The Cyber Triage Malware Scanner Module for Autopsy allows digital forensic examiners to identify malware and backdoors on a disk image or other data source. This helps determine who had access to the suspect system.
Know Who Had Device Access
The goal of many digital investigations is to tie activity back to a person who can be held responsible. It’s relatively easy to identify who had physical access and computer accounts.
But, identifying covert access is much harder. Defendants may try to assert that the digital evidence was placed there by an attacker, the so-called “Some Other Dude Did It” (SODDI) defense.
The best way to refute that claim is to know if there was covert access backdoor software. Scanning a suspect’s or victim’s system for malware can help you to know what access methods existed.
Scan with 40+ Malware Engines
The Cyber Triage Malware Scanning module uses 40+ malware scanning engines to make a decision on if an executable is malicious. This gives you much broader coverage than relying on a single tool, which may incorrectly miss a backdoor.
Don’t Introduce Malware Into Your Lab
Many labs will scan for malware on disk images by mounting the image and using a single, local malware scanner. In addition to the risk of relying only on a single engine, this also introduces the risk that you could launch the malware while it is mounted. This would infect your system and the lab.
The Cyber Triage Malware Scanning module does not write the files to your computer. It uses hash values and uploads files directly to an online analysis service.
How It Works
The Cyber Triage Malware Scanning module is an Autopsy ingest module you can enable when parsing a data source.
Technically, the Malware Scanner Module will:
- Ignore any file that is not a Windows executable (exe or dll)
- Ignore any file that was found in the NIST NSRL (if you enabled that)
- Query an online API with the file’s hash value to see if the file was already analyzed and has results.
- Optionally, upload the full file if the file has not been analyzed before
- Any file that is identified as malware will get scored accordingly.
You can use this module only if you are connected to the Internet. It cannot currently be used in air-gapped environments (though the full Cyber Triage application can).
We understand that investigators get nervous about uploading files because they do not want to broadcast to the world that a file has been found. The Cyber Triage Malware Scanning module for Autopsy will:
- Only upload files if you choose to.
- Only upload executable files (no Office or PDF files)
- Only make results available to other Cyber Triage users who also have the hash. The results are not advertised to the public.
The Cyber Triage Malware Scanning module is licensed based on the number of computers using it and the number of hosts being analyzed
- You can use a license only on one examiner system.
- The license includes a maximum number of hash lookups that can be performed either daily or weekly.
- The license includes a maximum number of file uploads that can be performed either daily or weekly.
How To Get It
The module ships with Autopsy. To use it:
If you want to evaluate the module, you can get a one-time, short-term license by entering your information here.
How It Compares to Cyber Triage
This Autopsy module contains only the malware scanning features from Cyber Triage. It does not include:
- Triage collection tool
- Scoring and parsing of intrusion-related artifacts
- Recommendation engine
- Integrations with other security tools
If you are interested in an end-to-end intrusion investigation tool, then Cyber Triage may be a better fit for your needs.