In this series of articles, we have explored the automation of various aspects of your digital forensic workflow using Belkasoft X. To recap, we covered the following issues:
- Installing and licensing Belkasoft X from the command line, batch file, or script, without the need for a user interface. We showed you how to silently set up and license the product, whether you have a standalone or network dongle license
- Analyzing a device from the command line. This article explains how you create a case, acquire new or add an existing data source to it, and analyze it using a predefined analysis profile. We also showed you how to export the extracted data to a single or multiple report formats
- Orchestrating multi-tool workflows. We demonstrated how you can combine Belkasoft X with other forensic or non-forensic tools. We used Amped FIVE as an example, feeding it the output of Belkasoft X (specifically, media files extracted and carved by Belkasoft)
Now, with all the pieces in place, you have the ability to orchestrate workflows of any complexity.
Case 1: Conveyor of multiple tools
In a typical DFIR lab, multiple tools are used because each tool has its own unique strengths, and there is no one tool that can do it all. For example, you may use tool A for Windows forensics, tool B for macOS analysis, and tool C for specific media analysis. Another reason to use multiple tools, even if they have overlapping functionality, is to cross-check results, which is especially important when working on a criminal case.
Now, if you would like to run your data source through multiple tools and all these tools support unattended execution, you can easily combine them into a complex workflow. For example:
- Your step one could be an acquisition of a hard drive from a Tableau TX1 device using Belkasoft X
- Step two could be performed by Belkasoft X, too, and include file system analysis, extraction and carving of media artifacts, and, finally, export of findings to a TAR file
- Step three could be import of the exported data into another digital forensic tool (such as Amped FIVE, Griffeye etc). Based on your workflow, you can further employ other tools, whether DFIR or regular analysis tools, for instance, timeline tools
Case 2: Leveraging the power of the Cloud
One of the biggest and most painful challenges in modern DFIR is dealing with growing volumes of data. Every incident, even not related to hi-tech, involves some kind of digital device, such as a personal mobile phone, CCTV camera, smart house, or car computer. With devices having more and more memory—10Tb for a computer and 1Tb for a smartphone are not uncommon—the old approach of analyzing and carving everything on a single regular computer is becoming increasingly impractical. Such analysis can easily take weeks—unless your tool, like Belkasoft X, allows you to flexibly tune options of what to do and what not to do.
One solution to this problem is to use decentralized cloud processing, and this is where Belkasoft X automation can help a lot. Here is what you can do to easily tune and use multiple instances of your public or private cloud nodes:
- Create a standard virtual machine image using a script, including a silent install of Belkasoft X, which can be easily licensed without any user interface. Copy this image to multiple cloud nodes
- Alternatively, use an installation and licensing script for each cloud node where you want to run Belkasoft X, automating the node setup without needing a pre-prepared image
- Run Belkasoft X without a user interface using options configured with the help of our configurator tool
- Analyze an image from an S3-compatible cloud bucket, eliminating the need for local storages or NAS servers
- If your case is split into multiple images stored on an S3 bucket, each image can be processed by a separate instance of Belkasoft X in the cloud
- Last, but not least, you can automatically generate reports for all the information extracted by different cloud instances of Belkasoft X. You have the flexibility to choose from a variety of supported report formats, including PDF, HTML, CSV, XLSX, and many others. It is a breeze to merge some of them into a single report, if you opted for CSV, XSLX, XML, or DOCX
By using the aforementioned process, you can eliminate the need to open the DFIR tool's user interface and instead work exclusively with the merged report, created by multiple Belkasoft X instances. However, if you need to clarify a specific question, you can always access the case in question within the product's user interface.
In this article we demonstrated how to integrate various components of the digital forensics and incident response process through automation. With the help of Belkasoft X, which offers built-in automation capabilities for its X Forensic and X Corporate editions at no extra cost, you can silently install the software, automate analysis and reporting, and even orchestrate complex workflows involving multiple tools. This article highlights two practical examples of these capabilities: orchestrating multiple tools and leveraging the power of the cloud to streamline and accelerate the investigative process.