Monday, June 22, 2009

Links

My interview with Lee Whitfield is up as Forensic4Cast episode 17. Lee asked some interesting questions, so be sure to listen to the entire podcast...we talk about some things at the end of the interview that you like to hear.

Chris Pogue, co-author of Unix and Linux Forensic Analysis, has started his own blog...check it out! Chris and I have worked together, and it's good to see him getting into the mix now and bringing his experience and knowledge to the blogosphere, including posting a review of WFA 2/e! Chris will also be at the SANS Forensic Summit, speaking on the IR panel. I'm sure if you asked him, he'd be more than happy to sign your copy of ULFA, which, by the way, Syngress will have table at the Summit with their books available.

Hogfly posted on the Need for Speed, and I really think that this is something that cannot be said enough. While there is a need for speed in response, there's also a need to ensure that things are still done right and still done to a standard of accuracy and quality. Again, though...the need for speed in response is very real. In many cases, you'll have an issue of suspected data leakage or exposure, and acquiring a small number of systems and taking 2 months or more to provide an answer is simply unacceptable, as much or more so than providing the wrong answer too quickly. Processes and techniques need to be addressed, improved and implemented in such a manner as to answer the three most important questions:

1. Was the system compromised?
2. Did the system house or store "sensitive" data?
3. Did #1 lead to the exposure of #2?

Suffice to say that a lot of what it takes to answer these questions rests squarely on the shoulders of the system owners themselves. There's only so much that can be done when the breach goes unnoticed (often, for weeks), and then the first reaction of the on-site staff is to shut the system down and take it off of the network.

Hogfly also posted his review of WFA 2/e...check it out. I like to see what practitioners have to say about the book (or any other resource, for that matter), because who better to have an opinion on something like that than someone who works in the business, right? Seriously. If you wanted to get someone's opinion on, say, the acceleration and handling of a sports car, who would you look to? Eddie, the introvert who reads car magazines (and other things) online, or Danika Patrick?

3 comments:

Anonymous said...

Hi Harlan ,
I Have a question that not related to this post about the dd command which dd command is your prefered on windows usage for imaging and forensics ?
Which you think is the best version /dd type command ?

Keydet89 said...

Anonymous,

Questions like this are best emailed directly, or posted to a list.

Anonymous said...

Ok Harlan I will send you an email
on the subject :dd command :)