I ran across a question on a list recently that I responded to when I saw it, but as time has passed, I've reconsidered my response somewhat. And whatnot.
The question I saw had to do with RegRipper, specifically my thoughts on meeting the needs of the community and creating new plugins. Basically, all I've ever asked for in that regard is a concise description of the need or issue, and a sample hive file. The person asking the question wanted to know if I seriously expected folks to provide hive files from live cases. My initial reaction was no, there are other ways to provide the necessary data. Such as setting up a test environment, replicating the issue, and sending me that hive file. However, I began to reconsider that response...if someone doesn't really know the difference between a Registry key and a value, and they have a question, how would they go about crafting the question? Once they do that, how would they go about discerning the responses they received, and figuring out which applied to what they were working on?
Seriously, there are a lot of things out there that require specific use of language, and specificity of language can be somewhat lacking in our community.
Taking that a step further, one of the problems I've seen for a number of years is that some questions that need to be asked simply don't get asked, because people in the community don't want to share information; apparently, "sharing information" has a number of different connotations. Some folks don't want it publicly known that they don't know something...even if asking the question means that they'll end up knowing the answer. I've seen this before...I didn't want to ask the question, because I didn't want to look dumb. To that, my response is usually along the lines of, so you don't ask the question, and we overcharge the customer for an inferior deliverable, our billing rate drops, AND you don't know the answer for the next time you need it. Really...which situation really makes you look dumb? Another one I see is that some folks don't ask questions publicly because they just don't want others to know that they had to ask...to which I usually suggest that if they had asked the question, they'd then know the answer, obviating the issue all together.
Others apparently don't ask questions because they're afraid that they'll have to give up sensitive information...information about a case that they're working on, etc. I understand that folks working CP cases don't want that stuff out...and to be honest, I don't either. I do want to help...and sometimes, due the "cop-nerd language barrier" sometimes the best and fastest way to help is to get the actual Registry hive or Event Log file. And guess what? Hive files don't (usually) contain graphics.
Like many folks, my desire to help comes from just that...a desire to help. If my helping makes it easier for an LE to be prepared to address the Trojan Defense, or better yet, to do so in a manner that gets a plea agreement, then that's good. I do NOT want to see the images, and I and others can help without seeing them.
Another issue is that some folks don't ask questions because they don't know enough about the situation to ask the question. This can be a particular issue in digital forensics, because there are certain things that really make a difference in how the respondent answers...such as, the file system, or even the version of the operating system. NTFS is different from FAT is different from ext2/3, and Windows XP has a number of differences from Windows 2000, as well as Vista.
Here's an example...some folks will ask questions such as, "how do I tell when a file was first created on a system?", without really realizing that the system in question, and perhaps even the document type, can greatly affect the answer. So sometimes the initial question is asked, but there may not be any response to (repeated) requests for clarification to the original question.
Does the version of Windows really matter, generally speaking? When you're dealing with any kind of IR or forensic analysis, the answer is most often going to be "yes".
So the big question is, if you have a question, do you want an answer to it? Are you willing to provide the necessary information such that someone can provide a succinct response? I know some folks who will not even attempt to answer a question that require an encyclopedic answer.
Before we go on, let me say that I complete understand and agree that we can't know everything. No one of us can know it all...that's where there's strength in a community of sharing. There's no way that you're going to know everything you need to know for every exam...there are going to be things that we don't remember (maybe from a training course a couple of years ago, or something you read once...), and there are going to be things that we just don't know.
So what can we, as a community, do? Well, one way to look at is that the question I have...well, someone else in the room or on the board may have the same question; they may not know it yet. So if that question gets asked, then others will be able to see the answers and then ask the next question, expanding that information. The point is that no one of us is as smart as all of us together.
Find someone you can trust, someone you're willing to share information with. If you need to, establish an NDA. Have community meetings in local areas. If you don't feel comfortable sharing with some folks because you don't know them...get to know them.
The other option is that you learn to do it yourself...and that's not always going to work. You may spend 8 months examining MacOSX systems, and suddenly have to examine a Windows 7 system. What're you going to do then? Sure, spending all weekend gettin' giggy wit' Google will likely net (no pun intended) you something, but at what point do you reach overload?
Over the years, I've met a number of folks with skills and abilities for which I have a great deal of respect, and some of those I've reached to for assistance when I've needed it. Conversely, I've done my best to respond to those folks who've reached to me with questions regarding areas I'm specifically interested in.
Anyway, I'll bring this rambling to a close...
Addendum: Sometimes a really good place to start with questions is to seek answers at the ForensicsWiki. This is also good place to post the answers once you get them.
He who asks a question is a fool for five minutes. But, he who does not ask a question is a fool for a life time.
ReplyDeleteUnfortunately, I think some folks tend to go with...
ReplyDeleteBetter to remain silent and be thought a fool, than to open your mouth and remove all doubt.
Sadly, if you don't know and don't ask, then you just don't know.
Providing information from a live case is, I submit, premissible in most cases that we in LE work. States typically have criminal justice information acts that mandate the confidentiality of different, yet specifically defined, types of information. Such information is restricted in regard to dissemination. Usually, it may be divulged if it is necessary to do so to advance your investigation.
