A forensic tool that performs real-time monitoring of a machine, covering both network activity and process activity. The tool then reports whether each monitored connection or process looks malicious or legitimate.
Intro
At a crime scene, a detective must always have a blueprint of how a certain event happened. This blueprint is broken down into ever smaller packets of detail, resulting in a more comprehensive series of events. An investigator must have a keen sense of observation: from the data he collects, he must build a story of the events that might have happened.
Cyber forensic investigators and incident response people play the same role as a crime scene investigator. A computer forensic analyst must gather all the data he needs regarding the outbreak: all the evidence and data behind the incident. With that data, he must educate the user on precautions so that the incident does not reoccur. Forensics can be done on the host and on the network the host is connected to.
But there are times when gathering information and performing analysis, especially when the data gets very big, becomes a burden on the analyst. It consumes a lot of time, effort and energy with fairly low efficiency. That is why I came up with Rav3n, a tool that would be the investigator's best friend.
Why create Rav3n when there are tools available out there?
I created this application so that an investigator has a better way of getting things done. There are a lot of tools that can help you analyze host traffic, but these tools are limited and often do not give you the data you need. You still have to investigate the data you collected yourself, which costs more time and lowers efficiency.
With Rav3n, you get a complete forensic environment. The tool analyzes the data itself, so you won't need to deep dive. You don't need to research a remote IP yourself, because it resolves DNS for you. You don't need to gather threat information, because it does that for you: I have gathered several threat intel sources to provide feedback on a given connection.
Goal
The goal of this application is to give the investigator the data needed to explain what caused a certain incident.
To monitor traffic on the host, so the user is aware of its utilization.
To monitor the host's traffic in real time, in case a certain threat has found a way to communicate with the host.
To check whether a running application is malicious or not.
Walkthrough
Right now, operations are driven from the command line. For now the application is run with two commands, netmon and procmon.
[RaV3N-->>netmon
This feature shows the host's real-time connections with other hosts. Each connection is analyzed as good or bad. I have considered the following indicators for traffic evaluation:
a. Whether suspicious ports have been used. I have included a list of ports/services whose use on a host is a sign of potential compromise. The port numbers are kept in a list, so if a connection uses one of those ports, the tool reports that the machine could be infected.
b. The reputation of the source or destination IP. Inbound and outbound traffic is analyzed based on IP reputation, especially for remote IPs. I have crawled around a thousand blacklisted IPs from the web. These IPs are listed in the text file 'ip-rep.txt'. I have designed the application to update this file every time the program is launched. If an IP belongs to the list, the connection is flagged as bad traffic.
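The two netmon indicators above, worked through as an added example; this is not Rav3n's own code. The port numbers, the ip-rep.txt contents and the connection records are all constructed (documentation address ranges from RFC 5737), and the loader is written to tolerate comments, CIDR ranges and unparsable lines, which a crawled reputation feed usually contains.

```python
import ipaddress

# Constructed stand-ins for Rav3n's own lists; the values are placeholders.
SUSPICIOUS_PORTS = {4444, 31337, 6667}

SAMPLE_IP_REP = """# constructed ip-rep.txt: one address or CIDR range per line
203.0.113.7
198.51.100.0/24

not-an-ip   # a bad line that the loader must skip, not crash on
"""

# Constructed connection records shaped like (local_ip, local_port, remote_ip, remote_port).
SAMPLE_CONNECTIONS = [
    ("10.0.0.5", 51000, "192.0.2.10", 443),        # ordinary HTTPS, not listed
    ("10.0.0.5", 51001, "203.0.113.7", 443),       # remote IP is on the list
    ("10.0.0.5", 51002, "192.0.2.20", 4444),       # suspicious port only
    ("10.0.0.5", 51003, "198.51.100.42", 31337),   # listed range and suspicious port
]


def load_ip_reputation(text):
    """Parse an ip-rep.txt style list into ip_network objects.

    Comments, blank lines and unparsable entries are skipped, so a partly
    corrupted feed still yields its usable entries instead of aborting the scan.
    """
    networks = []
    for raw in text.splitlines():
        entry = raw.split("#", 1)[0].strip()
        if not entry:
            continue
        try:
            # strict=False lets a bare address become a /32 (or /128) network.
            networks.append(ipaddress.ip_network(entry, strict=False))
        except ValueError:
            continue
    return networks


def ip_is_listed(ip, networks):
    """True if ip falls inside any listed address or range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)


def evaluate_connection(conn, networks, ports=SUSPICIOUS_PORTS):
    """Classify one connection and return (verdict, reasons).

    A listed remote IP makes the connection 'bad'. A suspicious port on its own
    only makes it 'suspicious', since many legitimate services reuse port numbers.
    """
    local_ip, local_port, remote_ip, remote_port = conn
    reasons = []
    for port in (local_port, remote_port):
        if port in ports:
            reasons.append(f"port {port} is on the suspicious-port list")
    if ip_is_listed(remote_ip, networks):
        reasons.append(f"remote IP {remote_ip} is on the reputation list")
        return "bad", reasons
    if reasons:
        return "suspicious", reasons
    return "legitimate", reasons


def scan_connections(connections, networks):
    """Evaluate every connection; returns a list of (conn, verdict, reasons)."""
    results = []
    for conn in connections:
        verdict, reasons = evaluate_connection(conn, networks)
        results.append((conn, verdict, reasons))
    return results


if __name__ == "__main__":
    nets = load_ip_reputation(SAMPLE_IP_REP)
    for conn, verdict, reasons in scan_connections(SAMPLE_CONNECTIONS, nets):
        print(f"{conn[2]}:{conn[3]:<6} {verdict:<11} {'; '.join(reasons)}")
```

On a live host the connection tuples can be filled from psutil's net_connections(kind='inet'); the example keeps them static so it runs offline. Splitting the verdict into "suspicious" (port hit only) and "bad" (listed IP) mirrors the distinction the two indicators make: the port list says the machine could be infected, the reputation list says the traffic is bad.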
[RaV3N-->>procmon
This is real-time monitoring of the processes currently running on the host. For each process it shows: Username, the account the process is running under; PID, the process ID; Process Name, the name of the process; and Evaluation, the evaluation result for that process.
The evaluation depends on whether the file hash belongs to my malicious-hash list. This list comes from https://virusshare.com, a virus repository containing hashes of the malicious files currently seen in the wild. The website updates its repository often, so I recommend checking it regularly. A script that checks this site for updates is included with the program, so if a new malicious hash has been added, the program updates its list.
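The procmon evaluation and its list-update step, as an added example that is not part of Rav3n. The "malicious" and "benign" files are constructed byte strings written to a temporary directory, the hash list is built from the constructed bad sample rather than fetched from VirusShare, and SHA-256 is assumed as the hash (the real feed may use a different algorithm). The example also covers the case the text does not mention: a process whose executable can no longer be read, which gets its own verdict instead of a crash.

```python
import hashlib
import os
import tempfile

# Constructed stand-ins for a known-bad and a benign binary. Not real malware.
BAD_BYTES = b"constructed sample standing in for a known-bad binary\n"
GOOD_BYTES = b"constructed sample standing in for a benign binary\n"

# Constructed hash-list text, one hash per line, with a comment and mixed case
# to exercise the loader's normalisation.
SAMPLE_HASH_LIST = (
    "# constructed list, not a VirusShare download\n"
    + hashlib.sha256(BAD_BYTES).hexdigest().upper() + "\n\n"
)


def load_hash_list(text):
    """Parse a hash list into a lowercase set; comments and blank lines are ignored."""
    hashes = set()
    for raw in text.splitlines():
        entry = raw.split("#", 1)[0].strip()
        if entry:
            # Tolerate 'hash,filename' rows by keeping only the first field.
            hashes.add(entry.split(",")[0].strip().lower())
    return hashes


def merge_update(current, new_text):
    """Merge a freshly fetched list into the current set.

    Returns (merged_set, number_of_new_entries) so the launch-time update can
    report how many hashes were actually added.
    """
    incoming = load_hash_list(new_text)
    return current | incoming, len(incoming - current)


def sha256_file(path, chunk=1 << 20):
    """Hash a file in chunks so large executables need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def evaluate_process(username, pid, name, exe_path, bad_hashes):
    """Build one procmon row: Username, PID, Process Name and Evaluation.

    Evaluation is 'malicious' when the executable's hash is listed, 'clean'
    when it is not, and 'unknown' when the binary cannot be read (deleted
    after launch, or permission denied), which is itself worth a look.
    """
    try:
        digest = sha256_file(exe_path)
    except OSError:
        digest, evaluation = None, "unknown"
    else:
        evaluation = "malicious" if digest in bad_hashes else "clean"
    return {"username": username, "pid": pid, "name": name,
            "sha256": digest, "evaluation": evaluation}


def demo():
    """Write the constructed binaries to a temp dir and evaluate three processes."""
    bad_hashes = load_hash_list(SAMPLE_HASH_LIST)
    with tempfile.TemporaryDirectory() as d:
        bad_path = os.path.join(d, "suspect.exe")
        good_path = os.path.join(d, "editor.exe")
        with open(bad_path, "wb") as f:
            f.write(BAD_BYTES)
        with open(good_path, "wb") as f:
            f.write(GOOD_BYTES)
        rows = [
            evaluate_process("alice", 4120, "suspect.exe", bad_path, bad_hashes),
            evaluate_process("alice", 4121, "editor.exe", good_path, bad_hashes),
            # Constructed case: the process is alive but its file is gone.
            evaluate_process("SYSTEM", 4122, "gone.exe",
                             os.path.join(d, "missing.exe"), bad_hashes),
        ]
    return rows


if __name__ == "__main__":
    for row in demo():
        print(f"{row['username']:<8} {row['pid']:<6} {row['name']:<12} {row['evaluation']}")
```

On a live host the username, pid, name and exe fields can come from psutil's process_iter(['username', 'pid', 'name', 'exe']). Hashes are normalised to lowercase at load time because feeds and local tools disagree on case, and a case mismatch would silently turn a listed file into a "clean" one.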
Conclusion
This is the first version; there are still a lot of features to add. I am working on a lot more, like web history review, NTFS analysis and recovery, etc. I will update you all in the future.