ronanmagee, good point. Each different tool too probably.
Tool wise just wondering, is it possible to include open source tools? If they haven't been proven in investigations/court and could possibly be challenged would this be a good idea to include them? I have read the interview on Forensic Focus from John Patzakis (Guidance Software) who included links to challenges to Encase in the US. Encase came out the better and can be trusted in court for such investigations.
What about antiforensic tools and the effect they could have on the investigation? Oh boy, I see why this is so hard!!
I think that for the main methodology it would be wise to steer clear of any tool implementations.
(1) It would increase the workload exponentially.
(2) It would potentially exclude people using "non-standard" tools.
(3) It would require updating every time a vendor released a new version.
I would think that either such information could be included as Appendices, or, better still, if we succeed in producing a good methodology and reporting standard, that vendors would be interested in producing documentation themselves that shows how their product is the "best" to use to follow it :-)
If you look at the OSSTMM ( I know that I keep going back to it … But it is the closest thing that I've seen yet ) it highlights what needs to be tested, the length of time that one can expect certain things to take, billing guidelines (!?!) and report formats. Not once does it go into a specific tool to carry out an operation. So for us, we should look at what we would hope to gain from a specific type of evidence, details of where to look for it, hints on possible complications/obfuscations, reporting guidelines and :-P billing guidelines.
My suggestion for a starting point, and feel free to argue this, would be to look at the U.S. DoJ "Electronic Crime Scene Investigation" Chapter 7* - and to begin with a basic methodology for each of the data elements listed under the various crime categories. e.g.
- address books
- calendar
- chat logs
- databases
- e-mail
etc.
Actually the best place to start is to get this list and discuss which categories should and shouldn't be covered, and to expand the list if required !
However in my opinion, if we are going to include any tool examples, they should be explicitly defined as "examples" and only use tools that are freely available to everyone, and if possible, their correctness should be verified … The ones that spring to mind are md5 and dd
—
* - It is available for download from http://www.forensicfocus.com/index.php?name=Downloads&d_op=viewdownloaddetails&lid=4&title=Electronic%20Crime%20Scene%20Investigation%20A%20Guide%20for%20First%20Responders%20(pdf)
but no matter how I tried, I couldn't make the link work inline in the above text. Sorry !
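The post above names md5 and dd as freely available "example" tools whose correctness should be verified. As an added example that is not part of the thread, this POSIX shell script does that with known answers: md5sum is checked against the RFC 1321 test vectors, and dd is checked by imaging a constructed sample file and comparing source and image hashes before and after acquisition; it also shows why conv=sync changes the image hash when the input does not end on a block boundary. It assumes a Linux-style environment with md5sum, dd, awk and mktemp.

```shell
#!/bin/sh
# Added example, not from the thread: sanity-check md5 and dd before trusting
# them in an examination. Assumes md5sum, dd, awk and mktemp are available.

# Hex digest of a file, without the trailing filename md5sum prints.
md5_of() { md5sum < "$1" | cut -d' ' -f1; }

# 1. Known-answer test: the RFC 1321 test vectors for "" and "abc".
md5_known_answer_test() {
    if [ "$(printf '' | md5sum | cut -d' ' -f1)" = "d41d8cd98f00b204e9800998ecf8427e" ] &&
       [ "$(printf 'abc' | md5sum | cut -d' ' -f1)" = "900150983cd24fb0d6963f7d28e17f72" ]; then
        return 0
    fi
    return 1
}

# Constructed "source device": 800 lines of filler plus a 5-byte tail, so the
# 16805-byte total is deliberately NOT a multiple of the 4096-byte block size.
make_source() {
    awk 'BEGIN { for (i = 0; i < 800; i++) printf "forensic-sample-data\n" }' > "$1"
    printf 'tail!' >> "$1"
}

# 2. Image with dd (conv= option given as $1) and verify three hashes agree:
#    source before imaging, the image itself, and source after imaging
#    (the last one shows the acquisition did not alter the source).
dd_image_and_verify() {
    workdir=$(mktemp -d)
    src="$workdir/source.bin"; img="$workdir/image.dd"
    make_source "$src"
    before=$(md5_of "$src")
    dd if="$src" of="$img" bs=4096 conv="$1" 2>/dev/null
    image=$(md5_of "$img")
    after=$(md5_of "$src")
    rm -rf "$workdir"
    if [ "$before" = "$after" ] && [ "$before" = "$image" ]; then
        return 0
    fi
    return 1
}

# Report when run directly. conv=noerror copies the partial last block as-is;
# conv=noerror,sync pads it with NULs to 4096 bytes, so the image hash differs.
md5_known_answer_test && echo "md5sum: RFC 1321 vectors OK" || echo "md5sum: FAILED"
dd_image_and_verify noerror && echo "dd conv=noerror: image verifies" || echo "dd conv=noerror: MISMATCH"
dd_image_and_verify noerror,sync && echo "dd conv=noerror,sync: image verifies" \
    || echo "dd conv=noerror,sync: MISMATCH (padded last block)"
```

The padding case is the practical caveat: a hash of a sync-padded image will not match a hash of the source, so the verification record must note which dd options were used.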
—
See the new ACPO guidelines are out …
Reading it seems pretty good … updated for wireless/networks/live analysis.
Not a bad read at all, and has lots of useful information though it does lack some technical details (then again it's not meant to be too technical).
Might be a good base to start from?
Yeah, I've downloaded it, I'll read it and see where we go from there …
:-)
Right, I've had a chance to look at it now, at least superficially.
I'm reassured that we won't be reproducing a document that is already in existence. The Guidelines, to me, seem to largely detail the procedures ( and good advice it is too ! ) for seizure, containment and handling, and presentation. Very little on the actual "examination" phase.
I think that the additional guidance presented for networks/wireless/live/pda etc. is very valuable, and does give a good starting point for further coverage of these areas. When I first imagined the Open Methodology, I thought of it more as a Windows ( or at least OS ) centric set of methods, but I can see that, in the long run at least, it will have to be more detailed, covering some concepts such as those above related to other hardware devices and also network interactions of forensic value.
I must admit that I was hoping for a few more people to put their names forward, either on the forum or to me by PM … Anyone else like to sign up to help ? You need not be involved in any writing or editing roles, but the more active discussion there is, the more relevant this will be to our work across the board.
Ok. I'll warn in advance that this is quite a long post, so if you fancy getting a tea or coffee, now is the time to do it …
Pending any further movement from anyone else, there are two things that I would like to put forward
(1) Licensing: I would suggest that we follow the same licensing as the OSSTMM does. This is basically a Creative Commons Attribution-Noncommercial-No Derivative Works 3.0 License. http//
Open Methodology License (OML)
Copyright (C) 2002 Institute for Security and Open Methodologies (ISECOM).

PREAMBLE

A methodology is a tool that details WHO, WHAT, WHICH, and WHEN. A methodology is intellectual capital that is often protected strongly by commercial institutions. Open methodologies are community activities which bring all ideas into one documented piece of intellectual property which is freely available to everyone.

With respect to the GNU General Public License (GPL), this license is similar with the exception for the right for software developers to include the open methodologies which are under this license in commercial software. This makes this license incompatible with the GPL.

The main concern this license covers for open methodology developers is that they will receive proper credit for contribution and development as well as reserving the right to allow only free publication and distribution where the open methodology is not used in any commercially printed material of which any monies are derived from whether in publication or distribution.

Special considerations to the Free Software Foundation and the GNU General Public License for legal concepts and wording.

TERMS AND CONDITIONS

1. The license applies to any methodology or other intellectual tool (i.e. matrix, checklist, etc.) which contains a notice placed by the copyright holder saying it is protected under the terms of this Open Methodology License.

2. The Methodology refers to any such methodology or intellectual tool or any such work based on the Methodology. A "work based on the Methodology" means either the Methodology or any derivative work by copyright law which applies to a work containing the Methodology or a portion of it, either verbatim or with modifications and/or translated into another language.

3. All persons may copy and distribute verbatim copies of the Methodology as are received, in any medium, provided that you conspicuously and appropriately publish on each copy an appropriate copyright notice and creator or creators of the Methodology; keep intact all the notices that refer to this License and to the absence of any warranty; give any other recipients of the Methodology a copy of this License along with the Methodology, and the location as to where they can receive an original copy of the Methodology from the copyright holder.

4. No persons may sell this Methodology, charge for the distribution of this Methodology, or any medium of which this Methodology is a part of without explicit consent from the copyright holder.

5. All persons may include this Methodology in part or in whole in commercial service offerings, private or internal (non-commercial) use, or for educational purposes without explicit consent from the copyright holder providing the service offerings or personal or internal use comply to points 3 and 4 of this License.

6. No persons may modify or change this Methodology for republication without explicit consent from the copyright holder.

7. All persons may utilize the Methodology or any portion of it to create or enhance commercial or free software, and copy and distribute such software under any terms, provided that they also meet all of these conditions:

a) Points 3, 4, 5, and 6 of this License are strictly adhered to.

b) Any reduction to or incomplete usage of the Methodology in the software must strictly and explicitly state what parts of the Methodology were utilized in the software and which parts were not.

c) When the software is run, all software using the Methodology must either cause the software, when started running, to print or display an announcement of use of the Methodology including an appropriate copyright notice and a notice of warranty how to view a copy of this License or make clear provisions in another form such as in documentation or delivered open source code.

8. If, as a consequence of a court judgment or allegation of patent infringement or for any other reason (not limited to patent issues), conditions are imposed on any person (whether by court order, agreement or otherwise) that contradict the conditions of this License, they do not excuse you from the conditions of this License. If said person cannot satisfy simultaneously his obligations under this License and any other pertinent obligations, then as a consequence said person may not use, copy, modify, or distribute the Methodology at all. If any portion of this section is held invalid or unenforceable under any particular circumstance, the balance of the section is intended to apply and the section as a whole is intended to apply in other circumstances.

9. If the distribution and/or use of the Methodology is restricted in certain countries either by patents or by copyrighted interfaces, the original copyright holder who places the Program under this License may add an explicit geographical distribution limitation excluding those countries, so that distribution is permitted only in or among countries not thus excluded. In such case, this License incorporates the limitation as if written in the body of this License.

10. The Institute for Security and Open Methodologies may publish revised and/or new versions of the Open Methodology License. Such new versions will be similar in spirit to the present version, but may differ in detail to address new problems or concerns.

NO WARRANTY

11. BECAUSE THE METHODOLOGY IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY FOR THE METHODOLOGY, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES PROVIDE THE METHODOLOGY "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE IN USE OF THE METHODOLOGY IS WITH YOU. SHOULD THE METHODOLOGY PROVE INCOMPLETE OR INCOMPATIBLE YOU ASSUME THE COST OF ALL NECESSARY SERVICING, REPAIR OR CORRECTION.

12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY USE AND/OR REDISTRIBUTE THE METHODOLOGY UNMODIFIED AS PERMITTED HEREIN, BE LIABLE TO ANY PERSONS FOR DAMAGES, INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR INABILITY TO USE THE METHODOLOGY (INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY ANY PERSONS OR THIRD PARTIES OR A FAILURE OF THE METHODOLOGY TO OPERATE WITH ANY OTHER METHODOLOGIES), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
Boring, I know, sorry, but hopefully getting this out of the way now, leaves space and time for the discussion of other, more relevant things ! In a nutshell, use it till you go blue in the face and feel free to make money from using it, just don't sell it on its own, don't claim it is yours and don't change it without asking first. For those of you that skipped over it ( and I don't blame you ) Clause 1 is the one that says we can use the license if we want, so long as we include it in full.
Comments on licensing ?
Ok …
(2) Extracted from the U.S. DoJ document mentioned above are the following categories of artifact …
General Information
Databases
E-Mail/notes/letters
Financial/asset records
Medical records
Telephone records
Specific Information
Account data
Accounting/bookkeeping software
Address books
Backdrops
Biographies
Birth certificates
Calendar
Chat logs
Check, currency, and money order images
Check cashing cards
Cloning software
Configuration files
Counterfeit money
Credit card generators
Credit card numbers
Credit card reader/writer
Credit card skimmers
Customer database/records
Customer information/credit card data
Date and time stamps
Diaries
Digital cameras/software/images
Driver's license
Drug recipes
Electronic money
Electronic signatures
Erased Internet documents
ESN/MIN pair records
Executable programs
False financial transaction forms
False identification
Fictitious court documents
Fictitious gift certificates
Fictitious loan documents
Fictitious sales receipts
Fictitious vehicle registrations
Games
Graphic editing and viewing software
History log
"How to phreak" manuals
Images
Images of signatures
Image files of software certificates
Image players
Internet activity logs
Internet browser history/cache files
IP address and user name
IRC chat logs
Legal documents and wills
Movie files
Online financial institution access software
Online orders and trading information
Prescription form images
Records/documents of "testimonials"
Scanners/scanned signatures
Serial numbers
Social security cards
Software cracking information and utilities
Source code
Sports betting statistics
Stock transfer documents
System files and file slack
Temporary Internet files
User names
User-created directory and file names that classify copyrighted software
User-created directory and file names that classify images
Vehicle insurance and transfer documentation
Victim background research
Web activity at forgery sites
Web page advertising
So, is this too detailed, not detailed enough, irrelevant, what's missing ? To my mind, there is at least "Stored Passwords" missing …
I look forward to your feedback, either on the forum, or by PM if you are shy :-)
Many Thanks & Kind Regards,
Azrael
Hi everyone,
Based on this thread, I've been asked to create a new forum for the discussion of methodology. Generally speaking I try to restrict the number of forums as far as possible so that we don't end up with too many "orphans" with very little activity (and posts which are subsequently overlooked) and as a result I'm trying to weigh up whether the benefits outweigh the risk of that happening.
Personally I think that this is a very important subject area and I'm delighted to see that there are members keen to push forward with it. Before making a decision I'd like to ask for your opinions - would it be useful to create a new forum devoted to methodology? If so, should a new forum concentrate on developing a single specific methodology (such as the model proposed by azrael) or should it be more general?
All thoughts and comments appreciated.
Jamie
Jamie,
I appreciate your support of the effort. I agree, it's pretty important – probably one of the most important issues facing the profession.
I think that if you create a forum, the question of should it be a single specific methodology or a general methodology would be one of the first issues addressed by the forum. The question of new forum or not is a judgement call for you. I suspect you've seen issues rise and fall and can judge that with this. I also suspect the question becomes a forum one in that how many users want to ignore "those guys" who are quibbling over the smallest procedural questions. :) A new forum might be a blessing to them.
I think that if you create a forum, the question of should it be a single specific methodology or a general methodology would be one of the first issues addressed by the forum.
This is a very good point, because of the way that things are working out in timescales, and responses, it seems that we are likely to generate a smaller "experimental methodology" ( a method for experiments … Not a … You know what I meant … ) With regard to the "Information Exchange" thread …
I suggest after the publication of this, that we discuss if we should - extend, expand and produce a single methodology, or if it is considered better to have numerous smaller documents, that could, perhaps be cross referenced by a top level guide …
I also suspect the question becomes a forum one in that how many users want to ignore "those guys" who are quibbling over the smallest procedural questions. :) A new forum might be a blessing to them.
That to me sounds like the voice of experience :-)
Seems reasonable. Guys, any thoughts on next step. I perceive we're all ready and just waiting for something to happen.