ReplyDeleteI've given "live" case information to colleagues who can help me get through the data and make sense of what I don't know. After all, that helps both sides, given that we're all looking for the facts. Of course, I discriminate as to whom I'll provide a file, and I trust that it will be destroyed at the task's completion. For example, I've provided case files to the publisher of my primary software tool, so that he could see how to make his product interpret the data more efficiently or work through preceived bugs. That's esential to my job and producing acceptable results. So, it's necessary to the pursuit of my investigation.
Obviously, there are some black and white restrictions, e.g., grand jury material. That aside, perhaps those who are hesitant to provide case material to a trusted colleague are not studying the law closely enough. In the old days of my undercover work, I often "gave up" information in order to learn information. That's done routinely, and the disclosures are made to folks who are likely less trustworthy than you. ;-)
Jimmy,
ReplyDeleteThanks for that input...it's very insightful.
"Another one I see is that some folks don't ask questions publicly because they just don't want others to know that they had to ask..."
ReplyDeleteGetting a bit more specific, the fear I've heard is "We don't want to ask publicly because defense attorneys Google us, and they can attack our credibility." I.e., "You didn't know that? What else don't you know about your job?"
This is probably as much because of defense attorneys' own lack of understanding about computer forensics, but it would appear to be an effective form of introducing reasonable doubt.
Christa,
ReplyDeleteI would suggest, then, that if you don't know the answer and ask the question, then you will know the answer...so which is better? To not know and to leave that particular issue unaddressed, or to know and address the issue?
On the stand, the defense counsel could say, "...at 8:32am on 13 Nov, you posted this question to the user forum because you didn't know the answer...correct?"
To that the response could be, "Correct, but due to the responses, by 8:32am the following morning, I not only knew the answer but I knew more..."
Finally, while I can see the concern, I have to wonder how many times that's really happened.
I've heard this argument many times before, mostly by LE who are concerned a defense attorney is going to attack them on the stand for not knowing something and asking about it on a forum. I've never heard of this happening and I hope we in the forensic community will prevent it from happening. If a defense lawyer who hires me suggests such an attack, I would tell him/her in no uncertain terms that would be inappropriate because I myself have posted many questions on forums and most (good) computer forensic experts do the same. In fact, I would be concerned with a computer forensic expert who DIDN'T post questions and seek the advice and research of colleagues. I think the fear of looking stupid or incompetent by asking a question on a forum needs to be dispelled for all our benefit. Seeking answers, knowledge and truth should be the goal of all of us and we should support and encourage that, not attack it.
ReplyDeleteThe tone and condescension of some responses to typical naive 'newbie' questions on certain forums, can be enough to put people off from ever asking again, mind you. I have ceased reading Forensic Focus for that very reason, and only visit it if it crops up during research for some technical artifact.
ReplyDeleteBP,
ReplyDeleteThanks for the comment.
As someone who used to get called on "tone" and for being "condescending" quite a bit, I backed off...now, I'm seeing links to "let me google that for you", because those noob posts haven't changed.
I think that the reason (and I'm not supporting it, mind you) for this apparent "tone" is that the person posting apparently makes no attempt whatsoever to discover the answer themselves.
I also find that a lot of that apparent "tone" seems to be most apparent in posts where the noob simply says something like, "I can't get this program to work" - there's no reference to the operating system, version, program or application, etc. I think that if most folks thought about it for a bit, would they try to diagnose an issue with their car via email? "Help, my car doesn't work"? Or how about posting that to a home appliance forum?
I understand that sometimes new folks don't quite get some of the technical nuances of what they're working with, but the majority of posts that I still see responded to in the manner you describe are from folks who post with too little information, and never bother to follow up with clarifying information.
Harlan, I get what you're saying about now knowing the answer to the question you asked... but the cops I've talked to are afraid they'll be asked, "What ELSE don't you know?" Not necessarily on the stand, but perhaps in the form of a motion....
ReplyDeleteIt's an apparent leap in logic, but at the same time, someone I work with regularly is adamant that I don't put too many details about his unadjudicated cases in articles. He likes to refer to them as good examples of what another investigator might expect, but doesn't want to hear, "So, you've been talking to the media..." when his name comes up in a Google search attached to something I wrote.
I really liked Randall's response especially coming from a forensic expert who works for the defense. LE tends to get caught up thinking that everyone involved with criminal defense will pull dirty tricks...
"What ELSE don't you know?"
ReplyDeleteYeah, I can completely understand that...which is why I've offered to assist. In some cases, the offer has been accepted, and I have a couple of nice "thank you" letters to show for it. I've offered to do pro bono work in assisting LE, and regardless of any concerns someone may have about my blogging, I know enough to not talk about fight club.
The fact of the matter is that there's considerable work that can be done on the LE side to prove guilt or innocence, or lead well down that path, as well as gathering LE intel. The offer has been on the table and my inbox is open. I know friends of mine from other companies (this community is small) do something very similar, and their work has led to arrests and convictions.