Thoughts on Tools/Processes


keydet89
Senior Member

Thoughts on Tools/Processes

Posted: May 09, 13 22:17

I am responding to a post to another thread...

- jaclaz

What is the practical suggestion?

  1. Do not use any third-party software and write your own tool.
  2. Use multiple software packages and delve deeper if there are differences between results.
  3. Test as deeply as you can all available software, then choose one and only that one, because you already know which "quirks" it may produce.
  4. Other (please specify).

If #1, then all software houses could close down, and each forensic examiner will have to write, validate and eventually "defend" in court his/her tool against the findings of the expert witness of the other party, who also wrote his/her own tool and has exactly the same issue.

If #2, then all forensic investigators should test the data/SIM/whatever against *all* available tools, freeware or commercial, and "hope" that no inconsistencies are found (as one of the tools may be "right" in one specific point but "wrong" on another).

If #3, the risk of a peculiar artifact not having been tested, or not tested properly, seems to me rather BIG.

I would say that all three approaches above are either very problematic or very non-productive.

What is option #4?


I don't think that any of the options is necessarily "practical". #1 is simply untenable, as is #2. #3 is simply not practical, either. I also don't think that a solution of any kind can necessarily be lumped into a single, absolute option.

A while ago, I was asked for my assistance...the request came in this manner: "The tool you gave me doesn't work." It took a bit of time and exchange of emails to find out that this analyst had been given Windows XP Event Logs by another analyst, and ran a tool I had written against them, and not gotten any output. I was assured that the files were indeed Windows XP Event Logs. I asked for a sample, and within seconds of it arriving in my inbox, I opened it in a hex editor and found that what was called "secevent.evt" was not, at all, a Windows Event Log.

I don't expect every analyst to write their own tools, nor to test every possible tool against each data set. However, there are solutions:

First, understand the data structure you're looking for/at, as well as what the tool you're using actually does with respect to the data. If you ask me for my MBR parsing script, and then run it against a memory dump, please don't then contact me with, "your tool doesn't work."

Does this mean that every analyst has to memorize all of the various possible data structures? No, not at all...it's hard enough as it is just to keep track of Windows Event Logs...now throw formats of SMS messages on the different platforms, and that would simply be too much. Instead, share information. Document what you find. Make use of sharing sites such as forensicswiki.org. Crowd-sourcing your question by simply posting it to a forum can prove beneficial to some, but in the end, how many of us are actually sharing what we learned back with the community?

Engage with other analysts. Not just in the general sense, but directly, as well.

I know that not everyone has the time nor the interest to do this sort of thing...but I've seen quite a few analysts spend way too much time on something, all for the sake of figuring out for themselves. If you spend 8 hrs on something that you should have been able to complete in 15 minutes, then it should be pretty clear why you don't have time for other things.

I once talked to an analyst who spent over three months working on something, trying to figure it out themselves, before asking for help. After three months, they finally decided to ask a question, and in less than 20 minutes were provided an education and a tool to help them with their task.

Overall, I'm concerned about the level of engagement within the community, in that a great deal of information is being lost. Let's say someone has a need or question...they go to ForensicsWiki.org, do a search, and don't find what they were looking for. If they simply stop there, so much is lost. Did they search for the right thing? Did they ask for assistance from someone else? Did they let anyone know that what they were looking for wasn't there, so that someone can then research it and provide the information, i.e., fill in the gap?

I didn't read Yunus' paper, in short because I don't deal with SMS messages and mobile devices at the moment. However, I have seen comparisons of tools before, and one of the things that has concerned me is the evaluation itself. I've seen tools be evaluated for being "scalable to the enterprise" and fail, when they were never designed to be scaled to the enterprise. There needs to be some peer review of the information in general, whether it's the description of a data structure, or the evaluation of a particular tool to parse and display that data structure, and a wiki is a great way to go about that.

HTH  
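The "look at the first bytes before you blame the tool" point made above, written out as an added example; this is not code from the original post or from keydet89. It is a small Python format sniffer that checks whether a file handed over as a Windows Event Log actually carries the on-disk signature of one before any parser is run against it. The header layouts it relies on are the documented Windows formats (legacy .evt: a 48-byte EVENTLOGHEADER starting with the size 0x30, the "LfLe" signature and version 1.1; .evtx: the 8-byte "ElfFile\0" magic). Every sample input is constructed inline, and the function and constant names are this example's own.

```python
import struct
from pathlib import Path

# Documented on-disk signatures of the two Windows event log formats.
EVT_SIGNATURE = b"LfLe"          # legacy .evt (NT/2000/XP/2003): EVENTLOGHEADER signature
EVT_HEADER_SIZE = 0x30           # EVENTLOGHEADER is 12 DWORDs = 48 bytes
EVTX_SIGNATURE = b"ElfFile\x00"  # Vista and later .evtx: first 8 bytes of the file header

# A few other well-known magics, so that a mismatch can at least be named.
OTHER_MAGICS = {
    b"MZ": "DOS/PE executable",
    b"PK\x03\x04": "ZIP container",
    b"regf": "Windows registry hive",
}


def identify_event_log(data: bytes) -> str:
    """Classify the leading bytes as 'evt', 'evtx' or 'unknown'."""
    if data[:8] == EVTX_SIGNATURE:
        return "evtx"
    if len(data) >= EVT_HEADER_SIZE:
        # EVENTLOGHEADER starts: HeaderSize, Signature, MajorVersion, MinorVersion, ...
        header_size, signature, major, minor = struct.unpack_from("<I4sII", data, 0)
        if header_size == EVT_HEADER_SIZE and signature == EVT_SIGNATURE and (major, minor) == (1, 1):
            return "evt"
    return "unknown"


def describe_other(data: bytes) -> str:
    """Name the format if the leading bytes match another well-known magic."""
    for magic, name in OTHER_MAGICS.items():
        if data.startswith(magic):
            return name
    return "unrecognised"


def expected_from_name(name: str) -> str:
    """What the file extension claims the file is."""
    return {".evt": "evt", ".evtx": "evtx"}.get(Path(name).suffix.lower(), "unknown")


def check_file(name: str, data: bytes) -> dict:
    """Compare the claimed format (from the name) with what the bytes say."""
    expected = expected_from_name(name)
    detected = identify_event_log(data)
    return {
        "name": name,
        "expected": expected,
        "detected": detected if detected != "unknown" else describe_other(data),
        "matches": expected != "unknown" and expected == detected,
        "first_bytes": data[:16].hex(" "),  # what you would see at offset 0 in a hex editor
    }


# Constructed sample inputs (not real evidence files).
def _evt_header() -> bytes:
    # Minimal, empty legacy log: a complete 48-byte EVENTLOGHEADER and nothing else.
    return struct.pack("<I4sIIIIIIIIII", EVT_HEADER_SIZE, EVT_SIGNATURE, 1, 1,
                       EVT_HEADER_SIZE, EVT_HEADER_SIZE, 1, 1, 0x10000, 0, 0, EVT_HEADER_SIZE)


SAMPLES = {
    "appevent.evt": _evt_header(),
    "System.evtx": EVTX_SIGNATURE + b"\x00" * 56,
    "secevent.evt": b"PK\x03\x04" + b"\x00" * 60,  # a ZIP archive renamed to look like a log
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        r = check_file(name, data)
        status = "OK" if r["matches"] else "MISMATCH"
        print(f"{status:8} {name}: claims {r['expected']}, looks like {r['detected']} [{r['first_bytes']}]")
```

Run as a script it prints one line per sample; the renamed ZIP is reported as a mismatch with its first sixteen bytes, which is the same thing a hex editor would have shown in the story above. A file shorter than the 48-byte header, or one that starts with none of the listed magics, is reported as unrecognised rather than guessed at.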
 
  

mscotgrove
Senior Member

Re: Thoughts on Tools/Processes

Posted: May 10, 13 00:51

I think option 2 is the closest to a possible answer.

However, ultimately the answer must be some knowledge to recognise relevant data structures from a hex dump.

Finding help can be difficult - but Google / newsgroups / forums can often help set one in the correct direction.
_________________
Michael Cotgrove
www.cnwrecovery.com
www.goprorecovery.co.uk

jaclaz
Senior Member

Re: Thoughts on Tools/Processes

Posted: May 10, 13 02:08

Just for the record the original thread is this one:
www.forensicfocus.com/...c/t=10575/

jaclaz
_________________
- In theory there is no difference between theory and practice, but in practice there is. -

Bulldawg
Senior Member

Re: Thoughts on Tools/Processes

Posted: May 10, 13 02:40

I've only been in the field for a few years, and I'm just now getting enough work that it's a full time job. Just consider that in my reply.

I find there are too few active online communities of digital forensics examiners. I don't know why this is, but I suspect too many of us work or used to work in an agency where secrecy was important. Coming from that environment, sharing is not encouraged outside the agency, even if it's just techniques, best practices, or problems encountered. The only way we can grow the knowledge base of the community is to share as much as possible.

As someone new to the field, I crave information. I have a whole library of books, most of which are excellent resources but grow stale quickly in this environment. There are a number of excellent blogs. However, this isn't enough without active engagement from experienced examiners. There are a handful on here that I think fall into this category. When I've posted questions about specific problems, I've received great responses. The threads with specific questions seem to be the most popular, but they are few and far between. In a perfect world, this forum should be much more active with 1,000+ new posts daily. We have 24,102 members at the moment. Where are they?

I'm going to CEIC in a couple weeks, and I hope to meet some examiners there. (BTW, if you're going to be there let me know. I'll buy you dinner in exchange for picking your brain a bit.)

Passmark
Senior Member

Re: Thoughts on Tools/Processes

Posted: May 10, 13 04:50

Slightly off topic,

- Bulldawg
We have 24,102 members at the moment. Where are they?

If it is anything like the forums I run, 98% of the sign ups are from automated spam bots and not from real people.

Mainly using XRumer spamming tool.
en.wikipedia.org/wiki/XRumer

Might be just my bad luck however. One of my sites is #5 worldwide in a list of good sites to spam, www.thetechfizz.com/hi...list-2013/

Adam10541
Senior Member

Re: Thoughts on Tools/Processes

Posted: May 10, 13 05:33

- Bulldawg

I find there are too few active online communities of digital forensics examiners. I don't know why this is, but I suspect too many of us work or used to work in an agency where secrecy was important. Coming from that environment, sharing is not encouraged outside the agency, even if it's just techniques, best practices, or problems encountered. The only way we can grow the knowledge base of the community is to share as much as possible.


The big problem is the "elitist academics" on these types of boards; you'll spot them, and they basically discourage question asking and knowledge sharing. So forums like this that used to be very active become less active because people get sick of dealing with them.

trewmte
Senior Member

Re: Thoughts on Tools/Processes

Posted: May 10, 13 06:17

- Bulldawg
As someone new to the field, I crave information. I have a whole library of books, most of which are excellent resources but grow stale quickly in this environment. There are a number of excellent blogs. However, this isn't enough without active engagement from experienced examiners. There are a handful on here that I think fall into this category. When I've posted questions about specific problems, I've received great responses. The threads with specific questions seem to be the most popular, but they are few and far between. In a perfect world, this forum should be much more active with 1,000+ new posts daily. We have 24,102 members at the moment. Where are they?


A very fair appraisal of what happens and is happening.
_________________
Institute for Digital Forensics (IDF) - www.linkedin.com/groups/2436720
Mobile Telephone Examination Board (MTEB) - www.linkedin.com/groups/141739
Universal Network Investigations - www.linkedin.com/groups/13536130
Mobile Telephone Evidence & Forensics trewmte.blogspot.com