I think the key here is the word INNOVATION. There is a big difference between advances in current technology, software, hardware and methods and innovation. Innovation is the discovery of NEW and unimagined instances of the above.
I love wikis, and use them regularly, but that's looking for an answer that already exists within the current framework of tools.
And innovation doesn't come from just discovering the abilities of your tools, but that is a very important first step for any examiner. In fact, it's scary to think people are taking the stand and wouldn't be able to address simple questions about HOW their tools work beneath the GUI.
Harlan is looking, I believe, for new creations of methodology and tools. Like ssdeep. Yes, the bad guys have already pirated away VISTA and will be releasing their compromises as soon as there is an installed base for them to attack.
A good start would be for all major software mfgs to make available to the TRUE CF and IR community copies of their upcoming issuances, and perhaps even to hold and financially support workshops to get us ahead of the curve for once.
It would benefit all concerned.
deckard,
Great post. Let me say, though, that what I'm looking for is anything new and different from what we currently do. Advances in technology pose a huge issue as the good guys fail to keep up…the gap is widening. You're right about Vista, the bad guys are already digging into it, and we don't seem to have many folks on this side of the fence who are doing something similar…at least, if they are, they aren't telling anyone.
> A good start would be…
Yes, it would be, but what I'm talking about here is reality, not wishful thinking. Yeah, having MS cough up stuff would be great, but hey, it ain't gonna happen, not without a subpoena. So let's deal in reality.
P2P applications abound, and are part of investigations all the time…I see it on the LEO lists. The thing is, there is no central repository for P2P information. So each time a new LE gets a case, she has to ask, and may potentially miss things. Valuable info like where do the upload/downloads go by default, what Registry keys are created, what's the default path for installation (and where along the way are you allowed to make choices), etc.
There are other things, as well…like artifacts from exploits.
I agree with the early statement that there needs to be innovation in training and communications, basically developing and sharing knowledge. As I've said, the bad guys do it, and do it efficiently. The difference is that they have a motivation for doing so…money. There's none of that on the other side of the fence.
> There's none of that on the other side of the fence.
Okay, I take that last part back…b/c that's what holds us back.
There *is* money on this side of the fence, and it's called "competitive advantage".
Here's what we're up against…bad guy develops a 0-day vulnerability, infects thousands of systems, and then has (a) personal info that he can extract and sell, and (b) zombies available for spamming, DDoS, etc. So, there's a financial motivation there…potentially a great deal.
For the good guys, there isn't that sort of motivation…not a material one, and therefore, no business case for dedicating resources to it. Unless the research is done and held as a competitive advantage.
I think that's where the difference is…the bad guys innovate and share b/c it makes them money. The good guys don't share, b/c it makes them money.
money…. nuff said
This could be a case of history repeating itself. It took a World War and the desire to end it to really kick off nuclear research and the widespread sharing of ideas and methods.
It's probably going to take a terrorist or major financial hit from the bad guys to get serious attention to IR and CF.
If you can't show positive growth to the bottom line, it's hard to get corporate backing for anything, much less IT expenditures, especially IR and CF.
This has been a good thread. Maybe we need to break it up into mini threads about the different issues we see in IR and CF and get deeper into the individual challenges. We could have our own think tank here <G>
How many people entered the DC3 challenge? They are specifically looking for innovative methods and tools.
Deckard, define the TRUE CF and IR community for me please, because that sounds awfully exclusive and elitist to me.
As far as sharing our methods openly... how many people do that? Almost none. Why is that?
Is it because the methods used don't follow best practices? Are the companies/agencies embarrassed that there might be a flaw? Is it a state secret? Is it because there is no channel for these communications to take place? If we are truly a "science", shouldn't these things be shared?
As a "science" methods should be published in journals for peer review and to be (in)validated by other scientists. Granted a few journals have popped up but how many people can afford them?
Why is the LE and gov side of forensics kept from the corporate/edu side of the world except under crisis situations? How much information sharing takes place? Infragard is a bit of a lame duck in terms of sharing information. We as digital forensic scientists/investigators all claim that "I could tell you, but then I'd have to kill you" because of the sensitive nature of our field. How then are we supposed to talk to one another openly when the very nature of our industry is based on a "need to know" policy? When was the last time you were able to have a conversation with another practitioner about an incident or investigation in which you didn't have to choose your words carefully?
