Now and again, the question comes up about writing technical forensic examination reports. Often in some forums, you'll see someone say that they feel that folks should publish their report formats...most often without doing so themselves. Funny how that works, eh?
Here's a link to a recent DFI article that describes what a report should contain.
Not long ago, John H. Sawyer wrote a nice article for DarkReading that mentioned my name...very cool, and a very nice reference. Thanks, John!
From the sausage factory, there's a great blog post about Windows Photo Gallery artifacts. IMHO, for the most part, we don't see enough of these kinds of posts...great work! Here's another, similar post from the ThinkTankForensics blog.
This past week, I had an opportunity to be around and talk to some really smart people, and had some really interesting thoughts about WiFi geolocation data extracted from acquired images. Okay, it's not quite as simple as that, per se, but I do think that for some folks (in particular, law enforcement), this sort of data exploitation will be extremely useful.
Ran across a reference to the Digital Forensic Framework last week, and thought I'd take a look...yes, Virginia, there is a Windows version! I'll have to read a bit more about it and give it a run.
Speaking of frameworks, ProDiscover version 6 is available! Thanks to Chris Brown's generosity, I've been using PD since version 3, and have written several ProScripts, which is the Perl scripting interface into ProDiscover. Some of the updates in version 6 are very, very welcome, including the ability to conduct regular expression raw mode searches. Very cool! I also ran across some comments in various lists that version 6 also supports access to Vista Volume Shadow Copy files...this is something I definitely need to check out. One of the things I've always loved about ProDiscover is the cleaner interface than some other tools, and I really like the Perl scripting capability!
...you'll see someone say that they feel that folks should publish their report formats ... most often without doing so themselves. Funny how that works, eh?
ReplyDeleteI've shared my report format with a host of examiners, though on an individual basis. It's been very well received by a few LEAs and by local and federal prosecutors in my venue. I also provide an "Analysis CD" with every report. The problem with "publishing," IMHO, is that I have a few formats that I use in different cases. In that regard, I have a 30-page template that contains stock language that I cut and pase. For example, I have a paragraph or two that explains link files for the non-geek. Of course, boiler plates must be updated routinely. Another issue with publishing is that some folks don't recognize that a report is not a white paper on a given topic. It's easy to criticize a report for being "incomplete."
[ProDiscover] version 6 also supports access to Vista Volume Shadow Copy files ... this is something I definitely need to check out.
Please do and let us know. I was part of the thread on that topic. The fellow who noted this said that PD mounts the volume, if I recall correctly. I imagine that you at least must run PD on Vista.
Jimmy,
ReplyDeleteRe: ProDiscover and VSS...I contacted Chris Brown directly and he said:
Once you are connected to a remote system with a VSC you can right click over the physical disk and choose to mount any and all available shadow copies.
Go to the ProDiscover Resource Center for a webinar on this...
Very cool stuff, and a great, big THANKS to Chris!
Thanks for the mention of my blog posting re Windows Photo Gallery. The think tank forensics posting is a straight copy of my blog. This is happening more and more. As one of the major computer forensics bloggers Harlan, I would be grateful of your opinion - is this fair play?
ReplyDeleteRichard Drinkwater
Rich,
ReplyDeleteI see this a lot myself...I'll make a post with a specific term in the text and then wait a week and do a search...
I guess I've always had an issue with those who don't actually create their own content or contribute back to the "community" (with respect to whatever they're doing) but instead just copy other's material for their own site content...but then, that's what happens if you don't protect your IP...