
Opinions on Linux Based Tools?

32 Posts
19 Users
0 Reactions
1,725 Views
(@douglasbrush)
Prominent Member
Joined: 16 years ago
Posts: 812
 

Just a thought. At HOPE this weekend one of the speakers brought up a good point that I have to start doing myself - speak their language. I think as infosec folks we have blinders on at times and have to do a better job of understanding business decisions and risk analysis the way other departments do.

A book that IMO has some nice ways to do this is
Techno Security's Guide to E-Discovery and Digital Forensics
http://www.amazon.com/Techno-Securitys-E-Discovery-Digital-Forensics/dp/159749223X

Chapter 6 in particular.

You have to sell your ideas - maybe it's the delivery and not just the message.


   
ReplyQuote
(@seanmcl)
Honorable Member
Joined: 19 years ago
Posts: 700
 

But I am also trying to educate at the same time…I am simply attempting to broaden their understanding of the field but thank you for the advice.

There is a reason why statements like "you can lead a horse to water but you can't make it drink" become aphorisms.

And I neither mean to discourage you nor to trivialize your frustration but look at your job description. It may not include educating your superiors.

Never assume that everyone in the workplace is interested in or capable of being innovative, or possesses curiosity. I have known more than one person who has been perfectly happy with what he or she knew, had a stable job with no chance of losing it, and took pride in the fact that they were an old dog uninterested in new tricks (there goes another one).

If I were you I'd let sleeping dogs lie and focus on what you can do to improve your situation. Part of the job is always getting along with your co-workers and superiors even when you are smarter, more educated or more curious than they so, "when in Rome…"


   
ReplyQuote
jekyll
(@jekyll)
Trusted Member
Joined: 17 years ago
Posts: 60
 

Funny discussion since most *nix based forensic tools have been developed out of some LE or government department somewhere.


   
ReplyQuote
mark.morgan47
(@mark-morgan47)
Active Member
Joined: 18 years ago
Posts: 5
 

I know this is a bit late, but I thought I would give you my two cents.

I am a contractor currently and a retired federal employee as well. In my experience with corporate America, they understand numbers and results. You not only have to educate them on the tools that you use, but you must show them that the tools do a better job and still maintain the forensic standard. In other words, they do not change data or alter evidence. So in order to go from Windows to Linux, my office had to conduct validation tests of all software to ensure they were forensically sound and did what they claimed. This might be tedious and a pain, but it provides two results. First, it educates you on what the tools are capable of, and that will go a long way in helping you when testifying; and it will educate your managers as well.

Hope this helps even if it is a little late.

Mark Morgan


   
ReplyQuote
(@patrick4n6)
Honorable Member
Joined: 16 years ago
Posts: 650
 

The big question though, Mark, is did your office do validation testing on all your Windows tools before this?

Anyone remember when EnCase used to offer to fly out an expert to testify if your use of it was challenged in court?


   
ReplyQuote
mark.morgan47
(@mark-morgan47)
Active Member
Joined: 18 years ago
Posts: 5
 

Yes, we did. The laboratory I was working in was ASCLAD certified, and validation is one of the requirements.

Mark


   
ReplyQuote
Welshie
(@welshie)
Eminent Member
Joined: 16 years ago
Posts: 21
 

I believe EnCase still offers to fly an expert to your courtroom.

Regarding Linux tools, what about simple things like "strings"… It depends how one wants to investigate, the approach / timeframe. Not positive if anyone has mentioned "foremost" yet…

Of course one could later "validate" the evidence findings with EnCase.


   
ReplyQuote
(@profcsuha)
New Member
Joined: 17 years ago
Posts: 1
 

1) What Linux distros do you use and how so? I use BackTrack frequently, but have also had success with Raptor and FCCU. Standard Ubuntu distributions can also be loaded with open source forensic tools.

2) What do you see as the future of these freeware Forensic applications?
Since the days of Knoppix-STD and the Penguin Sleuth Kit, forensic Linux distros and open source tools have gained in popularity. But of course, Windows based software is dominant and will remain so.

3) Have there been any cases you know of where the use of these systems has been applicable in court? (I realize Helix 3 Pro is used often, but others?) This sounds like an excellent research topic for students (thanks for this question). One area to start looking at: what government agencies are conducting forensic training with open source software? Answering this question may point you in the direction of case data. In short, however, open source tools have not received the same court scrutiny as proprietary tools. That is not to say, however, that these tools have not been successfully used in cases that did not make it to court.

Above all, remember, everything in this field is a situation. Avoid getting into a holy war between open source and proprietary software, and Linux vs. Windows for that matter. Each has its pros and cons depending on the situation. As a forensic examiner, you cannot let your personal preference impact on objective forensic examinations or the specific goals of any case.


   
ReplyQuote
azrael
(@azrael)
Honorable Member
Joined: 19 years ago
Posts: 656
 

Speaking of holy wars, might I suggest the following as good reading:

http://www.bcs.org/server.php?show=conWebDoc.36428

Important note, please read both the article and the first comment. The comment is important ( not to mention better written than the article )!


   
ReplyQuote
jaclaz
(@jaclaz)
Illustrious Member
Joined: 18 years ago
Posts: 5133
 

Speaking of holy wars, might I suggest the following as good reading:

http://www.bcs.org/server.php?show=conWebDoc.36428

Important note, please read both the article and the first comment. The comment is important ( not to mention better written than the article )!


The full version, including swearwords and witticisms edited from the original reply:
http://www.advogato.org/article/1044.html

jaclaz


   
ReplyQuote
Page 3 / 4