Wednesday, September 11, 2013

First post

Everyone has a blog … to blog or not to blog? obviously to blog :)

The plan is to post some observations and ideas so as not to forget them, and maybe turn them into papers after some research, comments and polishing.
These are just thoughts and observations based on training and teaching digital forensics since 2008. Part of this blog will be in English and other parts will be in other languages, mostly Balkan ones.

Who am I? I’m a professional trainer for digital forensics tools, i.e. EnCase, UFED, FTK and others, and have been in the DF (Digital Forensics) business since 2008.

Most of my professional interests are in enterprise-class forensic tools, especially for incident response. Digital forensics tools are extremely interesting, especially when you look at them from the development side, since these tools are still considered to be in their infancy.

There is a huge gap between what current commercial tools do and what could be done, which seems to be more of a cultural issue than a technical one. There are plenty of questions to ask; my favourites have to do with having Windows as the basic forensic platform, and the lack of standardisation.

From the technical perspective, digital forensics is the processing of huge volumes of data in order to find and carve evidence-related data and structures. Therefore, data throughput is, in my opinion, the first and most important issue that needs addressing when talking about digital forensics.

Standardisation is also a crucial issue, because feeding results from one tool into another is almost always a miracle-making process. Even though evidence file formats are standardised, case structures and reports are not. The ability to correlate data from various cases (gathered using different tools) is extremely important when actionable intelligence is required.

There is also the issue of the language used to describe digital forensic tasks and results. To do the same analysis in different tools you have to do a lot of tool-specific configuration and programming. All that tool-specific work makes finding and comparing the information very hard. A common language, made available in all forensic tools, as in the case of SQL for databases, could reduce this problem to nil.