The high cost of computer forensics software....

(@patrick4n6)
Honorable Member
Joined: 16 years ago
Posts: 650
 

> So Harlan has a genuine interest in the registry so he does great work with RR, but if I asked him to give me linux live disk with a hex editor which displays MFT records with colour coding for different type attributes, he'd probably look at me like I'm an idiot and tell me to write my own.

> Not sure why you're saying something like that, to be honest…

I'm saying it because you are an example of someone who does contribute a lot to the forensic community in terms of free software, but your contributions are driven by what you are interested in, not by consumer demand, which was my general point about FOSS. It's great if there's something that does what you want, but if you want a different feature set that the authors aren't interested in, you're SooL.


   
ReplyQuote
keydet89
(@keydet89)
Famed Member
Joined: 21 years ago
Posts: 3568
 

> …your contributions are driven by what you are interested in, not by consumer demand

You're right, because when the software is free, what obligation is there to a consumer?

In my case, I've said this from the beginning…my tools have largely come out of my own need.

> …but if you want a different feature set that the authors aren't interested in, you're SooL.

Not necessarily.

One of the things that I have seen about commercial products is some vendors have listened too much to what users want…one example is a commercial product that focused considerable effort on developing the ability to parse one specific file type, and the app did not even include the ability to perform a grep() search through an image.

I've had folks ask me for XML output for RegRipper…but when I ask for a style sheet recommendation, I don't hear back. In fact, I've had a couple of requests like that…when asking for more detail or specifics, I do not hear back from the requester.

Most folks who know my stuff know that I focus on Windows systems, so asking for anything having to do with a Linux hex editor just doesn't make sense; however, that doesn't mean that you're SooL…all you need to do is ask someone who *is* interested. Dave Kovar wrote analyzemft.py for Linux systems (works fine on Windows), so he may be someone to ask.

Another aspect of feature requests that often isn't very well thought out is, is there a cost associated with it, or the target app? If so, who pays this? The requester? Never! I've written ProScripts for ProDiscover, but I have access to that application. When I submitted my proposal to write a book on Registry analysis, all 11 reviewers suggested that I also cover/address commercial tools, but not one of them offered me a license for any of those tools…


   
ReplyQuote
(@rrwashing)
Active Member
Joined: 19 years ago
Posts: 12
 

The issue I have with "free tools" is that often times, they do one thing. Maybe one thing REALLY well…but one thing, nonetheless.

If "Investigator A" bids a job at 50 hours using free tools, "Investigator B" might be able to complete the job in 10 hours with pay tools. You just have to have a large tool box and know how to use the tools, which ones work best for which projects.

I have worked on a case where a company charged $70,000 (yes, seventy thousand dollars) to mount a DD and run "perl scripts" on it. The report was a 7 page ASCII printout (from aforementioned "perl scripts") indicating that the hard drive was infected with the Ramen worm – this was in 2006, by the way. After I loaded the DD in a pay tool, I was able to do some magical pushbutton forensics (in about 4 seconds) and discovered that the company paid $70,000 (yes, seventy thousand dollars) to be ill-advised on the fact that they were "hacked" by an anti-virus update.

Just know the tools.


   
ReplyQuote
keydet89
(@keydet89)
Famed Member
Joined: 21 years ago
Posts: 3568
 

rrwashing,

The issue you presented has more to do with the company and, in my view, nothing at all to do with the tools used.

I would offer to you that I've seen similar reports…yes, I've been asked to review competitors' reports…where the analyst used commercial tools and did a poor job, and others were able to take the same data and do a much better job in less time using only FOSS tools.

What you've raised is not an issue of tools or their use, it's an issue of the analyst and their employer.


   
ReplyQuote
jaclaz
(@jaclaz)
Illustrious Member
Joined: 18 years ago
Posts: 5133
 

> I have worked on a case where a company charged $70,000 (yes, seventy thousand dollars) to mount a DD and run "perl scripts" on it.

I don't want to know the name of the company that charged the $70,000, but I guess that knowing the name of the *morons* company that actually paid them could be a very good resource for any of the members in need of some easy money. wink

I mean, you are telling the story of a rip-off, no matter if it was performed through using free tools or Commercial ones, the same dishonest company/consultants would have produced an equally inaccurate report and extorted the same (or a bigger) awful amount of money from their unknowledgeable clients even if they used a renowned Commercial tool. 😯

Tools are tools, there are good ones and bad ones, better ones and worse ones, but what (at least till today) actually counts is the knowledge, and intelligence, and moral integrity of the people that use them.

jaclaz


   
ReplyQuote
hogfly
(@hogfly)
Reputable Member
Joined: 21 years ago
Posts: 287
 

David,
I have a bit of a problem with your post.

Many grants have requirements, and sometimes those requirements state that the developer must commercialize the tool they originally wrote for the government or law enforcement (SBIR grants are one type). Other grants allow the companies to commercialize their tools. Some grants are won and the resulting tools are specifically for use by the government/LE/military.

Your tax dollars are at work…by those employed to protect the city, state and country you live in. Law enforcement doesn't make a profit like you do, and they're collaring "bad guys" with tools like Mac Marshal. That's your tax dollars at work.

