Pitfalls of Interpreting Forensic Artifacts in the Registry

Discussions related to Forensic Focus webinars. Please use the appropriate topic for each webinar.

Re: Pitfalls of Interpreting Forensic Artifacts in the Regis

Post Posted: Sun Nov 04, 2012 8:46 pm

jaclaz,

- jaclaz
Sure, the issue is all around the definition of "normally".

The issue is not just around the definition of "normally"; it is about as deep and correct an understanding of the subject as we can achieve. The discrepancies that Jacky found are there precisely because prior forensic research focused on what seemed reasonable and was not comprehensive enough.

pavel_gladyshev
Newbie

Re: Pitfalls of Interpreting Forensic Artifacts in the Regis

Post Posted: Mon Nov 05, 2012 9:26 am

- pavel_gladyshev
jaclaz,

Sure, the issue is all around the definition of "normally".


The issue is not just around the definition of "normally"; it is about as deep and correct an understanding of the subject as we can achieve. The discrepancies that Jacky found are there precisely because prior forensic research focused on what seemed reasonable and was not comprehensive enough.

Well, no.

Some of what Jacky found is what happens "normally" but had not been observed/recorded/interpreted correctly/completely.

The systems do remain of deterministic nature, "facts" happen "normally" and now we have a more accurate description of them, but there is seemingly nothing (yet) "casual", "random", "stochastic", i.e. everything is perfectly reproducible.

jaclaz
_________________
- In theory there is no difference between theory and practice, but in practice there is. - 

jaclaz
Senior Member

Re: Pitfalls of Interpreting Forensic Artifacts in the Regis

Post Posted: Mon Nov 05, 2012 10:22 am

jaclaz,

I think I misunderstood initially what you meant by "normally". I think you meant "deterministic", in which case the crux of your criticism - if I understand it correctly - is this: undetectable faults are rare, and their impact on forensics is negligible, and therefore thinking about it is essentially a waste of time.

My point is that hardware faults do happen. I am sure that you witnessed or at least heard of HDDs failing during evidence collection. In my experience hardware faults are not always easy to detect. Back in 2001 I developed a flash file system for a voice mail module of a mini-PABX by Lake Communications Ltd. About 6 months after the product launch, customers started to complain about peculiar sounds in some of the recordings that looked like a bug in the GSM voice compression algorithm. We checked our software and after three days the problem was traced to the use of a bad batch of flash memory chips that could not stand +40C inside the enclosure and added single bit errors to the data. The stored data looked pretty random (a bunch of coefficients), and we were unable to spot the problem by just looking at the hex dump of the data.

I am not saying that we need to predict the unpredictable - I do not think it is possible. I am saying that we should at least consider the impact of faults on our conclusions and not simply dismiss them as a superstition. Maybe all we need is better consistency checks? Maybe not.

My two pence.

Pavel  

pavel_gladyshev
Newbie
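The "better consistency checks" Pavel asks about, illustrated with an added Python example that is not part of the thread: random-looking coefficient data (constructed here with a seeded RNG) is statistically unchanged by a single flipped bit, so a hex dump or an entropy check shows nothing, while per-block CRC32 values recorded at write time detect the fault and localise it to one block. The block size and sample data are assumptions made for the demo.

```python
# Added example (not from the forum thread): per-block CRC32 consistency checks that
# catch a single-bit fault which is invisible in the hex dump of random-looking data.
import math
import random
import zlib
from collections import Counter

BLOCK = 64  # bytes per checksummed block; constructed value for this demo


def make_sample(n: int, seed: int = 7) -> bytes:
    """Constructed stand-in for stored compression coefficients: uniform random bytes."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(n))


def entropy_bits(data: bytes) -> float:
    """Shannon entropy per byte: a statistical 'does this look right?' check."""
    counts = Counter(data)
    return -sum(c / len(data) * math.log2(c / len(data)) for c in counts.values())


def flip_bit(data: bytes, bit_index: int) -> bytes:
    """Simulate the kind of single-bit fault the post attributes to the flash chips."""
    buf = bytearray(data)
    buf[bit_index // 8] ^= 1 << (bit_index % 8)
    return bytes(buf)


def block_crcs(data: bytes, block: int = BLOCK) -> list:
    """CRC32 of each block, computed at write time and stored beside the data."""
    return [zlib.crc32(data[i:i + block]) for i in range(0, len(data), block)]


def find_corrupt_blocks(data: bytes, stored: list, block: int = BLOCK) -> list:
    """Block indices whose current CRC32 disagrees with the stored value."""
    return [n for n, crc in enumerate(block_crcs(data, block)) if crc != stored[n]]


if __name__ == "__main__":
    good = make_sample(4096)
    stored = block_crcs(good)              # recorded alongside the data when written
    bad = flip_bit(good, 1000 * 8 + 3)     # one flipped bit inside byte 1000
    # The flip leaves the byte distribution essentially unchanged...
    print(f"entropy good={entropy_bits(good):.4f} bad={entropy_bits(bad):.4f}")
    # ...but the stored CRCs pinpoint the damaged block (1000 // 64 == 15).
    print("corrupt blocks:", find_corrupt_blocks(bad, stored))
```

A whole-image hash would only say that something changed; the per-block values say where, which is what lets an examiner scope the impact of the fault on a conclusion.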

Re: Pitfalls of Interpreting Forensic Artifacts in the Regis

Post Posted: Mon Nov 05, 2012 11:05 am

I guess that there is still some misunderstanding going on.
If you open NOTEPAD, give focus to it and press the "5" key (I love pressing key "5" ;) ) on your Num Keypad with NumLock on, in the NOTEPAD window a digit 5 will appear.
You can try all the times that you want, "normally" this will happen.
If NumLock is off, nothing will appear in the NOTEPAD window.
You can try all the times that you want, "normally" this will happen.

If your baby just spewed some liquid on the keyboard, it is "possible" that when you press "5" either "6" or "#" or "@" or "*whatever*" will appear instead of "5".

If your dog chewed a bit on the keyboard cable, it is "possible" that when you press "5" either "6" or "#" or "@" or "*whatever*" will appear instead of "5".

If you have a wireless radio keyboard it is possible that your neighbour opening his garage door with his remote makes "&" appear on the NOTEPAD, or the Bandit (from Smokey and the Bandit) is passing in front of your house at 120 mph with a completely untuned but very powerful CB radio.

If the (Chinese) manufacturer of the keyboard did not clean the keyboard pads well enough, it is "possible" that when you press the "5" key a "9" will appear on NOTEPAD.

If the designer of the keyboard chip designed it poorly, he might have implemented a buffer that added 1 every 20K keypresses, only if the 20001th key press was a number, and you might get "6" on the NOTEPAD (when the chip overheats).

If a software manufacturer installs a "deviated" keyboard driver, "globally" (i.e. system wide) or "application specific", *anything* may happen.
As an example, Office Excel Italian re-maps the "." (dot) key on the Num Keypad to "," (comma), as comma is the standard decimal separator in Italian.

Now, if you find a .txt with just a "5" in it "normally" it means that the user pressed the "5" key.
If you prefer, it is more likely that if a "5" is found it is the consequence of a press of key "5", and not the result of a dice roll (which actually gives 4 instead ;) ).


Thus, in practice (and IMHO), it is better to understand fully the "repeatable" consequences of pressing "5" and the actions that can have "normally" produced the "5" than spending time theorizing all the possible (infinite) ways the "5" could have come out EXCLUDING the press of the "5" key, and in the specific:

- JackyFox
With the regard to the apparent inconsistencies that I observed, it goes without saying that the data was always there. I think they just became easier for me to identify by automating the correlation of the data sets and observing them over time.


The behaviours observed were there, have always been there, will always be there, they are "normally" there, only they were NOT noticed before.

jaclaz
_________________
- In theory there is no difference between theory and practice, but in practice there is. - 

jaclaz
Senior Member

Re: Pitfalls of Interpreting Forensic Artifacts in the Regis

Post Posted: Mon Nov 05, 2012 11:15 am

jaclaz,

- jaclaz
Thus, in practice (and IMHO), it is better to understand fully the "repeatable" consequences of pressing "5" and the actions that can have "normally" produced the "5" than spending time theorizing all the possible (infinite) ways the "5" could have come out EXCLUDING the press of the "5" key

Your point is crystal clear, but it does not really refute what I said in my previous post. I think we will just have to agree to disagree on it. :)

Thank you for taking the time to read my posts. I really enjoyed this little debate.

Pavel  

pavel_gladyshev
Newbie

Re: Pitfalls of Interpreting Forensic Artifacts in the Regis

Post Posted: Mon Nov 05, 2012 12:29 pm

- pavel_gladyshev

Your point is crystal clear, but it does not really refute what I said in my previous post. I think we will just have to agree to disagree on it. :)

Thank you for taking the time to read my posts. I really enjoyed this little debate.

You are very welcome. :)
But it wasn't meant to refute what you said, only to point out how IMHO it didn't specifically apply to the good work by Jacky.
Be aware of the RISK of "doctors agreeing" ;) :
reboot.pro/13601/page_...ntry119524

jaclaz
_________________
- In theory there is no difference between theory and practice, but in practice there is. - 

jaclaz
Senior Member

Re: Pitfalls of Interpreting Forensic Artifacts in the Regis

Post Posted: Mon Nov 12, 2012 5:58 pm

Jacky,

Can you please contact me at john.yeager.ctr @ dc3.mil ? Thanks.

jwyeager
Newbie

Page 5 of 8