System Engineering and Tool Development Services
We Provide leading edge computer/network security consulting and system tool development through a combination of software development and system engineering. If you have a requirement for a custom tool to be developed or are in need of an experience system engineering consultants, give us a call.
What Our Tools Offer
Data Integrity in the Presence of Malware
Built from the ground up, all critical parsing of data is done via TZWorks' internal libraries. This approach minimizes the number of required library dependencies (or DLLs), which in turn, reduces the chances of an infected DLL will influence the final results. When appropriate, artifact data is collected at the cluster level to ensure file statistics or data content is not masked or modified by a rootkit. Our tools perform self-checks on startup to ensure their internal hash matches its original from when it was released from TZWorks. This in conjunction with signing each tool with an X-509 certificate, along with built-in error checking, ensures the tool has not been modified or corrupted during runtime. Collectively, these measures ensure maximum confidence that the data returned by one of our tools has not been affected by any hosted malware/rootkit.
Incident Response (Live Collection with Parallel Processing)
Pulling artifacts from a live system is the default behavior for our tools. Any file needing analysis that has been locked down by the operating system, such as registry hives, journaling files, or other critical files, can be examined by reading raw data at the cluster level. This live data collection is paired with parallel processing to convert the raw data into readable/useable results to the responder in near real-time so that data triaging can be performed. Our tools run out-of-the-box without any required installation, so running them from either: a CD/DVD, a USB thumb drive or network share, can be done to collect data quickly while ensuring the minimal footprint is left behind. For live ubiquitous Windows collection, the tools are compiled for Intel based machines and work with a range of Windows versions, from Windows XP up to Windows 8/Server 2012.
Cross Platform for Offline Artifact Processing
Our tools work across a number of operating systems, giving flexibility to the examiner to use their choice operating system for offline processing during artifact analysis. Currently over 90% of the tools have been compiled to work on Linux 32/64 bit, OS-X 32/64 bit, and of course, Windows.
Work Across Multiple Language Character Sets
When considering the unique character sets that exist globally, ensuring your tools can handle Chinese, Arabic or any other non-ASCII character set, is paramount. Therefore, a Unicode library is embedded into each of our tools so they have the ability to process and output in multi-language character sets.
Modularity and Flexibility
By leveraging any of the various popular scripting languages, one can automate the TZWorks toolset for easy insertion into many workflow processes. On the front end, one can configure the tools to read in raw ‘dd’ images, VMWare images, raw files that were extracted from another tool, or a collection of many files that are located in various directories. On the back end, the output can be put into CSV format, Log2Timeline format, or unformatted text output.