MSc Forensics Controversy

37 Posts
21 Users
0 Reactions
4,744 Views
pbobby
(@pbobby)
Estimable Member
Joined: 16 years ago
Posts: 239
 

There isn't a person on these forums who doesn't use tools (open or commercial).

And some of these people have been quite vocal about the push-button analyst versus the manual-deconstruct-the-artifact type of analyst.

Silly people…. including your professor.


(@trewmte)
Noble Member
Joined: 19 years ago
Posts: 1877
 

There isn't a person on these forums who doesn't use tools (open or commercial).

And some of these people have been quite vocal about the push-button analyst versus the manual-deconstruct-the-artifact type of analyst.

Silly people…. including your professor.

I recall the term push-button forensics related to purchasing a piece of kit and simply accepting that the tool was and is responsible for acquiring the evidence without fault, and if the output was faulty then it's the tool's fault… the human being operating the tool had nothing to do with the evidence or explaining why the tool was inaccurate.

Alternatively, if we move to titles for human intervention: you could also take away any extreme views on automated-v-manual human intervention and say that there might be two options to define an analyst:

1) at one end of the scale, the analyst who, having pressed a button, only looks at the output and leaves the tool to entirely decide on verification, validation, accuracy and so on

2) at the other end of the scale, the analyst who not only pushed the button but also considers the output data, knows what the tool is doing and why, and can independently manually check to verify, to validate, data accuracy and so on.


(@thegrandmadness)
Active Member
Joined: 14 years ago
Posts: 11
 

It's interesting that De Montfort comes up so regularly in this discussion. I studied for my MSc there a few years ago and while there were definitely a few lecturers who were very pro open source or pro Linux, it wasn't exclusive across the whole faculty. Lab work included lots of work with EnCase but was also supplemented with a range of open source tools and hand-crank methods at the command line in Linux. Never had an issue with it myself as, like you say, the best people will take a look at the whole landscape and make their own decisions as to which tool or method suits both the situation and the examiner best.

As an interesting side note on this, my dissertation at DMU was an in-depth look at software testing and measuring techniques across open source and proprietary tools, and for this they did purchase additional proprietary software specifically for me to use as part of my project.

Final note: EnCase is a great and powerful tool and there's a reason so many in the industry gravitate to it (same with XRY, same with NetAnalysis, etc. etc.), but at the same time there are a host of very effective open source tools that get exactly the same results and, for me, can sometimes be more fun. Using Pasco to parse out the data from an index.dat file is sometimes more rewarding than the two clicks it would take in NetAnalysis to get the same (albeit better presented) results. On occasion as well, you might not have access to proprietary software, so open source can be incredibly valuable in those situations.

Great discussion though, really enjoying reading everyone's opinions.


(@trewmte)
Noble Member
Joined: 19 years ago
Posts: 1877
 

Great discussion though, really enjoying reading everyone's opinions.

Well said ajcove.

You're right, this is an interesting discussion because it does not end with a winner or loser, just great insight. We can all learn something from each other.

I hope more people who have, as yet, remained silent will respond.


benfindlay
(@benfindlay)
Estimable Member
Joined: 16 years ago
Posts: 142
 

As a side note, is this MSc by any chance done at De Montfort?

Haha.

Do many disk maps on A4 these days? wink

I was thinking more about being taught Turnpike on an Internet course…. that was from one of our guys this year! And no SQLite…..

I attended both the Advanced and Internet courses myself at DMU this year, and found them to be excellent courses. For the record, Turnpike was one program of several which was highlighted, and the investigative methodologies which were taught were directly transferable to other applications. I also studied SQLite in significant depth, so I'm not sure where you are getting the information that there is no SQLite covered. Maybe your colleague slept through the 2 whole days spent on it! wink

As for the issue of disc maps; this again is a skill which is still most definitely relevant. Whilst I admit that I wouldn't do it on A4 paper, having been taught it this way enables me to confidently and easily check disc layouts in ANY forensic program I care to use.

I also can't say that I noticed any bias towards open source tools. I left with the definite impression that they recommend using any tool which gets the job done, but definitely favour the tools which give you low-level access to the data you are examining. And again, for the record, I couldn't agree with them more.


jhup
(@jhup)
Noble Member
Joined: 16 years ago
Posts: 1442
 

There is an interesting dichotomy that I have experienced. Most of the academics and those in the legal field only acknowledge commercial products. They are convinced that F/OSS is the devil reincarnate. They are convinced it is a step away from malware. I believe most have this position because vendors have sold them this implicitly (sort of like Microsoft attempted to do to Linux early on).

The ones who use F/OSS are the younger students of mine and tend to be vehemently anti-commercial for some reason.

Go figure. I just look at it like various types of pliers. Sometimes I need a needle-nose, a high-leverage, slip joint, locking, or even a combination plier. Sometimes I cannot find the right one, and just use whatever is handy.


Chris_Ed
(@chris_ed)
Reputable Member
Joined: 16 years ago
Posts: 314
 

I attended both the Advanced and Internet courses myself at DMU this year, and found them to be excellent courses. For the record, Turnpike was one program of several which was highlighted, and the investigative methodologies which were taught were directly transferable to other applications. I also studied SQLite in significant depth, so I'm not sure where you are getting the information that there is no SQLite covered. Maybe your colleague slept through the 2 whole days spent on it! wink

That's good to hear, although I talked to a guy in person last week who said the same regarding the Internet course (regarding the lack of SQLite). So maybe they're still developing the material, in which case *big thumbs up*.

As for the issue of disc maps; this again is a skill which is still most definitely relevant. Whilst I admit that I wouldn't do it on A4 paper, having been taught it this way enables me to confidently and easily check disc layouts in ANY forensic program I care to use.

While I absolutely agree that learning about how MBRs are structured is an important (potentially critical) skill, I don't agree that manually drawing a disk map is relevant. In the foundation course it was always held in unusually high regard (if I recall, it was always on the final exam and held a significant chunk of the final marks).
I guess I see it in the same way as scientists see the periodic table of elements; yes, you must be aware of how it functions and what it is for, and yes, it is the foundation of a percentage of what we do, but do I need to know it off by heart?


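As an added illustration of the disk-map skill under discussion (example code, not course material or any forensic tool's output): parsing the four MBR partition entries and laying the disk out in LBA order, with the overlap check a hand-drawn map is meant to catch. The 512-byte sector, partition types and sector counts are constructed for the example.

```python
"""Parse the four MBR partition entries and lay them out as a disk map.
Added illustration for the disk-map discussion above, not course material or
any tool's output; the 512-byte sector is constructed by hand below."""
import struct

SECTOR = 512
ENTRY_FMT = "<B3xB3xII"  # status, (CHS start), type, (CHS end), start LBA, sector count

def parse_mbr(sector: bytes) -> list:
    """Return the non-empty partition entries with their LBA ranges."""
    if len(sector) != SECTOR or sector[510:512] != b"\x55\xAA":
        raise ValueError("not an MBR: bad length or missing 0x55AA signature")
    entries = []
    for i in range(4):
        off = 446 + 16 * i
        status, ptype, start, count = struct.unpack(ENTRY_FMT, sector[off:off + 16])
        if ptype == 0:
            continue  # unused slot
        entries.append({"index": i, "bootable": status == 0x80, "type": ptype,
                        "start_lba": start, "end_lba": start + count - 1})
    return entries

def disk_map(entries: list, total_sectors: int) -> list:
    """Walk the disk in LBA order; report partitions, the gaps between them,
    and refuse overlapping entries (the kind of error a hand-drawn map exposes)."""
    regions, cursor = [], 0
    for e in sorted(entries, key=lambda e: e["start_lba"]):
        if e["start_lba"] < cursor:
            raise ValueError(f"partition {e['index']} overlaps the previous region")
        if e["start_lba"] > cursor:
            regions.append(("unallocated", cursor, e["start_lba"] - 1))
        regions.append((f"partition {e['index']} type 0x{e['type']:02X}",
                        e["start_lba"], e["end_lba"]))
        cursor = e["end_lba"] + 1
    if cursor < total_sectors:
        regions.append(("unallocated", cursor, total_sectors - 1))
    return regions

def build_sample_mbr() -> bytes:
    """Constructed sample: bootable NTFS (0x07) at LBA 2048, a gap, then Linux (0x83)."""
    sector = bytearray(SECTOR)
    sector[446:462] = struct.pack(ENTRY_FMT, 0x80, 0x07, 2048, 204800)
    sector[462:478] = struct.pack(ENTRY_FMT, 0x00, 0x83, 208896, 102400)
    sector[510:512] = b"\x55\xAA"
    return bytes(sector)

if __name__ == "__main__":
    for name, first, last in disk_map(parse_mbr(build_sample_mbr()), 400000):
        print(f"{name:<24} LBA {first:>8} - {last:>8}")
```

Pointing `parse_mbr` at the first 512 bytes of a real image gives a map to compare against whatever a GUI tool reports.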
benfindlay
(@benfindlay)
Estimable Member
Joined: 16 years ago
Posts: 142
 

That's good to hear, although I talked to a guy in person last week who said the same regarding the Internet course (regarding the lack of SQLite). So maybe they're still developing the material, in which case *big thumbs up*.

I've just checked my course manuals: the SQLite material is covered in the Advanced course, and not the Internet one. I do recall discussions at the end of both courses regarding the respective courses' content. The Internet course is simply too full of other relevant material for SQLite to be included there (network topology, browser forensics, numerous email programs, RDP, to name some). The Advanced course is similarly brimming with relevant material, to the point where they may need to consider delivering a second Advanced course or some other additional course.

Also, since SQLite is not restricted to Internet applications, and given the manner and context in which they teach SQLite, I would suggest it is most definitely better placed in the Advanced course.

While I absolutely agree that learning about how MBRs are structured is an important (potentially critical) skill, I don't agree that manually drawing a disk map is relevant. In the foundation course it was always held in unusually high regard (if I recall, it was always on the final exam and held a significant chunk of the final marks).
I guess I see it in the same way as scientists see the periodic table of elements; yes, you must be aware of how it functions and what it is for, and yes, it is the foundation of a percentage of what we do, but do I need to know it off by heart?

I certainly wouldn't suggest being able to do it "off by heart"; I would always refer to guidance to jog my memory for something "potentially critical", as you put it. Nor do I think it necessarily needs to be drawn manually. However, the fact is that the method taught on the foundations course is easy to achieve in a classroom environment, without requiring any specialist resources to deliver the training, and it is effective.


minime2k9
(@minime2k9)
Honorable Member
Joined: 14 years ago
Posts: 481
 

I've just checked my course manuals: the SQLite material is covered in the Advanced course, and not the Internet one. I do recall discussions at the end of both courses regarding the respective courses' content. The Internet course is simply too full of other relevant material for SQLite to be included there (network topology, browser forensics, numerous email programs, RDP, to name some). The Advanced course is similarly brimming with relevant material, to the point where they may need to consider delivering a second Advanced course or some other additional course.

Interesting, which browsers did you do forensics for? AFAIK, of the 'big 3' browsers, both Firefox and Chrome store their history in a SQLite file, as do other browsers such as Safari. I know you can do some other work around the cache etc., but how do you recover the Internet history without using SQLite?
Obviously the other big one is Internet Explorer, which I'm guessing you covered, but probably covered index.dat files, which haven't been used in that browser since IE 10 in 2011.
Honestly, IMHO I cannot imagine how an Internet forensics course can be run without at least some coverage of SQLite.

There isn't a person on these forums who doesn't use tools (open or commercial).

And some of these people have been quite vocal about the push-button analyst versus the manual-deconstruct-the-artifact type of analyst.

Silly people…. including your professor.

Believe me, I certainly don't advocate doing all investigations manually to recover everything using only a hex editor and a lot of reference material, but I just believe that at a University level they should be teaching the underlying principles of how the tools work and how you could manually verify the results of such tools.
Using something like Internet Evidence Finder or any other "mainstream" forensics tool is a great way of getting back lots of artifacts very quickly, but you still need the underlying knowledge if you are going to use it in evidence, and that's what they should be teaching at a University.


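An added example (not from the course or any vendor tool) of the manually verifiable method the post above calls for: reading Chrome's and Firefox's history directly from their SQLite tables and decoding each browser's own timestamp epoch. The table and column names are the ones those browsers use for history, trimmed to the columns read here; the rows and URLs are constructed so the example runs offline.

```python
"""Read browser history straight from the SQLite tables Chrome and Firefox
write, decoding each browser's own timestamp epoch to UTC.
Added example for the discussion above, not from any course or vendor tool;
both databases are built in memory with constructed rows, schemas trimmed."""
import sqlite3
from datetime import datetime, timedelta, timezone

WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)  # Chrome History: urls.last_visit_time
UNIX_EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)    # Firefox places.sqlite: moz_places.last_visit_date

def webkit_to_utc(us: int) -> datetime:
    """Chrome: microseconds since 1601-01-01 UTC (the Windows FILETIME epoch)."""
    return WEBKIT_EPOCH + timedelta(microseconds=us)

def prtime_to_utc(us: int) -> datetime:
    """Firefox: microseconds since 1970-01-01 UTC."""
    return UNIX_EPOCH + timedelta(microseconds=us)

def chrome_history(conn: sqlite3.Connection) -> list:
    """(url, title, visit_count, last visit as UTC datetime) for each Chrome urls row."""
    rows = conn.execute("SELECT url, title, visit_count, last_visit_time FROM urls")
    return [(u, t, n, webkit_to_utc(ts)) for u, t, n, ts in rows]

def firefox_history(conn: sqlite3.Connection) -> list:
    """Same shape for Firefox; moz_places rows that were never visited carry NULL."""
    rows = conn.execute("SELECT url, title, visit_count, last_visit_date "
                        "FROM moz_places WHERE last_visit_date IS NOT NULL")
    return [(u, t, n, prtime_to_utc(ts)) for u, t, n, ts in rows]

def build_sample_dbs():
    """Constructed Chrome and Firefox databases recording one visit at the same instant."""
    chrome = sqlite3.connect(":memory:")
    chrome.execute("CREATE TABLE urls (id INTEGER PRIMARY KEY, url TEXT, title TEXT, "
                   "visit_count INTEGER, last_visit_time INTEGER)")
    chrome.execute("INSERT INTO urls VALUES (1, 'https://example.test/page', 'Example', 3, 13077590400000000)")
    firefox = sqlite3.connect(":memory:")
    firefox.execute("CREATE TABLE moz_places (id INTEGER PRIMARY KEY, url TEXT, title TEXT, "
                    "visit_count INTEGER, last_visit_date INTEGER)")
    firefox.execute("INSERT INTO moz_places VALUES (1, 'https://example.test/page', 'Example', 1, 1433116800000000)")
    firefox.execute("INSERT INTO moz_places VALUES (2, 'https://example.test/saved', 'Never visited', 0, NULL)")
    return chrome, firefox

if __name__ == "__main__":
    chrome, firefox = build_sample_dbs()
    for browser, rows in (("Chrome", chrome_history(chrome)), ("Firefox", firefox_history(firefox))):
        for url, title, count, when in rows:
            print(f"{browser:<8} {when.isoformat()} x{count} {url} ({title})")
    # Decoding a Chrome value with the Firefox epoch lands centuries in the future:
    print("wrong epoch:", prtime_to_utc(13077590400000000).date())
```

The last line is the check worth keeping in mind when a tool's timeline looks plausible but wrong: the two browsers store the same instant as very different integers.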
(@bithead)
Noble Member
Joined: 20 years ago
Posts: 1206
 

Honestly IMHO I cannot imagine how an Internet forensics course can be run without at least some coverage of SQLite.

Because the courses are not updated to keep pace with the current state of forensics.

Many programs are still trying to get by with the "free" version of FTK 1.7, or telling students that only open source or free programs are the "real" way to learn forensics.

Schools are happy to take money from students with a promise of high placements upon completion of the program, but that is simply not the case anymore. I think some of these programs should be investigated for their claims and promises. If the program is not keeping up, it is doing a disservice to the students.


Page 3 / 4