwanted host file entry;

*.twitter.com

Drone reports examples below in case if you have these entries;

  • www.twitter.com
  • mobile.twitter.com

Search for an event log that contains mimikatz;

*mimi*.???*

Drone reports if you have an event log entry that contains the below keywords;

  • mimikatz.exe
  • mimilib.dll

 

About DRONE

DRONE is among the first solutions in the digital forensics software market that is built on a foundation that empowers users with much faster speed and simplified user experience, clearing the way from heavy and time-consuming traditional digital forensics solutions. 

You can use DRONE for: 

  • Fully remote endpoint assessment
  • Ultra-fast Early Case Assessments
  • Automated Compromise Assessments
  • Rapid keyword searching of forensic evidence
  • Anomaly Detection on endpoint forensic data
  • Support for Sigma rules
  • Decreasing preliminary analysis time to minutes
  • Supporting analysts with less experience to make informed decisions

How to get DRONE?

If you would like to try the DRONE, please visit www.binalyze.com/drone.

Leave a Comment

Latest Videos

Si and Desi interview Emi Polito from Amped about how to become an Amped FIVE Certified Examiner (AFCE). They discuss the exam requirements, format, timeline for certification, and Amped’s future plans. Emi explains that the certification is aimed at demonstrating competency with the Amped FIVE video analysis software after completing training. The exam consists of multiple choice questions on theory and practical exercises using the software. Emi talks about the online exam format and process for passing or failing.

Emi also discusses the broader challenges many organizations face with validation and accreditation. He emphasizes Amped's commitment to developing tools that facilitate that process. The hosts reflect on the confusing accreditation landscape and Amped’s passion for improving training and certification in forensics. This episode provides an overview of Amped's new certification and perspective on challenges in the field of video forensics.

Show Notes:

Introducing The AFCE Certification (Amped FIVE Certified Examiner) - https://www.forensicfocus.com/news/introducing-the-afce-certification-amped-five-certified-examiner/

Video Evidence Principles With Amped Software - https://www.forensicfocus.com/podcast/video-evidence-principles-with-amped-software/

Digital Image Authenticity And Integrity With Amped Authenticate - https://www.forensicfocus.com/podcast/digital-image-authenticity-and-integrity-with-amped-authenticate/

File Analysis And DVR Conversion Training From Amped Software - https://www.forensicfocus.com/reviews/file-analysis-and-dvr-conversion-training-from-amped-software/

Amped FIVE Speed Estimation 2d Filter And Training From Amped Software - https://www.forensicfocus.com/reviews/amped-five-speed-estimation-2d-filter-and-training-from-amped-software/

Amped Software’s Martino Jerian on Key Challenges and Opportunities for Video Evidence - https://www.forensicfocus.com/podcast/amped-softwares-martino-jerian-on-key-challenges-and-opportunities-for-video-evidence/

LEVA 2023 Training Symposium - https://www.leva.org/

Forensic Collision Investigation & Reconstruction Ltd - https://www.fcir.co.uk/

Amped FIVE Certified Examiner - https://ampedsoftware.com/afce-certification 

Introducing the Amped FIVE Certification Program - https://blog.ampedsoftware.com/2023/10/04/introducing-the-amped-five-certification-program

Amped Software YouTube - https://www.youtube.com/ampedsoftware
How to Use the Validation Tool in Amped FIVE - https://blog.ampedsoftware.com/2023/03/29/how-to-use-the-validation-tool-in-amped-five

Si and Desi interview Emi Polito from Amped about how to become an Amped FIVE Certified Examiner (AFCE). They discuss the exam requirements, format, timeline for certification, and Amped’s future plans. Emi explains that the certification is aimed at demonstrating competency with the Amped FIVE video analysis software after completing training. The exam consists of multiple choice questions on theory and practical exercises using the software. Emi talks about the online exam format and process for passing or failing.

Emi also discusses the broader challenges many organizations face with validation and accreditation. He emphasizes Amped's commitment to developing tools that facilitate that process. The hosts reflect on the confusing accreditation landscape and Amped’s passion for improving training and certification in forensics. This episode provides an overview of Amped's new certification and perspective on challenges in the field of video forensics.

