Sunday, April 24, 2005

Gaps in Windows forensic analysis

For the past week or so, I've been posting to a couple of lists I'm on, asking about forums or communities where the forensic analysis of Windows systems is discussed. The results have been...well, let's say, less than satisfying.

Most of the responses included, "...go here...", or "...try this site...", without any real consideration for the content of the site. I've received references for sites that may contain anything even tangentially related to security. However, not much of the information at those sites really has a great deal to do with the forensic analysis of Windows systems.

So...maybe I got what I asked for, and my question was vague. I thought about that, but I don't see how someone can think "forensic analysis of a Windows system" is vague. If you start with the image of a drive, I know some folks mount it on a write-blocker, and then do A/V scans, examine file hashes, etc....all part of data reduction. But who's interested in looking deeper into the Registry? Who wants to correlate Registry information (i.e., data and LastWrite times) to log files from the system...and I don't mean just IIS and Event Logs?

Given that a great many systems being examined by law enforcement are Windows systems, I would think that this would be a more popular topic. I can only guess as to why this doesn't seem to be the case...but I'll refrain (that kind of speculation bores me).

So, it would seem that contrary to what Fox Mulder thinks, "the truth" just isn't out there. I'll continue posting my thoughts, musings, and research here...and if anyone comes across a site that discusses these sorts of things, let me know...I'd appreciate it. I'd like to see what kinds of things keep the analyst up at night, and what kinds of things the analyst would like to know more about. I'd also like to have a free-flowing exchange of such information...not just a site where people ask questions that are never answered...

12 comments:

spencer said...

Hello everybody,

I saw your mail (and the few responses) but didn't know such a resource.

So this remains probably to be made.

If you want "free-flowing exchange of such information...not just a site where people ask questions that are never answered...", I think you'll have to restrict access to the active part of the project:

for example if it's a web site, only members can add content.

and 'filter' members: to become a member you have to send an ORIGINAL paper or script or whatever.

Have a nice day

John said...

Harlan

Maybe you have just hit it on the head. Perhaps there are no (at least worthy) Windows forensics sites or blogs other than windowsir.blogspot.com. I certainly can not think of any.

If windowsir.blogspot.com is the first (and if not, the preferred) Windows forensics site, maybe it can be used as the building block for what you, and the frequent visitors, are looking for?

Anonymous said...

How about creating a formal newsgroup for forensics, maybe even several groups (network, linux, windows, mac)? It's a pretty annoying task to do such a thing, unless you just want to newgroup an alt. group though. Still, every time I refresh my groups list I wonder at the absence of such groups considering how topical they are currently.

--
Michael Cecil

Keydet89 said...

John,

I started the blog for exactly that reason...there were no other sites that addressed what I was looking for.

Mike,

I've already tried...as a Yahoo Group...but the difficulty is this - if you open it to everyone, you get a low signal-to-noise ratio. I've heard of lists where the moderator is a bit hard-core and will email someone if they post off topic, or post blatantly incorrect information, and ask them why they did that. Public forums are going to get a lot of that, so I wouldn't want to moderate.

If you limit membership, you run the opposite risk...getting a lot of people signed up, but no activity. The issue seems to be that most folks actually doing the work don't have time for professional networking and the exchange of information. I joined a LEO-based group recently and almost immediately saw a question that I knew I could answer. After watching my and several other responses go by, I tried several times to contact the original poster (OP)...and when he finally responded, he stated that as soon as he'd posted, something else of higher priority had come up...so it was a "post and run" kind of thing. I really think that the issue he had presented should have been archived in a FAQ, but that would only have worked if he'd (a) tried the responses, and (b) posted back to the list which of those responses worked.

To be honest, I'm tired of seeing the posts that include "...I'm too drunk/hung over/haven't slept in three days..." in technical forums. It's as if the person doing that knows that the answer they're giving isn't going to be of great use to anyone. What I'm looking for is a professional exchange of information, specifically regarding the forensic analysis of Windows systems...this can even include issues on the networking side, in addition to the host.

