As a side note is this Msc by any chance done in De Montford?
Nope, Edinburgh Napier (just posted that in my last post, you might have missed it :P)
I'm just surprised courses like this can get away with this mentality.
I can be very critical of the 'push button' mentality: the operator must know what the tool is doing, and be able to verify the results.
Open Source is meant to give transparency - having spent many years looking at other programmers' code, this path is very overrated. Even good source code is very difficult to understand, and it is often the odd small tweak that can then kill everything, or produce an incorrect result. (I've spent 35 years programming, and written lots of unintentional features.)
I think a very good reason to use Encase, FTK etc is that they are industry standards. Hopefully one can explain what processes you used, and what results you got. Someone else knowing the software can reflect if it was the correct process or not.
If every user had their own tool kit of possibly very good tools, their knowledge becomes less shareable. I don't know if it is the case, but can it be harder to explain results in court if an unknown, but good tool is used?
From an employment side, even if one hates EnCase etc, knowing how to use it, and its limitations, must be an employment bonus.
Unfortunately, main stream programs cannot be ignored. A few years ago there was an attempt to sell PCs/laptops with Linux, rather than Windows. This I think largely failed.
As an instructor and someone who hires entry level forensic examiners, it's not just the open source vs commercial argument.
Educational licenses for products like EnCase, while discounted, are still not cheap. It also creates headaches in a lab environment: you need to make sure the network license/dongle is secured, EnCase requires admin rights (which is often not allowed), and if you create assignments for students, they need to be physically in the lab (with the software and the license) to work on them. It also does not work well with distance learning.
Personally… I don't think any forensic class should be tool/software specific. The classes should be teaching students about what kind of forensic artifacts exist, why they exist, what they mean, and how to recover and interpret them.
Having any push button tool (commercial or open source) only teaches someone how to process that specific artifact with that specific tool. Students need the knowledge of how things work and be able to use that knowledge when new artifacts and operating systems are updated.
As a side note is this Msc by any chance done in De Montford?
Haha.
Do many disk maps on A4 these days? ;)
I was thinking more about being taught Turnpike on an Internet course... that was from one of our guys this year! And no SQLite...
I once had a course professor argue that you can't trust EnCase because it doesn't show you its workings. He put forward that his own methods, written in Pascal and C, were the best because he wrote the code and so he knows what happens. But in reality he doesn't know what is happening, because he is still using a "black box" - his compiler.
That is not the same thing. When you're depending on a tool that someone else wrote, you are dependent on the documentation that they provide to understand what the tool is doing but you can't see how they parse things, what algorithms they use, how they interpret internal formats, etc. You can compare the output to other tools and run experiments with known data, but it's a black box.
When you write the code yourself, you know exactly what the program is doing. That's not to say it won't have bugs, that you won't do a terrible job, or that the libraries you use won't do something unexpected, but you have much more control than with an off-the-shelf tool. C is also a pretty low-level language, so there isn't a lot of abstraction between what you write and what the code turns into. Unless your threat model includes someone modifying the compiler to sabotage your forensic efforts, it's really a non-issue.
I'm not arguing against using off-the-shelf tools but comparing closed source tools to self-written tools that you have to compile/interpret is not a fair comparison.
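The two posts above disagree about how much one can trust a tool one did not write, but they agree on the remedy: run the tool against known data and check its output by hand. Below is an added example of that kind of check (editor's illustration, not code posted by anyone in this thread or shipped with EnCase/FTK): a 512-byte MBR sector is constructed with a known partition layout, parsed field by field straight from the raw bytes, and sanity-checked for overlaps and out-of-range partitions. The boot-code bytes, partition types and LBA values are made up for the example; a practitioner would point `parse_mbr` at sector 0 of a real image and compare the result with what the suite reports.

```python
"""Hand-parse an MBR partition table so a tool's report can be checked independently.

Added example, not from any post in the thread. The MBR built by
build_test_mbr() is constructed test data; the layout values are arbitrary.
"""
import hashlib
import struct

SECTOR_SIZE = 512
TABLE_OFFSET = 446            # partition table starts at byte 446
ENTRY_FMT = "<B3sB3sII"       # status, CHS start, type, CHS end, start LBA, sector count
ENTRY_SIZE = struct.calcsize(ENTRY_FMT)  # 16 bytes


def build_test_mbr(entries):
    """Construct a 512-byte MBR from (bootable, type, start_lba, sectors) tuples.

    Constructed test data: the boot code is a placeholder and CHS fields are zero,
    which is how LBA-only tools treat them anyway.
    """
    mbr = bytearray(SECTOR_SIZE)
    mbr[0:4] = b"\xEB\x3C\x90\x00"            # fake boot-code bytes
    for i, (bootable, ptype, start, count) in enumerate(entries):
        off = TABLE_OFFSET + ENTRY_SIZE * i
        status = 0x80 if bootable else 0x00
        mbr[off:off + ENTRY_SIZE] = struct.pack(
            ENTRY_FMT, status, b"\0\0\0", ptype, b"\0\0\0", start, count)
    mbr[510:512] = b"\x55\xAA"                # MBR signature
    return bytes(mbr)


def evidence_hash(sector):
    """SHA-256 of the bytes actually examined, so the check can be tied to a specific image."""
    return hashlib.sha256(sector).hexdigest()


def parse_mbr(sector):
    """Return the non-empty partition entries as dicts, read directly from the raw bytes."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError(f"expected {SECTOR_SIZE} bytes, got {len(sector)}")
    if sector[510:512] != b"\x55\xAA":
        raise ValueError("missing 0x55AA MBR signature")
    parts = []
    for i in range(4):
        off = TABLE_OFFSET + ENTRY_SIZE * i
        status, _chs_start, ptype, _chs_end, start, count = struct.unpack(
            ENTRY_FMT, sector[off:off + ENTRY_SIZE])
        if ptype == 0 and start == 0 and count == 0:
            continue                          # unused slot
        parts.append({
            "index": i,
            "bootable": status == 0x80,
            "type": ptype,
            "start_lba": start,
            "sectors": count,
            "end_lba": start + count - 1,
        })
    return parts


def check_layout(parts, total_sectors):
    """Sanity checks a reviewer would expect any tool to flag: overlaps and partitions past the image end."""
    problems = []
    ordered = sorted(parts, key=lambda p: p["start_lba"])
    for a, b in zip(ordered, ordered[1:]):
        if a["end_lba"] >= b["start_lba"]:
            problems.append(f"partition {a['index']} overlaps partition {b['index']}")
    for p in parts:
        if p["end_lba"] >= total_sectors:
            problems.append(f"partition {p['index']} extends past end of image")
    return problems


if __name__ == "__main__":
    # Constructed layout: a bootable NTFS-type partition followed by a Linux-type one.
    image = build_test_mbr([(True, 0x07, 2048, 204800), (False, 0x83, 206848, 409600)])
    print("sha256:", evidence_hash(image))
    for p in parse_mbr(image):
        print(f"#{p['index']} type=0x{p['type']:02X} boot={p['bootable']} "
              f"LBA {p['start_lba']}-{p['end_lba']} ({p['sectors']} sectors)")
    print("problems:", check_layout(parse_mbr(image), total_sectors=1_000_000))
```

The point is not that this replaces a suite; it is that the examiner can state in plain terms which bytes were read, how each field was decoded, and why the reported partition boundaries are or are not plausible, independently of whichever product produced the first answer.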
Haha! Amazing.
I can weigh in on this a little bit, as a college digital forensics instructor. I teach EnCase…I just left my EnCase class. We had a really fun, educational lab on remote acquisitions using EnCase. We also have FTK/UTK, Prodiscover, Autopsy, OS Forensics, etc in our curriculum. They are all great products, and sometimes it just comes down to personal preference. I also teach open source tools, and they are great, tried and true products as well. I also use the term "push button" forensics occasionally.
When I use that term, it is not to be arrogant or that the commercial tools are bad, linux tools are better blah blah. What the conversation includes is that you shouldn't be pushing the button in EnCase or FTK without having an understanding of what that tool is doing, forensically. It is equally important that the student be able to explain and verify what EnCase finds without using it. Ultimately, the goal is to produce a person that understands and is educated in digital forensics, not just someone trained to use a single digital forensics product. That person can use any tool.
Jason
Interesting thread. I can confirm that my MSc leader (2008-9) who shall remain nameless as he or she is still at the University definitely subscribed to the 'Open Source = better' model of digital forensic teaching, and naturally wouldn't countenance anything but Linux as a worthwhile OS.
I recall them referring to Microsoft as 'that Redmond lot', as if MS was just some fly-by-night little operation barely worth knowing about. That said, I thoroughly enjoyed learning (and arguing) with this particular Doctor and we are still in contact, even though I went to the dark side working for a commercial software provider (for shame!).
Personally… I don't think any forensic class should be tool/software specific. The classes should be teaching students about what kind of forensic artifacts exist, why they exist, what they mean, and how to recover and interpret them.
Having any push button tool (commercial or open source) only teaches someone how to process that specific artifact with that specific tool. Students need the knowledge of how things work and be able to use that knowledge when new artifacts and operating systems are updated.
I agree 100%.
IMO, if someone focuses their skills on learning a product instead of the actual concept, they will be dead in the water if the product goes away. I'm not saying people should not use product X, but for educational purposes - and in the long (professional) run - you should try to be as vendor neutral as possible. This is also why I prefer the SANS training over any vendor specific training.
Imagine investing in product X and basing your entire organisation on it, then realising that it is complete crap which does not solve even 20% of the job - what do you do then?