Comments on Windows Incident Response: Links

23 comments, shown oldest first. Times are UTC-05:00.


Carlos, 2015-06-07 08:47

Well put Harlan. And thanks for RR and all your contributions back to DFIR.


H. Carvey, 2015-06-08 05:34

Carlos,

"Well put".

How so?


Joachim Metz, 2015-06-10 13:19

> There are a lot of reasons for this, but the fact is that most DFIR analysts simply do not want to communicate with others within the community.

Facts? Which facts? IMO you are basing this solely on your personal observation and experience.

Blogging is not seeking a dialog. Writing a book is not seeking a dialog. Tweeting is not seeking a dialog.

These are one-directional, post and forget. IMO you are giving the wrong example here if you want dialog.

Do not ask what the community can do for you, ask what you can do for the community.

Start contributing to other projects; start answering questions with answers, not with more questions; give RegRipper an Open Source license; be open to other perspectives instead of "I haven't yet encountered a ...".

IMO if you want dialog, learn to communicate.


H. Carvey, 2015-06-10 13:21

Joachim,

You and I will simply have to agree to disagree.


Joachim Metz, 2015-06-11 00:48

See, you do it again. You are stopping any chance of dialog; it is you that stops a dialog, not this mythical community you keep talking about.


H. Carvey, 2015-06-11 06:18

Not at all, Joachim...I'm more than happy to have an exchange of ideas, opinions, and I've always been open to other perspectives.

I simply didn't see an opportunity for any of that in your first comment.


Joachim Metz, 2015-06-11 07:22

There was sufficient opportunity. You mention you disagree, then elaborate what you disagree on. What you perceive as different. What you think it could be. Instead of "I disagree", end of discussion. You also did not answer my question on where you base your claims. Another thing you could have elaborated.


H. Carvey, 2015-06-11 07:46

Joachim,

I didn't see the point, given your request for a license for RegRipper. It has a license.


Joachim Metz, 2015-06-11 10:11

Which one? GPLv2?

https://github.com/keydet89/RegRipper2.8/blob/master/license.txt

Then please read:
https://www.gnu.org/licenses/old-licenses/gpl-2.0-faq.html

And:
https://www.gnu.org/licenses/gpl-howto.html

"You should also include
* a copy of the license itself somewhere in the distribution of your program. All programs, whether they are released under the GPL or LGPL, should include the text version of the GPL. In GNU programs the license is usually in a file called COPYING."

Where is that file?

https://www.gnu.org/licenses/old-licenses/gpl-2.0-faq.html#GPLOmitPreamble

"The preamble and instructions are integral parts of the GNU GPL and may not be omitted. In fact, the GPL is copyrighted, and its license permits only verbatim copying of the entire GPL. (You can use the legal terms to make another license but it won't be the GNU GPL.)"


H. Carvey, 2015-06-11 10:23

Just so I'm aware...why does RegRipper need an open source license in the first place?


Joachim Metz, 2015-06-11 10:25

In your own words:

"Since I first released RegRipper, my intention was that it would be community-based."

Would be a bit hard to do this without an Open Source license, wouldn't it? Or do you think otherwise?


H. Carvey, 2015-06-11 10:30

I don't see why an open source license is required...which is why I asked the question. Adding even a semblance of a license hasn't changed anything about the tool and how others use it, at least, not that I'm aware of.

Why does RegRipper require a license, in your mind?


Joachim Metz, 2015-06-11 10:42

No Open Source license means copyright, whoever the author is. So not Open Source as in libre or free, but then Open Source as in transparent.

That is fine with me, but then don't be surprised if no one contributes to copyrighted software, since a lot of companies/organizations do not allow their employees to do so, since that would be in violation of their contracts.

I cite you again:
"but rather that analysts would either write and contribute their own plugins, or request (providing sample data, as well) plugins be developed."

"however, that speaker had never reached to me to say, "...here's a plugin I wrote...", "

So what do you want, copyright or contributions?

And is an Open Source license a guarantee for contributions? No way in hell, but not doing it is excluding a potential audience that might.


Joachim Metz, 2015-06-11 10:49

Also you are diverging from the subject again, as often, and still not answering questions. Another reason why having a dialog fails.


H. Carvey, 2015-06-11 11:07

> I cite you again:

And you do so taking the statements out of context.

My point is that license or not, there have been contributions to RegRipper, but the vast majority of the community simply does not contribute.

