Much of this argument about closed forum or open forum is self-defeating.
If people want a closed forum - why did they come to an open forum in the first place?
If people think they are contributing to the knowledge of the bandits, why on earth are they contributing (and have previously contributed) in an open forum in the first place?
The truth of the matter is most are in open forum to learn something or hopefully someone posts a signpost as to where to go and find out about something. Others are in the open forum promotiing themsleves, their services or products. Put another way, if they hadn't gone into the open forum market, it is possible no one would have heard about them at all.
There are closed forums for forensics and I find some most useful and some of them are very interesting. Other closed forums I have found can be cleeky (our gang against you) and run little sniggering groups. With adults, who have that life problem, it is a worry that they are even permitted to touch evidence in the first place. I would be more concerned about those people and what they are doing to the evidence than I would the bandits. So not all closed forum do produce what they say they do. In an open forum like FF, I have found people conduct themselves with better behaviour because they are on open show.
Probably time I chipped in here.
Getting quickly to the point, I don't plan to open a restricted forum. Main reasons as follows
- I don't have the resources (mainly time) to do any effective vetting
- We've had one before, it wasn't particularly popular or useful
- The "dangers" of open discussion are mostly mitigated by using common sense
- It tends to go against the general ethos of the site (more below)
I need to state clearly that I'm not against restricted access forums in principle - in fact, quite the opposite. Those calling for a restricted section are making a perfectly valid request. For mainly practical reasons, though, it's not a direction Forensic Focus is going to move in. I'm aware that this means there will be discussions which just can't take place here but I believe there are enough alternative channels for people to use when something sensitive crops up.
There is always a danger, of course, that knowledge might be passed on to those with the worst of intentions. This is certainly a real risk, not just theoretical, and I don't mean to downplay it. Overall though, I think the benefits of open discussion outweigh these risks and the danger itself is often best addressed by using a bit of common sense. Most, if not all, members are savvy enough to pick up on something which doesn't feel right and act accordingly.
As well as being a forum for experienced practitioners I hope we can also be seen as a useful resource for newcomers to the field. With that in mind I continue to think there are benefits for everyone concerned in allowing people of all backgrounds to mix in the same environment.
In the end it's a balancing act, and I'm aware that it won't meet everyone's needs all the time. Overall though, I hope Forensic Focus remains a useful resource and I firmly believe that a supportive community remains central to that goal.
Cheers,
Jamie
In my experience 99% of the suspects in the cases I deal with have absolutely no idea of the traces of activity they are leaving on their hard disks. Even those who consider themselves 'IT experts' have are evidently clueless of the techniques and tools of forensic practitioners.
I agree but the actual challenge for the smartest good guys is to catch that dangerous 1%, don't you agree? And that's possible collaborating like open-source has showed us imho.
Do I want to make it even a little bit easier for them to hide and continue their crimes? Nope!
I don't want make it too but if they see that good guys are separated by walls they feel more confortable (an enemy with not coordinated-forces is easier to beat) and I think that nobody here wants it.
If they see an enemy moving coordinated forces, they feel to be under pressure and people under pressure make mistakes… always imho.
Rob
I assume that all the people that post here are in fact malicious attackers. Whos single purpose for being here is ultimately destructive and evil. One to expose all techniques through which they may be caught so that they may remain, not caught. I suspect this of the admins and the first time posters alike.
Ok, now what….? *crickets*
That being said, I thoroughly enjoy this forum.
And I think it needs to be said, making a private forum would be dumb (quite literly) http//
skip
> - We've had one before, it wasn't particularly popular or useful
I've been part of closed, restricted forums before…and they came across the same way. Most are LEO-based or LEO-only, and you'd see one person post a request, followed by dozens of "me, too" emails.
The fact remains that "we don't want to teach the bad guys" is an excuse, and nothing more. I think that the real reason a lot of folks don't contribute to forums comes right out of some emails I've received…"I don't want to appear stupid". What most folks don't understand is this…it's asking those simple questions that lead to the answers. If you do a search and can't find the answer to your question…ask it. If the question is seen often enough, someone's gonna write a FAQ.
I think that the real issue is lack of knowledge. Most LEOs that do forensic analysis are LE's first, and need to keep doing LE things to get promoted. They don't have a lot of time to learn new things, so when something new does come up, they have to decide…pursue it, or go with what we have.
