Tuesday, May 17, 2005

Remember the KISS principle

How often do you see someone post to a list with a question that they could have answered themselves had they bothered to test it out?

I ran across two recently...one that didn't have much of anything to do with Windows forensics at all, but applies more to human nature...

The first was a question about files changed when a system is recovered. You know, for some reason, you can't boot a system, so you pop the CD in and reinstall the operating system...in doing so, what files are altered in the process. I suggested to the original poster (OP) that he try running a 'simple' test to find out, and the response I got was the tests weren't all that simple. His reasoning was that you'd have to check every version of Windows.

Basically, it sounded to me as he was arguing himself completely out of discussion. After all, who out there knows ahead of time when they're going to have to recover their system, and runs a integrity checking tool ahead of time?

My suggestion to him was to keep the scope of the issue small...pick an exemplar system such as XP Home or Pro, and define your problem and methodology, in such a way that the testing process you use is repeatable. For example, say that all you have available is Windows XP Pro. Note the patch level (ie, service pack, any additional patches/hotfixes)...you can do with with psinfo or WMI. Run an integrity checking tool on the files in the system32 directory...use something like FCIV or md5deep (from Jesse Kornblum). Then 'recover' the system and re-run the integrity checking tool.

You may also want to get file versioning information from the binary files in the system32 directory, as well.

Correct me if I'm wrong, but to me, asking the question "are files changed when you recover a system, and if so, which ones" really doesn't do a lot to progress the community, particularly when no one's going to do any testing.

The second post had to do with PDA forensics...the OP asked if anyone had experience using dd for PDA forensics. It was kind of an odd question, as he also stated that his employer was just about to buy (or had just purchased) the Paraben product. The kicker to the post was the statement that the OP made about not finding anything on Google. A quick search turned up info at E-Evidence.info, as well as

1 comment:

Anonymous said...

There is another checksum tool for Widnows - http://www.accuhash.com