
What system interactions can we not prove?

(@tootypeg)
Posts: 173
Estimable Member
Topic starter
 

Just curious about what we currently can't prove in terms of interactions with an OS. For simplicity, let's keep it Win 10.

I'm thinking things like we can't tell how long an application has been running for (assuming it can't)? Things like that. I know we can tell lots of things about user interaction, but what are the finer details which we can't? Maybe things like how many private browsing sessions have been implemented every day for example, or where private browsing is initiated.

I'm curious about defining the things we can't determine in terms of interaction.

 
Posted : 03/03/2019 8:27 pm
AmNe5iA
(@amne5ia)
Posts: 173
Estimable Member
 

Are we talking just deadbox forensics or are we including RAM dumps???

 
Posted : 04/03/2019 10:37 am
(@tootypeg)
Posts: 173
Estimable Member
Topic starter
 

Thinking deadbox to start

 
Posted : 04/03/2019 10:39 am
(@athulin)
Posts: 1156
Noble Member
 

> Just curious about what we currently can't prove in terms of interactions with an OS. For simplicity, let's keep it Win 10.
>
> […]
>
> I'm curious about defining the things we can't determine in terms of interaction

I probably misunderstand the question … but isn't it just about everything?

'Prove' must be to some level of acceptance. That should not be to 'generally accepted'; there must be some rigour involved. Otherwise, we're content to remain at folklore or … 'urban legend' is not the right word, but the idea of something read on blogs, overheard at a coffee table, and vouched for by a FOAF.

For example – can we even prove a user login? Well, system security logs should help, so those need to be some kind of prerequisite.
Even if they are present, and haven't been tampered with (some kind of quality level is required) … may malfunctions affect the issue? What obfuscation affects the issue – many 'manual' system log analysts don't check source information as carefully as it should be. And … if we're not manual, when and how was the log analysis tool validated? And even then … where are the log entries documented? And who made the validation tests that the documents are OK? Not to mention for how long they are correct? (Will one of these Win10 upgrades that seem to happen every month change anything? Or are we still relying on log entries that were documented for Win7, but which aren't reliable from Win8.1 and later?)

Any 'proof' must involve a lot of those considerations solved to some level of acceptance. (And no, 'I've never had any problems' is not good enough.)

I vote for 'we can't prove a thing'. At least until proof to the contrary is presented. (The word 'proof' in that sentence is very deliberate.)

It's a good question; we need some good answers.

 
Posted : 04/03/2019 2:03 pm
pbobby
(@pbobby)
Posts: 239
Estimable Member
 

The person behind the keyboard.

 
Posted : 06/03/2019 2:28 pm