Current state of open source forensics?

keydet89
(@keydet89)
Famed Member
Joined: 21 years ago
Posts: 3568

> Does anyone else now use OSS tools such as Farmers or Helix

I have seen others use Helix. I don't have a great deal of use for many of the Linux bootable disks, as they are useless when it comes to live response/acquisition on Windows systems.

I write a lot of my own stuff, a great deal of which is coming out on the DVD with my new book.

> and if so have you had difficulties backing up your evidence either in a
> LE or corporate case?

I haven't had an issue go that way yet. Even in cases where I walk in the door and someone wants to prosecute, more often than not, many folks won't go that route due to the fact that it makes far too much public.

> I would like an OSS solution

For what?

Remember, everything is going to have a cost associated with it…either in $$ or other resources.

Here's an example…I've been looking for a way to automate a lot of the things I extract from a Windows image. *What to look for* isn't the issue…my new book covers a lot of that. The issue is how to extract and represent it. I'm not going to do EnScripting…I don't use EnCase often enough and I really don't have the familiarity with EnScripts. I was thinking about doing something in ProDiscover, but that may be an issue, as well. On top of that, each of these apps costs money.

However, I have come up with an almost completely free solution. Starting with a dd image acquired via your tool of choice, FTK Imager Lite (free) or dd (free), you can use several free tools to mount the image as a read-only drive letter (see the end of the "Mount an image" thread), and then access everything via Perl (which is free).

So, starting with a read-only drive letter, I have been thinking about how to create a forensic preprocessor. This is not a replacement for ProDiscover or EnCase…nor is it a replacement for hash comparison capabilities, etc. Rather, I want to put all of my current tools together, add in some additional tools, and have a process which will extract data, translate it (Rot-13, binary, Unicode) as necessary, and even provide references/links to validation data (ie, MS KB articles pertaining to the use of certain Registry keys, etc.).

The idea behind this is
1. Automation & Consistency - It's easier for me to write this all once and run it than to try to remember obscure Registry keys, particularly when I've been up all night on a plane, and am trying to do IR under pressure.

2. Documentation - 'nuff said!

3. Reproducibility - I can run something just as easily as anyone else. So, another team member across the country runs the tool, PGPs the data, and sends it to me with a love note that says, "what do you see??" I don't have to get on the phone and keep asking, "did you check…??"

4. Finally, let's say I know 100 artifacts to look for, and another team member with different experiences knows 100, but we only overlap in 80 of the artifacts. Between us, that's 120 artifacts to look for…more than either of us individually.

Hope that helps,

H


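A skeleton of the "forensic preprocessor" the post sketches, as an added example (not the author's code, and in Python rather than the Perl the post plans to use): a table of artifact checks, each with a location on the mounted read-only drive letter, one of the translations the post names (ROT-13, binary, Unicode) and a validation reference, run once over whatever the extractor handed back. Paths, reference strings and the raw values are constructed placeholders; the only facts assumed beyond the post are that UserAssist value names are ROT-13 encoded, REG_SZ data is NUL-terminated UTF-16LE, and FILETIME counts 100 ns ticks from 1601-01-01 UTC.

```python
import codecs
import struct
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict, List, Optional

def rot13(raw: bytes) -> str:
    """ROT-13 text, the encoding Windows applies to UserAssist value names."""
    return codecs.decode(raw.decode("ascii"), "rot_13")

def utf16le(raw: bytes) -> str:
    """NUL-terminated little-endian Unicode, the way REG_SZ data is stored."""
    return raw.decode("utf-16-le").split("\x00", 1)[0]

def filetime(raw: bytes) -> str:
    """8-byte binary FILETIME (100 ns ticks since 1601-01-01 UTC) as a timestamp."""
    (ticks,) = struct.unpack("<Q", raw)
    epoch = datetime(1601, 1, 1, tzinfo=timezone.utc)
    return (epoch + timedelta(microseconds=ticks // 10)).strftime("%Y-%m-%d %H:%M:%S UTC")

@dataclass(frozen=True)
class Check:
    artifact: str                      # what is being looked for
    location: str                      # where on the mounted drive letter (hypothetical)
    translate: Callable[[bytes], str]  # the post's "translate it" step
    reference: str                     # validation pointer (placeholder, no real URL)

CHECKS: List[Check] = [
    Check("UserAssist entry", r"Z:\<profile>\NTUSER.DAT -> UserAssist\Count", rot13,
          "REFERENCE-PLACEHOLDER: MS KB article on UserAssist"),
    Check("Typed path", r"Z:\<profile>\NTUSER.DAT -> TypedPaths", utf16le,
          "REFERENCE-PLACEHOLDER: MS KB article on TypedPaths"),
    Check("Key LastWrite time", r"Z:\<profile>\NTUSER.DAT -> key header", filetime,
          "REFERENCE-PLACEHOLDER: FILETIME structure documentation"),
]

def run_checks(extracted: Dict[str, bytes]) -> List[Dict[str, Optional[str]]]:
    """Run every check once; artifacts looked for but absent are reported as None."""
    report = []
    for check in CHECKS:
        raw = extracted.get(check.artifact)
        report.append({"artifact": check.artifact, "location": check.location,
                       "value": check.translate(raw) if raw is not None else None,
                       "reference": check.reference})
    return report

# Constructed raw values standing in for an extractor's output (fabricated, not from a real image).
SAMPLE_RAW = {
    "UserAssist entry": b"HRZR_EHACNGU:P:\\Jvaqbjf\\abgrcnq.rkr",
    "Key LastWrite time": struct.pack("<Q", 128752416000000000),  # 2009-01-01 00:00:00 UTC
}
```

Because every check is recorded even when its artifact is missing, the report itself answers the "did you check…??" question the post complains about.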
hawkwind
(@hawkwind)
Eminent Member
Joined: 19 years ago
Posts: 26

Hi keydet thanks for the reply.

My "I would like an OSS solution" I guess is just meant as a vent of frustration.

To be a forensics examiner it appears that the general consensus is you need lots of experience and qualifications.

I feel that using the EnCase demo disk or FTK's limited demo version you are gaining a snapshot of how they work, but you become constrained in how much forensics experience you can gain from them.

With an OSS version that offers some of the commercial features but in a freely usable manner then it would be possible to gain forensics experience by creating your own test beds to discover evidence in.

I like your idea of the script. Would you design different scripts for different scenarios or just one blanket script for all cases?

keydet89
(@keydet89)
Famed Member
Joined: 21 years ago
Posts: 3568

> would you design different scripts for different scenarios or just one blanket script

It's not a matter of one script…my plan is to build a framework. I've already written different scripts, and they're coming out on the DVD with my book.

> With an OSS version that offers some of the commercial features but in a freely usable manner

Remember, everything has a cost. For example, what I'm considering may require you to install Perl, and run the tools from the command line. For many, this is far too much of a "cost", even though everything is free - they'd rather pay for a commercial application than have to install a couple of free tools and run things from the command line.

hawkwind
(@hawkwind)
Eminent Member
Joined: 19 years ago
Posts: 26

I can't wait for your book, it sounds like it's going to be good learning and reading material.

I think if the cost is free or reasonably priced then you would have to be mad to ignore the opportunities.

My only concern is that with the commercial packages being used more and more, will there come a point where, say, the prosecution have used the latest whizzbang commercial software to create a case.

Then defence use lots of tools, scripts and maybe even some smaller commercial tools to provide evidence that the prosecution case is flawed.

But by this time the whizzbang software is recognised as the god of forensic software.

Prosecution win and some poor soul's life is possibly ruined, because high cost = more believability than experience and skill.

At the moment I lack all three, so I'll aim for the experience and skill because the only cost is hard work, and who knows, maybe Santa will bring me the tools to make me believable.

Hurry up with your book please.

keydet89
(@keydet89)
Famed Member
Joined: 21 years ago
Posts: 3568

> Hurry up with your book please.

Sorry, it's not in my hands…I'm done. Talk to the publisher.
