Monday, December 24, 2007

Merry Christmas!

A very merry Christmas to all!

Hope you have a great time over the festive period.

Drive carefully, stay safe and see you after Boxing Day...

Monday, December 17, 2007

Document & Media Exploitation - more interesting than it sounds!

There's an article from Simson Garfinkel at the ACM Queue website here which I think many will find interesting (don't let the rather dull title put you off, it's a great read). It covers something called DOMEX, which we're told is defined by the US Intelligence community as "the processing, translation, analysis, and dissemination of collected hard-copy documents and electronic media, which are under the U.S. government's physical control and are not publicly available". Essentially it's about the challenge of bringing relevant information or evidence to light in the face of various obstructions (large disk sizes, encryption, time constraints etc.). Simson calls for more work to be done with a view to improving or automating many of the processes currently carried out by forensic examiners and ends by discussing the wider implications of such improvements.

Oh, and there's another good article at the same website here about hard disk reliability. Both articles are well worth a read!

Monday, December 10, 2007

Forensic workstation recommendations

Just a quick note to highlight this thread in the forums where we're trying to put together a list of hardware suggestions/recommendations for anyone considering building or buying a forensic workstation for imaging and analysis.

Do please chime in with any thoughts, not just for the main components (motherboard, chip etc.) but also for the less "sexy" items. Can you recommend a particular case, for example, which you've found has worked well, perhaps due to its connection possibilities or some ergonomic feature which you particularly liked? What about a particular brand or type of hard drive: are some more reliable than others in your experience?

The focus of the recommendations is on hardware which gets the job done but also represents value for money. Hopefully once complete it will serve as a useful reference for new practitioners entering the field or anyone upgrading from an older system.

Thursday, December 06, 2007

Sharing knowledge (part three)

All good things come in threes (apart from Star Wars, of course, as I may have mentioned previously) so here's the last part of this "sharing knowledge" trilogy.

We talked earlier about asking and responding to questions as they arise, the type of situation you see in the forums or our - very quiet! - email discussion list. I'd like to wrap up by encouraging everyone to share their knowledge in a more proactive fashion, either in the form of articles or papers (which I'm very happy to publish at the Forensic Focus site and in the monthly newsletter) or by contributing to one of the forensic wikis which are out there.

Let me be the first to admit, if it isn't already blindingly obvious, that I'm not a great writer. I also find it hard going at times. I don't always find it particularly easy to express myself, and the process of editing and revising what I do put together can be time consuming (I'm not just referring to contributing to this site, I'm speaking more generally in this case). With that being said, though, with a little bit of planning and enough effort to actually get started I have found that it is possible to put something together which has some value.

It's clear to anyone who browses the Forensic Focus forums, or those of other computer forensics sites, that there are many very experienced members, and there are also those who can write very well (some of the more lengthy and detailed posts are almost full articles in their own right). There are also some who have the ability to share their knowledge by putting pen to paper but don't do so, often through lack of time but also because they're concerned about how what they've written will be received; the fear of criticism holds back many people I've spoken to privately over the past few years. This latter point is a great pity, as many of those same people are the ones with very useful information and interesting perspectives. Whether held back by lack of time or lack of confidence, I really do want to encourage everyone to think again about writing something for the wider forensic community.

The obvious question which remains is what to write? The answer, I think, is simply anything which might be useful to someone else (and I often think the easiest way to judge that is to ask yourself if you would find it useful, or would have done so at some stage in the past). I also want to stress that, at Forensic Focus at least, basic forensics or discussion of fundamental principles is also very much on topic, just as much as advanced techniques. In addition, aspects of computer forensic work outside the purely technical are very welcome - examples might be professional challenges, career development, legal issues, even just personal thoughts and reflections. In essence, if it's a topic which interests you then it will probably be of interest to someone else.

If you'd like to share your knowledge and experience then I encourage you to write something and send it through either to me, for Forensic Focus, or consider submitting to one of the wikis. The ultimate goal is to expand the list of useful resources available to anyone with an interest in this field, from those just thinking about it as a career to those who've seen and done almost (but not quite) everything. I hope you'll decide to help.