The other excuse that I've seen for not contributing…and this one has only come out of one person from Australia…is that they didn't want to contribute because they felt that I'd (me, personally) would take that contribution, abscond with it, put it in a book and benefit from it. There are several major holes in this one…one being that they obviously have a misconception about "benefitting" from publishing a book, another being that they could write a paper or book themselves…but the point is that its simply an excuse and nothing more.
It's clear to me that there are certain expectations for a public forum, and to expect something else is to invite frustration.
> - We've had one before, it wasn't particularly popular or useful
[snip]
I think that the real reason a lot of folks don't contribute to forums comes right out of some emails I've received…"I don't want to appear stupid".
[/snip]
Never a problem for me. p
For me this is cross-training. I contribute where I can…with no regard for my appearance. One of the liberating parts of the "internet."
I'm glad there is no private forum and I'm glad to try to contribute to the public when those rare occasions pop up where CF crosses over my talents.
Now…as for threads like this, where a lot of subjective comments are made, a-la the ol'two cents….well, I EXCELL at giving my $0.02 on anything.
)
Thanks for keeping the forum public,
Skip
The fact remains that "we don't want to teach the bad guys" is an excuse, and nothing more.
Your excuse, my reason. We'll beg to differ.
Are UK CF professionals happy discussing the finer details of grading pictures showing child pornograhpy using the Sentencing Advisory Panel guidelines in an open forum?
Jonathan,
After reading your last post I think I finally understand what you are talking about (although it probably wasn't that complex to begin with!), and I think it comes down to the type of investigations you do/user you are. Allow me to explain the types as I see them
1. Students - They are just starting out in the field or looking to start taking courses and degrees in the subject. They are likely to want to learn everything they can.
2. Practitioners specialising in investigating computer crime (like me) - The targets of their investigation would be more concerned with hiding their activities on a machine and are already likely to know how to subvert the forensic process, or can easily find out in books and online. Their suspects are likely to have a developed interest in computing and may be able to understand and use advanced techniques to prevent them from being caught. Topics that these practitioners would discuss on forums (the internals of file systems, advanced registry analysis, memory forensics) wouldn't benefit an advanced adversary much, but would certainly help advance knowledge of other practitioners.
3. Practitioners that specialise in computer-enabled crime (like LEO), such as investigating fraud activities on company computers, CP and the like. The suspects in these investigations are much more likely to be using the computer as a tool rather than a means to an end (I'd imagine its easier to acquire CP online than it is to reach out to others personally and receive it in the mail) and are probably less likely to have researched anti-forensic techniques. However, because of this, if they were able to come across a some information on a forum it might help them considerably - for example, starting to use "privacy tools" and the like or modifying the images they store. This makes the practitioners job harder, and it would be better for them if this information wasn't available.
I know I'm grossly generalising here and some people wear all three hats, and I'm certainly not saying that the suspects of the 2nd catagory are smart and the suspects of the 3rd are stupid. However, I do think that a person's opinion on this matter is strongly influenced but the sort of suspects they come up against on a daily basis. To that end, it might be worth investigating some of the established LE-only forums and gaining membership there, as it seems that the topics of discussion here seem to strongly revolve around the interests of the first two catagories.
Just my rambling thoughts.
Regards,
Tom
Are UK CF professionals happy discussing the finer details of grading pictures showing child pornograhpy using the Sentencing Advisory Panel guidelines in an open forum?
The UK Government released the SAP sentencing guidelines in the public domain. Can't see how a closed forum would have stopped that..
Self-moderating the content is the price a professional is required to pay when commenting in open forums. I get the impression from FF that there is a huge array of technical matters regarding forensics in which people have an interest, such that matters like SAP could usefully be confined to other forums that are closed.
Just to give a different perspective here, Jonathan, had FF not been an open forum the industry might not have an the opportunity to try out your excellent Forensic CaseNotes program wink
Much as I'd love to take credit for CaseNotes, it ws the work of my colleague here at QCC, John Douglas!
Forensic Focus is probably my favourite CF forum, I've learnt a lot from it and hopefully I've managed to point a few others in that direction. And all that while it was an open forum! I can see the benefit of both types and forum to be honest, but I do like to play devil's advocate sometimes! twisted wink