Innovation

keydet89
(@keydet89)
Famed Member
Joined: 21 years ago
Posts: 3568
Topic starter  

Does anyone see a need for innovation in the area of IR or CF? If so, what specifically do you see as the need?

I'm sure there are going to be responses that cover small embedded devices, etc. That's cool, and to be expected.

What are your thoughts?

H


hogfly
(@hogfly)
Reputable Member
Joined: 21 years ago
Posts: 287
 

Of course there is a need for innovation.

We need write blockers that allow non-harmful ATA commands through them. Only certain ones do.

IR needs a better out of band communication method. E-discovery has really driven home the need to protect the communications between incident responders during incidents that lead to notifications and possibly civil suits.

Virtual forensics labs need to be developed. http://ncfs.ucf.edu/digital_evd.html

Personally, I'd like to figure out how to use gumstix for IR and forensics. It just hasn't come to me yet.

One other thing that I thought of yesterday (I haven't heard anyone talk about this yet) was a new digital camera that hashed your photos as you take them.

I'd also like to see some work done in the gaming console arena.


deckard
(@deckard)
Trusted Member
Joined: 20 years ago
Posts: 77
 

Personally I think the technical innovation will take care of itself, technology advances usually do.

I think the need for innovation is in the training, preparation and KNOWLEDGE of both IR and CF personnel. As can be noted from the questions placed on forum boards by CF "students", the current training market seems to be bent on placing cookie cutter and book knowledge people right into forensics. Now, I don't think we can wait till we have a cache of folks with 25 years or more of tech, security and programming experience like some of us old farts, BUT the field and the results will suffer if real world experience is left out.

Second, I think we need innovative "small" programming skills on the scene. Every forensic exam and IR is different than the last. A good analyst must be able to develop scripts and routines to do what their canned progs can't. The true innovative genius is going to be the group of skilled folks who can stay ahead of, or at least keep up with, the bad guys and develop a system for creating these tools and having a repository that lets them be found by others needing them. We must have a community of people and ideas, much like SourceForge and CPAN.

Just my take on it

Bill


keydet89
(@keydet89)
Famed Member
Joined: 21 years ago
Posts: 3568
Topic starter  

> Personally, I'd like to figure out how to use gumstix for IR and forensics. It just hasn't come to me yet.

What's a "gumstix"?

> I'd also like to see some work done in the gaming console arena.

Such as? I've seen presentations on X-Box forensics.

> I think the technical innovation will take care of itself, technology advances usually do.

I don't know. The Windows Registry has been around for a while, and even today, there are still people only now venturing into it, mostly b/c they've heard others mention things that can be done through Registry analysis.

> I think the need for innovation is in the training, preparation and KNOWLEDGE of both IR and CF personnel.

I agree strongly with that. I think that there's a lot that can be "cookie cutter", even by example, but I also think that we need to get folks up to speed on how to go about answering questions, as well as documenting those answers for others use.

> We must have a community of people and ideas

In some ways, these folks are available…they simply don't communicate.

Great thoughts, guys!


deckard
(@deckard)
Trusted Member
Joined: 20 years ago
Posts: 77
 

I believe that the reason the Windows Registry, as well as physical memory and swap files, and other things haven't been utilized is THEY ARE HARD and take knowledge of things beyond how to use your off-the-shelf forensics program.

Take Mandia's Blackhat presentation on The State of Incident Responses and Kornblum's rootkit paper, and you can see how the majority of folks with EnCase, FTK and such could easily rely on them rather than staying educated long after business hours in a fast-changing world; it's a load of work.

But lazy forensics is bad forensics.

Innovative Forensics and IR is going to be knowledge, at least knowledge of what is possible and what the threats are.


deckard
(@deckard)
Trusted Member
Joined: 20 years ago
Posts: 77
 

and BTW, people that don't communicate are simply not part of a community. I think a lot of newbies find the "experts" intimidating and somewhat hard to get to. Some folks go out of their way to contribute and enlarge the body of knowledge, and some want to keep it all for themselves.


hogfly
(@hogfly)
Reputable Member
Joined: 21 years ago
Posts: 287
 

Harlan,

www.gumstix.com, it's the embedded devices you mentioned.

Regarding gaming consoles, we have new generations of consoles to worry about, and handheld gaming devices. They are all moving targets.

Speaking of training, I'd like to see IR "capture the flag" contests. Most IR teams have to practice under fire because they don't have time for drills. I have yet to see a contest like this. I'd liken it to the SWAT team contests and "best ranger" contests that the military holds. It would be nice if FIRST could sponsor something like this.


az_gcfa
(@az_gcfa)
Estimable Member
Joined: 19 years ago
Posts: 116
 

This might sound a bit trite!

I think there is the need for an innovative means to store and access the various mountains of technical data and procedures required by the current technology. Something similar to an expert knowledge system. I find it difficult to reference and access all my notes, technical notes, manuals and procedures in a timely manner.

Additionally, I think there needs to be an innovative but standard concept for documenting, linking and storing all the information in a forensic case. Sort of along the lines of a revision control system for source code, but geared to forensic evidence (along the lines of a hypertext evidence document).

Plus, I would like to see a SETI- or GNOME-type project (the forensic community and participants could share unused computer resources to break encrypted documents and passwords in a distributed manner). I think LE would be the biggest winner.


keydet89
(@keydet89)
Famed Member
Joined: 21 years ago
Posts: 3568
Topic starter  

> THEY ARE HARD

…and…

> …hours staying educated…

Yes, it is hard. And there's the issue of analysts working multiple cases and the bad guys focusing on just one thing. However, there are opportunities out there. I've put training together, and even given it to the local HTCIA folks for free, but I guess there are issues with making folks aware of it, then getting the time/money for it.

Re communicating. I know you're right, and it's just too sad/bad. Over on the WFA Yahoo group, there are almost 300 members, many of whom joined saying that they want to contribute, but there are less than half a dozen contributors.

Re training under fire…interesting idea, but that will only apply to certain teams. To be honest, many of the teams out there need to crawl before they walk, so "Best Ranger" is out of the question. They need the tools and training first.

> …share unused computer resources to break encrypted documents and passwords in a distributed manner

Okay, this is one thing that will NEVER fly, particularly w/ LEs. Most LEs won't even talk about a case in general, sanitized terms. If a SETI-type project were set up to say, decrypt documents, then that would mean releasing the document itself. The same with passwords. That stuff can't be allowed out into the public while a case is under investigation.

Great ideas, guys…really. Thanks.


keydet89
(@keydet89)
Famed Member
Joined: 21 years ago
Posts: 3568
Topic starter  

> Something similar to an expert knowledge system

Wiki?


Page 1 / 5