Monday, February 25, 2008

Getting Started, pt II

Okay, in the face of recent (and completely bullsh*t) claims by Sen. Clinton that Sen. Obama plagiarized speeches (so the guy used some phrases...so what?), I thought that it would be best that I was up-front and came clean...I did not have se...oh, geez...wait a sec...

I was on the e-Evidence site this morning and saw a paper listed from Kennesaw State University, entitled,
"Digital Forensics on the Cheap: Teaching Forensics Using Open Source Tools", from Richard Austin. This paper goes right along with what I was referring to in my earlier post, but also takes it a step further with regards to using specific tools, in this case, Helix and Autopsy. This is a great read and definitely very useful.

So, you're probably wondering...what's the point? Well, lists of free and open-source tools, as well as to documents that describe their use can be used to provide a solid foundation in the fundamentals (and even in more advanced information and techniques) of computer forensic analysis. Some college (community college as well as university) courses may not have the budget for some of the more expensive tools, but can provide the time and impetus necessary for folks wanting to learn and develop skillz to do so.

The availability and access to images and tools for creating and obtaining images, as well as the access to tools for analysis also provide a foundation for training programs, as well, in order to develop more advanced skill sets. Not only that, but new areas of computer forensic analysis can be explored...for example, it's not entirely difficult to locate malware on a system, but one of the areas that isn't explored is how it got there in the first place. Training sessions, brown-bag or white-board discussions all lend themselves very well to advancing the knowledge base of any group of forensic analysts, and the availability of the tools and images put the basis for these training sessions within reach of anyone with a Windows system and some storage space.

One final thought to close out this post (but not this subject)...has anyone thought about using these resources as part of an interview process? I can easily see three immediate ways of doing so...
  • 1. Query the interviewee with regards to familiarity with the tools and/or techniques themselves; if familiarity is mentioned or discovered during the interview process, ask probing questions about the use of the tools (Note: this requires the interviewer to be prepared).

  • 2. Prior to the actual interview, have a candidate perform an exercise...point them to a specific image, and give them instructions on what tools to use (or not to use). Part of the interview can then be a review of their process/methodology.

  • 3. If an interview is conducted on-site, with the candidate coming into the facility (rather than a remote interview), have the candidate sit down at a workstation and solve some problem.
The whole point of the use of these tools and techniques as training and evaluation resources would be to get analysts thinking and processing information beyond the point of "Nintendo forensics", going beyond pushing a button to get information...because how do you know if the information you receive is valid or not? Does it make sense? Is there a way to dig deeper or perhaps validate that information, or is there a technique that will provide validation of your data?

3 comments:

Greg said...

SANS had this article just before the holidays:
http://isc.sans.org/diary.html?storyid=3669

I loaded up a USB drive with a lot of these programs, and have used them with success.

I had been running my initial homegrown IR scripts from the USB drive, but I've since started working on placing my scripts on cdrom.

Martin said...

New version of HELIX, 2008R1(2.0).

H. Carvey said...

Martin,

Thanks...I downloaded and burned it two days ago...