FAQ - Gargoyle Investigator™
- What do I get with Gargoyle?
- What is Malware?
- Should I be concerned about Malware?
- Can Malware be detected with 100% certainty?
- Why can’t I just look for installed programs under C:\Program Files or in the Control Panel?
- What types of Malware can Gargoyle detect?
- How often are Gargoyle datasets updated?
- How do I renew my product?
- How do I get updates after I buy the software?
- Do you offer training on malware detection and investigation?
- I just ran a Gargoyle scan on a system and it reported that it found many malware applications. Should I be concerned?
- How does Gargoyle find malicious software?
- Can Gargoyle scan forensic drive images?
- How does Gargoyle differ from an Antivirus tool like Symantec or McAfee?
- How do I get updates to the malware datasets?
- What if I have my own hashes I want to scan for?
- What kind of reporting does Gargoyle provide?
- Does Gargoyle scan archived files?
- If I want to investigate a machine across my network, can Gargoyle help me?
- What is the Create Gargoyle Hash File.EnScript in my install directory?
- What does the convert FTK button on the hash tab within Gargoyle do?
- Can Gargoyle mount drive images in Windows Vista 64-bit edition?
What do I get with Gargoyle Investigator?
When you purchase Gargoyle, you will receive an installation CD and an HPV, which is required for use. All user manuals and documentation are included on the installation CD. You will need to contact your Account Executive to set up your account for the 24 hour customer support portal.
What is Malware?
Malware, short for malicious software, is designed to wreak havoc, hide potentially incriminating information, and/or disrupt or damage computer systems.
Should I be concerned about Malware?
Yes, various types of malware exist on home and corporate computers. Many have legitimate uses, while others have a very specialized use. Is there a reason why a suspected terrorist has steganographic applications on his system? Why does your secretary have a password cracker on her workstation? Should a high school lab system have a virus building tool kit on it?
Can Malware be detected with 100% certainty?
Yes and no. Gargoyle detects the presence of files installed by a particular malicious application. If Gargoyle detects those files, they came from one or more of the malware applications in its datasets. However, it is possible that a detected file is also installed by a legitimate application; such detections are called false positives. Each Gargoyle dataset is checked against various test systems and the NIST NSRL to minimize potential false positives before it is released.
Why can’t I just look for installed programs under C:\Program Files or in the Control Panel?
You can. But if someone is trying to hide the existence of an application on their computer, they will try to hide it by renaming it, installing it into an unlikely directory, or moving the files. Many malware applications do not have an installer, so they will not appear in the Control Panel and can simply be extracted into any directory. Gargoyle searches for the files that constitute the malicious program; the location and name of the files are not relevant.
What types of Malware can Gargoyle Investigator detect?
Gargoyle can detect over 20 different types of malware. Gargoyle is currently distributed with the following datasets: Steganography, Encryption, Key Logging, Piracy, Virus Creation Toolkits, Scareware, Wireless Network Exploits, Trojan Horses, Root Kit Use, Password Cracking, Denial of Service (DoS) attacks, Spyware, Botnets, Gaming, Antiforensic, Credit Card Fraud tools, File Splitting, P2P, and Remote Access programs.
How often are Gargoyle datasets updated?
Gargoyle datasets are continually being updated. A minimum of 12 releases per year are guaranteed to those who have an active dataset subscription.
How do I renew my product?
There are two ways in which you can renew your product. 1) Yearly maintenance which includes product version upgrades and technical support 2) Subscribing to the Dataset Subscription which will provide a minimum of 12 dataset updates per year. For pricing and additional information, please contact your Account Representative.
How do I get updates after I buy the software?
Each Gargoyle customer will need to activate his/her copy by contacting their Account Executive. A unique login account is then created for each customer on the WetStone Customer Support Portal, located on the WetStone Technologies website, which makes downloading the newest version of the datasets quick and easy. Alternatively, the datasets can now be updated automatically from within the Gargoyle application: go to the HELP menu and select either UPDATE DATASETS or UPDATE APPLICATION. A username and password will be required. These are the same username and password used to access the WetStone Customer Support Portal, with the exception that the first letter of the password must be capitalized when used inside of Gargoyle.
Do you offer training on malware detection and investigation?
Yes, WetStone offers a two day, hands-on training course that provides in-depth training on the process of investigating malicious software as it pertains to the hacking process. For more details, please contact sales@wetstonetech.com.
I just ran a Gargoyle scan on a system and it reported that it found many malware applications. Should I be concerned?
The exact answer depends on the number of files found per program, the types of files found, the programs detected, the category of each program, and the location where the files were found. Work through the following:
1) Verify the list of loaded datasets, and ask whether Gargoyle detected a program that could plausibly have been installed legitimately. For example, it is quite likely that a file splitter or encryption program is on your system as part of a standard application without you having knowingly installed it.
2) Were a large number or percentage of an application's files found? A high number of found files for a particular program indicates a higher likelihood that the program is installed. However, a large percentage for a product that consists of only a few files does not support the same conclusion.
3) Where were the files found on the system? Are they in an obviously named directory, in the System directory, or buried in an obscure directory? The location of a file may provide more details about its use.
4) Consider the possibility of false positive detections. What types of files were found? Although every effort is taken to ensure that the Gargoyle Datasets are up-to-date and accurate, false positive detections may occur, since users may have software installed that we have not tested. This usually happens with simple, small, common files such as icon, image or installation files. If you find any false positive detections with Gargoyle, please report them to our support staff so that they can update the datasets and ensure the accuracy of all Gargoyle Datasets.
How does Gargoyle Investigator find malicious software?
Gargoyle detects malicious software using MD5 and SHA1 hash comparisons.
Can Gargoyle Investigator scan forensic drive images?
Yes, Gargoyle has the capability to mount and scan E01, DD/RAW, SMART, ISO, and SafeBack images.
How does Gargoyle Investigator differ from an Antivirus tool like Symantec or McAfee?
Most antivirus companies are primarily looking for Virus and Trojan Horse signatures; however, Gargoyle scans a much broader range of malware including Botnets, Anti Forensic tools, Denial of Service applications, Wired and Wireless Surveillance programs, Rootkits, P2P clients, Key Loggers and more.
How do I get updates to the malware datasets?
Each customer will be given a unique login account for the WetStone Customer Support Portal, located on the WetStone Technologies website, which makes downloading the newest version of the datasets quick and easy. Alternatively, the datasets can now be updated automatically from within the Gargoyle application: go to the HELP menu and select UPDATE DATASETS. A username and password will be required. These are the same username and password used to access the WetStone Customer Support Portal, with the exception that the first letter of the password must be capitalized when used inside of Gargoyle.
What if I have my own hashes I want to scan for?
Gargoyle comes with a tool called the Dataset Creator that allows investigators to build new or merge hashes into existing datasets.
What kind of reporting does Gargoyle Investigator provide?
As with most forensic tools, reporting is a key issue. Gargoyle Investigator provides an extensive configurable html Evidence Report.
Does Gargoyle Investigator scan archived files?
Gargoyle does support archived file scanning, including .zip, .rar, .jar, .bh, .arj, .lha, .lzh, .tar, .war, .enc, and .bz2 files.
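The following is an added example, not WetStone's code, that shows the mechanics described in the answers above: a dataset is built from the files that make up a program and any hash that also appears in a known-good set (the NSRL check mentioned under false positives) is dropped; a directory tree is then scanned by MD5 and SHA1 comparison, so a file that has been renamed or moved into an obscure directory, or placed inside a .zip archive, is still matched; and hits are tallied per program so the "how many of the program's files were found" question can be answered. The program names, categories, file contents and known-good list are all constructed for the example, and only .zip archives are handled.

```python
"""Added example (not WetStone's code): hash-comparison scanning in the style
the FAQ describes. Programs, categories, file contents and the known-good
list below are constructed for illustration."""
import hashlib
import os
import tempfile
import zipfile
from collections import defaultdict


def hash_pair(data):
    """MD5 and SHA1 of a byte string; both must match for a detection."""
    return hashlib.md5(data).hexdigest(), hashlib.sha1(data).hexdigest()


def build_dataset(programs, known_good_sha1):
    """programs: {name: {"category": str, "files": {filename: bytes}}}.
    Returns {(md5, sha1): (program, category, filename)}. A file whose SHA1 is
    in known_good_sha1 is left out: it ships with legitimate software too, so a
    hit on it would only ever be a false positive."""
    dataset = {}
    for prog, info in programs.items():
        for fname, content in info["files"].items():
            md5, sha1 = hash_pair(content)
            if sha1 in known_good_sha1:
                continue
            dataset[(md5, sha1)] = (prog, info["category"], fname)
    return dataset


def iter_files(root):
    """Yield (display_path, bytes) for every file under root; for a .zip archive
    also yield each member, read from the archive in memory without extracting."""
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                data = fh.read()
            yield path, data
            if zipfile.is_zipfile(path):
                with zipfile.ZipFile(path) as zf:
                    for member in zf.namelist():
                        if not member.endswith("/"):  # skip directory entries
                            yield path + "::" + member, zf.read(member)


def scan(root, dataset):
    """Compare every file against the dataset. Returns
    {program: {"category", "hits": [(path, dataset_filename)], "found", "total"}}
    where found/total counts that program's dataset files seen at least once,
    the figure the FAQ says to weigh when judging a detection."""
    totals = defaultdict(int)
    for prog, _, _ in dataset.values():
        totals[prog] += 1
    results = {}
    for path, data in iter_files(root):
        entry = dataset.get(hash_pair(data))  # name and location play no part
        if entry is None:
            continue
        prog, category, fname = entry
        r = results.setdefault(prog, {"category": category, "hits": [],
                                      "found": 0, "total": totals[prog]})
        r["hits"].append((path, fname))
    for r in results.values():
        r["found"] = len({fname for _, fname in r["hits"]})
    return results


def demo():
    """Constructed dataset and target tree: one keylogger file renamed into an
    obscure directory, one inside a zip, one shared file that the known-good set
    keeps out of the dataset, and a second program that is not present at all."""
    programs = {
        "ExampleKeylogger": {"category": "Key Logging", "files": {
            "kl.exe": b"KL-EXE-sample", "hook.dll": b"KL-HOOK-sample",
            "readme.txt": b"Generic readme"}},
        "ExampleSplitter": {"category": "File Splitting",
                            "files": {"split.exe": b"SPLIT-EXE-sample"}},
    }
    # constructed known-good set: the readme also ships with a legitimate product
    known_good = {hashlib.sha1(b"Generic readme").hexdigest()}
    dataset = build_dataset(programs, known_good)
    with tempfile.TemporaryDirectory() as root:
        hidden = os.path.join(root, "Windows", "Temp", "~tmp0")
        os.makedirs(hidden)
        with open(os.path.join(hidden, "svch0st.exe"), "wb") as fh:  # kl.exe, renamed and moved
            fh.write(b"KL-EXE-sample")
        with open(os.path.join(root, "readme.txt"), "wb") as fh:  # filtered out, no hit
            fh.write(b"Generic readme")
        with zipfile.ZipFile(os.path.join(root, "backup.zip"), "w") as zf:
            zf.writestr("tools/hook.dll", b"KL-HOOK-sample")  # hook.dll inside an archive
        return dataset, scan(root, dataset)


if __name__ == "__main__":
    _, report = demo()
    for prog, r in report.items():
        print(f"{prog} [{r['category']}]: {r['found']} of {r['total']} dataset files found")
        for path, fname in r["hits"]:
            print(f"    {fname} -> {path}")
```

Running the block reports ExampleKeylogger with 2 of 2 dataset files found, one at the renamed path and one inside backup.zip, while the readme produces no hit because it never entered the dataset and ExampleSplitter is absent. Reading each file whole is fine for a demonstration; a production scanner would hash in chunks and would also stream archive members rather than reading them into memory.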
If I want to investigate a machine across my network can Gargoyle Investigator help me?
The Forensic Pro version allows for a single scan of a machine over the network provided you have administrative credentials. The Gargoyle Enterprise Module allows you to scan up to hundreds of machines concurrently.
What is the Create Gargoyle Hash File.EnScript in my install directory?
This EnScript allows investigators to interoperate with Guidance Software's EnCase®. Move this file into your EnCase® EnScript directory and you will be able to conduct Gargoyle hashing from within EnCase®. After running the script, import the .xml file generated by EnCase® from the Hash tab within Gargoyle.
What does the convert FTK button on the hash tab within Gargoyle Investigator do?
If an investigator is using AccessData's FTK™ for forensic analysis, Gargoyle can utilize the hashes already collected by that tool. If the case is saved as an Access database, it can be imported into a format Gargoyle knows how to interpret, saving the overhead of having to rehash all the files.
Can Gargoyle mount drive images in Windows Vista 64-bit edition?
To run Gargoyle's drive mounting capability on a PC with the Vista x64 operating system, you must disable Driver Signature Enforcement. To do so:
1) Turn on your computer.
2) When you hear the system beep, and before the system starts loading Windows, press F8 on your keyboard (keep pressing it until the Advanced Boot Options screen is shown).
3) On the Advanced Boot Options screen, use the down arrow to highlight Disable Driver Signature Enforcement.
4) Press Enter.
5) Windows will now boot, allowing the drive mounting drivers to load correctly.
Note that this boot option applies only to the current session, so it must be repeated on each boot, and that while it is in effect any unsigned driver can load, so use it only on a dedicated analysis workstation. We are working on driver signatures that will make this step unnecessary in the future.