Those who have, have done so of their own free will, regardless of licensing or copyright. A copyright did not prevent them from either doing something with the tool, or asking that something about the tool be modified.

Before there was even a reference to a license in the tool, RegRipper was incorporated into training courses, added to Linux distributions, etc. People downloaded the tool, people "used" it. Very few of those people did anything to extend the tool...some did, and I'm thankful for that.

Those who have stood up in front of others, or posted to a blog, stating "...RegRipper does not do this..." have done so after acknowledging neither copyright nor license. They would have done so regardless. Some have said that they didn't change anything because they aren't familiar with the programming language that RegRipper was developed in...they never referred to the copyright or license (or lack thereof). When I have informed others of what I've been saying from the very beginning (that I entertain requests), almost all have come back and said that they didn't know that...again, no reference to either copyright or license.

My overall point, which you seem to take exception with, is this concept of "community". In my mind, I cannot fathom that of the number of people who are using RegRipper, there aren't more who are seeing ways to extend the tool. What that tells me is that the vast majority of those using the tool are doing so blindly...and that concerns me in more ways than simply the use of the tool. There are those (very few) who are seeing ways to extend RegRipper and are doing so. There are those who are seeing ways that RegRipper can be extended, but their way of communicating this is to state in public forums, "...RegRipper has a problem and a blind spot because it does not do this...".

Maybe you're correct...maybe this idea of "community" is mythical.

> Also you are diverging from the subject again,...

Again, I do not agree. I read the links you sent, and it states that in order for the license to be correctly applied, it needs to be included in every source file.

Reading this, I felt that it was important to ask the question.

I have answered your questions. Are you perhaps trying to say that I'm diverging because I haven't fulfilled the actions that you want me to, because I have addressed the points you brought up? If you feel that I haven't, please address them specifically...blanket statements such as "you didn't answer my questions" make it difficult to respond. And I'm more than willing to respond.


Joachim Metz, 2015-06-11 12:03

> blanket statements such as "you didn't answer my questions" make it difficult to respond. And I'm more than willing to respond.

Good, we have a dialog ;) Throwing blankets seems to have helped.

> Again, I do not agree. I read the links you sent, and it states that in order for the license to be correctly applied, it needs to be included in every source file.

I asked you on which facts you based your statement below, or whether it was, as it came across to me, that you are basing this solely on your personal observation and experience.

> There are a lot of reasons for this, but the fact is that most DFIR analysts simply do not want to communicate with others within the community.

Have you read about/talked to other projects about how they perceive this? Is this something typical to the field of DFIR?

> And you do so taking the statements out of context.

Enlighten me, I respond on how I read your article. If I'm not reading the message you are trying to bring across, I would like to know what your message is then? Apparently this is not clear to me from the original article, but I see you added some elaboration in your last comment.

I read you find the lack of contributions disappointing, and I give you some suggestions on why this might be.

You did not mention the license/copyright anywhere in the article, so that is not part of your original statement. I'll leave this topic with: if it should be GPL v2, please follow their instructions; if it is not, then expect certain people NOT contributing.

> My overall point, which you seem to take exception with, is this concept of "community"

I take exception with your concept of community. Let me elaborate:

http://en.wikipedia.org/wiki/Community

"A community is a social unit of any size that shares common values."

(WARNING: don't take this too literally, but it should bring across the point.) So if no one contributes, there is no common value of sharing, and thus it is not a value that is part of the community. That means there is no community or it is a different one.

Since you find sharing an important value, my take on this is: focus on the people that do contribute (since that is the actual community you want), not on the people that don't. This requires a bi-directional communication style, and not a mono-directional one where you are saying "thou shalt contribute".

> What that tells me is that the vast majority of those using the tool are doing so blindly...and that concerns me in more ways than simply the use of the tool.

Totally agree (on the being concerned side); I have a similar concern with books, blog posts, and other non-peer-reviewed "stuff" that are being churned out under the banner of "forensics". Alas, not much you can do there if this is what the majority of people in the field value.

> There are those who are seeing ways that RegRipper can be extended, but their way of communicating this is to state in public forums, "...RegRipper has a problem and a blind spot because it does not do this..."

There is never a lack of critics; alas, most of them are uninformed.


H. Carvey, 2015-06-11 12:16

> I asked you on which facts you based your statement below...

