Okay, this is one thing that will NEVER fly, particularly w/ LEs. Most LEs won't even talk about a case in general, sanitized terms. If a SETI-type project were set up to, say, decrypt documents, then that would mean releasing the document itself. The same with passwords. That stuff can't be allowed out into the public while a case is under investigation.
Yeah! I realize the need for secret squirrel. If the tool was designed right, independent communities could be established. The administrator could control what machines were allowed to connect or establish their particular community. So, LE could keep the distribution as limited as they wanted. Only use certain computers - but share in all the departments' assets. This could apply to everyone else, also. You advertise that you want to start a distributed processing group - people wanting to join submit a request and are allowed to connect to the server for units.
Next: work units. I feel you assumed that case information needed to be revealed – not the case. The work units would be posted (sections of an encrypted file or password protected file), the workstation munches on the work unit for, say, X hours and returns results. Yes, there is the potential that any type of file or partial data can be transmitted as an encrypted work unit - meaning that the unencrypted data could be returned. In order to minimize this – the work unit could have its own AES key assigned as part of the data units. This key would be used to encrypt the data when temporarily stored on the workstation. This would mean that the decrypted data would only be available in the computer's memory.
As for wiki, I initially considered it. I was thinking that the document context needed to be dynamic. Sort of along the lines of dynamic html; basic command structure but data can be changed with each use. The data context is referenced by keywords and data classes (notes, procedures, factoids, etc). A search string is input with reference keywords and command instructions, yielding a document in outline or indexed link format. The viewer could follow the links for content or switch between index and content views.
Knowledge and tools can be used unwisely by the trained or untrained equally. However, I've found that providing knowledge freely yields greater benefits than dealing information out on a piece by piece basis - IMHO.
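The per-unit AES key scheme sketched above, written out as an added example (not code from this thread or any project named in it): the WorkUnit layout is my own assumption, and AES-GCM is used so that a unit whose cached copy was altered on a workstation is rejected on open rather than silently processed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
)

// WorkUnit is the envelope a coordinator hands to a workstation (assumed layout): the unit's
// own fresh AES-256 key travels with it, so a cached copy on disk stays encrypted.
type WorkUnit struct {
	ID                     string
	Key, Nonce, Ciphertext []byte // AES-GCM: the ciphertext carries an integrity tag
}

// Seal packages one slice of case data under a key generated for this unit alone; the unit ID is bound as associated data so a unit cannot be silently relabelled.
func Seal(id string, payload []byte) (*WorkUnit, error) {
	buf := make([]byte, 32+12) // fresh key and 96-bit nonce, never reused
	if _, err := rand.Read(buf); err != nil {
		return nil, err
	}
	block, _ := aes.NewCipher(buf[:32]) // 32-byte key: cannot fail
	gcm, _ := cipher.NewGCM(block)      // 16-byte block: cannot fail
	ct := gcm.Seal(nil, buf[32:], payload, []byte(id))
	return &WorkUnit{ID: id, Key: buf[:32], Nonce: buf[32:], Ciphertext: ct}, nil
}

// Open recovers the plaintext into memory only; it fails if ciphertext, nonce or ID changed.
func Open(u *WorkUnit) ([]byte, error) {
	block, err := aes.NewCipher(u.Key)
	if err != nil {
		return nil, err
	}
	gcm, _ := cipher.NewGCM(block)
	return gcm.Open(nil, u.Nonce, u.Ciphertext, []byte(u.ID))
}

// Zero wipes the plaintext buffer once the workstation has finished the unit.
func Zero(b []byte) {
	for i := range b {
		b[i] = 0
	}
}

func main() {
	u, _ := Seal("unit-0001", []byte("constructed sample: one password hash"))
	pt, err := Open(u)
	println(err == nil, string(pt)) // plaintext lives only in this process
	Zero(pt)
}
```

The key travelling with the unit protects copies left on the workstation's disk, not the data from the workstation's operator, which is exactly the residue-in-memory concern the scheme leaves open.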
I believe some sort of standardization should be part of the innovation of both IR and CF. There are very many places to get training (in lieu of a formal education…) in computer forensics making a nice profit teaching a topic that hasn't fully developed into a science. I only say that because there isn't one regulatory body that oversees this field. Actually, there seem to be many regulatory bodies that oversee this field, each requiring a membership fee.
Lots of programs doing the same, achieving near same results, but the interpretation and presentation of those results…not much training or standards in that area.
Maybe I'm over thinking it, but this is a serious field, with serious ramifications if it is done wrong (millions of dollars in lawsuits, incarceration of criminals, etc…).
> work units
Look, I'm not trying to shoot down your contribution to this conversation…not at all…but what LEO is going to have time to break a case down into work units? Even one password…what LEO is going to have the time or inclination to break up several passwords into one and dole them out for decryption? The same would be true with documents.
> I feel you assumed that case information needed to be revealed
I never said that…perhaps I should have been more clear. Sorry. When I said "that stuff can't be allowed out into the public while a case is under investigation", I wasn't really referring to the names of people involved…I was referring to the data itself. You can't post a document to be decrypted, as when it's encrypted, you don't know what's in it. Say that after 4 hrs on someone else's machine, it gets decrypted…that information will be in the memory of that system. There will be questions from the defense about information being let out, possibly modified by others, etc. It will be like Carnivore all over again.
Along the lines of what Brett is saying, one thing I've seen is a need for standardization of terminology. Doctors and lawyers have entire vocabularies that are specific to the profession…take "stat" for example. We don't have that as a profession…not yet, it seems.
Great comments guys. Really. Don't think I'm trying to shoot anyone's ideas down…I think that all of this needs to be discussed. Well, as the first step, anyway… 😉
You know, part of the problem is good old USA is turning into a society of reciters not thinkers. I can tell by looking at the questions that are posted and reposted in these forums, i.e. do you pull the plug, how do you image, and so forth, and see that what we have going into CF and IR are people who need to be fed a formula for investigation, work that formula, and when something DOESN'T work, find someone else with an answer. I wonder just how much time people are spending in a makeshift lab, creating intrusion or crime scenarios and discovering an answer for themselves? How much code do they learn to write to pull out evidence faster and cleaner? Do they REALLY spend time verifying and getting to know their tools to the level they can explain exactly what that tool does? Have they ever imaged a drive, refired Windows on the original, imaged it again and compared the two? Do they know what registry files change etc?
True innovation can only spring from curiosity, experimentation, and the knowledge that it brings. Have we lost the desire to LEARN? Not memorize, or gain third hand knowledge, but truly LEARN?
I don't know, but I know there's lots of late nights I'd rather be home with my wife or at least out drinking a few beers instead of learning new ways to identify a rootkit in memory, or how to deal with live previews and live system images and examinations, but for me to be innovative I have to work on these things. I have to find time in my day or night to install systems with beta software and learn to abuse it so I can at least stay only 5 steps behind the bad guys. But no one, company that is, is going to develop new innovative CF or IR software until WE, the examiners, force them by hassling them to solve problems we have identified and had to develop our own procs for.
I'll somewhat gracefully leave my soapbox now.
Bill
Bill,
Great post!
> …by looking at the questions that are posted and reposted in these forums…
How many times do you see the same or very similar post, with a similar title, posted in the same forum?
Part of what you're seeing is due to the fact that what you're describing (a) isn't required, (b) isn't supported, and (c) simply may not be feasible. Take the LE guys who roll into work, but 10-12 hr shifts and roll on home to their families…do they have time to investigate? Probably not. But others do…although few seem willing to learn.
Another issue is communications…the bad guys are great at it. Some have been found to communicate via online games, b/c they aren't logged. So what happens is they communicate…and the good guys who are at home learning to identify rootkits in memory never bother to share that information, so everyone coming into the community has to learn the same things, all on their own.
Don't leave your soapbox, Bill. Get back on it, and share your thoughts, and your findings.
Harlan
I am not upset or put off about the comments concerning my ideas (distributed processing). H, I do not think you fully understand my concept. The concept is based around distributed processing in user defined workgroups. Enough said – PM if you wish to discuss it more!
I hear what you are saying about whether LEO will want to divide a case or create work units. Well, all I can say is nothing ventured, nothing gained! LEOs need to start working smarter – as I do not see any new funding sources available to them and the number of computer crimes is just going to continually increase. What other options do they have?
I would like to comment on Bill's and H's observation of a society of reciters versus thinkers. Bull pucky! Any learning process is composed of observation, emulation, repetition and validation. Yes, the forensic community is still in its infancy and being so new a lot of folks are testing the waters.
I just ask that the veterans do not become too critical of the novices. The reason I make that suggestion is that there is no one single correct answer. Ask 5 veteran forensic analysts what tool they use to image a hard drive and I can safely bet you will get at least 3 different answers, maybe 4 and possibly 5 different answers.
I will agree with you guys concerning the apathy toward research and personal initiative. I think the problem is the attitude "just do the bare minimum". This attitude seems to be spreading like a virus in our nation's work environment. That was the primary reason I retired - employee/contractor apathy and failure to take responsibility or pride in a job.
Bill, I do agree with H's comments concerning your soap box. I think it is OK to voice your opinion or thoughts. I might find some inspiration or insight and then again I may just totally disagree. Keep posting!
> Any learning process is composed of observation, emulation, repetition and validation.
At some point, there needs to be a way to engage, to ask questions about those observations…how does one seek validation? Given the dispersed nature of the Internet, this seems like an excellent medium for that…yet, it's not being used to anywhere near its capability by the community. How many folks are members of FF that actually post? And I don't mean post something new, or post "me, too", but ask a question, offer up a response or a novel approach? Perhaps it's part of that "bare minimum approach" you were talking about.
There are lots of ways to contribute. You don't have to come up with something new, or write a software program. I see threads every week asking for ideas, input, thoughts, communication, or even simply evaluation of freely provided software/code.
> I just ask that the veterans do not become too critical of the novices.
That has to happen to some degree. I completely understand about there being no single correct answer, but someone has to be critical of the novices and get them to justify their thinking (and ultimately their actions) in the face of those choices. It's no different from any other profession…take the Marine Corps rifle qualification; new folks being given information, the opportunity to act, and having their performance critiqued and improved.
Another thing that keeps coming to mind…MS's Vista. While Vista imposes new technologies on us (and the need for new knowledge and approaches), I believe that the single largest deficiency we face as a community isn't a lack of folks wanting to research it…not at all. I firmly believe that the biggest problem we face going forward is a lack of folks who'll come forward and voice a concern or specify a need. This is why I believe that one major area of innovation (or perhaps "renovation") is knowledge, training and communication. Folks research these things all the time and post what they find…there's no question about that. However, what does NOT happen is that the consumers of that information do not respond with feedback, nor do they go back and say, "hey, I understand that, and it's useful, but the issue I'm having is slightly different…can you help me with that?"
In the face of your comments, though, what recommendations would you, or anyone else, have with regards to the topic of "innovation"? The bad guys do it…they innovate all the time. What about the good guys?
hey Az,
I'm critical of everyone, vets and newbies. Vets because they hang out and refuse to share what they know, they see questions or hear them at meetings and just go on their merry way.
Newbies because they ask "does FTK do this? Can you find this with ProDiscover? How do you convert a dd back to a disk?". Ok, if it is technically new, or something no one has seen before, or NOT a feature of a well DOCUMENTED package, ask away please. I'll go out of my way to research and test and find you an answer. But my golly, read your docs, read the help files, STUDY and test your tools before you try to use them.
That's all I'm asking, innovation in our methods, and how we share them.
> …innovation in our methods, and how we share them.
Okay, there you go!
I don't mind questions, not at all…I'm not an expert, and the Good Lord knows I've got questions of my own. However, I do know that I try to locate an answer first.
Anyway…any thoughts on how to innovate our methods and sharing?
I think one of the things faced, particularly with Windows systems, is that the information is out there…not in one place, not easily found, nor easily interpreted.
Given where we are now, how do we go about innovating or progressing in these areas?
Interesting thread.
There are already at least two wikis out there.
The latter is run by myself and Craig Wilson - I believe that the content of the second, forensicwiki.com, is of a much more technical nature than the first - but then I am biased :)