Wednesday, January 03, 2007

New Year's Resolutions

I read today that some technical bloggers have resolved not to make any New Year's resolutions. Uh...okay...but isn't saying that you're not going to do that, in essence, a resolution? Hey, I'm just sayin'...

To kick 2007 off, I'm going to resolve to think big thoughts about incident response (IR) and computer forensics (CF) this year. Seriously. There has to be more to IR and forensic analysis than just what we're seeing. Think about it. There's got to be a ton of evidence in the Registry, right? After all, no one goes there. What about in RAM? And I know that there are a lot of questions out there, as I see some of them again and again. Questions like:
  • How do I show files were copied to/from a system?
  • How do I show that a CD/DVD was created on a system, and by whom?
  • How do I show that a user account was changed from a User to an Administrator, and when?
What I would ask of all of you for 2007 is to build the knowledge base of the forensic community. Remember, it takes a village...I know, I can't believe I said that either, but hey, it makes my point. I've heard that a lot of folks don't post or comment or ask questions online because they don't want to look stupid. Okay, so post under someone else's name so they look stupid. Or post anonymously. Whatever works. The point is that there are a bunch of us out there working in this area, and every now and then a "hey, what about..." or "hey, what if..." or "hey, look what I found..." would really go a long way toward adding to all of our knowledge.

I've also been told that LEOs don't like to post questions because opposing counsel might see it and hold that against them in court. Well, if that's the case, then couldn't opposing counsel get pretty much any testimony thrown out, because at one point, before all of your training and reading, you didn't know anything? I mean, doesn't it make more sense to ask, get an answer, and verify it, and let that be the case, rather than go into court with a weaker case, all because you didn't want to ask a question?

One last thing...please resolve that in 2007, when posting questions, you'll include the OS and version. Seriously. I know some of you think that when someone responds to your post with "what OS/version?", you've been "chastised" or p0wned...whatever. Get over it. Most of the time the answer will be different depending on whether we're talking Windows 2000, XP SP2, or Vista, and I don't have the time to write or read an if...then...else encyclopedic answer.

4 comments:

Bill Ethridge said...

Good resolution. It's like DNA: it was always there, it just took the advancement of science and methodology to identify it as a useful forensic item, and then acceptance in the legal system as valid. Now hardly a physical crime goes by that doesn't include DNA evidence. We have to find our DNAs.

I would like to see the move to more live acquisitions for a couple of reasons. Use of encryption is becoming more commonplace. Any CF examiner who shuts down a system without first checking to see if FDE is being used is going to be in for some rude surprises after the image is made. Also, performing just a dead system analysis is somewhat akin to performing an autopsy when the brain has been removed from the body. As far as the courts go, it will be a matter of getting it admitted by fair judges who will look at the documentation and methods and decide they are sound. BUT, if no one tries and performs none of these, they will never be seen as "normal" or "acceptable".

I know it's hard for me to set up lab time to practice new ideas or find new registry keys to look at, etc., when I have billable time I could put in, BUT it's a price I have to pay to be able to advance my abilities. The big picture has to change from third-party forensic tool use to knowing the nuts and bolts of the OSes and file systems we analyze, so we even know what we are capable of proving.

Oh yeah, I forgot, my NY resolution was to not get on a soapbox this year. Oh well.....

H. Carvey said...

...it will be a matter of getting it admitted by fair judges who will look at the documentation and methods and decide they are sound

And it is up to us, as the examiners and first responders, to ensure that the documentation and methods are sound. Also, I think that there are a lot of folks out there who are afraid to fail...afraid to make the attempt at the risk of getting shot down. When the sun sets, remember Thomas Edison didn't get the light bulb right the first time.

The big picture has to change... to knowing the nuts and bolts of the OSes and file systems...

Agreed. The information is out there and it's ridiculously easy to come by. You can even get it by going to one of the social networking events like NoVASec or even just grabbing a beer with someone.

Bill Ethridge said...

I'll bet more advances have been made over a beer in all facets of human endeavor than anything else...

"Also, I think that there are a lot of folks out there who are afraid to fail..."

True, we all have that instinct up to a point. A hero isn't the guy that has no fear; a hero is the guy that acts in spite of his fear. We need some good old-fashioned military-type discipline and go-get-'em.

It's easy to jump on the CF bandwagon; it's something else to advance the science.

H. Carvey said...

I'll bet more advances have been made over a beer in all facets of human endeavor than anything else...

Without a doubt! Case in point...Tun Tavern.

Jump forward to Belleau Wood, June 1918...two German machine gunners sitting in a fighting hole, sharing a brew. One says to the other, "Hey, what should we call these guys, these 'marines'?"

The other says, "How about 'Teufelhunde'?"

;-)