fatrabbit,
Do the major forensic software developers have a standard framework they follow for fully developing and testing their tools, not just testing that the source code does what's expected, but that they operate in a forensically sound way, don't taint the evidence etc.
In short, there is no such standard. They just use a normal development life cycle, and what you call "don't taint evidence" becomes just part of a requirement, maybe with a higher importance, but it is just a requirement that the software needs to fulfil, and therefore this requirement needs to be designed, developed and tested by the developer and passed on to the QA team to assure that it does what it is supposed to do.
What you get as the end product is fully dependent on the competence of the developer and the QA thoroughness (the best QA for me are forensic practitioners in the field using the product).
I am also interested in what you and Harlan said about scientific methods and market needs. In a sense it echoes the same sentiment raised by Brian Carrier in his article about open source and legal argument.
Personally, I would like to see the scientific method used to be fully documented and open to scrutiny by anyone who is interested. The market value of the tool, or its competitiveness, should be geared towards what it offers on top of that, i.e. presentation is the key.
While I greatly appreciate everyone's thoughts on this topic, this is something that's been discussed before…and we're no closer to a solution.
Harlan
Just out of curiosity, I was reading something a while back about using a FireWire iPod device to read the RAM via DMA. Would it be worth having a look into whether there is a USB device which is capable of the same, and being able to dump that to the device?
DarkNeon
Without knowing more for sure (i.e., you didn't provide a link) I went looking and found this
There isn't much to go on there, so it's hard to tell. Maybe if you could provide more information, that would be helpful.
Harlan
Whoops, sorry about no link, not used to using forums. That was the device which I was talking about, and I was wondering whether the same could be coded into a modified USB flash drive, or a USB PDA (PalmOne LifeDrive for example). A quick Google resulted in me coming to the conclusion that USB does have DMA access, but I wouldn't be too sure where to go from there, possibly code a C program and run Linux on the PDA to dump the memory. What do you think of that? If you think it might be a good idea, I'll see what else I can find and might have a go, though my PDA only has 512Mb storage space, and can't run Linux (Garux) unfortunately.
DarkNeon
At the risk of double posting something similar, I've just found this, which is sort of the idea which I was going for:
http//
That could possibly be modified to work, but it's just a thought.
D
DarkNeon
> …and run Linux on the PDA, to dump the memory.
Plug in a USB-connected device running Linux to a Windows box, and use that to retrieve memory via DMA? Hhhmmm…interesting approach.
Plugging the device into the system would require that it at least be recognized by the system, and therefore you'd have a footprint (i.e., some sort of artifacts) created on the system. At that point, why not simply run dd.exe to "image" memory?
Harlan
I was wondering (and I might email the person who did it with the FireWire iPod) whether it can just be recognised on the motherboard, but not by the OS. Could be difficult, but it could be worthwhile if it works? Because you could code something into the chip, or write a program that can image the memory, and it doesn't change the live system, it could be useful.
DarkNeon
> I was wondering (and I might email the person who did it with the FireWire
> iPod) whether it can just be recognised on the motherboard, but not by
> the OS.
Hhhhmmm…interesting question. I hope to see what you get back from the author of the presentation.
> Could be difficult, but it could be worthwhile if it works?
Most things that are difficult are usually worthwhile.
> Because you could code something into the chip, or write a program that
> can image the memory, and it doesn't change the live system, it could be
> useful.
Perhaps with the chip coding, but by definition, *any* program is going to change the live system. In order to use a program on a system, you have to introduce it to the system via some media, and then run it. The loader will load the program into memory…and you've altered the contents of physical memory at that point.
It seems to me that in many cases, there's really way too much focus on not altering a system in any way. By definition, a live, running system is changing all the time. If you can document and quantify the changes that you make to a system during live response, then that should be enough. After all, the cops don't kill a stabbing victim…the victim gets treated by medics and may even have only a scar by the time the trial occurs, and the cops are still able to convict the attacker.
Harlan
> Perhaps with the chip coding, but by definition, *any* program is going to change the live system.

I was actually meaning running a program on the acquisition device, say a C program on a PDA or other compatible device. Similar to the FireWire version.
Hmm, it might be worth a shot having a tinker with, though I have got exams to revise for in a few weeks lol. It might be something as well I could ask about and try at uni when I get there this September.
What did you think of the USB data recorder, if that could be modified to accept commands from an acquisition computer to read memory as is from the system?
DarkNeon