Wednesday, December 10, 2014

Programming and digital forensics

Once again I am trying to find the courage and inspiration to write about programming and digital forensics, or, more broadly, about why introducing a purpose-designed language can be a good idea.

It may not look like an important issue whether we have programming and a specially defined language at all, but in my opinion, and from experience in other computing fields, a purpose-oriented language or dialect can be very beneficial.

Digital forensics has been troubled from the beginning by its different sources and by legal oversight. Like any forensic science it is partly forensic and partly computer science and engineering. Unfortunately, tools and practices are not as good as they should be, and the field suffers a lot from not using ideas like scripting, automation and parallelism, which have been in use for ages in computer engineering and computer science.

Dependence on canned solutions, which are powerful in their own world but very limiting in cooperation and performance, is a major problem. This is coupled with Microsoft Windows as the major platform and with many users who are not educated and trained enough. In most scenarios they may be well trained in using a specific tool, but they usually lack an understanding of how to use modern computers efficiently, or rather they miss the whole idea of why the computer is here and why it is programmable in a more complex way than a washing machine.
Very often the basic idea of what we are actually doing is missing; inadequate procedures and huge volumes of data to be processed, which again overwhelm the capacity of the forensic workstation, are common problems. Huge bottlenecks in processing are the usual state of the art, as is days-long processing.
Perhaps strangest of all is the inability to share results among tools (there are a few exceptions, to be honest). It is an impossible situation when something should be compared or reused and the vendor tool simply does not allow it, and everyone involved accepts such a state of affairs as normal; or when you know the data are already there but, because of a clumsy interface or some other reason, you cannot reach them without a lot of coding and the use of other, non-forensic tools.

So why all this, and why a specific language? Because a language is a tool to describe the tasks, the data involved and the result produced. When something like that exists, the tools themselves are not so important, since there is a specification which gives a clear idea of what should be done. It also means that using different tools is simple, since all of them share a common language, and most of the tasks can be automated and parallelised.


create case  caseone
 add evidence evidence1-file with filesystem
 do signature analyses
 do hash analyses
 do search raw  by keyword list list1, bookmark finds
 do image search by hashset hashone, bookmark finds
 report from bookmark
 close case

This looks like one small dedicated program ... and you have to learn additional syntax :)
So where are the advantages? OK, let's imagine EnCase has a module to process this code and FTK has the same, or any other tool
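To make the idea concrete, here is a small Python parser for the case script sketched above. It is an added example, not code from the post or from any forensic tool; the statement forms it recognises (create case, add evidence ... with ..., do ... by ... , bookmark ..., report from ..., close case) are assumed from the sketch, and the resulting Case object is the tool-neutral specification that any backend module could consume.

```python
from dataclasses import dataclass, field
from typing import Optional
# Constructed sample: the case script sketched in the post above.
SAMPLE_SCRIPT = """
create case caseone
 add evidence evidence1-file with filesystem
 do signature analyses
 do hash analyses
 do search raw by keyword list list1, bookmark finds
 do image search by hashset hashone, bookmark finds
 report from bookmark
 close case
"""

@dataclass
class Case:
    """Tool-neutral description of what should be done; any backend can consume it."""
    name: str = ""
    evidence: list = field(default_factory=list)   # [{"name": ..., "kind": ...}]
    tasks: list = field(default_factory=list)      # [{"action", "params", "bookmark"}]
    report_from: Optional[str] = None
    closed: bool = False

def parse_script(text: str) -> Case:
    case = Case()
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        words = line.split()
        if words[:2] == ["create", "case"]:
            case.name = words[2]
        elif words[:2] == ["add", "evidence"]:
            # add evidence <name> with <kind>
            case.evidence.append({"name": words[2], "kind": " ".join(words[4:])})
        elif words[0] == "do":
            # do <action> [by <param-name> <value>] [, bookmark <name>]
            body, _, bookmark = line[3:].partition(", bookmark ")
            action, _, spec = body.partition(" by ")
            key, _, value = spec.rpartition(" ")
            params = {key: value} if spec else {}
            case.tasks.append({"action": action.strip(), "params": params,
                               "bookmark": bookmark.strip() or None})
        elif words[:2] == ["report", "from"]:
            case.report_from = words[2]
        elif line == "close case":
            case.closed = True
        else:
            raise ValueError(f"unknown statement: {line!r}")
    return case
```

Because the parsed tasks carry no tool-specific detail, a dispatcher can hand each one to whichever tool is available and run independent tasks such as the signature, hash and search steps in parallel.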


I have to elaborate on this more ... :)
