Sunday, January 18, 2015

RFOR is finishing at VSITE

Lecturing for this academic year is just about to finish; exam time is coming, and it is time to wrap up and collect lessons learned, not only for students but for teachers too.

As for the first run of Digital Forensics Basics (RFOR) at VSITE, I have my doubts and fears about whether I did things as they are supposed to be done. The class was small, 18 people, easy to work with and enjoyable, though perhaps a bit too much opportunity for a lecturer's ego trip at times.

Results are OK, but that can be misleading; I still feel we need more practical work with commercial tools. To add some practical work we included Python scripting, based on "Python Forensics" and some elements from "Violent Python", all run on the SIFT workstation from SANS.

As we are at a computer science and engineering school, a lot of things are already known, so we concentrated on general principles and ideas, not so much on the methods and tools.

My colleague Darijo Puntarić was busy with the laboratory exercises; as a CCIE he added a lot of good material, especially to the network forensics part.





An article about law enforcement and high end computer skills

This one was posted at one of the sites I read often: "Information Warfare: Scary Monsters Pursue The FBI". The title is a bit scary, but it actually shows the problem law enforcement faces when it has to deal with computer security issues. To be honest, most organisations of any kind have this problem if they were not based on computing technology from the start. Unfortunately, even such powerful organizations as the FBI or DOJ somehow lack a strategic approach to and understanding of the problem. At first glance it is OK: you find you are in trouble and there is someone who can help you; cooperate, use resources and prepare. But for what, and how? The results show that this is missing.

Monday, January 12, 2015

Digital Forensic Tools and parallelism - initial thoughts

Without going deep into any theoretical discussion, it is quite obvious that digital forensic tasks are actually very well suited to parallel processing. The key enabler is read-only access to data in most data-intensive operations, but parallelism can be applied in the other steps too, taking into account the nature of the digital forensic process and its data-processing steps:
  • acquisition, 
  • analyses and 
  • reporting. 
If we discuss each step in the forensic process in turn, we can see how parallelism can be used.
The first data-processing step in any digital forensics task is acquisition of data from a device or media.

Device acquisition is a serial task, since without live access we have only one channel to the device. Parallelism here is more a question of the device itself than of the forensic tool. For example, if we have more than one access channel to the device data and we are in read-only mode, acquisition can be parallel too.
The key element is read-only access to data.

In other steps, such as analysis, the situation is only slightly different. Analysis is usually data extraction and reconstruction, which finally results in a reduction of data size. The data we use in this step is under read-only access, while the results of processing are written and maybe read back into the process again. These two modes of data access are well separated in the analysis process, so each analysis task can run in parallel with other tasks without corrupting the data. In most situations the new results are actually metadata. Such metadata is much smaller than the original data, and can be fed back into the analysis cycle if necessary. As shown, parallelism can also be used for most of the analysis step.

To illustrate this in more detail, we can discuss two important forensic tasks: indexing and raw search.
Indexing is specific in that it can generate almost the same volume of data as the original data. It is also a highly repetitive task, since newly recovered or unlocked documents have to be indexed and their data added to the existing index structure. The operations are very disk-intensive, but again can be done effectively in parallel, especially if the index structure is stored database-style. It may sound strange, but raw search is very close to the indexing process, especially in the phase of building the index structure; in fact it is the same thing. Simply put, we have to extract raw data from the disk and find in that data the words that are indexed, which is exactly what raw search does. The conclusion is again the same: parallelism can be used, and it is important for indexing and search tasks since they require processing huge amounts of data.
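The two properties the analysis and indexing paragraphs above rely on, read-only access to the image by every worker and a small metadata result that can be merged and fed back, can be shown in a few dozen lines. The Python below is an added example written for this page, not code from the original post or from any forensic tool; the function names, the 256-byte "image", the planted keywords and their offsets are all constructed for illustration. It splits the image into chunks, indexes each chunk in parallel through its own read-only handle (with an overlap so a keyword straddling a chunk boundary is found exactly once), and then runs a raw search over the whole image as a single chunk to show that raw search and index building are the same operation.

```python
import os
import re
import tempfile
from concurrent.futures import ThreadPoolExecutor, ProcessPoolExecutor

# Constructed sample: a 256-byte "image" of filler with a few keywords planted,
# one of them deliberately straddling the 64-byte chunk boundary at offset 64.
CHUNK_SIZE = 64
KEYWORDS = [b"secret", b"password"]
PLANTED = {10: b"secret", 61: b"password", 130: b"password", 200: b"secret"}


def make_sample_image(path):
    """Write the constructed sample image to `path` (stands in for an acquired image)."""
    image = bytearray(b"." * 256)
    for offset, word in PLANTED.items():
        image[offset:offset + len(word)] = word
    with open(path, "wb") as fh:
        fh.write(image)


def index_chunk(path, start, length, overlap, keywords):
    """Worker: index one chunk of the image through its own read-only handle.

    Scans image[start : start + length + overlap] and returns
    {keyword: [absolute offsets]} for hits whose first byte lies inside
    [start, start + length).  The overlap (longest keyword - 1 bytes) lets a
    keyword straddling the chunk boundary be found by the chunk that owns its
    first byte, and the `< length` filter stops the next chunk counting it again.
    """
    with open(path, "rb") as fh:
        fh.seek(start)
        data = fh.read(length + overlap)
    hits = {}
    for kw in keywords:
        offsets = [start + m.start()
                   for m in re.finditer(re.escape(kw), data) if m.start() < length]
        if offsets:
            hits[kw] = offsets
    return hits


def build_index(path, keywords, chunk_size=CHUNK_SIZE, workers=4,
                executor_cls=ThreadPoolExecutor):
    """Index the image chunk by chunk in parallel and merge the per-chunk metadata.

    Every worker only reads the image; the only thing written is the returned
    index, which is tiny compared with the image.  The workers are independent,
    so executor_cls=ProcessPoolExecutor is equally correct for CPU-bound work.
    """
    size = os.path.getsize(path)
    overlap = max(len(k) for k in keywords) - 1
    index = {}
    with executor_cls(max_workers=workers) as pool:
        futures = [pool.submit(index_chunk, path, start,
                               min(chunk_size, size - start), overlap, keywords)
                   for start in range(0, size, chunk_size)]
        for fut in futures:
            for kw, offsets in fut.result().items():
                index.setdefault(kw, []).extend(offsets)
    for offsets in index.values():
        offsets.sort()
    return index


def raw_search(path, keywords):
    """A raw search is the index-building step run once over the whole image as one chunk."""
    return index_chunk(path, 0, os.path.getsize(path), 0, keywords)


def demo():
    """Build the sample image, index it in parallel, and run the equivalent raw search."""
    fd, path = tempfile.mkstemp(suffix=".img")
    os.close(fd)
    try:
        make_sample_image(path)
        return build_index(path, KEYWORDS), raw_search(path, KEYWORDS)
    finally:
        os.unlink(path)


if __name__ == "__main__":
    index, raw = demo()
    for kw, offsets in sorted(index.items()):
        print(kw.decode(), offsets)
    print("raw search agrees with parallel index:", index == raw)
```

The overlap is the one detail that is easy to get wrong when chunking a search: without it the `password` planted at offset 61 is split across two chunks and neither sees it; without the `< length` filter the next chunk would report it a second time. The merged index is a handful of offsets, which is the "much smaller metadata" the post describes, and it can be handed to a later stage (bookmarks, reporting) without anyone touching the image again.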

Forensic data processing usually generates metadata which presents a new logical view of the original data. Good examples are bookmarks, so much loved in digital forensics.

As for report creation, the same approach works again: the report is compiled from data and bookmarks, and the data is not changed in that process, so it can be parallelised too.

So what is the conclusion?
Parallelism is highly desirable in digital forensics, but we don't have tools which are very effective at using it. This is something that is happening just now, with varying levels of success for different vendors.
My opinion is that vendors are landlocked in their tools, and the real advantage of parallelism lies in the type of forensic tools which can be fully automated and can freely and easily cooperate: scriptable and capable of working in a standardised way on highly parallel computing infrastructure :)

I'll elaborate on this later, when talking about what such tools and systems have to be able to do and what existing knowledge we already have.









Monday, January 5, 2015

MS Windows, Python and Digital Forensics woes

Since Vista came out, it has turned out to be impossible to compile and add essential libraries like libewf into Python on Windows. It is very frustrating and senseless, but this is the MS way of things.
It boils down to undocumented features and behaviour of the required low-level Windows calls and instrumentation. My colleague Jakob spent a lot of time trying and testing all available compiling procedures, but nothing worked in the end. It all worked once, in 2009 and earlier, but not today.
This troubles us because of planned training proposals, since we now have to introduce additional Unix topics, where the tools work as they are supposed to.