The high cost of computer forensics software....

(@kovar)
Prominent Member
Joined: 18 years ago
Posts: 805
Topic starter  

Harlan,

I'm curious what you mean by support? I suspect, given my own experiences, you mean feedback, bug reports, and feature requests, but I could be wrong.

I use quite a few tools, but I've also left an enormous number of them behind when they weren't updated to handle a new problem in the area they supposedly covered. Or when they were too specific.

For example, there were a lot of tools that addressed one, maybe two browsers. But I rarely if ever found a system that only had those two browsers on it, so I had to reach for another tool as well. It was easier - fewer steps, integrated reports, one interface - to use one tool that covered the whole spectrum.

-David


   
keydet89
(@keydet89)
Famed Member
Joined: 21 years ago
Posts: 3568
 

Dave,

I'm curious what you mean by support? I suspect, given my own experiences, you mean feedback, bug reports, and feature requests, but I could be wrong.

Something along those lines.

I find a lot of great tools…like analyzeMFT.py…and try them out. If I find something that may be wrong, or I don't understand, or I would like something added (data runs is one…but I know someone else already asked you about that), then I'll reach out to the author. Most times, I'll reach out to the author anyway, just to say thanks.

From my perspective, I've posted time and again, that if someone wants an update to RegRipper, or wants a plugin, send me a concise description and a sample hive. Most times, I've received a request and no hive…in one instance, I received a request and a statement that the requester was not going to send a hive!

Another means of support is that I've mentioned tools that I have used but perhaps not released, and I'll get requests for those tools. However, when I send them, I don't get so much as an acknowledgment, let alone someone saying, "hey it worked great…thanks".

I guess when I see comments about the high cost of tools, I look around at what some folks provide for free, and I realize that a lot of times this community seems like a black hole…tools and research go in, but very little actually comes back out in some cases. If the cost of a tool is the time and effort put forth by the author and nothing more than feedback from the user…is that really too high a cost?

In fact, there've been a number of times where someone has posted here or in another forum with a question about a tool, and the first response has been, "did you contact the vendor/author?"

I use quite a few tools, but I've also left an enormous number of them behind when they weren't updated to handle a new problem in the area they supposedly covered. Or when they were too specific.

For example, there were a lot of tools that addressed one, maybe two browsers. But I rarely if ever found a system that only had those two browsers on it, so I had to reach for another tool as well. It was easier - fewer steps, integrated reports, one interface - to use one tool that covered the whole spectrum.

Right, but why would someone produce such a tool, particularly for free? Something like that…covers IE, Firefox, Chrome, Opera, Safari, etc…would be well worth a couple of bucks.


   
jhup
(@jhup)
Noble Member
Joined: 16 years ago
Posts: 1442
 

I think it has something to do with ease of use too.

Most open source/freeware tends to lack a sophisticated and user-friendly installation and interface.

Commercial products tend to spend a bit more time on those two…

This is changing, but there is still much room to grow.


   
keydet89
(@keydet89)
Famed Member
Joined: 21 years ago
Posts: 3568
 

I think it has something to do with ease of use too.

I can understand that.

However, when there's a free or open source tool that provides me with a capability that does not exist in a commercial tool, as an analyst, if I need that capability because it makes my work more efficient, faster, more accurate and easier to present to a customer/jury, then I'm going to go after it. For me, I don't need a button to push…if it's CLI, as long as the switch works the same every time, I'm good.

Most open source/freeware tends to lack a sophisticated and user-friendly installation and interface.

That's something I don't understand, really. There's a lot of open source and free software that is just an EXE that you copy to a folder…no other impact on the system. No MSI file, no Registry keys created by or required for use, no dongle.


   
jhup
(@jhup)
Noble Member
Joined: 16 years ago
Posts: 1442
 

I should have further qualified my comment.

Personally, I (and I think most of us old dogs) love just a simple EXE, or a single script file, without installation and such.

But those who are only used to the pretty click-here-to-install want that install method, regardless of what it really does underneath.

I used to write tons of code, and even squeezed them into .COM-sized programs. They all died because people wanted a graphical interface, install/uninstall features, etc., despite the fact that as .COM files they loaded "instantly" and ran exponentially faster.

Perception is often reality. And "ease" will almost always beat functionality when it comes to the mediocre majority.

Again, just my opinion.


   
(@patrick4n6)
Honorable Member
Joined: 16 years ago
Posts: 650
 

Installation ease doesn't bother me at all, but interface does. When I'm billing my client by the hour, I want my tools to be both responsive and also to present the data in the most effective way for me to process in the minimal amount of time/steps. That's why, despite being very comfortable at a command prompt, be it DOS, Linux or Unix (and formerly VAX and BASIC), I still gravitate to the tool that presents the data in the best way.

And whilst I agree generally that forensic tools are expensive, as a former commercial programmer I also know the cost of development and can see where the price point comes from. Forensics is not a huge industry, so it's not like making an accounting package with a potential user base of millions, it's making a much more complex tool with a potential user base of thousands.

I also don't mind paying for updates so much after the BS that MS pulls with Windows, where you had to pay full price (upgrade price) for Windows 7, which introduces very little in feature set and is realistically a fix for the bugs and counterintuitiveness of Vista. Compare that to X-Ways, where there are new features being added consistently, and a $1k price tag with a few hundred a year for updates doesn't seem bad at all.

Again, having worked as a programmer, I don't begrudge Stephan for his price point on XWF, nor do I begrudge AccessData for the price of FTK. I do feel that they could offer a better price point on subsequent copies for the same company, but I see the potential for abuse there if they did.

I've never bought a forensic tool that didn't pay for itself on the first job anyway.

As for FOSS tools, I like quite a few of them, and I have some in my toolkit. I find them particularly good for limited field preview and high-speed data acquisition. Of course, I'm now waiting for my preferred tool to update to full ICH10R support so I don't have to change the BIOS from IDE to AHCI to read SATA drives, and I haven't even heard any suggestion from the author as to when that will happen. The problem with FOSS is that the tools only contain what the developers are interested in. So Harlan has a genuine interest in the registry, so he does great work with RR, but if I asked him to give me a Linux live disk with a hex editor which displays MFT records with colour coding for different attribute types, he'd probably look at me like I'm an idiot and tell me to write my own. Or, in the broader Linux context, people have been suggesting for years that Linux should have a similar level of simplicity for the user as Windows, and every year we hear how Linux on the desktop will take off, but it still hasn't happened because of lack of interest from the FOSS developers, and because they'd rather fork the desktop development than standardise the look and feel.

By contrast, people ask Stephan to add features into XWF and whilst he does often say that there's not sufficient interest to warrant the time/effort, he also does often add features when you can show a good business case. That adds value to his product which keeps the subscriptions coming in, and makes the product more attractive to potential new clients.


   
(@benuk)
Trusted Member
Joined: 20 years ago
Posts: 45
 

Dave,

From my perspective, I've posted time and again, that if someone wants an update to RegRipper, or wants a plugin, send me a concise description and a sample hive. Most times, I've received a request and no hive…in one instance, I received a request and a statement that the requester was not going to send a hive!

You're not suggesting sending a hive from a live job, are you?

I know what you mean about the rest of it, though. There are a lot of excellent low-cost and free tools out there. In an ideal world I like to follow the olde Unix ethos of 'many little tools that each do one job very well', but practically the daily grind consists of getting jobs out of the door as quickly as possible, and most of the time EnCase with a bit of help from one or two apps will provide a workflow that's conducive to that. I know it's not the best way to work, but certainly all the LE agencies I know of are in the same boat: backlogs are creeping up on you, and most of our jobs are stupid perverts who make no attempt to cover their tracks.

There are a few little dedicated apps that I love and use on every job, and I'll often contact the authors for support or just to tip my hat. It's a shame that in many offices everything's geared towards maximising throughput and there just isn't the time to verify and test all of the new tools coming out until you desperately need them. That's why EnCase and FTK win - you've paid for the training, they can do most of what you need adequately, and they help you bang the jobs out.

Oh, and single-file tools FTW!


   
keydet89
(@keydet89)
Famed Member
Joined: 21 years ago
Posts: 3568
 

So Harlan has a genuine interest in the registry, so he does great work with RR, but if I asked him to give me a Linux live disk with a hex editor which displays MFT records with colour coding for different attribute types, he'd probably look at me like I'm an idiot and tell me to write my own.

Not sure why you're saying something like that, to be honest…


   
keydet89
(@keydet89)
Famed Member
Joined: 21 years ago
Posts: 3568
 

Dave,

From my perspective, I've posted time and again, that if someone wants an update to RegRipper, or wants a plugin, send me a concise description and a sample hive. Most times, I've received a request and no hive…in one instance, I received a request and a statement that the requester was not going to send a hive!

You're not suggesting sending a hive from a live job, are you?

I'm pretty sure that what I said was sample hive.

The requester who refused, in his request, to provide a sample hive said that he did so because he felt that the request was for a common enough key, that I should already have sample hives available.

Besides, there are plenty of ways to provide the needed data without exposing hive files from live jobs. One is to recreate the hive file in a VM…install the app in question if you need to. Another is to export the necessary keys from the hive in .reg file format, then import them into an innocuous hive.

So, there's no need to expose data from a live job, which is why I never suggested doing so.


   
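The export-to-.reg-and-import route described above, written out as an added example in PowerShell (not code from the thread or from RegRipper). It assumes hypothetical paths for an offline case hive and a clean hive taken from a fresh VM, a hypothetical key name, and an elevated session, since reg.exe load needs the backup/restore privileges:

```powershell
# Added example: lift one key out of a case hive and plant it in a clean hive,
# so a tool author gets a reproducible sample without any live-job data.
# All paths and the key name below are hypothetical placeholders.
$CaseHive  = 'E:\case\SOFTWARE'      # hive file copied from the live job
$CleanHive = 'C:\samples\SOFTWARE'   # hive file from a freshly installed VM
$KeyPath   = 'Vendor\Product'        # subkey of interest, relative to the hive root
$RegFile   = Join-Path $env:TEMP 'sample.reg'

function Invoke-Reg {
    # Run reg.exe and fail loudly; reg.exe signals errors via its exit code.
    param([string[]]$RegArgs)
    & reg.exe @RegArgs | Out-Null
    if ($LASTEXITCODE -ne 0) {
        throw "reg.exe $($RegArgs -join ' ') failed with exit code $LASTEXITCODE"
    }
}

# 1. Mount the case hive under a temporary key, export only the key of interest,
#    then unload it again (no handles are left open on it).
Invoke-Reg @('load', 'HKLM\CaseTmp', $CaseHive)
Invoke-Reg @('export', "HKLM\CaseTmp\$KeyPath", $RegFile, '/y')
Invoke-Reg @('unload', 'HKLM\CaseTmp')

# 2. Rewrite the key paths in the .reg file so they point at the clean hive's
#    mount point. reg.exe writes UTF-16LE with a BOM; -Encoding Unicode keeps that.
$content = Get-Content -Path $RegFile -Encoding Unicode
$content = $content -replace '\[HKEY_LOCAL_MACHINE\\CaseTmp\\', '[HKEY_LOCAL_MACHINE\CleanTmp\'
Set-Content -Path $RegFile -Value $content -Encoding Unicode

# 3. Eyeball the values before anything leaves the lab: user names, hostnames
#    and paths inside the data can still be case-specific.
Get-Content -Path $RegFile -Encoding Unicode | Select-String -Pattern '^\[|"[^"]+"='

# 4. Import into the clean hive and unload so the changes are flushed to the file,
#    which is the sample you can now send.
Invoke-Reg @('load', 'HKLM\CleanTmp', $CleanHive)
Invoke-Reg @('import', $RegFile)
Invoke-Reg @('unload', 'HKLM\CleanTmp')
Remove-Item -Path $RegFile
```

If the clean hive came from a VM that already has the application installed, the import simply overlays the exported values, which keeps the sample's surrounding key structure realistic.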
(@benuk)
Trusted Member
Joined: 20 years ago
Posts: 45
 

OK, I thought you wouldn't be - just checking :D


   