I created the Windows-IR group on Yahoo a while back, but it just sort of died...it seems that most of the folks joining were interested only in taking, not giving.

If you guys have a better idea of how to go about this, I'll be happy to try and implement it.

spencer said...

hello everybody,

why not try an IRC channel.

It's faster and easier.

Have a nice day.

Keydet89 said...

IRC would be good for chatting, but what about retention of knowledge? If someone posts a solution, how do you maintain that historically?

What if someone pops on and there's no one around on the channel to ask the question of?

spencer said...

Here we are (again!).

Isn't this all about information sharing?

Is it more important to find solutions or to know who was the first to whatever?

That's exactly why most forums/newsgroups/... don't work.

Everybody is for info sharing but nobody wants to share !

For the presence on the channel, it would be the same as when you post a message on a forum and wait hours for an answer (if you get one).

It's not a commercial support group; you don't have to be online 24 hours.

Have a nice day.

John said...

Based on the gist of what I am reading, what Harlan is after, basic newsgroups and mailing lists will not cut it, unless someone is dedicated enough and/or has the time to moderate to ensure quality, both of questions as well as answers. I am sure many who visit windowsir.blogspot.com can admit to seeing a degradation in the quality of some/many newsgroup postings over, say, the last five years (or even the last couple of years) or so.

As far as maintaining an online 'knowledge base' (for lack of a better term), it has already been mentioned that it is based upon 'sharing'. There are many security-related sites that currently perform this function. It requires those willing to commit their time to share without direct financial compensation.

As an example, www.windowsecurity.com and www.isaserver.org (run by Tom and Debra Shinder). Both do a pretty good job with the content they post and host - some written by Tom and Debra, and some written by their contributors/colleagues. No direct financial reward (as far as I know) is received by any of the contributors, and I believe the contributors either are known to Tom and Debra prior to submitting or have earned a name for themselves and have been asked to submit on behalf of the sites and the communities the sites are directly related to.

Going this route, or something similar, will require, I believe, some level of peer review of the content. I have worked for companies in the past that require content submission to an internal KB as part of the overall KPI for the staff member. Submitted work is peer reviewed and graded (with most professionals wanting to ensure what they submit is only of high quality, both for peer review as well as the impact on their KPIs) and becomes part of the company's IP, which is used as part of marketing and sales promotion to potential future customers.

My .02

John

Anonymous said...

FWIW, Guidance Software (makers of Encase) have some very useful forums. Everything from Encase specific information to general forensic procedure is discussed. From the page:

The Guidance Software Message boards include the EnCase® User, EnScript™ and Hardware Forums, and are resources for law-enforcement and corporate security professionals to exchange ideas, ask questions, and provide solutions. Thousands of our skilled and experienced users are registered on the boards, reviewing posts every day, and can offer their expertise on all of the functionality of EnCase®, forensic hardware issues, and writing EnScripts™. The Guidance Software Message boards are an invaluable resource for the forensic analyst.

Unfortunately, you need to be a licensed user of Encase to participate...

Greg Marshall said...

I agree that Guidance maintains the best forum for computer forensics. In fact, it's a big part of the value of Encase in my mind. It may sound backwards, but I believe some sort of control, registration, etc. over the membership is necessary for the free flow of ideas. Forensic Focus is shaping up to be a good forum as well, but I'll regularly post things to the Encase boards I wouldn't on Forensic Focus. It's just the nature of the work that we don't want some of our questions (or answers) posted to an open forum.

Keydet89 said...

Greg,

I agree...sad, but true: some form of control or restriction is required to maintain a quality forum.

I don't know that I completely agree about ForensicFocus...particularly b/c of your comments about posting to the forum, vice the Encase forums.

John said...

The only 'issue' I see with EnCase is you have to have paid the product fees to participate or access the forums. It is one way of ensuring some level of quality, but what about all the analysts who don't have the $$$ required to use EnCase?