Before you claim the developers have not returned to the public domain what they have written I would ask that you first do some research. Rob Joyce has contributed to Sleuthkit and the HFS+ capabilities of the toolkit. Other developers at the company participate heavily in DFRWS (somewhat responsible for it really) and have contributed to the "community" in several other ways. Have you made queries about becoming a beta tester? Many companies in this space have become adopters of viral marketing and they need beta testers.

Would it surprise you to know that many private companies receive government money to develop for the government, and then they make a profit off of that? Did you know that Wetstone Technologies is one such company? I see their tools mentioned a lot. How do you suppose many of their tools came in to existence?

$995, while a lot of money, is what…maybe half a day's work at the rate computer forensic examiners charge? And when we make thousands of dollars or more per case, it's pretty hard to claim that we are the ones being exploited by having to pay for expensive tools…


   
ReplyQuote
(@kovar)
Prominent Member
Joined: 18 years ago
Posts: 805
Topic starter  

Greetings,

In principle, I hear and agree with most of what you say. Your comment about the tax dollars at work by LE starts me down a path I intentionally was avoiding.

1) If you cannot articulate a monetary value of some fairly large amount, the FBI and LE often will tell you flat out they can't do anything for you. So you're forced to turn to the private sector, who is also working for you.

2) LE, throughout the US, is backlogged enormously on digital investigations. A number of private sector people I've talked to would be happy to help out, at cost, pro bono, or as a volunteer reserve.

3) Many of us aren't making much profit at the moment because we choose to work for smaller firms and individuals. I've done several cases for private citizens who couldn't get support from LE because LE didn't have the resources to assist them.

The whole "LE is working for the public and everyone else isn't" simply doesn't wash with me.

Last week I approached two well known companies who have what I consider overpriced products with an offer to beta test the product and, if I could generate billable work with it, pay them at that point. I was rejected by both, despite having found issues with both products and having expressed an interest in those products over many months.

I wrote to the MacMarshal folk asking for a copy of META (the funded project) and asking for an updated copy of vfcrack, the public domain source code they'd improved on. I received a one line response - you already have a demo copy of MacMarshal, which is the same as META, and vfcrack is in it.

I beta tested FTK 2.0 heavily and was pretty well abused by Access Data. I invested a *lot* of time in that, the product continued to suffer serious issues that should have never made it out the door, and I still had to pay upgrade fees.

One reason we charge high fees is because we need to pay $1000 for MacMarshal, $3,500 for EnCase, $3,500 for FTK, $N for hardware imagers (I've lost track), $500 for a PI license (plus annual renewal), E&O insurance fees, amazingly expensive hardware because FTK+Oracle needs screaming disk and gobs of memory, $2,000 per conference, travel expenses, bare drives, etc etc etc.

And going back to my LE comment, I'm not always making $2,000 a day in part because I *am* trying to do pro bono and at cost work.

I stand by my opinion that MacMarshal is priced way too high for something that was funded in part by the US gov't and that used public domain source code without putting the updates back into the public domain. Price it at $500 and I'd never have written the article.

-David


   
ReplyQuote
jhup
 jhup
(@jhup)
Noble Member
Joined: 16 years ago
Posts: 1442
 

There is also the minor 'feast and famine' issue, being a 'consultant'.

Yes, I can bring in $500 in a few hours, when I am hired; except, I am not hired 48 weeks a year, 5 days a week.


   
ReplyQuote
(@Anonymous)
Guest
Joined: 1 second ago
Posts: 0
 

I skimmed the posts in this thread of discussion and saw no mention of some of the better Linux distributions for forensic examinations. In particular, I saw no mention of either CAINE Ubuntu or DEFT Xubuntu. These omissions surprise me.

I am also inclined to agree that X-Ways Forensics (XWF) tends to fill the gap. My understanding is that XWF costs but $1,100, which is less than one-third of the cost of EnCase.


   
ReplyQuote
keydet89
(@keydet89)
Famed Member
Joined: 21 years ago
Posts: 3568
 

> You're not suggesting sending a hive from a live job, are you?

I've been thinking about this one…and I thought I'd share my thoughts…

I've worked on teams where someone will have a question about an exam…it may be about a specific item, or it may be more along the lines of a general "what should I be looking for" approach.

Many times, these questions simply aren't asked.

Bringing this around to Ben's question…let's say you have a question about a specific Registry key or value. Some…not most and not all…of us are aware that the specific version of Windows (2000, XP, Vista, etc.) can and does play an extremely important role in what you're looking for, at, and the context of what you're seeing…but we also know that a LOT of folks post to forums without ever mentioning that Windows is used, what version, etc.

What I've been seeing, through my professional experience, is that someone will have a question, and either not provide enough information, or simply not ask that question. Sometimes the only way to answer a question involving a Registry key or value is to (a) engage with someone and provide them with the information they need to answer the question, or (b) do it yourself. However, most often I'm seeing that the questions simply are not asked. This can lead to very valuable information/evidence going unacknowledged/undiscovered.

So, maybe in response to Ben's question, the question of "how else would you go about getting your answers?" should be asked…


   
ReplyQuote
Page 3 / 4