WetStone Announces New Release of Gargoyle Investigator™ MP
Posted by wetstone on September 6, 2022
Skaneateles, NY – September 6, 2022 – WetStone Technologies, the world’s leading provider of commercial steganography detection software, today announced the availability of a new version of its premier malware discovery tool, Gargoyle Investigator™ MP. Version 7.5 adds significant capabilities to Gargoyle MP, improving the efficiency and focus of Digital Forensics and Incident Response (DFIR) investigations.
Gargoyle MP simplifies breach and malware triage investigations and incident response activities. Investigators can perform a rapid search for malicious applications and lost or leaked corporate assets. Gargoyle MP is designed to provide significant clues regarding the activities, motives, and intent of a suspect.
Features introduced in Version 7.5:
Ability to scan files, captured memory images and, when scanning live systems, active processes for evidence of potential malware infection using user-defined YARA rules.
Standardized file names generated by Gargoyle.
Improved third-party and custom hash file ingestion.
In announcing this major new release of one of WetStone’s flagship products, Gargoyle Investigator MP, Carlton Jeffcoat, Senior Vice-President, said, “Law enforcement and corporate security teams, worldwide, use Gargoyle with WetStone’s extensive datasets to discover and identify malicious applications and other files of interest in their digital forensics investigations. With the release of version 7.5 we are pleased to offer our users a powerful new capability, an integrated YARA engine, that extends their ability to detect and classify malware.”
Gargoyle Investigator MP is licensed as an Electronic Software Download (ESD) for forensic workstations or on WetStone-supported USB flash drives (G-Flash) for field investigations. Current Gargoyle Investigator and G-Flash users with active support agreements may upgrade to version 7.5 at no additional charge.
WetStone Technologies, Inc.: (www.wetstonetech.com) is a global provider of innovative cyber security solutions. Since 1997 WetStone has equipped their customers with the research, technologies, trainings, and services that are needed to defend against today’s cyber criminals. WetStone is a subsidiary of Allen Corporation of America (www.allencorp.com).
For more information, please contact:
WetStone Technologies, Inc. Phone: 1-844-4-WETSTN (1-844-493-8786); Phone: 571.340.3474; Email: sales@wetstonetech.com
StegoHunt™ MP FAQ
Where do I get my license of StegoHunt?
StegoHunt comes in two different deliverables. If you choose the Electronic Software Download (ESD) version you will be provided access to your unique account on our Customer Support Portal where you will be able to instantly download your copy. If you choose the SH-FLASH option, your configured token will be shipped to you directly.
What do I get with StegoHunt?
With the purchase of StegoHunt you receive copies of StegoAnalyst and StegoBreak as well. Both the ESD and FLASH versions include all three products. (Restrictions apply to the StegoBreak distribution.)
What is the difference between the ESD and the FLASH deliverables?
The ESD version, once downloaded, can only be used on the computer it was downloaded to, which makes it best suited to lab settings. The FLASH version is delivered on a mobile token that supports multiple computers and mobile investigations, which makes it best suited to field investigations.
Do I need to keep my license file (for ESD purchases only)?
Yes, you should store the license file in the event that you need to re-install.
Do criminals and terrorists actually use steganography to communicate or hide information?
Yes, there have been many reported incidents where steganography has been and is being used. Today, over 1000 different steganography programs are freely and anonymously available for download from the Internet. To view recent cases, please visit the StegoHunt product page and review the “In the News” section.
What type of digital carrier files might contain steganography or hidden messages?
The most popular types of carrier files today are digital images (JPEG, GIF, BMP, etc.). However, programs exist that hide data in digital audio and digital video files as well. In addition, some programs can hide information in text files, HTML web pages, and executable files.
Why would someone use steganography to hide information when encryption programs are available that do that same thing?
There is one very important difference between steganography and encryption. The purpose of encryption is to scramble information so that only those who hold the keys can recover the data. The purpose of steganography, by contrast, is to hide the very existence of the information. This is what makes steganography more sinister than encryption.
StegoHunt says that it is not licensed for the device I am running it on. What should I do?
Because the ESD version of StegoHunt does not use a physical HASP token, it must be licensed through software before it will run. To do so, generate the registration code using the message dialog box that is displayed on the first run of the tool. Once the code is generated, navigate to the Customer Portal on the WetStone Technologies website and proceed to the StegoHunt section. There, click on the “Generate License Key” tab and enter the registration code that StegoHunt generated. The license key will be emailed automatically to the address listed on the portal account within 30 – 45 minutes. The license file can then be imported into StegoHunt using the same message dialog box that states that the product is not licensed.
What types of steganography can StegoHunt detect?
Today we supply algorithms that process the most common image types. They include paletted images such as BMP, GIF, and PNG; true-color images such as 24-bit BMP files; and lossy compressed images such as JPG (including F5 detection). In addition, we have both statistical and signature detectors for audio files such as WAV and MP3. Lastly, we are able to detect common video embedding techniques for MP4 files.
How do I get updates after I buy the software?
If you have a current maintenance contract, you will receive software updates when they become available. The email that we have on file for your Customer Support Portal account will be notified of updates and you can log in to access the updates. The steganography dataset will be posted to the portal in the StegoHunt directory under the downloads section.
What if I find an image that I believe contains steganography? What’s next?
After running the steganography detection algorithms against the suspect image, our software provides two additional steps. StegoAnalyst allows you to examine image or audio files for “artifacts” that are typically caused by the insertion of information into digital images or audio files. Once you determine that there is a high degree of suspicion that steganography exists, breaking or cracking the steganography may be possible. Our software can currently attack the most popular types of steganography programs; the StegoBreak product within the suite provides these capabilities.
Do you offer training on steganography investigation?
Yes, WetStone offers a 4-hour online Kick Start and Certification training class that is offered at various times each month accommodating clients in different time zones. For more details, visit: http://wetstonetech.com/product/stegohunt/trainings/.
Can StegoHunt detect the presence of steganography in any image 100% of the time?
Absolutely NOT! Nobody can. The art of steganography has been around for over 2500 years, and the ability of our adversaries to conceal information and covertly communicate is a key element in modern and medieval warfare. We continue to improve our detection, analysis, and cracking capabilities to counter these threats.
Gargoyle Investigator™ MP FAQ
Where do I get my license of Gargoyle?
Gargoyle Investigator comes in two different types of delivery. If you choose the Electronic Software Download (ESD) version you will be provided access to your unique account on our Customer Support Portal where you will be able to instantly download your copy. If you choose the G-FLASH option, your configured token will be shipped to you directly upon purchase.
What is the difference in the Electronic Software Download (ESD) and the FLASH deliverable?
The ESD version is designed for lab settings and will reside on the computer it is downloaded to. The FLASH version will be delivered on a mobile token that will support multiple computer scans and provide mobile investigations. The FLASH version is best used for field investigations.
Do I need to keep my license file (for ESD purchases only)?
Yes, you should store the license file in the event that you need to re-install.
Should I be concerned about Malware?
Yes, various types of malware exist on home and corporate computers. Many have legitimate uses, while others have a very specialized use. Is there a reason why a suspected terrorist has steganographic applications on his system? Why does your secretary have a password cracker on her workstation? Should a high school lab system have a virus building toolkit on it?
Can Malware be detected with 100% certainty?
Yes and no. Gargoyle can be used to detect the presence of files installed by a particular malicious application. If Gargoyle detects those files, they were installed by one or more malware applications. However, it is possible that the detected files are also installed by legitimate applications; such detections are called false positives. Each Gargoyle dataset is scanned against various test systems and the NIST NSRL to minimize potential false positives before it is released.
Why can’t I just look for installed programs under C:\Program Files or in the Control Panel?
You can. But if someone is trying to hide the existence of an application on their computer, they will try to hide it by renaming it, installing it into an unlikely directory, or moving the files. Many malware applications do not have an installer, so they will not appear in the Control Panel and can simply be extracted into any directory. Gargoyle searches for the files that constitute the malicious program; the location and names of the files are not relevant.
What types of Malware can Gargoyle detect?
Gargoyle can detect over 20 different types of malware. Gargoyle is currently distributed with the following datasets: Encryption, Key Logging, Piracy, Virus Creation Toolkits, Scareware, Wireless Network Exploits, Trojan Horses, Root Kit Use, Password Cracking, Denial of Service (DoS) attacks, Spyware, Botnets, Mobile Malware, Anti-Forensic tools, Credit Card Fraud tools, P2P, Exploit Scanners and Remote Access programs.
How often are Gargoyle datasets updated?
Gargoyle datasets are continually being updated. A minimum of 12 releases per year are guaranteed to those who have an active annual maintenance contract.
How do I renew my product and what is included in the annual maintenance contract?
With the purchase of Gargoyle Investigator, one year of free product maintenance is included, offering you technical email support, product updates and dataset updates. To ensure that you continue to receive these offerings, there is an annual maintenance contract for the Gargoyle Investigator product line. You will be notified by our Maintenance Specialist when your subscription is due. If you do not renew, then after the 60-day grace period your account will start to accrue daily reinstatement fees that will ultimately result in you purchasing a new license at full price.
How do I get updates after I buy the software?
Each Gargoyle customer will need to activate his/her copy by logging into the customer support portal located on our homepage. Each customer is provided a unique login account that makes downloading the newest version of the datasets quick and easy. To update the datasets, simply navigate to the HELP menu and select “UPDATE DATASETS”.
Do you offer training on malware detection and investigation?
Yes, WetStone offers a 4-hour online Kick Start and Certification training. The classes are offered in various time zones, multiple times each month. For more details, please visit: http://wetstonetech.com/product/gargoyle-investigator-forensic-por/trainings/.
I just ran a Gargoyle scan on a system and it reported finding many malware applications. Should I be concerned?
The exact answer depends on the number of files found per program, the types of files found, the programs detected, the category of the program, and the location where the files were found.
First, verify the list of loaded datasets. Did Gargoyle detect a program that could plausibly be installed? For example, it is highly likely that an Anti-Forensics tool or encryption program is present on your system because it was bundled with a standard application, without you knowingly installing it.
Second, were a large number or percentage of files found for an application? A high number of found files for a particular program indicates a higher likelihood that the program is installed. However, a high percentage for a product that consists of only a few files may not support the same conclusion.
Third, where were the files found on the system? Are they in an obviously named directory, in the System directory, or buried in an obscure directory? The location of a file may provide more details about how it is used.
Fourth, the possibility of false positive detections must be examined. What types of files were found? Although every effort is taken to ensure that the Gargoyle Datasets are up-to-date and accurate, false positive detections may occur because users may have software installed that we have not tested. This usually occurs with simple, small, common files such as icon, image or installation files. If you find any known false positive detections with Gargoyle, please report these occurrences to our support staff so that they can update the Gargoyle Datasets and ensure their accuracy.
How does Gargoyle find malicious software?
Gargoyle detects malicious software by first running a fast Fibonacci hash pre-filter over each file and then verifying every pre-filter hit by comparing the file’s full MD5 hash against the dataset.
Can Gargoyle scan forensic drive images?
Yes, Gargoyle has the capability to mount and scan DD/RAW, SMART, ISO, and SafeBack images.
How does Gargoyle differ from an Antivirus tool like Symantec or McAfee?
Most antivirus companies are primarily looking for Virus and Trojan Horse signatures; however, Gargoyle scans a much broader range of malware including Botnets, Anti-Forensic tools, Denial of Service applications, Wired and Wireless Surveillance programs, Rootkits, P2P clients, mobile malware, Key Loggers and more.
How do I get updates to the malware datasets?
Each customer will be given a unique login account for the WetStone Customer Support Portal located on the WetStone Technologies website that makes downloading the newest version of the datasets quick and easy. Customers will use the portal to download and update the .cab file which can be used by Gargoyle to automatically apply updates.
What kind of reporting does Gargoyle provide?
As with most forensic tools, reporting is a key issue. Gargoyle Investigator provides an extensive configurable XML Evidence Report.
Does Gargoyle scan archived files?
Gargoyle does support archived file scanning, including .zip, .rar, .jar, .bh, .arj, .lha, .lzh, .tar, .war, .enc and .bz2 files.
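The following is an added example, not WetStone or Gargoyle code, that ties together three answers above: the content-based search that ignores file names and locations, the two-stage Fibonacci hash pre-filter followed by full MD5 verification, pruning of dataset entries that also appear in a known-good set of the NSRL kind, and scanning of members inside .zip and .tar/.bz2 archives. How Gargoyle actually lays out its datasets is not stated on the page; the 16-bit bitmap pre-filter, the dataset structure, the function names and all sample files and hashes below are constructed for the demonstration.

```python
"""Two-stage hash-set scan: Fibonacci-hash bitmap pre-filter, then full MD5
compare. Added example with constructed data; not the product's own code."""
import hashlib
import io
import os
import tarfile
import tempfile
import zipfile

FIB_MULT = 0x9E3779B97F4A7C15   # 2**64 / golden ratio (Knuth's multiplicative hashing)
PREFILTER_BITS = 16             # assumption: 65536-slot bitmap pre-filter


def fib_bucket(digest, bits=PREFILTER_BITS):
    """Fibonacci-hash the first 8 bytes of a digest into a bucket index."""
    key = int.from_bytes(digest[:8], "little")
    return ((key * FIB_MULT) & 0xFFFFFFFFFFFFFFFF) >> (64 - bits)


class HashDataset:
    """Full MD5 set plus a cheap bitmap pre-filter derived from it."""

    def __init__(self, entries, known_good=()):
        # entries: {md5_hex: (program, category)}; known_good: md5_hex values of
        # benign software (NSRL-style). Overlapping entries are dropped so that
        # files shipped by legitimate programs do not produce false positives.
        good = {h.lower() for h in known_good}
        self.entries = {h.lower(): v for h, v in entries.items() if h.lower() not in good}
        self.dropped = len(entries) - len(self.entries)
        self.bitmap = bytearray(1 << (PREFILTER_BITS - 3))
        for h in self.entries:
            b = fib_bucket(bytes.fromhex(h))
            self.bitmap[b >> 3] |= 1 << (b & 7)

    def lookup(self, digest):
        """Stage 1: bitmap test, which rejects most files. Stage 2: full-digest compare."""
        b = fib_bucket(digest)
        if not self.bitmap[b >> 3] & (1 << (b & 7)):
            return None
        return self.entries.get(digest.hex())


def md5_stream(fp, chunk=1 << 16):
    """MD5 of a file object, read in chunks so large files are not loaded whole."""
    h = hashlib.md5()
    for block in iter(lambda: fp.read(chunk), b""):
        h.update(block)
    return h.digest()


def iter_objects(root):
    """Yield (display path, readable file object) for loose files and archive members."""
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            if zipfile.is_zipfile(path):
                with zipfile.ZipFile(path) as zf:
                    for info in zf.infolist():
                        if not info.is_dir():
                            with zf.open(info) as m:
                                yield path + "::" + info.filename, m
            elif tarfile.is_tarfile(path):          # .tar, .tar.bz2, .tgz autodetected
                with tarfile.open(path) as tf:
                    for member in tf.getmembers():
                        if member.isfile():
                            yield path + "::" + member.name, tf.extractfile(member)
            else:
                with open(path, "rb") as f:
                    yield path, f


def scan(root, dataset):
    """Return [(path, program, category)] for every object whose content hash is
    in the dataset. Only the bytes are hashed; name and location play no role."""
    hits = []
    for path, fp in iter_objects(root):
        meta = dataset.lookup(md5_stream(fp))
        if meta:
            hits.append((path, meta[0], meta[1]))
    return hits


def demo():
    """Constructed tree: the same tool bytes as a renamed loose file, a zip member
    and a tar.bz2 member, plus a shared icon that the known-good set excludes.
    Returns (sorted relative paths of hits, number of pruned dataset entries)."""
    tool = b"CONSTRUCTED-SAMPLE-TOOL-BYTES-v1"       # stands in for a tool's binary
    shared = b"generic-icon-bytes"                   # also shipped by benign software
    dataset = HashDataset(
        {hashlib.md5(tool).hexdigest(): ("DemoKeylogger", "Key Logging"),
         hashlib.md5(shared).hexdigest(): ("DemoKeylogger", "Key Logging")},
        known_good=[hashlib.md5(shared).hexdigest()],
    )
    root = tempfile.mkdtemp()
    with open(os.path.join(root, "notes.txt"), "wb") as f:    # renamed, unremarkable name
        f.write(tool)
    with open(os.path.join(root, "app.ico"), "wb") as f:
        f.write(shared)
    with zipfile.ZipFile(os.path.join(root, "bundle.zip"), "w") as zf:
        zf.writestr("img/icon.dll", tool)
    with tarfile.open(os.path.join(root, "backup.tar.bz2"), "w:bz2") as tf:
        ti = tarfile.TarInfo("etc/svc.bin")
        ti.size = len(tool)
        tf.addfile(ti, io.BytesIO(tool))
    hits = scan(root, dataset)
    rel = [os.path.relpath(p, root).replace(os.sep, "/") for p, _, _ in hits]
    return sorted(rel), dataset.dropped


if __name__ == "__main__":
    print(demo())
```

The pre-filter only ever says "maybe": a bucket bit can be set by a different digest, so the full-digest comparison in stage 2 is what decides, and a miss in stage 1 is a safe early exit. Pruning against a known-good set before the scan addresses the false-positive case the FAQ raises (small shared files such as icons); when you do prune, keep a count of what was removed so the dataset's coverage stays explainable.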
What is the Create Gargoyle Hash File.EnScript in my install directory?
This EnScript allows investigators to interoperate with Guidance Software’s EnCase®. Move this file into your EnCase® EnScript directory and you will be able to conduct Gargoyle hashing from within EnCase®. After running the script, import the .xml file generated by EnCase® from the Hash tab within Gargoyle.