Chris Taylor's Presentation was VERY good. Sharing that pdf would be a good thing. I have a copy and I was at the seminar and I learned a lot and realized that there is much more to learn.
I think the argument runs a little deeper than that. You’re correct in saying that a software tool isn’t inherently flawed because it allows unqualified or less able examiners to get results; it could only be accused of being intuitive and comprehensive. The flaw, or rather the problem, stems from the fact that some examiners rely more on the tool and less on their knowledge of the underlying concepts. This gives rise to a situation where a sizeable number of analysts within the community could be missing artefacts, etc., because their tool doesn’t look for them or fails to report adequate information about them.
Also, somebody please post that .pdf!
PM me with your email address and I'll send.
PM sent, thank you.
> missing artefacts etc because their tool doesn’t look for them
Or, as I've seen, the tool does show them (i.e., most tools like EnCase and ProDiscover will show ADSs) but the analyst has no idea of the significance of the artifact in relation to the case.
In my write up of the "russiantopz" bot (available in the SecurityFocus archive), I wrote about how the administrator of the infected system looked at the Task Manager display and had no clue that a process called "statistics.exe" was in any way "unusual" or "suspicious" on systems. This same phenomenon is why lots of malware uses the name "svchost.exe".
Harlan
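The point above about malware borrowing the "svchost.exe" name is exactly what a simple baseline check can catch, since the legitimate binary lives in one place and is started by one parent. The following is an added example, not code from any poster in this thread: it runs a path-and-parent check over a constructed process snapshot. The expected path and parent are a simplified baseline assumed for illustration (real hosts also have a SysWOW64 copy, and tooling should be tuned to the environment).

```python
# Constructed sample process snapshot (not real telemetry): (pid, ppid, name, image path)
SAMPLE_PROCESSES = [
    (4, 0, "System", ""),
    (600, 4, "services.exe", r"C:\Windows\System32\services.exe"),
    (820, 600, "svchost.exe", r"C:\Windows\System32\svchost.exe"),
    (1204, 600, "svchost.exe", r"C:\Windows\System32\svchost.exe"),
    (2040, 1000, "explorer.exe", r"C:\Windows\explorer.exe"),
    (3356, 2040, "svchost.exe", r"C:\Users\Public\svchost.exe"),   # wrong path and parent
    (3412, 600, "svchost.exe", r"C:\Windows\Temp\svchost.exe"),    # wrong path only
    (3500, 2040, "statistics.exe", r"C:\Windows\System32\statistics.exe"),
]

# Simplified baseline (an assumption for this example): the genuine svchost.exe
# is the System32 copy and is launched by services.exe.
EXPECTED_PATH = r"c:\windows\system32\svchost.exe"
EXPECTED_PARENT = "services.exe"


def find_suspicious_svchost(processes):
    """Return [(pid, [reasons...])] for svchost.exe instances that deviate from the baseline."""
    by_pid = {p[0]: p for p in processes}
    findings = []
    for pid, ppid, name, path in processes:
        if name.lower() != "svchost.exe":
            continue
        reasons = []
        if path.lower() != EXPECTED_PATH:
            reasons.append(f"unexpected image path: {path}")
        parent = by_pid.get(ppid)
        parent_name = parent[2].lower() if parent else "<unknown>"
        if parent_name != EXPECTED_PARENT:
            reasons.append(f"unexpected parent: {parent_name} (pid {ppid})")
        if reasons:
            findings.append((pid, reasons))
    return findings


if __name__ == "__main__":
    for pid, reasons in find_suspicious_svchost(SAMPLE_PROCESSES):
        print(f"pid {pid}: " + "; ".join(reasons))
```

The same name-versus-location reasoning applies to the "statistics.exe" case in the post: a name alone tells the analyst nothing, but a path, parent and baseline do.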
Indeed, preying on the weakest link in the computer security chain, human ignorance.
I wouldn't call someone ignorant because they didn't know about a particular process.
Ignorant meaning lacking education or knowledge or a general state of unawareness. I don’t mean to be sarcastic because you obviously know the definition, but how else would you describe such a person?
I was going off of the first definition.
uneducated in general
Point taken. I didn't mean for lack of education to imply a sub-average intellect in general, I was referring to a lack of computer or computer forensics knowledge specifically.