|FAQ - Gargoyle Investigator™|
- Where do I get my license of Gargoyle?
- What is the difference in the Electronic Software Download (ESD) and the FLASH deliverable?
- Do I need to keep my license file (for ESD purchases only)?
- Should I be concerned about Malware?
- Can Malware be detected with 100% certainty?
- Why can’t I just look for installed programs under C:\Program Files or in the Control Panel?
- What types of Malware can Gargoyle detect?
- How often are Gargoyle datasets updated?
- How do I renew my product and what is included in the annual maintenance contract?
- How do I get updates after I buy the software?
- Do you offer training on malware detection and investigation?
- I just ran a Gargoyle scan on a system and it reported finding many malware applications. Should I be concerned?
- How does Gargoyle find malicious software?
- Can Gargoyle scan forensic drive images?
- How does Gargoyle differ from an Antivirus tool like Symantec or McAfee?
- How do I get updates to the malware datasets?
- What kind of reporting does Gargoyle provide?
- Does Gargoyle scan archived files?
- If I want to investigate a machine across my network, can Gargoyle help me?
- What is the Create Gargoyle Hash File.EnScript in my install directory?
Gargoyle Investigator comes in two different types of delivery. If you choose the Electronic Software Download (ESD) version you will be provided access to your unique account on our Customer Support Portal where you will be able to instantly download your copy. If you choose the G-FLASH option, your configured token will be shipped to you directly upon purchase.
What is the difference in the ESD and the FLASH deliverable?
The ESD version is designed for lab settings and will reside on the computer it is downloaded to. The FLASH version will be delivered on a mobile token that will support multiple computer scans and provide mobile investigations. The FLASH version is best used for field investigations.
Do I need to keep my license file (for ESD purchases only)?
Yes, you should store the license file in the event that you need to re-install.
Should I be concerned about Malware?
Yes, various types of malware exist on home and corporate computers. Many have legitimate uses, while others have a very specialized use. Is there a reason why a suspected terrorist has steganographic applications on his system? Why does your secretary have a password cracker on her workstation? Should a high school lab system have a virus building toolkit on it?
Can Malware be detected with 100% certainty?
Yes and No. Gargoyle can be used to detect the presence of files installed by a particular malicious application. If the files are detected by Gargoyle, then the files installed are from one or more malware applications. However, it is possible these detected files may also be installed by other legitimate applications also. These detections are called false positives. Each Gargoyle dataset is scanned against various test systems and the NIST NSRL to minimize potential false positives before it is released.
Why can’t I just look for installed programs under C:Program Files or in the Control Panel?
You can. But if someone is trying to hide the existence of an application on their computer, they will try to hide the application by renaming it, installing it into an unlikely directory, or moving the files. Many malware applications do not have an installer, so they will not appear in the Control Panel and can be simply extracted into any directory. Gargoyle will conduct a search of the files that constitute the malicious program. The location and name of the files are not relevant.
What types of Malware can Gargoyle Investigator detect?
Gargoyle can detect over 20 different types of malware. Gargoyle is currently distributed with the following datasets: Encryption, Key Logging, Piracy, Virus Creation Toolkits, Scareware, Wireless Network Exploits, Trojan Horses, Root Kit Use, Password Cracking, Denial of Service (DoS) attacks, Spyware, Botnets, Mobile Malware, Anti-forensic, Credit Card Fraud tools, P2P, Exploits Scanners and Remote Access programs.
How often are Gargoyle datasets updated?
Gargoyle datasets are continually being updated. A minimum of 12 releases per year are guaranteed to those who have an active annual maintenance contract.
How do I renew my product?
With the purchase of Gargoyle Investigator, one year of free product maintenance is included offering you technical email support, product updates and dataset updates. To ensure that you continue to receive these offerings, there is an annual maintenance contract for the Gargoyle Investigator product line. You will be notified by our Maintenance Specialist that your subscription is due. If you do not renew, after the 60 day grace period, your account will start to accrue daily reinstatement fees that will ultimately result in you purchasing a new license at full price.
