Comments on Windows Incident Response: Uncertainty
Feed updated: 2024-03-19T07:46:20.437-05:00

Gareth, 2012-01-10T16:46:40.946-05:00

In our postgrad forensics course, one of our assignments is to complete an analysis and hand in a report on a given scenario. The scenario is, by design, incomplete, meaning there will be holes in your report. You are then placed in a moot court situation where professional attorneys grill you over it in front of the rest of the class. This serves as a very good lesson if you are ever in this situation in the future!

Anonymous, 2012-01-10T12:53:11.327-05:00

"He who asks a question is a fool for 5 minutes. He who never asks, is a fool forever"

Boy, how I have grown, and my salary, by simply asking questions and documenting the answers.

H. Carvey (https://www.blogger.com/profile/08966595734678290320), 2012-01-10T12:18:28.216-05:00

Christa,

I was primarily referring to the paralysis that prevents folks from asking the questions in the first place...but I do get what you're saying.

Christa M Miller (http://christammiller.com), 2012-01-10T12:11:48.262-05:00

Sorry Harlan, I'd read that but forgot you brought it up. Thanks for the reminder.

I think where paralysis happens is when forensicators think beyond "information exchange" and start reading tonality into "did you try looking for X?" -- depending on their personal influences, that tonality can sound positive or critical.

Again, rational vs. irrational. But I have found I need to remind myself frequently to focus on the info exchange rather than "what does that mean," and I can be pretty paranoid/OCD, so that's a real task. :P

I think ultimately it's important to figure out a balance between 1) understanding where paralysis comes from, so we can encourage more participation; and 2) pushing participants to ask and discuss past their comfort zones. I tend to think that those who learn to ask and discuss will last longer and make the profession stronger than those who have learned to "get by"...

Hunter Images and Words (https://www.blogger.com/profile/16413053155967206450), 2012-01-10T11:54:09.794-05:00

This discussion reminds me of my old Master Chief in the Navy: "The only stupid question is the one you should have asked and didn't." Still sage advice. Thanks for the post.
Thanks to Christa for the review.

Cindy Murphy (https://www.blogger.com/profile/12699448371512473414), 2012-01-10T11:49:15.271-05:00

Exam turn around time and case loads are a whole new line of conversation here... There are different sets of barriers in LE / VS the private sector that can affect that as well.

H. Carvey (https://www.blogger.com/profile/08966595734678290320), 2012-01-10T11:35:57.084-05:00

Cindy,

Good point, although in my experience, this doesn't/can't really happen in the private sector...because the customer usually has paid a lot of money for emergency response, and has someone pounding on them for answers.

However, I do get your point. I know that some LE have been shocked when private sector turn around is quick...like in 4 days, rather than 8+ months.

Cindy Murphy (https://www.blogger.com/profile/12699448371512473414), 2012-01-10T11:33:41.513-05:00

Or something that happens more often - an exam just languishes indeterminately as the questions go unanswered and unresearched, and whatever evidence was there isn't utilized efficiently. Thankfully, investigations rely on multiple sources of information and evidence, and it's rarely one piece of esoteric digital evidence that the whole case hinges on... which isn't to say that couldn't happen.

H. Carvey (https://www.blogger.com/profile/08966595734678290320), 2012-01-10T11:26:55.757-05:00

Christa,

Part of my post on contributions addressed asking questions as a contribution.

"...figuring out where the line is..."

There're a couple of ways to look at this...one being, you never know until you try. Seriously. Sure, the first time you ask, someone's likely going to respond, "which version of Windows are you looking at..." or "which version of EnCase are you using...", but that's part of the learning process...and very likely part of the overall paralysis issue, as well.

If someone does ask the question, and get "did you try searching for X?" as a response, well, try it. I know I ran into that very problem back when I was first researching NTFS alternate data streams...Microsoft called them "alternative data streams" and "multiple data streams", so searching for just "alternate" wasn't as revealing as I'd've liked.

Again, however...don't use the "what if I didn't use the right key words??" as a reason for paralysis...

H. Carvey (https://www.blogger.com/profile/08966595734678290320), 2012-01-10T11:20:42.837-05:00

Cindy,

Thanks. I think too many people believe "'tis better to remain silent and be thought a fool, than to open your mouth and remove all doubt" (attr. to Abe Lincoln), but to be honest, that simply does not work.

What happens if, because you didn't ask that question, a guilty man walks or an innocent man goes to jail?

Christa M Miller (http://christammiller.com), 2012-01-10T11:14:42.632-05:00

Harlan, thanks for the very kind words, and for the great riff off my post. Ironically I had written that review with regard to software coding or article writing or other "I can'ts" previously discussed, but I see how "contributing" is related to "just ask."

That said, I think many forensicators -- especially the newer ones -- might have a tough time figuring out where the line is between asking for help when it is genuinely needed, and asking for help prematurely (i.e. before having done the research).

In other words, if I'm working on a problem, and I've Googled and still can't find the answer, my next logical step might be to turn to a listserv or forum or buddy, explaining how far I've gotten. But... what if I used the wrong Google keywords? What if the answer really is glaringly obvious, and now I look lazy?

I guess, how much time should someone spend looking for an answer before finally asking for help? Especially on a tight timeline or under other pressure?

Cindy Murphy (https://www.blogger.com/profile/12699448371512473414), 2012-01-10T11:11:52.063-05:00

There's another great side effect to asking others for their help, or just talking to them about their area of expertise when we're not as comfortable with a subject.

Lloyd Alexander summed it up best when he said "Sometimes, we learn more by looking for the answer to a question and not finding it than we do from learning the answer itself."

You're right - none of us know everything... Once you start asking questions, you start to learn how very true that is, and you start to learn how very fun it is to find out more!

Nice post Harlan!