I have had a PM discussion with keydet89 with regard to his thread on Issues/Projects. I've clarified what I understood from the posting, which is that keydet89 is proposing a knowledge base of forensic techniques and experimentation to try to prevent needless repetition of work across the board, and also to allow for independent verification of techniques.
I suggested the creation of a separate entity for the storage and indexing of such data, but I concur with keydet89 that we should try to avoid creating a plethora of sites, and that the forensicwiki would be a reasonable place to deposit such information ( … by the way, to get a login, the link is on the bottom of the right hand side … you need to scroll down for it … )
The continuing issue, as both of us see it, is actually getting people to submit information. My suggestion is, in order to make the process as painless as possible, that we provide a template with the key data points to fill, obviating the need for free form creativity from submitters :)
Thus I produced the following as a starting point for discussion; fields are in bold, comments are in italic and example data is in normal font …
—–
**Submitter Name or Pseudonym** *credit where credit is due :) N.B. See comment (1) below …* Azrael
**Date** *Just for reference really …* 11/07/07
**Operating System** ( major version / minor version ) Windows XP, SP2 or MacOS X 10.4.2 *for example.*
**Specific Software** IE 7 *or I suggest blank for OS related.*
**Description of Forensic Artifact** *Insert relevant data here, perhaps it is possible to create a few tick boxes for this item such as …*
[ ] Metadata [ ] User Preferences [ ] Cached Data [ ] Entered Strings
[ ] Recent Files [ ] Passwords [ ] Connection Settings [ ] Other ( please detail below )
*obviously these need refining … :P*
**Perceived or obtained value of evidence** *I suggest that the value of the evidence should be mentioned and/or what can be inferred from it e.g. suggests knowledge of x or indicates use of y*
**Examination Tool** ( major version / minor version ) WinHex 14.2
**Verification Tool** ( major version / minor version ) FTK 1.71 *if any …*
**Method to obtain evidence (Lead Tool)** *This is the bit where some creativity is expected on the part of the person filling the form, however, a step by step should be adequate as other information is already filled out* In WinHex select the data, click on … etc. etc.
**Method to obtain evidence (Secondary Tool)** *As above, but for verification, if it exists.*
**Experimental Verification** *I would suggest here a quick check of the test environment so*
[ ] Same OS Version [ ] Same Software Version [ ] Same Hardware
Please list any significant differences ___________________________
**Experimental Methodology** *Again, we are at the mercy of the person filling out the form, but I would suggest that a few model examples carefully created and uploaded would be easy to follow.*
**Experimental Results** ( Please note any Failures ) *Highlighting the exceptions found is probably more valuable than the normal proof. For the obvious reasons …*
**References** *Links to technical documents to support findings e.g.* http://
———
I think that there are perhaps one or two other fields that need to be added at a later stage
(1) A reference number - this is good for searching and referencing in future - could be as simple as an incremental count or as complex as being created from the OS Version/Date (WinXP-10-07-07.1) or whatever criteria are agreed by the general population …
(2) A field for listing reviewers/verifiers of the data, so that peer review is an added value to the information
(3) Fields for additional comments/data/evidence/methods to be added/addressed at such time as is necessary.
I think that the key will be in providing sufficient examples and guidance on filling out the more complex open format, ambiguous fields. There is guidance on filling out bug reports available on the web that might well be adapted to our needs, we can write our own, and providing a few, peer/forum reviewed examples of simple tasks should not be a problem.
I'd be very interested in feedback on this, as you can probably tell from other posts, I'm a bit of a fanboy for standards, and open ones at that. My background in InfoSec has shown me that they are generally valuable if done right, and part of doing them right is getting the input from the people that they are being designed for, who wants to fill out data that is perceived as irrelevant and not useful ?
Incidentally, I see this as the perfect complement to an Open Methodology, as it would fill in the technical gaps that are not covered by a general purpose methodology.
Kind Regards,
Azrael
Nearly forgot ! Comment (1) It has been brought to my attention that people are nervous about contributing information as there may be a fear that some over-zealous defence counsel will get hold of it and use it against the poster … I can understand this concern, hence the need for peer review, but I would suggest that perhaps an anonymous posting e-mail address - e.g. you submit to me and I post for you anonymously - or sufficient use of pseudonyms such as we do here, would negate the fear, whereas the benefit of saying that you have used a peer reviewed method might have a more general positive value.
One quick comment, I think you need to have a critical review section. This section will list the reviewer/verifier and any noted problems or errors.
I think this is a great idea - community based support - hope it works!
I think there will be the need for some type of executive oversight by a committee of senior leaders, participants, or monoarchy. Either login credentials are validated or content must be validated, otherwise, the community may waste hours chasing wild hares.
I believe that a GPL2 or GPL3 legal copyright clause might be necessary for content protection.
Where is the login link? I do not see any link bottom right hand side.
Sorry - didn't make myself quite clear on that …
In order to get into the Wiki, you need to have an account created for you. Due to an intriguing design decision, the "Create Account" button on the top does no such thing - rather you have to send an e-mail to the e-mail address given at the bottom right of the screen. This will then supposedly be vetted and you will be sent an account …
I'm still waiting … That's 3 days and counting …
With regard to the GPL comment, I like the GPL in some respects, but I think that the issue that I have with it is control. It allows for people to reproduce as and where they wish, and allows for changes. I'm not against changes, in fact, I'm absolutely for updates and modifications, however, I want them to be controlled in the same way as the initial entries are.
In this respect, the Creative Commons licenses are better, they allow for free distribution, but prohibit unauthorised modifications. I also like the fact that they restrict distribution for profit, as a community resource, I object to it being re-sold by anyone …
My opinion only, feel free to dissent !
