> What precisely are you asking for?
A suitable system for testing Vista Ultimate (IR and CF research) in a manner that will be pertinent to what we're going to see in the real world.
"Robert Hensing told me that a Dell D820 w/ 2GB RAM smokes Vista!"
"…searching on just D820s with 2GB RAM" As I have already stated, I have Vista Ultimate, and VMWare, but I'm waiting for the upgrade.
Harlan,
The work you want to do would benefit the community greatly, I can commit to pay 50% of the funds (provided it does not exceed $2k) you need and I'm sure you will share your results.
Alan
> …I and others have certainly supported your work by buying your books.
I do greatly appreciate the fact that you've purchased my books, but thinking that doing so supports my work is a misconception. Having just done my taxes (like all good Americans!! 😉 ), one of the things I have to address is a 1099 from AWL/Pearson Ed for 2006 royalties on my first book. After taxes, that isn't enough to cover the cost of the system I'm typing this on now, so things such as VMWare upgrades, renewing my Perl2Exe license, purchasing an external HDD for extra storage space, DVD purchases (to ship master copies of the second book to the publisher) and other ancillary costs directly attributable to what I do are not covered.
Alan,
> …and I'm sure you will share your results.
I already do.
I understand that a lot of folks are probably seeing this exchange and thinking, "wow, Harlan's some kind of greedy little piglet"…I can understand that, but I also think that's a gross misconception, as well. A while ago, I wrote a tool that you can point at a Windows 2000 RAM dump and extract an executable image…it's a unique tool, it took a great deal of work and research, and I released it for free. I'm not asking to be paid for that…not at all. All I'm suggesting is that there is a considerable amount of research that can and should be done, and it's not as if I can load up Win95 on an old 486SX to do it.
Thanks to everyone who has contributed to this thread so far…this has been educational.
Harlan
Harlan,
I did not mean to imply that by purchasing your books we have financially supported your work. I understand that authors don't really make that much unless the book sells a million copies (or some other outrageous number).
I mean that your work is valued and we support the research you've done. A few coins from the book doesn't hurt though. I know firsthand that research doesn't pay well or doesn't pay at all in many cases. The struggle you are facing is shared by just about any developer that releases an open source product. Renaud at Tenable now…certainly felt the same way. "hey if I'm going to bust my a*s for nothing and no one else is contributing then I'm going to have to charge for my work". You don't want to get paid but you're asking for help…by having the community buy a system (which is reasonable).
This is the quandary that any "community" faces. Very few people contribute and those that do, eventually want to get paid (in some way) for their valuable work and I understand exactly where you are coming from. So, set up the PayPal fund or whatever, see how far it goes and we'll see if you can afford the system(s) you need - I'm sure there are enough people on the various groups you're a part of that will chip in for this.
A note of caution before you put up formal notice of "the harlan fund". Just be aware that this now could become a situation of "funded" research where the funders' expectations can rise and the sense of entitlement to even more work from you can occur as well.
> …we'll see if you can afford the system(s) you need
It's not really about what *I* need…it's about what the community wants. As I've been saying, I can easily install Vista Ultimate into my VMWare now…only the version I have doesn't support USB in Vista. So I can do what research I can with what I have, but someone's eventually going to ask about ReadyBoost or BitLocker or something, and I won't be able to even look into some of those technologies.
> I'm sure there are enough people on the various groups you're a part of
> that will chip in for this.
From the few responses I've seen in the list and my personal email…we'd get part way there, but not all the way.
> A note of caution…
I thought about that before I even posted my first query. In fact, I've already seen that sense of entitlement…"you've already put out these things, why not this other stuff?" Or the other one is "feature creep"…"Okay, this is a great tool, but can you make it do this…??"
Maybe this wasn't such a good idea after all. When I first sat down to write the original post, I flashed back to when I was teaching a Windows 2000 IR course in LLNL several years ago. We were talking about live response, NTFS ADSs, etc., and one of the guys in the class kept asking me, "…what does this look like on XP?" I had to finally say, "I don't know…I don't have a copy of XP." His response was, "Do you want one??" He handed me a legit, still-in-the-shrinkwrap copy of XP and I've been using it ever since.
Maybe instead of looking back at that, I should remember the attendees to the presentations at the HTCIA and GMU/RCFG conferences over the past couple of years, where I'd present on USB devices and someone would ask, "okay, but what about Firewire devices?" I'd respond with, "If you loan me such a device, I'll do the research, post it, and return the device to you." I started doing this in 2003, and as yet, no one has taken me up on it.
In a lot of ways, this thread has been very instructional. I do appreciate everyone's time in contributing their thoughts, and for those of you who have offered…thank you. However, at this point, there just isn't enough support. This isn't a "Harlan Fund"…in fact, I don't even have to be the one to receive the funds or equipment. There's enough folks pointing out what's wrong with the idea that maybe it's just not a good idea.
Thanks, all…
Harlan
> …BitLocker or something, and I won't be able to even look into some of those technologies.
Well I have researched this in depth and will do a presentation on BitLocker and its forensic considerations at CEIC.
Harlan,
Needless to say, it's disappointing. Have you pinged any vendors yet? I know they're a royal PITA - but the NSF does have grant money available for research in the computing field.
In the case of doing what you can with what you have, I guess you just make do. Of course there will be questions about BitLocker, ReadyBoost, TPM interaction, and a host of other things. It doesn't mean that you have to be the one to provide the answer. Of course you want to - you are one of the authorities on the subject of Windows forensics, but why not lean on the community to help answer the questions, or at least provide the data so you can answer the question?
For instance…
You want to test something, tell me how and I'll run it through my test lab, and send you the disk image, the USB key, etc. Not ideal by any means but it's doable.
I think at this point you might be taking this too personally. I (and I hope others) know it's not a "Harlan Fund" just like Jerry doesn't actually have that many kids. The idea is sound in principle, but you're up against mistrust, apathy, and others' self-indulgence ("hey I can't even buy a system for myself, why should I help you?") which are pretty tough adversaries. Even in the past few years, a lot has changed in people's attitudes. Notice if you will the difference between the two crowds you mention. LLNL - researchers. GMU/HTCIA - Corporate or LEO. Researchers are more generous to other researchers - for they understand. So maybe your answer lives there - try to talk to other researchers.
Hogfly,
Like I said, it's been a very educational discussion.
Have a great weekend.
H
Ken,
I received your email on Wed, and replied, and sent a follow-up yesterday. The emails I sent are still in my Sent folder. I responded to your email just a few moments ago…just so you know, there have been a couple of folks who've told me that my emails to them have gone into their spam folders.
Thanks,
Harlan