Lack of Feature or Improving Features

Lack of Feature or Improving Features

Post Posted: Thu Oct 24, 2013 12:22 pm

Hi

Actually, I've just decided to develop some special computer and mobile forensic suites. I'm in the middle of them, and I'm thinking about releasing them as open source or closed source (but free). Anyway...

I want to ask you guys, who have hands-on experience with actual forensics and real-world examples: I want to ask and learn from your skills and experiences about the lack of features you've noticed in most computer and/or mobile forensic suites/tools. Also, I would be happy if you point me to some features which exist, but which you would have been happier with if they were better.

I don't know if I chose the right forum, but I want to learn from experts. I'm an expert in programming and IT security, and I've started writing my code, but people with hands-on experience in actual forensics would know much more than me about these types of things, so I decided to ask here; I and a lot of other viewers will enjoy reading about your ideas.

So I'll be waiting for your comments... Thanks

cmuc
Newbie
 
 
  

Re: Lack of Feature or Improving Features

Post Posted: Fri Oct 25, 2013 3:37 am

Try and use your software as a user will. Try a few real / dummy jobs. You will find the holes that way. Is there a problem that is tedious, difficult or impossible? Can you find a solution to that?
_________________
Michael Cotgrove
www.cnwrecovery.com
cnwrecovery.blogspot.com/ 

mscotgrove
Senior Member
 
 
  

Re: Lack of Feature or Improving Features

Post Posted: Fri Oct 25, 2013 4:28 am

Most of the tools that I came across are great when it comes to "get the data" and "decode/convert" data... but their features for presenting the data are somewhat limited.

So I suggest that you really try to think of the situation where all the data has to be presented to someone who is (mostly) a user with no (or very little) technical background. That should be something to keep in mind from the ground up when building your software.

For example (in mobile forensics):

There are plenty of tools for analyzing SQLite data (even deleted/fragmented data and so on),
but a lot of them only support some .csv or basic (and ugly) .pdf/.html report features. This is fair enough for a forensic investigator, but as soon as you have to pass it on to a local police department, e.g., you will run into a lot of additional work.

So I think there is plenty of room for improvement - just a few quick thoughts on this:

variety of export options and customizing the report
customized comments / markings
dynamic HTML pages as reports, e.g. (you can do fancy stuff with HTML5, jQuery and DataTables)


The second issue is the amount of data that has to be analyzed/processed etc.
Be aware that your software might be forced to handle huge amounts of data, and therefore
the user should have tools for hiding/filtering data.
Even expensive commercial software is lacking in this discipline... if you ever tried to work with a phone memory dump with 40k+ images that is processed on the fly... you know what I mean :)

Even though you have some "sorting" tools - I got the feeling that these are just built on top of a software structure that was originally not intended to handle this amount of data. So you should consider this in the first place :)

Hope that helps

Zergling
Member
 
 
  

Re: Lack of Feature or Improving Features

Post Posted: Fri Oct 25, 2013 8:26 am

@mscotgrove, thanks, that's a good idea. I'll keep that in mind. I'll try to use my software several times with several scenarios to spot hindrances and holes.

@Zergling, thank you for your detailed comment. It was really useful for me, as I also thought before that most applications don't have a nice reporting feature. I'll keep HTML5 and jQuery in mind. Just a question here: it won't be as nice when you print it as when you see it on a computer; do you think that would be a problem? Printing vs. viewing files on a PC, which one is more popular?

Do you have any good ideas for the UI of the report? I mean, can you explain a little about the report you would have loved? For example, what I planned is to have software which can easily let the user customize and put a comment on each piece of evidence, but I also need a few more ideas about it; if you have something special in mind, please let me know.

About fast processing of huge amounts of data (images, videos, files, texts, ...): that's a very nice idea... Most of my code is multi-threaded, so I'll also work more on the efficiency of the algorithms used while processing; I hope to beat other codes speed-wise at least.

Thanks once again, guys; I'll be happy to have more ideas... I'm open to ALL suggestions, PC forensics or mobile forensics, anything! Just let me know your thoughts.

cmuc
Newbie
 
 
  

Re: Lack of Feature or Improving Features

Post Posted: Sat Oct 26, 2013 12:37 am

- cmuc
... about lack of features you've noticed in most of computer and/or mobile forensic suites/tools. [...]


What I may have to add to the discussion is not so much about features but about more fundamental design.

A tool (or toolset) may have been designed to support one particular workflow: you have to follow a certain series of steps. If you try to go off the predefined tracks, you may find that things just don't work well anymore.

I've noticed one aspect of this in some Unix-based tools lately: output may be perfect as a final report: columns are lined up, data correctly adjusted, etc. But when you need to take the data in that output and work on it in some other tool, it's very difficult: the output format is not well defined, and turns out to be inconsistent (say, tabs between some columns, but multiple spaces between others, and the occasional backspace before the first character in other places), etc.

Neat output is useful. But sometimes well-defined and unambiguous output is more important, particularly if you expect tools to follow the Unix model -- that output should be easy to pipe into the next tool, which may not be one of the tools that are included in this particular toolset.

That is, tools need to work in a context. That context is also set by the tool user, and not only by the tool designer. Expressed in different terms, if the tool (or toolset) imposes a policy, the user has to submit to that policy. It often works for users who don't want too much flexibility (or who can't cope with it, and need some degree of handholding). If the tool sticks to providing a mechanism, the user is free to impose his own policy, but also free to combine the tools in ways the tool maker may not have anticipated. This often works well for experienced users, who know what they are doing, and require flexibility.

Some of this goes for GUI tools as well -- who hasn't cursed tool A (or even tool E or S) because some particular information could not be copied and pasted from the screen, but only saved into a file or, in extreme cases, only be reused as a screenshot, or in the particular reporting system that tool provides. In information-retrieval systems (like computer forensic tools), information is where the gold is. Anything that prevents access to that gold, or makes it needlessly difficult to get at, is just so much obstruction.

Another point: in many tools that deal with data from multiple sources there's often a tendency to make everything look the same, or to fit data into a predefined and inflexible pattern. For example, tool E may report timestamps from a CD as 'Time of File Creation', and make it look just like 'Time of File Creation' from FAT or NTFS. CDs don't contain Time of Creation -- they contain Time of Recording. And even though few if any CD-burning tools follow that rule, a column label that says 'Time of File Creation' may fool an analyst into believing that it actually is true. UDF has additional problems: timestamps can be UTC, local or even 'according to predefined agreement'. That is, the semantics of data is in danger of being lost, and timestamp 1 may be placed in a relation with timestamp 2 even though they are not commensurable without additional argument.

Another issue is that of clearly identifying notation bases. If you find in a report that 'Partition type: 27', what do you need to interpret that? Showing the correct notational base would improve things: 'Partition type: 0x27', making it clear that we're not looking at a decimal number. Adding a clear-text interpretation would be even more helpful to lay readers: 'Partition type: 0x27 (NTFS partition, hidden from users)'. Notation base becomes very important in the (rare, admittedly) cases where a number just might be binary or octal.

In this area goes the choice of base of 'k', 'M' and 'G' prefixes: 1000 or 1024? Most tools do 1024, it seems, and most have exceptions that hit in unexpected circumstances.

This is about removing ambiguity, direct and indirect. It's about improving clarity, for the analyst as well as the final consumer of a report.

One way of addressing such issues is to put on one's black hat and try to misinterpret as much as possible in a report or screen. Or try to get a hostile review, out to pick as many holes as possible.  

athulin
Senior Member
 
 
  

Re: Lack of Feature or Improving Features

Post Posted: Sat Oct 26, 2013 4:19 am

- athulin

Another issue is that of clearly identifying notation bases. If you find in a report that 'Partition type: 27', what do you need to interpret that? Showing the correct notational base would improve things: 'Partition type: 0x27', making it clear that we're not looking at a decimal number. Adding a clear-text interpretation would be even more helpful to lay readers: 'Partition type: 0x27 (NTFS partition, hidden from users)'. Notation base becomes very important in the (rare, admittedly) cases where a number just might be binary or octal.

While perfectly agreeing with the notes about the notational base :) , allow me to (partly) disagree with the specific example :-O .
The "Partition Type" is already - to some extent - incorrect; more properly it should be called "Partition ID", and it should be underlined how the original meaning was (and still is in some cases) ONLY that of creating a "protective ID".
The partition ID is in many cases far from univocal; specifically:
07 - NTFS or HPFS or exFAT
17 - NTFS or HPFS or exFAT hidden
27 - NTFS or exFAT that the Windows OS will not mount - often a boot partition or a service one
+ a few more less known OS partitions:
www.win.tue.nl/~aeb/pa...pes-1.html

The issue here is more philosophical than anything, but the partition ID can (and in some cases will) be not connected to the actual filesystem used.
homepage.ntlworld.com....-type.html
as in a number of cases it represents merely a "protective" ID.

A suitably correct definition is (tentatively) the following:
The value of the fifth byte (and thus it is already implied that it is a hex value) of a partition table entry represents a Partition ID.
Such ID does not represent univocally the filesystem used on the volume that the partition entry addresses.
Each OS may interpret this ID differently and operate accordingly.
Commonly a hidden partition ID is made by the "normal" partition ID to which 0x10 is added.


Examples/tests:
  1. Create a small NTFS partition under any Windows NT based system, format the volume as NTFS, then hexedit the Partition ID in the MBR to (say) 06 <- what changes at next reboot/mounting?
  2. Write the LBA addresses of a .iso file residing anywhere on a disk (contiguous) in an empty partition table entry, leaving the partition ID 00, then try mounting under Linux the corresponding /dev/sdxn volume <- what happens?

As a side note, an example (Magic Bytes) where using the hex notation is "wrong":
thestarman.narod.ru/as...AA55H.html

Till now, in - say - 1000 cases, a Partition ID of 07 has been found corresponding to an NTFS-formatted volume 998 times; the remaining two were an actual OS/2 HPFS filesystem and a manually hex-edited partition table.
But now that exFAT is starting to become a rather common filesystem, the probability that partition ID 07 corresponds NOT to an NTFS volume is increasing.

jaclaz
_________________
- In theory there is no difference between theory and practice, but in practice there is. - 

jaclaz
Senior Member
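As an added example, not code from either poster or from any forensic tool, the following Python parser decodes a constructed 16-byte MBR partition-table entry, shows the fifth byte (the partition ID) with an explicit 0x base and a gloss taken from jaclaz's list, applies the "hidden ID = normal ID + 0x10" convention, and reports sizes in both 10^6 and 2^20 units as athulin asks. The entry bytes, the 512-byte sector size and the output wording are my assumptions.

```python
import struct

# Constructed 16-byte MBR partition-table entry (not taken from the thread).
# Layout: status(1) CHS-start(3) ID(1) CHS-end(3) LBA-start(4, LE) sectors(4, LE)
ENTRY_HIDDEN_NTFS = bytes([0x00, 0x20, 0x21, 0x00, 0x27, 0xFE, 0xFF, 0xFF,
                           0x00, 0x08, 0x00, 0x00, 0x00, 0x20, 0x03, 0x00])

# Base partition IDs named by jaclaz. The ID is a protective label written by
# whoever created the table; it does not prove which filesystem is on the volume.
PARTITION_IDS = {
    0x07: "NTFS or HPFS or exFAT",
    0x27: "NTFS or exFAT that Windows will not mount (often boot/service)",
}
HIDDEN_OFFSET = 0x10  # convention: hidden ID = normal ID + 0x10

def describe_partition_id(pid):
    """Render the ID with an explicit 0x base plus a clear-text gloss."""
    gloss = PARTITION_IDS.get(pid)
    if gloss is None and (pid - HIDDEN_OFFSET) in PARTITION_IDS:
        base = pid - HIDDEN_OFFSET
        gloss = f"{PARTITION_IDS[base]} [hidden: base ID 0x{base:02X} + 0x10]"
    if gloss is None:
        gloss = "unknown ID; verify the filesystem from the volume itself"
    return f"0x{pid:02X} ({gloss})"

def format_size(nbytes):
    """Give both bases so 'M' is never ambiguous (1000^2 vs 1024^2)."""
    return (f"{nbytes} bytes = {nbytes / 1000 ** 2:.2f} MB (10^6) "
            f"= {nbytes / 1024 ** 2:.2f} MiB (2^20)")

def parse_entry(entry, sector_size=512):
    """Decode one partition-table entry into unambiguous, labelled fields."""
    if len(entry) != 16:
        raise ValueError("MBR partition entry must be exactly 16 bytes")
    status, pid, lba_start, sectors = struct.unpack("<B3xB3xII", entry)
    return {
        "bootable": status == 0x80,
        "partition_id": describe_partition_id(pid),   # fifth byte, offset 4
        "lba_start": lba_start,
        "sector_count": sectors,
        "size": format_size(sectors * sector_size),
    }

if __name__ == "__main__":
    for key, value in parse_entry(ENTRY_HIDDEN_NTFS).items():
        print(f"{key:>13}: {value}")
```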
 
 
  

Re: Lack of Feature or Improving Features

Post Posted: Sat Oct 26, 2013 9:48 am

Thank you all for the specific and very detailed comments. I took note of all of them, and I hope I will be able to somehow take care of all needs in a way everyone will like. In addition to that, I just got some questions in my mind; I would be happy if you guys, as forensics experts, help me with your answers:


1) Have you ever seen any tool able to take a physical image from an iPhone 4S+? I mean, for example, it would be somehow a dd image which you can also use to recover deleted files?

2) As a forensic examiner, do you mind if my application works only on Linux or Windows? Which is more preferred, or does it even make a difference for you? Which one is more preferred? Windows? Linux? Both? None (hardware-based like Cellebrite)?

3) I heard that even detection of TrueCrypt, BitLocker and FreeOTFE doesn't exist. Do you think that if I add them to my PC forensic suite it will be so important and useful? For example, you've heard about the TrueCrypt hidden OS feature; as I heard, there is no tool to detect it. Is it a common issue among forensic experts?

4) Nowadays, mobile forensics or PC forensics: which one is more popular? Which one would you be more interested in? Which one needs more attention, more tools, more features, more time?

5) Would you like your forensic suite to be all-in-one? I mean having PC and mobile forensics together? Would it be useful?

6) For PC forensics, would you mind if the forensic analyzer and imager became completely separate? I mean there would be an imager tool which images the WHOLE memory and WHOLE filesystem; then you take those files and start analyzing on another computer which has your analyzer software. I'm thinking about completely separating these two, as you won't install and you won't run your real program on the computer you want to examine. What do you think?

Thanks once again for all your comments; it's really helpful.

cmuc
Newbie
 
 