Thursday, June 10, 2010

TSK/Open Source Conference

I have to say, when someone who's attended conferences sets out to create a conference, things tend to turn out pretty well. Aaron's OMFW (2008) turned out that way, and Brian's Open Source conference (9 June) was another excellent example.

There were seven presentations, all of high caliber (well, six of high caliber, and mine! ;-) ) and two time-slots for open discussion. I like the shorter talks (unless there's some kind of hands-on component), but that also requires the presenters to develop their presentations to meet the time constraint. For example, Cory had some great stuff (I know, because I was sitting next to him during earlier presentations when he developed it!) in his presentation, but had to skip over portions due to time.

Rather than walking through each presentation individually, I wanted to cover the highlights of the conference as a whole. In that regard, there were a couple of points that were brought up with respect to open source overall:

Tool Interoperability - Open source tools need to be able to interoperate better. During my presentation, I mentioned several times that due to the output provided by some tools and the format that I need, I use Perl as the "glue". Maybe there's a better way to do this.

Tool Storehouse - There are a number of open source (and free) tools out there that are very useful and very powerful...but they're out there and not accessible from a single location. It's difficult to keep up with so many things in forensics and IR, following blogs and lists...it can be too much. Having a centralized location where someone can go and search for information, kind of like an encyclopedia, would be more beneficial...maybe something like the Forensics Wiki.

Talking to a number of the other folks attending the conference, it was clear that everyone was at a different level. Some folks develop tools, other use and modify that tools, still others use the tools and submit bug reports or feature requests, and other simply use the tools. One of the benefits of these conferences is that all of these folks can meet, share thoughts and opinions, and discuss the direction of either individual tools, or open source in general. Some folks are very comfortable sharing ideas with a larger audience, and others do so on a more individual basis...conferences like this provide an environment conducive to both.

I think one of the biggest things to come out of the conference is that open source tools come from a range of different areas. Some come from academic research projects, others start as a need that one person has. Regardless of where they come from, they require work...a lot of work. Take memory acquisition and analysis...lots of folks have put a lot of effort into developing what's currently available, and if anyone feels that what's available right now isn't sufficient, then support the work that being done. I think AW covered that very well; the best way to get your needs met is to communicate them, and then support those who are doing the work. Learn to code. Don't code? Can you write documentation? How else can you provide support? Loaning hardware? Providing samples for analysis? There's a great deal that can be done. We all have to remember that for most of this, the work is hard, such as providing a layer of abstraction for a very technical and highly fluid area of analysis (i.e., memory) or providing an easily accessible library for something else. It's hard work, and very often done on someone's own time, using their own resources. I completely agree with AW...folks that do those things should get recognition for their good works. As such, organizations (and individuals) that rely heavily on open source (and free) tools for their work should be offering some kind of support back to the developer, particularly if they want some additional capabilities.

On the organizational side of things...rather than operational...it's always good to see a conference where some of the things that you don't like about conferences are improved upon. For example, the attendee's badge wallet had the complete schedule listed on a small card right there in the back of the wallet. That way, you weren't always looking around for the schedule. Also, there were plenty of snacks, although I haven't yet been to an event like this where the coffee was any good. ;-(

Overall, this was a great conference, with lots of great information shared. One of the best things about conferences is that they bring folks together...folks that may "know" each other on the Internet or via email, but haven't actually met, or haven't seen each other in a while. Great content generates some great conversations, and the folks that share end up sharing some great ideas. I'm really hoping to get an invite to the next one...which means I should keep working with open source tools and "going commando"...

6 comments:

joe said...

The BASIS conference was well worth attending. What was that tool that reported differences between two disc images? Differences.pl? Where is this located?

H. Carvey said...

In which presentation was this tool mentioned?

Cory Altheide said...

Simson mentioned it, it's part of fiwalk at afflib.org.

H. Carvey said...

Ha! I knew you read my brain droppings, Cory! ;-)

Cory Altheide said...

Only the posts that mention me by name. :)

H. Carvey said...

Looks like I just came up with a new tag...