Azrael.
Sorry, I rather skimmed your answer earlier in a desire to get to work on time ! I'll give it its due attention now …
> One quick comment, I think you need to have a critical review section. This section will list the reviewer/verifier and any noted problems or errors.
I agree, I think I was trying to get that across with the additional fields (2) and (3), but you are right to clarify that into a single, clearly defined section.
> I think this is a great idea - community based support - hope it works!
Thank you, a good amount of credit goes to keydet89 :-) Me too !
> I think there will be the need for some type of executive oversight by a committee of senior leaders, participants, or monoarchy. Either login credentials are validated or content must be validated, otherwise, the community may waste hours chasing wild hares.
This is a very real problem, and in using the forensicwiki, which has some basic login authentication, there are some slight mitigations of the risk. One would hope that the Wiki system will keep track of modifications, thus ensuring that changes aren't made ad hoc. I don't know, I haven't received my login yet (if anyone is listening ?) If this turns out not to be a viable method, then I will provide a more appropriately structured resource for it, and I would then look, at least initially, to draw membership from this forum where there is at least some historical evidence of existence. :-P
I would seek to restrict access, at least to some entries, so as to maintain the edge that we hope to have over those that we examine, conversely, I would seek to allow access to a wider audience in general than just current practitioners. Students spring to mind as not only a group that would be interested, but also a group who are potentially likely to carry out quite a lot of verification work purely because of who they are and what they are going to use the data for.
> I believe that a GPL2 or GPL3 legal copyright clause might be necessary for content protection.
> Where is the login link? I do not see any link bottom right hand side.
This is the bit that I did read this morning !
Kind Regards,
Azrael
Just another thought
Ideally I would potentially like to be able to contact the originator of an item to ask a question, in a forum environment, this is easily handled via the PM. Should there be one of
(a) a contact details field ?
(b) a pseudonymous e-mail address system which will map across ?
(c) some form of PM in the wiki ? ( Does this already exist ? )
Ta,
Azrael
> I think there will be the need for some type of executive oversight by a
> committee of senior leaders, participants, or monoarchy
Monoarchy? 😉
I agree with you, in part…this is an issue with any publicly accessible forum. The…let's call it "approval committee" or "verifiers"…will have to be volunteers, and have to have a certain level of expertise in those areas.
So far, this sounds as if it's going down the right road. I recently posted a couple of blog entries regarding tool testing, so I hope if anyone has any questions about how to go about setting up a testing platform to look for forensic artifacts, they'll start there for some ideas.
H
For anyone who is wondering the blog is at http://windowsir.blogspot.com/
:-)
Right - this ForensicWiki thing is causing some serious problems … That does not testify to sensible design to me !
I've had more than a few people asking …
On the main page, the following text is on the bottom right hand side …
Getting access
As this is a closed list all membership requests are vetted, membership is intended for forensic/security professionals, law enforcement and the legal profession. If you would like access then please send an e-mail to [1] from your 'official' e-mail address (no hotmail, gmail, hushmail etc.) providing the username that you would like to use, please use a subject such as 'wiki access request' so that I can identify these emails.
If you are NOT a bone fide forensic practitioner then we are sorry but access will not be granted.
The e-mail address that you need to send to ( marked as [1] for some reason … ) is access@forensicwiki.com.
I hope that this makes it clear, and I hope that if any of the administrators of the forensicwiki frequent here that they would note that
THIS NEEDS CHANGING !!!
Thanks :-)
Azrael
( Oh, and can I have my login please if any of you get through ? )
> THIS NEEDS CHANGING !!!
I'm sure that this isn't changing b/c the maintainer of the ForensicWiki likely isn't on the list, nor is he monitoring it.
If it needs changing…change it. Set up your own wiki. While I don't particularly like the thought of having yet another resource, it could be that the reason you haven't been vetted is (a) the person(s) doing the vetting is/are on holiday, or (b) you didn't pass muster for some reason.
That being the case, set up your own resource.
H
Not arguing :-)
I did say "if any of the administrators frequent here" …
The thing is, though, that I'm not the only person that thinks it is a little obtuse ?
Could be that they are on holiday, fair enough - just getting frustrated talking about a theoretical resource that _you_ suggested that we should use - trusting in your judgment because I respect it - without having actually had an opportunity to see it myself.
> (b) you didn't pass muster for some reason.
Ouch ! I'd hope that they'd (a) ask a question or two first and (b) be polite enough to let me know … I do realise that perhaps I don't explicitly fit their criteria though - oh hang on - on a re-read I do, being a "bone fide"[sic] security professional …
PLEASE ACCEPT MY RESIGNATION. I DON'T WANT TO BELONG TO ANY CLUB THAT WILL ACCEPT ME AS A MEMBER.
I'd have thought an "out-of-office" would have been nice if they were away as well though …
I've got really mixed feelings about creating an additional resource, in one respect I'd love to have something that I could access, and it could be better tailored for the needs of this particular project - I'm not sure that wiki software would be the best way to approach it necessarily - rather a database style … I'd also prefer that it wasn't linked to any organisation quite so obviously - even if they do claim to have a hands off approach …
On the other hand, why recreate the wheel ? There seems to be a resource there, the extent of which you can enlighten me on - is it being used extensively ? And if so, is it a wide ranging userbase, or is it used heavily by a small number of people ?
Our aim should be to make access to information simple for as many people as need it as possible, and thus far, the forensicwiki isn't easy ( I've had to point out how to get into it to too many people ) and in exactly the same way isn't allowing as many people as want to _reasonably_ get the information to get to it.