The communication practices in information security and the subset of forensics and incident response are abysmal at best. To have innovation in our communication methods we need to subvert the core of our industry and I just don't see that happening any time soon.
Now for some ideas…
How about some agencies and corporations open their incident response teams to other incident response teams, i.e. let a visitor come spend a week with your team to work with you, learn your methods, etc. How about forensics labs open themselves to others? How about the federal and local governments offer method reviews for companies and educational institutions, so that the methods can be reviewed to be in accordance with the law? How about an increase in shadow programs and forensic internships (not just for students)?
Honestly, we all need to stop staring at each other from across the table as if we are waiting for the other person to say something.
> As far as sharing our methods openly... how many people do that? Almost none.
I do, when I can. I know others…Jesse Kornblum. Andreas Schuster. Others.
> Why is that?
Most folks seem to follow the "observe and imitate" path…nothing wrong with that, considering the amount of work that needs to be done.
However, I think that the reasons why there isn't a great deal of sharing are
1. Some folks don't want others to know that they're in a position of responsibility and don't know something.
2. LEOs in particular don't post (unless it's to exclusive lists that aren't archived or cached) b/c they don't want a defense attorney coming back and saying "you posted this question b/c you didn't know the answer" at trial.
3. Competitive advantage.
With the rest of your post, I have the same questions you do, but from the LE/govvie side of things, I still feel that it's largely due to an embarrassment factor. I don't say that b/c I want to get someone riled up enough to talk…I'm not goading anyone. I'm simply saying that from presentations I've seen and folks I've talked to, they just don't seem to be up to snuff on much beyond the basics that they've been taught…and that's limited by training budgets, time, etc.
I agree that communication is key…but I also don't think that you're going to get agencies to open up their IR teams…fiefdoms and rice bowls are the order of the day. And again, from personal experience…embarrassment.
I think this is good stuff, and I don't want this thread to end on that note. How about this…rather than saying "someone else should…", why don't we start sharing on our own? How many posts right here in FF do you see every week that put stuff out there…here's an issue, here's how I solved it, or here's what I found? How many times do you see someone post, "hey, I ran into a sticky wicket, so I ran these tests with these tools, and here's what I found."
There's no way that we're going to get MS to open up on file formats. There's no way we're going to get our wish list of having LEOs joyfully sharing with non-LEOs on a regular basis... not anytime soon. However, *we*, as members of the community, can do this. I'm more than willing to post things (and I have) and answer questions or get critiqued.
So…rather than saying "they should", I'm saying "we should".
Hogfly,
By true CF and IR community I mean those actually doing work, research, and development in those areas.
CF/IR seems to be THAT area that has been chosen to be the next BIG THING in the IT world; just look at the number of posts claiming this university or this college or school is adding CF majors or studies. I have been approached by three different colleges in the last two months to either instruct in class or online. One college is preparing an MS in CF and Fraud Examination, and they don't even offer a BS in any IT field. They are targeting Accounting BS students. One of their prereqs for admission is an A+ cert. But I wasn't narrowing the focus, BUT part of good communication is only trying to communicate to, and framing the communication for, the parties that use and need it most.
It's hard to communicate to audiences with a wide range of technical ability, so yes, in a way you do have to narrow the field and exclude some to be effective. And that's part of the problem: open forums gain an audience of WIDE abilities. Heck, one of the problems with Forensic Forums is that sometimes it's the bad guys asking the questions just so they can find out how WE work. How many questions do you see with a response of "ask your instructor", "school must be in", or along the lines of "you must be trying to find out what the cops have on you"? We all must be on guard. It's a fine line that I'm not sure how to draw, and it's going to take a combination of all of us coming together somehow to build each other's barns.
deckard,
> I have been approached…
Dude, how do you get that kind of gig? I've approached different schools and been told by them, 'uh…we'll be in touch', only to never hear from them.
Well, you know... I'm ugly and my momma dresses me funny, so I get a lot of attention.
Actually, one school has me looking for some people who would be willing to conduct some online master's courses; should take between 3-4 hours a week, no classroom ever.