I have just offered/shared a free tool - clearly that doesn't count?
No one took that away from you, Paul. I had asked if the tool addresses updates to Windows 8 Prefetch files, and you responded with, "…I have an idea from reading a few blogs…"; however, you seemed rather reticent to discuss what you'd seen or read in those blogs.
If/when I do my research I may post if I find something new, if I don't I won't. I can't post anything prior to that because as I said above I haven't done the work - struggling to see why you think this makes me reticent to post.
Yes, everyone gets that. I was hoping to raise awareness of new artifacts, as well as the fact that when someone comes to a site such as this to ask questions about Windows systems, the version of Windows that they're addressing is critically important.
You'll have to excuse me for going off-topic from this thread, but it really illustrates to me one of the biggest short-comings of the DFIR "community" is that it's anything but a community.
Don't get me wrong…I completely support anyone who wants to write a tool and release it for others to use…I'm all about that. But to do so in complete isolation from the rest of the community…that's what's missing. When someone like you, Paul, releases a tool, the vast majority of those who come and download that tool (most won't ever actually use it) will think that because you wrote it, it's complete, and there's no reason to look any further to understand exactly what they're doing.
We need to start acting like a "community", even if it means that the only contribution we make is to ask a question. Why is that important? So that we can start to see trends and needs of the community as a whole.
To chastise Paul for not doing forensic research for you is the height of silliness. Paul has released a tool, he stated that he will do research when he has time, that he'll update that tool at a time of his choosing - plain and simple. Your comments could be read as if just because someone has done some research, that they must take their time to answer any question that you have on the topic they investigated. These forums are for the sharing of knowledge - yes, but it is not a requirement that just because you ask a question that someone answer it. You are being overly hard on an individual that wrote a piece of software and then freely shared it with the forensics community for them to use if they desire. There is no requirement for you to use his software, nor is there any requirement that he do your research for you on Windows 8 Prefetch files, but here -
Harlan - you are completely missing the point. I haven't done any new research so I have nothing to share. I can't be reticent about sharing something that I haven't got to share.
Agree with what you say re communities - but I have shared a hell of a lot over the years and even have a certificate from HTCC staring at me from the office wall in appreciation of the help I have given to people on there, so possibly I am a misplaced target for your ire.
At the end of the day though I am happy with what I have put into the community so I'll leave discussions of sharing at that and get back to doing some work.
To chastise Paul for not doing forensic research for you is the height of silliness.
I wasn't chastising Paul for anything other than simply keeping himself isolated within the community.
Also, I wasn't asking him to do anything for me…I've already written my own tool to parse Windows 8/8.1 Prefetch files and put all of the available time stamps into a timeline.
Paul,
Harlan - you are completely missing the point. I haven't done any new research so I have nothing to share. I can't be reticent about sharing something that I haven't got to share.
I don't think I'm missing the point at all.
I'm not chastising you for anything…particularly not sharing. I commend you for making your tools available.
What I am saying is that information has been available on the Internet for some time now regarding new information available in Windows 8 Prefetch files.
I find it unfortunate that you choose to keep yourself isolated in the manner that you do. There are too many smart people such as yourself, that if you were willing to work together, correspond, and engage, greater things might be available to the community.
I am losing the will to live here.
I have seen a little information on a freely available blog about Windows 8 prefetch files and I am being accused of keeping myself isolated by not sharing what I know at the moment - but I don't know anything that isn't already in the public domain because I haven't had time to do any research.
I am not having a discussion about Windows 8 prefetch files because - err I am not going to repeat myself - oh OK I will just to make it clear, I haven't looked at them yet.
When I do do some research and I can talk with a bit of knowledge as to what the changes are then that would be the time to engage. Or I could just withdraw into the hole that you think I live in and keep myself to myself (the latter seems a more attractive idea every time I look at this thread).
For someone who tries to get people to engage you sure have a way of rubbing them up the wrong way.
I'm sorry you view things that way, Paul. I'm not accusing anyone of anything…if anything, I'm simply lamenting an observation with respect to the community as a whole.
I commend you for releasing/sharing the tool you've written, and I completely understand that you've written it to meet your own needs.
I seem to be unable to clearly express myself in an environment where every comment seems to be internalized and taken personally.
I seem to be unable to clearly express myself in an environment where every comment seems to be internalized and taken personally.
The quotes below sort of make me take things personally - they were directed at me by you after all.
But what an answer. Eesh. I have to wonder if everyone's as reticent to share as this…
however, you seemed rather reticent to discuss what you'd seen or read in those blogs
I wasn't chastising Paul for anything other than simply keeping himself isolated within the community.
I find it unfortunate that you choose to keep yourself isolated in the manner that you do.
Enough of this now - it's not going anywhere, I'm off to bed.
Paul,
Thank you very much for all you've done over the years. It is very much appreciated.
-David
I think the forensics world is far keener to share than the data recovery world.
My theory for this is many forensic practitioners are LE, while data recovery is commercial. For the commercial side making money is important, and being able to do something new can be valuable.
IMO Paul is happy to share info - but also needs to make money. Back him up.