Saturday, May 31, 2008


I was reading a list entry recently, looking at some of the functionality that was being added to a popular forensic analysis application, and I got to thinking...what areas of what we do (incident response and computer forensic analysis) are in need of innovation? What could we do better, through process or whatever, to do what we do better...more efficiently, more accurately, more completely?

What about adding functionality to forensic analysis applications? In the instance I was looking at, the request that had been granted was to add parsing of ASCII-based logs to the application. Is this really necessary? Is this something that needs to be added to applications that are still unstable, crash without notice or without any sort of debugging information, and already contain so much "functionality" that a certification is required just to use the application (forget doing actual forensic analysis)?

I'm not picking on any one application either. There's another one that I like a lot, and updates have been delayed while functionality is being added to it...functionality that is available in other tools.

What I'd like to see is a core, stable application capable of opening image files and allowing the analyst to quickly and accurately perform keyword and grep() searches against file content, file names, etc. From that point on, major functionality (such as parsing PST files) could be added as plugins, allowing the core application to remain stable even when a plugin fails.
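As an added illustration of that core-plus-plugins idea (this is example code written for this post, not the author's or any product's), the sketch below keeps only byte-level regex/keyword search in the core and isolates each plugin so that a crashing plugin is reported rather than taking the core down. The image, the plugin names and the registry API are all constructed assumptions.

```python
import re
from typing import Callable, Dict, List, Tuple

# Constructed stand-in for a raw disk image: null padding with a few
# recognisable strings embedded, so the search runs offline.
SAMPLE_IMAGE = (
    b"\x00" * 32 + b"Outlook.pst" + b"\x00" * 16 +
    b"suspect@example.com wrote: meet at dawn" + b"\x00" * 8 +
    b"http://evil.example/dropper.exe" + b"\x00" * 40
)

def grep_image(image: bytes, pattern: bytes, context: int = 8) -> List[Tuple[int, bytes]]:
    """Core search: regex over raw bytes, returning (offset, surrounding bytes).
    Searching bytes instead of decoded text means slack space and partially
    overwritten data are not skipped just because they fail to decode."""
    hits = []
    for m in re.finditer(pattern, image):
        start = max(0, m.start() - context)
        hits.append((m.start(), image[start:m.end() + context]))
    return hits

def keyword_search(image: bytes, word: str) -> List[int]:
    """Case-insensitive literal keyword search; returns byte offsets."""
    return [off for off, _ in grep_image(image, re.escape(word.encode()), 0)]
    # (the flag is applied via the pattern below to keep one code path)

# Hypothetical plugin registry: name -> callable(image) -> result.
PLUGINS: Dict[str, Callable[[bytes], object]] = {}

def register(name: str):
    def deco(fn):
        PLUGINS[name] = fn
        return fn
    return deco

def run_plugins(image: bytes) -> Dict[str, object]:
    """Run every plugin in isolation: a failing plugin yields an error
    record for that plugin only; the core and the other plugins continue."""
    results: Dict[str, object] = {}
    for name, fn in PLUGINS.items():
        try:
            results[name] = fn(image)
        except Exception as exc:  # never let a plugin crash the core
            results[name] = f"error: {type(exc).__name__}: {exc}"
    return results

@register("email_addresses")
def find_emails(image: bytes) -> List[str]:
    return [m.group(0).decode() for m in re.finditer(rb"[\w.+-]+@[\w-]+\.[\w.]+", image)]

@register("pst_parser")
def parse_pst(image: bytes):
    raise NotImplementedError("PST parsing is a plugin concern, not implemented here")
```

Running `run_plugins(SAMPLE_IMAGE)` returns the e-mail hits alongside an error entry for the PST plugin instead of an unhandled crash, which is the stability property the post is asking for.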

I'm also a firm believer that too much functionality in a forensic analysis application moves that analyst further and further away from understanding the data itself. As analysts are removed from the data, their understanding of what's expected and what's unusual or suspicious lessens. One person can't be expected to know everything, but that's why we have a "community", right? Having analysts that understand how various pieces of data interact to build a more complete picture is extremely important, particularly as the sophistication of cybercrime continues to rise.

What are some areas that you feel need a little innovation? How about just shaken up enough to flake off the shell of "...but that's how we've always done it"?


Jimmy_Weg said...

Not to detract from other tools, but I think you're describing X-Ways Forensics :-) Small, efficient, can be run from a thumb (dongle required), extremely fast, configurable, etc. It's not a push-button tool, and the user should expect to have an "understanding the data itself" as well as the file systems under review.

Keydet89 said...

I met Stefan in Hong Kong in Dec, 2007 and attended his presentation on X-Ways. He graciously offered me a demo license, but even to this date, I have yet to have the opportunity to test it out. I've heard some very good things about the tool and will likely be contacting him yet again to see if I can get a demo license to try out.

Any comments on the tool would be greatly appreciated.

cosimo_anglano said...

I definitely second what Jimmy said. I would also add that (at least for the tasks I used it for) it is very robust and stable, and when it crashes it provides you a reasonable deal of logging. Furthermore, the time taken to resolve a problem after it has been reported is very, very short compared to other tools (a few days, at most, in my relatively short experience).

Fred F. said...

Hi All,

Look at the DFLabs open source solution. PTK seems to be a forensic base tool with the main fundamental functionalities and a plug-in structure. I've tested it and it is a very good base point, and it's free!

Keydet89 said...

Yes, and I'm waiting on the Windows version...