How important is cross platform support for forensic tools?

(@kovar)
Prominent Member
Joined: 18 years ago
Posts: 805
Topic starter  

Greetings,

As I sit here looking into extending analyzeMFT and developing a larger collection of timeline analysis tools, I find myself wondering how important cross platform support really is. I did all my development work on my daily driver - an MBP running OS X SL. I really like being able to run on any platform, and making the tools available to the widest possible audience is clearly desirable.

But there is a lot of wheel recreation to be done to port some tools off of Windows. For example, Microsoft provides LogParser, a very nice SQL-like interface to anything that looks like a log file on a Windows box. I could build on that, saving a lot of time and gaining a lot of power, or I can go figure out how to recreate most of its functionality in Python.

Recreating the functionality means that the functionality is available to a broader audience; using LogParser directly means I can spend more time working on the tools I want to develop.

I suppose the real answer depends on the direction I want to go - develop some useful tools, or start developing a collection of Python modules to enable other people to develop more tools.

Thoughts?

-David

(@seanmcl)
Honorable Member
Joined: 19 years ago
Posts: 700
 

Personally, I hate running on Windows for a number of reasons including frequent security flaws, relatively poor performance (I'm a command line tool kinda guy, not a GUI lover), lack of support in certain platforms for certain hardware, etc., so much of my work is done in Unix/Linux/OS X.

To put it another way, if any of the Windows tools that I used were ported to something else, I'd jump ship.

(@kovar)
Prominent Member
Joined: 18 years ago
Posts: 805
Topic starter  

Greetings,

One of the things I'm looking into is dumping a lot of information from a Windows analysis system to another system running MySQL. I can use native tools on the Windows box to do the collection and then portable tools on the target system to do the analysis. This seems to get me the power of the native tools while getting us onto our preferred analysis system as quickly as possible.

-David

(@patrick4n6)
Honorable Member
Joined: 16 years ago
Posts: 650
 

I feel that having a tool that will support analysis of a particular file system or OS is more important to me than having it run in a particular OS. My collection and analysis tools run in Windows or Linux, and if there were a particularly great tool that I needed that only ran on MacOS, then I'd buy myself a Mac for that purpose. Porting your results to another platform for inclusion in a report isn't that hard these days, since Mac, Windows and Linux all now happily share files with minimal effort, not like 10 years ago.

(@a_kuiper)
Trusted Member
Joined: 16 years ago
Posts: 69
 

In the case of forensic analysis, I do not think it is important that the tool is able to run on several platforms. Most of the OSes used by our "customers" are Windows - I would say > 95%. Linux users, for instance, always have the possibility of using Wine or VirtualBox to get the tool running.

I personally prefer a single .exe file I can put on a USB stick without any hassle to some neat scripts which require the installation of libraries and extensions.

(@woany)
Eminent Member
Joined: 16 years ago
Posts: 28
 

Personally, all the tools I write (10 for forensics, 30 for pentesting, 10 other) are for Windows; they are written using .NET, so in theory they are cross platform via the Mono libraries.

If people don't want to run the OS that the tool is designed for, then that's their issue; personally, it's the best tool for the job, regardless of OS. If I ever need *nix, then I have an Ubuntu install in a VirtualBox VM.
