Saturday, October 07, 2006


This post is likely to be the first of several, as it's something I've been thinking about for quite a while, and it takes new form and shape every time it pops into my head. So...please bear with me...

We see all the time that cybercrime is increasing in sophistication. We see this in reports and surveys, as well as in quotes. From this, we can assume (correctly) that there is a widening gap in abilities and resources between those committing the crimes, and those investigating the crimes. This gap is created when innovation occurs on one side of the equation, and not on the other.

I guess we need to start with the question, is there a need for innovation in the field of incident response (IR), and consequently computer forensic (CF) analysis?

I know that this is going to open up a whole can of worms, because not everyone who reads this is going to interpret it the same way. Even though I get this question running around inside my brain housing group from time to time, I don't think I really have a solid grasp of the concept yet. I see things and I think to myself, "Hey, we could really use some innovation here", or as in the case of Jesse Kornblum's ssdeep, "Hey, THAT'S an innovation!!"

I know what isn't an innovation, though...hash lists are not an innovation. Not any more. Sorry. 'nuff said.

Let's look at it this way...right now, Windows systems are being investigated all the time. I'm on several public and member-only forums, so I see the questions...some of the same ones appear all the time. There are just some things that folks don't know about yet, or don't have a clear understanding of, and simply don't have the time to research themselves. From a more general perspective, there are areas of a Windows system that are not investigated on a wide basis, simply due to lack of understanding (of what data is available and how it could affect the investigation). I firmly believe that if there were more of an understanding and more knowledge of these areas, some investigations would reap significant benefits.

So, is the innovation need in the area of knowledge, communication, or both?

Vista is bringing about innovations in technology. Un- or under-documented file formats require application-specific innovations (and these include Registry entries, not just binary formats).

See what I mean? It's kind of hard to put your finger on, even though it's there...just outside your direct line of vision, like trying to see someone at a distance, at night. On the one hand, cybercrime has a motivation to innovate; innovations are made out of necessity. But what about other cases or issues, such as missing children? Business innovations in technology and applications (MySpace, Xanga, IM applications, etc.) just naturally require innovations in the areas of understanding, investigations, and subsequently communications. Outside innovations in storage media have led to different (albeit, not new) means of committing information theft and fraud.



Anonymous said...

Hey Harlan, thanks for giving me credit on fuzzy hashing. I have to point out, however, that I didn't develop the algorithm. It was originally part of a spam detector called Spamsum by Dr. Andrew Tridgell.

I'm writing this because I want to underscore that it's really hard to come up with something new. I think it's easier to find advancements in other fields and then apply them to ours.

Surely we can't be the only community having the problem of information overload. What about people who deal with credit card fraud? Phone phreaking? Surely they have ways to communicate that we could use as well?

H. Carvey said...

I have to point out, however, that I didn't develop the algorithm.

Yes, but you took that algorithm and turned it into an immensely useful and easy-to-use tool.

...it's really hard to come up with something new.

In some senses, perhaps. But maybe what we need is an innovation in another area, in the form of communications, or conveying knowledge.

I know one thing...whether it's via World of Warcraft or some other mechanism, the bad guys have ways of innovating and sharing information; we need to do something.

Bill Ethridge said...

I see our thread made your blog Harlan.

It's got me rethinking my level of communication at any rate.


Anonymous said...

In a sense, it did...but check the dates on the FF post and the blog post. What really happened was writing to FF allowed me to focus my thoughts enough to create a blog entry.

Also, this addresses communications...there are a lot of folks who may read FF who have no idea about my blog, and vice versa.