Who We Are |
What We Do |
Cyber Security Technologies (CST) is a software technology company dedicated to developing and distributing innovative products for digital investigations. We direct our efforts to developing software solutions that are technically advanced, affordable, and easy-to-use, which address two under-served needs: technology to investigate live, running computer systems across a network; and technology to automate the detection and analysis of Peer-to-Peer (P2P) client programs and associated files.
Our products are built for IT security and investigative professionals in corporations, service providers and government, and for law enforcement, military and intelligence investigators. Our tools are used for incident response, compliance, e-discovery and law enforcement. We build our products to adhere to digital forensic best practices.
Live Investigations: The OnLine Digital Forensic Suite
Corporations and government agencies are confronted with the need to investigate their own live, running computers with processes that support a valid forensic capability for a multitude of reasons. IT security is the leading reason but not the only reason - enterprises need to respond to lawsuits by producing relevant electronic evidence, and increasingly enterprises realize that computer investigations are a component of compliance with external regulatory requirements.
The capabilities for software products to support computer investigations in medium to large-scale network environments are:
Examines running systems: The fundamental goal of OnLineDFS is to capture information from a running system. Unlike traditional disk imaging approaches, OnLineDFS captures volatile data - valuable information that is lost when traditional disk duplication approaches are used. This information includes open ports, running processes, related applications and files, network connections, listening servers, and memory. There are several vital benefits:
- information is gathered about the running state of the target computer that cannot be gained any other way;
- this information can be critical to determining the nature of a potential problem quickly and initiating the right corrective action in time to make a difference; and
- this can be done without disrupting the operations of the target computer, potentially yielding substantial cost savings to the computer's owner.
Similarly, OnLineDFS optimizes the examination and capture of persistent data from a live, running system, ranging from the acquisition of a single file to taking an image of the entire running hard drive, to searching the logical or physical drives, to obtaining file metadata, and much more. OnLineDFS has been specifically designed to address the issues of examining and capturing persistent data from a live, running system. An investigation with OnLineDFS can be done without disrupting the normal operations and use of the target computer (unlike what happens when a target computer is taken out of service for imaging), potentially yielding substantial cost savings to the computer's owner.
Supports secure remote investigation: The investigator's time is a scarce resource. OnLineDFS was designed to increase the efficient use of this time. The web-based interface allows the investigator to connect from anywhere and conduct an investigation. The investigator can use a wide variety of web browsers and any OS platform and IP-based network that connects to the OnLineDFS. This connection does not need to be high speed. The web pages are small by design to facilitate communication between OnLineDFS and a remote investigator.
The connection to the investigator is secured through the use of secure http (https); all data sent across this connection is encrypted.
Law enforcement has also found it valuable to conduct live investigations. Frequently law enforcement investigators are called upon to conduct investigations in a corporation or government agency, where extreme discretion, speed and non-disruptiveness are vital. Live investigations are the best way, and sometimes the only way, to achieve law enforcement goals.
CST's flagship product, OnLine Digital Forensic Suite (OnLineDFS) is the only product in the market built from its inception for the investigation of live computers in networks. We understand the enormous advantages in cost, timeliness and operating efficiency that live investigations deliver.
The Value of Volatile Data
OnLineDFS is built around the capture and analysis of volatile data - data which is lost if the computer being examined is powered off. Analysis of this data, including memory, system state, current user activity, active network connections, etc., is the quickest and best technique for understanding what is going on in the computer being investigated. It is the technique that is best suited to the investigative requirements of the enterprise. OnLineDFS enables quick insight into the running state of the system, and access to both volatile and persistent data for analysis and capture. Thus, OnLineDFS facilitates timely action to resolve the reasons for the investigation.
Designed for the Enterprise
OnLineDFS fits the investigative demands of an enterprise environment, where mission-critical servers cannot be taken down without economic harm, where imaging of terabytes of data is impractical and disruptive, where computers to be investigated may be geographically remote and mobile, and where compliance monitoring must be discreet, unobtrusive and non-disruptive to be effective. OnLineDFS was designed to meet investigative needs of enterprise-scale organizations with no impact on normal operations.
Investigations from Anywhere at Anytime
OnLineDFS enables an investigator to investigate a computer anywhere in the network, whether that computer is in the next room or thousands of miles away. No pre-installed agents are required on the target. With OnLineDFS, an investigator can collect forensically sound volatile and persistent data from a live remote computer anywhere, anytime, through a secure Internet connection.
Automating Peer-to-Peer Analysis: P2P Marshal
Peer-to-peer (P2P) file sharing networks are a popular, widely-used method for sharing information on the Internet. While much of the use of these technologies is valid and entirely appropriate, it is common to discover its use in criminal activities.
P2P Marshal is an innovative forensic software product that provides the ability to automatically analyze P2P usage on mounted images of hard drives. It automatically detects what P2P client programs are or were present, automatically presents per-user information for each client, including shared files, downloaded files, and peer servers, and extracts configuration and log information. P2P Marshal performs a full analysis for BitTorrent, LimeWire, uTorrent and Azereus, and detects and shows default download locations for Ares, Google Hello and Kazaa.
P2P Software Investigations - Automating the Complex
P2P software is freely distributed from a variety of sources. Currently there are a few dozen networks and several dozen client programs in general use on the Internet. While a small handful of programs comprise the majority of P2P usage, each program is different. Few tools currently exist for examining P2P systems and the analysis of data pertaining to P2P usage with this limited set of tools is done by hand. With the large number of different client P2P programs in use, analysis is a slow, lengthy, labor-intensive process that requires a unique skill set for the investigator. P2P Marshal greatly accelerates the time required for an investigation by automating these processes.
Automated Data Collection and Analysis
Of particular interest to investigators is gathering the data that relates to the configuration parameters (user name, password, peers/servers used), times of use, time of install, log files of any transactions and the downloaded (or shared) files themselves. Currently an investigator must gather, categorize, and analyze all of this information by hand. This typically requires the investigator to research the specific P2P software to determine the location on the disk where the software stores files, the names of configuration files and their content (this is unique for each P2P client). In addition, the investigator may need to obtain some additional software that is not usually included in the investigator's normal forensic tool set that translates a log or cache file into a human-readable format. Clearly this is a time consuming process that can often yield inconsistencies and result in problems with the forensic integrity of the examination.
P2P Marshal accomplishes all of the above work automatically for the roster of the most common P2P clients which we support.