How do I get updates after I buy the software?
Each Gargoyle customer will need to activate his/her copy by logging into the customer support portal located on our homepage. Each customer is provided a unique login account that makes downloading the newest version of the datasets quick and easy. To update the datasets, simply navigate to the HELP menu select "UPDATE DATASETS".
Do you offer training on malware detection and investigation?
Yes, WetStone offers a 4 hour online Kick Start and Certification training. The classes are offered in various time zones, multiple times each month. For more details, please visit: http://wetstonetech.com/product/gargoyle-investigator-forensic-por/trainings/.
I just ran a Gargoyle scan on a system and it reported that it found many malware applications. Should I be concerned?
The exact answer depends on the number of files found per program, the types of files found, the programs detected, the category of the program, and the location where the files were found. First, verify the list of loaded datasets. Did Gargoyle detect a program that could be installed? For example, it is highly likely an Anti-Forensics tool or encryption program is installed on your system without you knowingly installing it as part of a standard application. Second, were a large number or percentage of files found for an application? A high number of found files for a particular program would indicate a higher likelihood of the program installation. However, a larger percentage associated with a product with only a few files may not lead to the same conclusion. Third, where were the files found on the system? Are they in an obviously named directory, in the System directory, or buried in an obscure directory? The location of the file may provide more details about the use of the file. Fourth, the possibility of false positive detections must be examined. What types of files were found? Although every effort is taken to ensure that the Gargoyle Datasets are up-to-date and accurate, false positive detections may occur since users may have software installed that we have not tested. This usually occurs with simple, small, common files such as icon, image or installation files. However, if you find any known false positive detections with Gargoyle, please report these occurrences to our support staff so that they can update and ensure the accuracy of all Gargoyle Datasets.
How does Gargoyle Investigator find malicious software?
Gargoyle detects malicious software by first using a Fibonacci hash pre-filter and then verifying any hits using a full MD5 hash.
Can Gargoyle Investigator scan forensic drive images?
Yes, Gargoyle has the capability to mount and scan DD/RAW, SMART, ISO, and SafeBack images.
How does Gargoyle Investigator differ from an Antivirus tool like Symantec or Norton?
Most antivirus companies are primarily looking for Virus and Trojan Horse signatures; however, Gargoyle scans a much broader range of malware including Botnets, Anti-Forensic tools, Denial of Service applications, Wired and Wireless Surveillance programs, Rootkits, P2P clients, mobile malware, Key Loggers and more.
How do I get updates to the malware datasets?
Each customer will be given a unique login account for the WetStone Customer Support Portal located on the WetStone Technologies website that makes downloading the newest version of the datasets quick and easy. Customers will use the portal to download and update the .cab file which can be used by Gargoyle to automatically apply updates.
What kind of reporting does Gargoyle Investigator provide?
As with most forensic tools, reporting is a key issue. Gargoyle Investigator provides an extensive configurable XML Evidence Report.
Does Gargoyle Investigator scan archived files?
Gargoyle does support archived file scanning including; .zip, .rar, .jar, .bh, .arj, .lha, lzh, .tar, .war, .enc and .bz2 files.
If I want to investigate a machine across my network can Gargoyle Investigator help me?
Both G-PRO and G-FLASH versions allows for a single scan of a machine over the network, provided you have administrative credentials. The Gargoyle Enterprise Module (GEM) allows you to scan an unlimited number of machines concurrently. If your use case requires more of an enterprise wide scanning ability, please visit http://wetstonetech.com/cgi-bin/shop.cgi?view,3 for more details on our GEM solution.
What is the Create Gargoyle Hash File.EnScript in my install directory?
This EnScript allows investigators to be interoperable with Guidance Software's EnCase®. Move this file into your EnCase® enscript directory and you will have the ability to conduct Gargoyle hashing from within EnCase®. After running the script, import the .xml file generated by EnCase® from the hash tab within Gargoyle.