That was one question that I missed. You saying that I am not answering your questions implies that I missed more than one.

> Have you read about/talked to other projects about how they perceive this? Is this something typical to the field of DFIR?

Yes, I have. And yes, it appears to be the case.

From what you've shared, I can see your point. If a "community" is based on shared values, and a few have a value that the majority do not seem to share, then down-size the community. And this is something I've done. I have a small group of fellow analysts that I share things with, knowing that they can appreciate it and that they will (and have) share, in return.

> ...other non-peer-reviewed "stuff" that are being churned out under the banner of "forensics"

Along those lines, part of the reason I use the blog and write the books is so that it can be peer-reviewed (and technically, the books ARE peer-reviewed).

After all, that's what happened with "The Art of Memory Forensics"...the authors published something in the book that they had researched, and while I do not consider myself a "peer" of theirs, I was able to use that information and validate their findings through my own independent use of the information. I did not replicate their tests...instead, I used the information operationally, and was able to use analysis techniques to validate and confirm their findings across multiple engagements, and multiple systems.

Why, then, cannot the same thing be done with blog posts? That's a rhetorical question.

> There is never a lack of critics; alas, most of them are uninformed.

And one of the intentions of the post was to inform them. For the true critics, it's irrelevant...but for the few who actually have an idea that they want to share, and simply don't know how...maybe it informs them.


Joachim Metz, 2015-06-11 13:00

> I have a small group of fellow analysts that I share things with, knowing that they can appreciate it and that they will (and have) share, in return

Good, then one last point here, something to reflect on. Be aware of group bias (http://en.wikipedia.org/wiki/In-group_favoritism); closed "communities" lead to isolated thinking patterns. Which for me as an outsider to some of these is a very concerning development as well. Long term this will have a serious negative effect on the field.

> Yes, I have. And yes, it appears to be the case.

Then please reflect on this perception of "ground truth" in terms of group bias.

There are several projects out there with a healthy "community" (talking about a broader perspective than DFIR). Reflect on what they do differently, what your project and those people you've spoken to don't.

So I don't agree with these claims here one bit. I agree that the ratio of users versus active contributors is not 1 to 1, but I don't expect it to be.

> After all, that's what happened with "The Art of Memory Forensics"...the authors published something in the book that they had researched

That book is full of stupid mistakes in computer science and forensic analysis basics. Also, claims were copied without verifying and mentioning the source material. You can't convince me that book is peer-reviewed. I think this is a good example of the damage group bias has on your thinking.


Anonymous, 2015-06-11 13:35

I guess the "community" will have to wait patiently until Joachim (the self-appointed god of DFIR) finally releases the "perfect" forensics book then. Until then I guess we should all just give up.


Joachim Metz, 2015-06-12 01:19

> I guess the "community" will have to wait patiently until Joachim (the self-appointed god of DFIR) finally releases the "perfect" forensics book then. Until then I guess we should all just give up.

> the self-appointed god of DFIR

Come on, anonymously throwing mud, how mature of you.

Apparently you did not read my comments. We don't need more books, blog posts; we need more dialog, more peer-reviewed findings. Less isolated thinking, more dialog across the field.

If you don't agree with my point on forensics books, then come with solid arguments, not with childish remarks.


H. Carvey, 2015-06-12 10:02

> Less isolated thinking, more dialog across the field.

Funny...that's essentially what I've been saying.


Joachim Metz, 2015-06-12 10:22

> Funny...that's essentially what I've been saying.

We don't disagree there.

We disagree on how to make that happen.

The current course of things does not seem to stimulate a dialog.

It only seems to make things more siloed. IMO that is not because people don't want to share, it is that they don't want to be criticized.

Instead of burning the speaker of "A Blind Spot in our Incident Response Tools" in a blog post, did you start a dialog with them?

IMO give the right example there. I said this before and will keep saying this: "pray what you preach".

> Less isolated thinking, more dialog across the field.

This is what I have been doing, not just saying ;) and apparently that message is not as digestible for everyone (our Anonymous poster).


H. Carvey, 2015-06-12 10:35

> Instead of burning the speaker of "A Blind Spot in our Incident Response Tools" in a blog post, did you start a dialog with them?

First off, how was it a "burn"?

Second, here's a quote from my post:

"That being said, I contacted herrcore, and as a result of an email exchange where he sent me some sample data."

Maybe the issue isn't one of how digestible it is, but the delivery of the message.