Saturday, December 29, 2007

Who you gonna call?

Remember that old tag line from the '80s? It's right up there with "Where's the beef?" However, my question is directed more toward forensic analysis, including anything collected during live response.

Where do you go for thoughts, input or validation regarding your live response process? Do you just grab a copy of Helix and run the WFT tools? Or are you concerned about doing that blindly (believe me, there are folks out there who aren't...), and want some kind of validation? (I'm not saying that WFT and toolkits like it are bad; that's not the case at all. What I am saying is that running the tools without an understanding of what they're doing is a bad thing.)

What about analysis of an image? Do you ever reach out and ask someone for insight into your analysis, just to see if you've got all of your bases covered? If so, where do you go? Is it a tight group of folks you know, and you only contact them via email, or do you reach out to a listserv like CFID, or go on lists like ForensicFocus?

Another good example is the Linux Documentation Project and the list of HowTo documents. These are great sources of information...albeit not specific to forensic analysis...and something I've used myself.

NIST provides Special Publications in PDF format, and Security Horizon is distributed in PDF. CyberSpeak is a podcast. IronGeek posts videos, mostly on hacking. I included a couple of desktop video captures on the DVD with my book, showing how to use some of the tools.

While I agree that we don't need yet another resource to pile up on our desks and go unread, I do wonder at times why there isn't something out there specific to forensic analysis.


Macaroni said...


I go to most of the resources you mentioned as well as internal resources we have at the company I work for. But still I am at a loss for where to find how specific things work. Recently, I was faced with a person who ran chkdsk /f on the hard disk before I could get to it. I found that I could not find any docs on what chkdsk actually does at the file system level to try and explain what I was seeing with deleted files on the system.

Are you just trying to get a sense of what people are doing, to figure out what would be worthwhile?


H. Carvey said...

...I could not find any docs on what chkdsk actually does...

I found this:
chkdsk on XP

There's more at TechNet...

Are you just trying to get a sense of what people are doing, to figure out what would be worthwhile?

Yeah, pretty much. I've seen recently where some data wasn't even looked at during an investigation, and when I asked about specific sites, I was told that they had no idea...

Macaroni said...

Thanks for the chkdsk link. I saw that as well, but again it does not explain at a lower level what it does to fix the problems, and I do not know of anywhere that tells how it re-arranges sectors and clusters. I saw some pretty weird stuff in unallocated space for files that should have been recoverable.

Oh well,

Thanks again,
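The gap Macaroni describes (no documentation of what chkdsk /f does at the cluster level) can be approached empirically rather than from documentation: image the drive, run chkdsk /f against a working copy, image it again, and diff the two images cluster by cluster to see exactly which clusters were rewritten, wiped or filled. The script below is an added example and is not code from the original post or its comments; the function names are hypothetical, and the two "images" it builds for the demo are constructed in memory rather than taken from a real disk. It makes no claim about what chkdsk actually does; it is the check you would run to find out.

```python
# Added example (not from the original post): cluster-level diff of two raw
# disk images, e.g. one taken before and one after running "chkdsk /f" on a
# copy. Function names are hypothetical; the demo images are constructed.
from dataclasses import dataclass
from itertools import zip_longest
from typing import Iterable, Iterator, List, Optional, Tuple


@dataclass
class ClusterRun:
    """A contiguous run of clusters whose content differs between the images."""
    first: int          # first cluster number in the run
    last: int           # last cluster number in the run (inclusive)
    before_zero: bool   # every cluster in the run was all-zero in the "before" image
    after_zero: bool    # every cluster in the run is all-zero in the "after" image


def _clusters(data: bytes, cluster_size: int) -> Iterator[bytes]:
    """Split an in-memory image into fixed-size clusters (last one may be short)."""
    for off in range(0, len(data), cluster_size):
        yield data[off:off + cluster_size]


def diff_cluster_streams(before: Iterable[bytes], after: Iterable[bytes]) -> List[ClusterRun]:
    """Compare two streams of clusters and return the runs that changed.

    Adjacent changed clusters are merged into one run only when they have the
    same zero/non-zero classification, so "wiped", "rewritten" and "newly
    filled" regions come out as separate runs.
    """
    runs: List[ClusterRun] = []
    cur: Optional[ClusterRun] = None
    for n, (a, b) in enumerate(zip_longest(before, after)):
        if a is None or b is None:
            raise ValueError("images differ in size; compare same-size images")
        if a == b:
            cur = None          # unchanged cluster ends the current run
            continue
        a_zero = not any(a)     # True if the cluster was entirely 0x00 before
        b_zero = not any(b)     # True if the cluster is entirely 0x00 after
        if cur is not None and cur.before_zero == a_zero and cur.after_zero == b_zero:
            cur.last = n
        else:
            cur = ClusterRun(n, n, a_zero, b_zero)
            runs.append(cur)
    return runs


def diff_images(before: bytes, after: bytes, cluster_size: int) -> List[ClusterRun]:
    """Diff two in-memory images (handy for tests and small partitions)."""
    return diff_cluster_streams(_clusters(before, cluster_size), _clusters(after, cluster_size))


def diff_image_files(path_before: str, path_after: str, cluster_size: int) -> List[ClusterRun]:
    """Diff two raw image files without loading either into memory at once."""
    with open(path_before, "rb") as fa, open(path_after, "rb") as fb:
        return diff_cluster_streams(iter(lambda: fa.read(cluster_size), b""),
                                    iter(lambda: fb.read(cluster_size), b""))


def describe(run: ClusterRun) -> str:
    """Human-readable label for a run: wiped, newly filled, or rewritten."""
    span = f"cluster {run.first}" if run.first == run.last else f"clusters {run.first}-{run.last}"
    if run.after_zero and not run.before_zero:
        return f"{span}: content wiped to zero"
    if run.before_zero and not run.after_zero:
        return f"{span}: previously empty, now contains data"
    return f"{span}: content rewritten"


def build_demo_images(cluster_size: int = 512, clusters: int = 16) -> Tuple[bytes, bytes]:
    """Constructed sample pair (not a real disk): data in clusters 4-7 and 10
    before; afterwards clusters 5-6 are zeroed, 10 is rewritten, 12 is filled."""
    before = bytearray(cluster_size * clusters)
    for c in (4, 5, 6, 7, 10):
        before[c * cluster_size:(c + 1) * cluster_size] = bytes([0x41 + c]) * cluster_size
    after = bytearray(before)
    for c in (5, 6):
        after[c * cluster_size:(c + 1) * cluster_size] = bytes(cluster_size)
    after[10 * cluster_size:11 * cluster_size] = b"\xff" * cluster_size
    after[12 * cluster_size:13 * cluster_size] = b"\x11" * cluster_size
    return bytes(before), bytes(after)


if __name__ == "__main__":
    # Real use: diff_image_files("before.dd", "after.dd", 4096) with the
    # volume's actual cluster size; here we use the constructed pair.
    before_img, after_img = build_demo_images()
    for r in diff_images(before_img, after_img, 512):
        print(describe(r))
```

Feed the run list into whatever you already use to map clusters back to MFT entries or carved files; a run that reads "content wiped to zero" over clusters that previously held a recoverable deleted file is exactly the kind of evidence that explains "weird stuff in unallocated space" without guessing at what the tool did internally. Use the volume's real cluster size (from the boot sector) rather than the 512 in the demo, or runs will straddle cluster boundaries.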