I would like to know from all of you out there…
What should we focus on?
Where are most of you having difficulties?
What should we improve?
In regard to what? Am I missing something?
Pretty open questions.
What should we focus on?
We as in the community of investigators? We as in your company providing something? The global we? Should we focus on something in investigations? Developing something? Building relationships? Something else?
Where are most of you having difficulties?
In recruiting? In training? In investigations? In not spending all our time at the office with our noses buried in a monitor?
What should we improve?
Again "we" who? Is your company developing a product that you want to improve? Should the global "we" improve something in technique? Reporting? Getting better benefits from our employers?
Can you narrow the scope of your questions?
Bithead, you are totally right.
I am really sorry about my vague questions…
What should we focus on?
The global we… as in forensic techniques.
Where are most of you having difficulties?
In investigations… in which forensics categories (email forensics, mobile forensics, data carving, reverse engineering, steganography, etc.)?
What should we improve?
Should the global "we" improve something in techniques…
I have one that crosses over the focus on/improve category
My work involves collaborating with CPAs/CFEs. For accountants in the US, the AICPA has guidelines for how an audit report is published: not the exact wording, but the order in which things appear, what must be included, what is optional, etc. I would like to see something similar for forensic reports, i.e. section 1 is an overview of the case, 2.1 is a list of the computers/devices involved, 2.2 is the drives and memory devices, 2.3 is peripherals, 3.1 is the people involved, etc.
From prior experience I can assure you that lawyers, CPAs, etc. would be thrilled for similar standards.
BitHead,
I'm sure I remember you bringing this up before when we were putting together one or two resources for the report writing section. What would it take, in your opinion, to get something like this off the ground and accepted? Who are the key players who would have to buy into it?
Jamie
Jamie,
I am sure there would have to be some groups, much like the AICPA, that would have to agree on a format. ISFCE, IASIS, perhaps CESG & F3 in the UK.
The other option would be to agree on one format and get as many users on the various CF forums to start using that model. It might take some time (especially in LE and corporate circles where formats have already been established), but I think standardization is one key to legitimize computer forensics and set it apart from private detectives.
Greetings,
Using LE formats for reports could result in quicker adoption. We built our templates on reports taken from the NIJ publications and our clients are pretty happy with the results. The important information gets captured *AND* information that isn't relevant, such as speculation, doesn't fit into the report and so doesn't (shouldn't) appear.
By the by, I am also a private detective and a big fan of standardization. Standardization, used properly, can
- Help you accomplish tasks more efficiently
- Help improve your accuracy when you're distracted, tired, bored, etc.
- Help you hand off projects and tasks more effectively
- Help you communicate accurately with clients, partners, lawyers, and courts.
Bottom line, it is a tool that can help you run your business more profitably.
-David
Not to change the subject, but that was the impetus behind RegRipper. I originally started developing it for my own use, and saw very few (re: none) other analysts doing Registry analysis. Most didn't even think to extract the hive files, PGP them, and send them to me. So I thought… what's a good way to standardize a tool, and to some degree, data extraction and analysis?
h
Greetings,
And to follow that thread, Harlan's suite of tools and a number of open source Linux tools enable us to do more thorough registry analysis, automate the analysis to some extent, and extend our own tools. Once an image is uploaded to the file server, we kick off a series of tools against it to tear it apart and produce various reports that we then use to guide further analysis.
Also, the ability to cooperate with analysts from other organizations is important - sharing common tools, procedures, and reports will facilitate this cooperation, and everyone should benefit in the long run.
Tools like RegRipper are very welcome.
-David