Course description

If you are reading this, you must be interested in remote threat reconnaissance and incident response. The basic idea is to have a shell and a collection of tools at the remote location where a security incident occurred. This is the foundation of scoutware. A lot is added on top of this: secure, low-bandwidth communications, user access control, session sharing and monitoring, interaction with the physical owner of the remote system, and more. You will learn about some of these features and can extend them to match your own needs.

To avoid confusion, let's clarify what Bitscout is. Generally, it is the project name for a live OS constructor. A live OS is an operating system that boots from removable media, such as a CD or a USB drive. The live OS constructor is simply a collection of shell scripts and resource files that produce a bootable system disk image in ISO format. However, the name Bitscout is also used for an instance of the live system booted from that disk.

Moreover, once Bitscout is fully running it splits into two systems: the Bitscout host and the Bitscout container.

The Bitscout host is the live OS running natively on the hardware. Its main filesystem (rootfs) lives in RAM (effectively a RAM disk), which is why modifying any file on Bitscout does not affect the physical media. The media holds a compressed rootfs image that is decompressed on demand as files are accessed. The Bitscout host is used to configure the network, run the VPN link and forward connections to the Bitscout container, and to manage physical storage devices and attach them to the container for analysis by an expert.

The Bitscout container is a containerized system (based on systemd-nspawn) that replicates the Bitscout host. Why two systems? For access control, isolation, and additional protection against unintended changes to the system. The Bitscout container is a disposable environment that runs as an unprivileged system user. This environment is what the expert using Bitscout remotely is given. Although the expert works as root inside it and can install new software packages and change almost any system configuration file, this root is an emulated superuser account: the 'root' user in the container cannot load or unload kernel modules, mount filesystems through kernel drivers, create device files, change firewall rules, and so on.

Please treat Bitscout as a launchpad for your own remote scoutware. It comes with a set of default settings and tools, mainly disk and file recovery and analysis tools, filesystem drivers, pattern-recognition tools, and forensic frameworks. You may reduce the set of included tools and add your own, depending on your use case.
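The restrictions on the container's emulated root described above come down to Linux capabilities that the container must not hold. The following is an added example, not part of Bitscout or this course, showing how a practitioner can verify that claim from inside the container: it decodes a `CapEff` mask in the format `/proc/self/status` reports it and flags the capabilities behind module loading (CAP_SYS_MODULE), mounting (CAP_SYS_ADMIN), raw block access (CAP_SYS_RAWIO), device-file creation (CAP_MKNOD) and firewall changes (CAP_NET_ADMIN). The function names and the sample masks are constructed for the example.

```shell
#!/bin/sh
# Added example (not Bitscout's own code): decode a Linux CapEff mask as
# printed by /proc/self/status and report which of the "must not have"
# capabilities the container's root still holds. Inside the container:
#   check_container_caps "$(awk '/^CapEff/ {print $2}' /proc/self/status)"

# Capability bit numbers from <linux/capability.h>
CAP_NET_ADMIN=12    # change firewall rules, interfaces, routes
CAP_SYS_MODULE=16   # load/unload kernel modules
CAP_SYS_RAWIO=17    # raw I/O to block devices, ioperm/iopl
CAP_SYS_ADMIN=21    # mount(2) and many other privileged operations
CAP_MKNOD=27        # create device files with mknod(2)

# has_cap MASK_HEX CAPNUM: succeed when bit CAPNUM is set in the mask
has_cap() {
    [ $(( (0x$1 >> $2) & 1 )) -eq 1 ]
}

# check_container_caps MASK_HEX: print one line per dangerous capability,
# return 0 when none of them is held and 1 when at least one is
check_container_caps() {
    mask=$1
    bad=0
    for pair in "CAP_NET_ADMIN:$CAP_NET_ADMIN" \
                "CAP_SYS_MODULE:$CAP_SYS_MODULE" \
                "CAP_SYS_RAWIO:$CAP_SYS_RAWIO" \
                "CAP_SYS_ADMIN:$CAP_SYS_ADMIN" \
                "CAP_MKNOD:$CAP_MKNOD"; do
        name=${pair%%:*}
        num=${pair##*:}
        if has_cap "$mask" "$num"; then
            echo "HELD    $name"
            bad=1
        else
            echo "dropped $name"
        fi
    done
    return $bad
}

# Constructed sample masks (not captured from a real Bitscout system):
FULL_ROOT_MASK=0000003fffffffff    # all 38 capabilities: a host root shell
KEEPS_MKNOD_MASK=00000000a80425fb  # trimmed set that still has CAP_MKNOD (bit 27)
CONTAINER_OK_MASK=00000000a00425fb # same set with CAP_MKNOD dropped as well

# Demo when invoked as: sh this_script.sh --demo
if [ "${1:-}" = "--demo" ]; then
    echo "host root:";     check_container_caps "$FULL_ROOT_MASK" || true
    echo "keeps mknod:";   check_container_caps "$KEEPS_MKNOD_MASK" || true
    echo "container ok:";  check_container_caps "$CONTAINER_OK_MASK" || true
fi
```

Two caveats when reading the output. Inside a user namespace (which is how an nspawn container can run as an unprivileged system user) `CapEff` shows capabilities relative to that namespace, so "dropped" is the result you want but "HELD" does not by itself mean the process can act on the host. And a zero exit status only says the five bits checked here are clear; `capsh --print` gives the full decoded set if you want to review the rest.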

Instructor: Zabin aldawsari
Price: Free
Lectures: 5
Skill level: Intermediate
Expiry period: Lifetime
