Sunday, January 27, 2008

Artifact Repositories

I see posts in a number of lists asking about (and for) forensic artifacts for P2P applications...lately, there have been several about LimeWire. For the most part, general questions regarding P2P apps drift toward...well...general questions, like "has anyone ever dealt with this" kind of questions. When specific apps are named, like LimeWire, specific questions are asked, such as "what are the contents of this file?" I can easily see how these issues would be relevant to cases involving files being shared, whether they are illicit images, or company proprietary information and IP.

It has occurred to me, time and again, that what is needed is a central repository of forensic artifact information. Something like a searchable database portal where you can login, type in a few keywords, and obtain a listing of relevant articles. These articles could be downloadable PDF documents...something that you can take with you, print out, etc. These articles would be written for forensic analysts, by forensic analysts...that way, they would contain relevant information, as well as have tips for techniques to use for data extraction and analysis, or even the tools themselves.

Now, the question becomes...if this repository were to contain more than just a few articles on forensic artifacts of P2P applications, but instead covered other areas, and even addressed other OSs, is this something you would pay for? Far too often in this community, when something is provided for free, it languishes unused...be it tools, information, or books. An annual subscription fee would be necessary to keep something like this up and running.

Now, articles would be updated, of course, and information would constantly be added to the library. Something like this could also have a forum where information could be exchanged, and clarifying questions could be asked. Also, a subscriber could request additional information or make a request for the latest version of the app to be examined.

Is there anything else you'd like to see, or wouldn't like to see in something like this? Does this make any sense at all?

13 comments:

DJPnP said...

The current system of using forums is starting to creak a little and whilst research papers and books are great for the big, relatively slow moving topics such as OS artifacts, they will always be playing catch up with most software.

A combination of the various forensic wikis and a standardised framework for reporting artefacts, like hogfly's tool mark library http://forensicir.blogspot.com/2008/01/tool-mark-library-first-cut.html, would be useful.

Although I'd only pay for it if it was proactive in its research and could guarantee a more rigorous peer review than the ad-hoc nature of the wikis.

H. Carvey said...

DJ,

Thanks for the response/comment...

I don't find the ForensicWiki as useful as it could be right now, and another drawback, particularly with LE, is that the info needs to be private to them and not publicly available (although I do have a whole other rant about that...).

I'm not completely on-board with HogFly's toolmark library largely b/c I don't see how the classifications make sense at this point. I think someone would be more likely to search for "LimeWire" or "P2P" than they would for the various classifications. Also, reading some of the classifications, I can't say that I see a big difference between some of them.

I'd only pay for it if...

This is important to know. What I find about some of the information written already pertains to questions regarding rigor and completeness. I think that some of the folks doing this kind of "research" have little interest in expanding their toolkits or techniques to be more comprehensive, and simply want to get something out. In this way, some of the articles we see are not as complete as they could be, and perhaps not as relevant as they could be.

Anonymous said...

I wouldn't pay for it but I'd definitely download a torrent of it.

H. Carvey said...

So you wouldn't pay for it, but you would just take someone else's hard work?

hogfly said...

What classifications are you referring to Harlan? I don't think I've once specified the classifications yet other than to say that there are class and individual characteristics. I wouldn't pay for a subscription - because I sincerely doubt all of it would be useful and pertinent...but I might pay for specific write-ups of value to me. Ah well..good luck.

ForensicZone said...

One of the problems is the wide variety of needs for different investigators. Today I’m doing a Limewire Investigation and tomorrow I need detailed information on Perfect Keylogger. I mention Perfect Keylogger because I spent a day or two researching this program for an investigation. My research included “breaking the encryption” used by this program, finding the email address information is sent to and finding the headers of screen captures the program covertly sends out. I’m personally afraid to post my findings anywhere because of the liabilities with the company that creates that program. It would be a waste of time for another investigator to redo the same finding I have already made.

Richard McQuown

H. Carvey said...

What classifications are you referring to...

From this blog post, you refer to categories, including striated, impressed, crush or cut, and multi-stroke tools. I'm not sure that I agree with these classifications or categories, that's all.

...I sincerely doubt all of it would be useful and pertinent...

I'm sure all of it wouldn't be useful or pertinent to someone of your caliber. However, that doesn't mean that others might not find it to be an excellent resource. After all, there are many organizations currently paying for subscriptions to vulnerability information...why not forensic artifacts?

H. Carvey said...

Richard,

One of the problems is...

Problems...or opportunities? The purpose of having a library is so that things can be searched on.

...afraid to post my findings anywhere because of the liabilities...

I can understand that. However, if such a service included vetting of those signing up, then it really wouldn't be any different from someone who does, say, vulnerability research. Do folks who post vulnerabilities that they discover on vuln-dev face the same liabilities that you mention?

ForensicZone said...

Opportunity! You would have to have an area like Yahoo Answers to ask specific questions. At times I get inundated with work and run into a small forensic puzzle I might like to research…if I had time… but now I need a quick answer. The answer would have to include the methodology and findings. In my “down time” I would like to be able to contribute back to the collective. There are so many areas of learning in computer forensics it is getting difficult to keep up on them all. It feels like you have to pick a couple of areas to focus your expertise. As far as money or a business model - I would pay for an information service and would like the ability to get credit for my contributions.

Richard McQuown

H. Carvey said...

You would have to have an area like Yahoo Answers...

True, a forum or some way to interact with the folks maintaining the site and providing information would be necessary. This could be expanded to include interaction amongst the subscribers, as well.

...I need a quick answer.

Exactly my point! Look at CFID, HTCC, etc...folks get on these lists/forums all the time in need of a quick answer, and within days or weeks, you see yet another question...responses, when there are any, aren't archived.

The answer would have to include the methodology and findings.

Perhaps...but I don't see organizations doing vulnerability analysis providing their methodology...only what they've found, not how they've found it.

Contributing back to the community is something that we don't see a great deal of now, and I'm sure we'd all like to see more of it.

H. Carvey said...

Just an FYI...I've posted an example of some things I've been writing up here...see the Files section.

echo6 said...

I can see the need for a resource such as this. In fact we have started to implement our own department library. I would hope at some point they would also make their way to larger collective repository where others could benefit.

I'm not sure I like the idea of paying a subscription for such information. In lieu of tight budgets I think most organizations would sidestep it and just plod along without such a resource, thus not making it viable.

Why doesn't the ForensicWiki work? To me that would seem to be the logical way forward.

"particularly with LE is that the info needs to be private to them and not publicly available." There are operational reasons why that would be necessary. I am very much in favor of open source material free to all for scrutiny and peer review, granted there are occasions when certain articles should not be published. Personally I prefer http://www.forensicwiki.org over http://www.forensicwiki.com. Yes, they do exist, and there is a subtle difference between the two! What I wouldn't want is for them to be competing against one another.

hogfly said...

Maybe the two should just combine efforts to maximize the flow of information...but I'm sure there are "blockers" to that happening...probably a layer 8 issue.