Security boffins within the Defence Signals Directorate have released an open source forensics tool that improves the process of “carving out” target data stored within other file formats.
The so-called Pronghorn tool is said to be exceptionally resilient to external and internal process failure, compared to existing options. It allows each layer of nesting to be analysed by different software.
DSD authors told SC that Pronghorn allowed experimentation with a number of novel techniques.
“The key strength of the Pronghorn framework is resilience to external and internal process failure,” the authors said, requesting anonymity.
“Pronghorn ties together multiple libraries in order to perform analytical tasks, but is exceptionally resilient to external library failure and incorporates mechanisms that allow the user to identify which libraries are more trusted.”
The DSD authors said some existing open source carving tools struggled to find data contained within other files.
“An example of this might be an image, located inside a word document, located inside a zip file.”
They explained that Pronghorn was resilient to component failure and quick to recover because each process was completely separated.
It also made heavy use of Filesystem in Userspace (FUSE) libraries, which allowed data to be analysed without being duplicated and let a wide range of open source libraries be used with little modification.
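As an added illustration of the layered carving the authors describe (example code written for this article, not Pronghorn's or DSD's own), the following Python sketch unwraps a constructed ZIP that holds a .docx which in turn holds a PNG, types each layer by its magic bytes, and tries a list of handlers in trust order so that a failing handler is recorded and skipped rather than aborting the whole carve. Pronghorn isolates each component in its own process; here that isolation is simplified to exception handling, and the signature table, handler names and nesting limit are this example's own assumptions.

```python
import io
import zipfile

# Magic-byte signatures used to type each carved blob (constructed, not exhaustive).
SIGNATURES = {b"PK\x03\x04": "zip", b"\x89PNG\r\n\x1a\n": "png", b"%PDF": "pdf"}


def identify(blob):
    """Return a type name for a blob based on its leading bytes."""
    for magic, name in SIGNATURES.items():
        if blob.startswith(magic):
            return name
    return "unknown"


def unpack_zip(blob):
    """Handler: return (name, bytes) for every file member of a ZIP container."""
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        return [(i.filename, zf.read(i)) for i in zf.infolist() if not i.is_dir()]


def failing_handler(blob):
    """Stand-in for a third-party library that crashes on this input."""
    raise RuntimeError("simulated library crash")


# Handlers per type, in trust order: the first one that succeeds wins.
HANDLERS = {"zip": [failing_handler, unpack_zip]}


def carve(blob, path="root", depth=0, max_depth=8, results=None):
    """Recursively unwrap nested containers; returns (path, type, size) records.
    A handler failure is logged as a record and the next handler is tried;
    max_depth bounds recursion so a self-nesting archive cannot run forever."""
    if results is None:
        results = []
    kind = identify(blob)
    results.append((path, kind, len(blob)))
    if depth >= max_depth:
        return results
    for handler in HANDLERS.get(kind, []):
        try:
            children = handler(blob)
        except Exception:
            results.append((path, "handler-error:" + handler.__name__, 0))
            continue
        for name, child in children:
            carve(child, path + "/" + name, depth + 1, max_depth, results)
        break
    return results


def build_sample():
    """Constructed input: zip -> report.docx (itself a zip) -> word/media/image1.png."""
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
    docx = io.BytesIO()
    with zipfile.ZipFile(docx, "w") as zf:
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/media/image1.png", png)
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as zf:
        zf.writestr("report.docx", docx.getvalue())
    return outer.getvalue()
```

Running `carve(build_sample())` yields the PNG at `root/report.docx/word/media/image1.png` alongside two `handler-error` records showing the crashing library was bypassed at each ZIP layer.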
More than just spooks
The DSD authors planned to demonstrate Pronghorn and other tools at Linux.conf.au next year, to promote the intelligence agency as one that has actively engaged with the open source community for the last decade.
“As Australia is experiencing an increasing number of attempts to infiltrate networks in the public and private sectors, DSD actively participates in the open source community. This collaboration is of mutual benefit for the open source community and DSD,” the authors said.
“DSD encourages an environment conducive to innovation by fully supporting projects that contribute to and benefit the open source community.”
Some open source tools were developed privately by DSD security staff, to help with professional development.
Others were part of official DSD security projects and released to the public for various reasons.
The WhiteTrash proxy tool, for example, was released as a useful tool to demonstrate how such a system could be implemented by other open source projects or vendors.
Other DSD open source software projects of note include:
- PyFlag - a forensic and log analysis graphical user interface. The name is an acronym of Python Forensics Log Analysis GUI. It has been used for network forensics and in forensics challenges.
- White Trash - an easy-to-use proxy that makes it harder for malware to exploit HTTP and SSL. The name is derived from a whitelist ‘trashing’ malware.
- Spill Guard – a Data Loss Prevention plugin for Microsoft Office. The name simply refers to the prevention of spills.