
Linux...what tools are missing?

13 Posts
7 Users
0 Reactions
1,306 Views
(@stumpy)
Eminent Member
Joined: 19 years ago
Posts: 23
Topic starter  

I find myself doing more and more of my forensic analysis in Linux. It seems to me that the forensic packages such as SMART, TSK etc. are a lot less prone to crashing than the Windows equivalents. My biggest frustration is the lack of tools to do specific tasks, which I suppose is down to Microsoft being reluctant to give the full specs of various file formats. I was just wondering what people feel are the "essential" tools missing from Linux forensics?
For me, the ability to reliably carve internet history (suitable for piping out into pasco) from unallocated space and a reliable tool for dealing with all versions of .dbx files are badly needed. What else?


keydet89
(@keydet89)
Famed Member
Joined: 21 years ago
Posts: 3568
 

My biggest frustration is the lack of tools to do specific tasks which I suppose is down to Microsoft being reluctant to give the full specs of various file formats.

Besides what you've mentioned, what else are you interested in? PyFlag provides a great deal of useful tools and functionality, and I've written Perl scripts that are easily ported to the Linux platform…

h


(@stumpy)
Eminent Member
Joined: 19 years ago
Posts: 23
Topic starter  

Besides what you've mentioned, what else are you interested in?

My preference would be to do all of my cases in Linux; the issues with .dbx files and carving internet history from unallocated are the main things I find myself switching over to a Windows platform for. I was wondering what other main issues people find themselves having to switch over to Windows for.

PyFlag provides a great deal of useful tools and functionality, and I've written Perl scripts that are easily ported to the Linux platform…

I have used PyFlag, but I need to spend more time understanding SQL databases and how to search them effectively to get the most out of it. My main issue with PyFlag is that it is not scriptable. That whole Unix and scripting ethos of taking a big task, breaking it down into simple components and doing those individually is one of the strengths of Linux (IMHO). On most child abuse investigations I do, I know that there are certain tasks that I will need to perform on each analysis (internet history, link files, virus scan, file carving from unallocated etc.). Obviously in Linux I can script these things out and let it run overnight if necessary. On the Windows side it tends to be a case of each process requiring user intervention to get to where you want to be. Do any of your Perl scripts deal specifically with the two main problems that I have (.dbx files and internet history in unallocated space)?


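The two requests above, carving internet history out of unallocated space in a form pasco can read, and doing it from a script that can run unattended, can be illustrated with a small signature carver. The following Python is an added example written for this page; it is not code from the thread, from pasco or from PyFlag. It scans a raw dump (for instance the unallocated blocks written out by TSK's blkls) for the header string every MSIE index.dat file begins with, reads the total-size field at header offset 0x1C and the hash-table offset at 0x20 (the same fields pasco reads), applies a few plausibility checks, and writes each candidate to its own file so it can be fed to pasco one at a time. The size bounds are assumptions to tune for your own images, the file and function names are mine, and the embedded sample dump is constructed test input. The carver treats each file as one contiguous run, so a fragmented index.dat will not be recovered by it.

```python
"""Signature carver for MSIE index.dat files in a raw unallocated-space dump."""
import mmap
import struct
import sys
from pathlib import Path

# Every index.dat starts with this string followed by a version ("4.7", "5.2", ...).
INDEX_DAT_MAGIC = b"Client UrlCache MMF Ver "
# Fixed header fields (little-endian u32) that pasco also reads.
SIZE_FIELD_OFF = 0x1C        # total file size
HASH_FIELD_OFF = 0x20        # offset of the first hash table
HEADER_MIN = 0x24            # bytes needed before both fields can be read
# Plausibility bounds for the size field (assumed; tune for your images).
MIN_SIZE = 0x1000
MAX_SIZE = 512 * 1024 * 1024


def carve_index_dat(blob, max_size=MAX_SIZE):
    """Return [(offset, size), ...] for every plausible index.dat in `blob`.

    `blob` may be bytes or a read-only mmap. A hit is reported only if the
    size field is within bounds, the hash table lies inside the file, and
    the whole file is present in the dump (contiguous files only).
    """
    hits = []
    pos = 0
    while True:
        pos = blob.find(INDEX_DAT_MAGIC, pos)
        if pos < 0:
            break
        if pos + HEADER_MIN <= len(blob):
            (size,) = struct.unpack_from("<I", blob, pos + SIZE_FIELD_OFF)
            (hash_off,) = struct.unpack_from("<I", blob, pos + HASH_FIELD_OFF)
            if MIN_SIZE <= size <= max_size and hash_off < size and pos + size <= len(blob):
                hits.append((pos, size))
                pos += size          # do not re-match inside the carved file
                continue
        pos += 1                     # false positive or truncated header: keep scanning
    return hits


def write_carved(blob, hits, out_dir):
    """Write each (offset, size) hit to out_dir/index_<offset>.dat; return the paths."""
    out_dir = Path(out_dir)
    out_dir.mkdir(parents=True, exist_ok=True)
    paths = []
    for off, size in hits:
        p = out_dir / f"index_{off:012x}.dat"
        p.write_bytes(blob[off:off + size])
        paths.append(p)
    return paths


def make_fake_index_dat(size, version=b"5.2", hash_off=0x80):
    """Constructed test input: a header-only index.dat of `size` bytes (no records)."""
    buf = bytearray(size)
    buf[0:len(INDEX_DAT_MAGIC)] = INDEX_DAT_MAGIC
    buf[len(INDEX_DAT_MAGIC):len(INDEX_DAT_MAGIC) + len(version)] = version
    struct.pack_into("<I", buf, SIZE_FIELD_OFF, size)
    struct.pack_into("<I", buf, HASH_FIELD_OFF, hash_off)
    return bytes(buf)


def build_sample_dump():
    """Constructed 'unallocated space': junk, one good file, junk, one bogus header."""
    filler = b"\xde\xad\xbe\xef" * 128            # 512 bytes of noise
    good = make_fake_index_dat(0x1000)              # should be carved at offset 512
    bogus = bytearray(make_fake_index_dat(0x200))   # same magic, absurd size field
    struct.pack_into("<I", bogus, SIZE_FIELD_OFF, 0xFFFFFFFF)
    return filler + good + b"\x00" * 64 + bytes(bogus) + filler


if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit("usage: carve_indexdat.py <unallocated.raw> <out_dir>")
    with open(sys.argv[1], "rb") as f, mmap.mmap(f.fileno(), 0, access=mmap.ACCESS_READ) as mm:
        for p in write_carved(mm, carve_index_dat(mm), sys.argv[2]):
            print(p)   # one path per line, e.g.: ... | xargs -n1 pasco
```

Run it as `python carve_indexdat.py unalloc.raw carved/ | xargs -n1 pasco` to get one pasco report per recovered history file; because it prints one path per line and exits without prompting, it drops straight into the kind of overnight batch script described above. Memory-mapping the dump keeps the scan cheap on multi-gigabyte images, and the `pos += size` skip after a good hit avoids re-matching signatures that happen to sit inside a carved file.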
(@adp77)
Active Member
Joined: 19 years ago
Posts: 12
 

Please excuse my lack of experience with the situation, but I was under the impression that the court systems frown upon analysis with Linux tools and that tools like EnCase or FTK are more respected.

Stumpy, you mention CP cases, which I assume head to some sort of trial, and you use Linux for examinations, so it looks like you haven't had this problem.

Could someone shed some light here? Again, my experience with forensics involves non-criminal cases, and any time we do stumble on criminal activity we turn the case over to law enforcement.


azrael
(@azrael)
Honorable Member
Joined: 19 years ago
Posts: 656
 

My main issue with PyFlag is that it is not scriptable.

That doesn't seem to be entirely true: http://www.pyflag.net/cgi-bin/moin.cgi/Utilities suggests that it is possible to call a lot of PyFlag functionality from the command line. (N.B. the pages listed in the wiki are only where documentation exists; there are, on a quick count, 26 Python apps in the Utilities subdirectory, including "indexer.py" and "simple_carver.py".)


(@bgrundy)
Trusted Member
Joined: 19 years ago
Posts: 70
 

Please excuse my lack of experience with the situation, but I was under the impression that the court systems frown upon analysis with Linux tools and that tools like EnCase or FTK are more respected.

I've always been curious about where this originates. Can someone (anyone) provide some insight into cases where this preference was established in court? In my experience, it does not exist. It seems to be propagated by an ignorant academic community passing this stuff off as fact to students, or simple FUD.

Stumpy, you mention CP cases, which I assume head to some sort of trial, and you use Linux for examinations, so it looks like you haven't had this problem.

I'm in federal LE, and we use Linux and other OSS tools on a daily basis. I know of a number of agencies that do the same. We test, we validate, and we cross verify. Which beats the heck out of someone using a "commonly accepted tool" and relying on the fact that "it's good 'cause everyone else uses it".

So, here's a question… Who HAS had a problem with OSS in court? Can we get a case cite, please?


azrael
(@azrael)
Honorable Member
Joined: 19 years ago
Posts: 656
 

It seems to be propagated by an ignorant academic community passing this stuff off as fact to students, or simple FUD.

… or a stunning marketing campaign from a commercial software developer …


(@bithead)
Noble Member
Joined: 20 years ago
Posts: 1206
 

So, here's a question… Who HAS had a problem with OSS in court? Can we get a case cite, please?

The only "problem" I ever have with OSS tools is explaining what they are and what they do. EnCase has the advantage of name recognition. However, this is really no different from qualifying myself. The first time you appear before the Court you have to qualify yourself; subsequent appearances need not as lengthy a qualification explanation. Same with tools. When I first used FTK, maybe 5 years ago, both judges and attorneys were only familiar with EnCase, so FTK took some explaining. Same thing on the first case with ProDiscover. Same thing the first time I used one of Harlan's tools. I am sure that in more progressive courts there is more familiarity with different tools. Out here in the sticks we have a couple of very progressive judges that are very receptive and some that are not so. However, none have shot down a tool just because it does not have a big name. Just takes more splainin' sometimes.


(@bgrundy)
Trusted Member
Joined: 19 years ago
Posts: 70
 

<snip>
Just takes more splainin' sometimes.

Well said, and exactly my point. That's why we validate and cross verify. I would postulate that a good, well-prepared examiner would have no problem using most any tool to accomplish what was needed, as long as due diligence is followed and steps are documented. Pretty basic stuff.


steve862
(@steve862)
Estimable Member
Joined: 19 years ago
Posts: 194
 

Hi,

Just in answer to Barry's question about whether anyone has encountered problems using Linux and other open source tools for criminal cases.

We frequently use open source tools and wouldn't do so if we believed their suitability were to be called into question.

Essentially it shouldn't matter what analysis tools I use, as long as I come to the right conclusion and someone else using (possibly) different tools would come to the same conclusion.

As Barry says, as long as we verify that the tools are working correctly and document what we are doing, then we shouldn't have a problem.

Just my two pence worth.

Steve


Page 1 / 2