Show Notes:

Introducing The AFCE Certification (Amped FIVE Certified Examiner) - https://www.forensicfocus.com/news/introducing-the-afce-certification-amped-five-certified-examiner/

Video Evidence Principles With Amped Software - https://www.forensicfocus.com/podcast/video-evidence-principles-with-amped-software/

Digital Image Authenticity And Integrity With Amped Authenticate - https://www.forensicfocus.com/podcast/digital-image-authenticity-and-integrity-with-amped-authenticate/

File Analysis And DVR Conversion Training From Amped Software - https://www.forensicfocus.com/reviews/file-analysis-and-dvr-conversion-training-from-amped-software/

Amped FIVE Speed Estimation 2d Filter And Training From Amped Software - https://www.forensicfocus.com/reviews/amped-five-speed-estimation-2d-filter-and-training-from-amped-software/

Amped Software’s Martino Jerian on Key Challenges and Opportunities for Video Evidence - https://www.forensicfocus.com/podcast/amped-softwares-martino-jerian-on-key-challenges-and-opportunities-for-video-evidence/

LEVA 2023 Training Symposium - https://www.leva.org/

Forensic Collision Investigation & Reconstruction Ltd - https://www.fcir.co.uk/

Amped FIVE Certified Examiner - https://ampedsoftware.com/afce-certification

Introducing the Amped FIVE Certification Program - https://blog.ampedsoftware.com/2023/10/04/introducing-the-amped-five-certification-program

Amped Software YouTube - https://www.youtube.com/ampedsoftware
How to Use the Validation Tool in Amped FIVE - https://blog.ampedsoftware.com/2023/03/29/how-to-use-the-validation-tool-in-amped-five

YouTube Video UCQajlJPesqmyWJDN52AZI4Q_VKk-mhlae1c

Becoming An Amped FIVE Certified Examiner (AFCE)

Forensic Focus 1st December 2023 4:25 pm

Subscribe to the Forensic Focus Podcast: https://www.forensicfocus.com/podcast/

Si and Desi are joined by Brittany and Ailsa from digital forensics software company ADF Solutions. They discuss how ADF is addressing key challenges for digital forensics practitioners, including handling the massive volumes of data from mobile devices and the cloud.

The guests outline ADF's focus on developing their software as an easy-to-use onsite triage tool that can help quickly identify pertinent evidence. Key features include advanced handling of video files, AI-assisted classification of images, and new screen recording capabilities for mobile devices that allow suspects to safely share relevant data. 

The hosts and guests also explore ADF's ongoing research into areas like facial recognition, handling new device types like games consoles and smart watches, and identifying deepfake media.

00:00 – Introduction to Ailsa and Brittany
03:00 – The challenge of vast amounts of data
05:50 – Recovering data from Chromebooks
08:50 – Triaging using ADF tools
12:30 – Benefits of using ADF Solutions’ tools
15:50 – Limitations in types of apps
17:20 – Keeping up with technological advancements
19:15 – ADF customer base
21:00 - Artificial intelligence in classifying images
30:00 – ADF Solutions’ triaging kit
37:00 – Training with ADF
40:00 – Target user
44:50 – Roadmap of future devices to examine
51:30 – Main focus for ADF Solutions going forwards

Show Notes:
AI-generated CSAM article on Sky News - https://news.sky.com/story/thousands-of-ai-generated-child-abuse-images-being-shared-online-research-finds-12991727

Subscribe to the Forensic Focus Podcast: https://www.forensicfocus.com/podcast/

Si and Desi are joined by Brittany and Ailsa from digital forensics software company ADF Solutions. They discuss how ADF is addressing key challenges for digital forensics practitioners, including handling the massive volumes of data from mobile devices and the cloud.

The guests outline ADF's focus on developing their software as an easy-to-use onsite triage tool that can help quickly identify pertinent evidence. Key features include advanced handling of video files, AI-assisted classification of images, and new screen recording capabilities for mobile devices that allow suspects to safely share relevant data.

The hosts and guests also explore ADF's ongoing research into areas like facial recognition, handling new device types like games consoles and smart watches, and identifying deepfake media.

00:00 – Introduction to Ailsa and Brittany
03:00 – The challenge of vast amounts of data
05:50 – Recovering data from Chromebooks
08:50 – Triaging using ADF tools
12:30 – Benefits of using ADF Solutions’ tools
15:50 – Limitations in types of apps
17:20 – Keeping up with technological advancements
19:15 – ADF customer base
21:00 - Artificial intelligence in classifying images
30:00 – ADF Solutions’ triaging kit
37:00 – Training with ADF
40:00 – Target user
44:50 – Roadmap of future devices to examine
51:30 – Main focus for ADF Solutions going forwards

Show Notes:
AI-generated CSAM article on Sky News - https://news.sky.com/story/thousands-of-ai-generated-child-abuse-images-being-shared-online-research-finds-12991727

YouTube Video UCQajlJPesqmyWJDN52AZI4Q_4z-EgH54KZk

The Power Of Digital Forensics: How ADF Solutions Is Revolutionizing The Digital Forensics Industry

Forensic Focus 30th November 2023 2:57 pm

This error message is only visible to WordPress admins

Important: No API Key Entered.

Many features are not available without adding an API Key. Please go to the YouTube Feed settings page to add an API key after following these instructions.

Latest Articles