Just been trying to do node sweep for dll and process hash, to do some presence control it turns out in v7 you can't do normal check for list of hashes without enscript programming. Very frustrating since in v6 it was possible at least to find end nodes with required hash trough conditions.
In version 7 there are no conditions in sweep snapshot results also in case analyzer part restraints are so dumb organised that you can't do a list of hashes but one by one trough immensely dumb interface. It is frustrating since user interface is lame worst of it data are there but you can't get to it.. kinky and masohiticly perverted. Before I've been able to access data from infozoom but test licence is long gone so we are back on Enacse functionality. Other patch was to print hash in console and do unix fgrep on the console output, it worked but is was awkward also.
Since I mentioned enscripting to solve my issue, examples which are provided in manuals are not complete. It is easy to do a sweep, and get dll and process hashes, but what is missing completely is how to compare it with existing hash sets in hash library.That will be the elegant solution, to create a has set add it into has lib and that find if collected process hash or dll hash belongs to set ... if you can find example :) :)
Also the idea of enscript programming is very outdated in sense of what kind of programming language enscript is, It is so low level access to encase internals, like using C code to do ls and cd command each time. Putting a "script" into name is also a bit perverted, it is en-script .. encase scripting language, but as far from concept of scripting as can be. To be efficient and useful powerful simple scripting command is needed not C++/java language concepts. Instead of endless low level object and classes meddling simple high level construct should be used.
Something like this, it is easy to read even for someone who does not know programming, if he is familiar with enacse enterprise concepts
do sweep on node1, node2 use systeminfo, snapshot
when node in sweep
if node process hash is in hashlib bookmark node, process, hash
if node dll hash is in hashlib bookmark node dll hash
or whatever else familiar syntax , I've put a bit of this thoughts about standardization and basic case handling testing, comparing results in other earlier posts and forensic language issues.
Modern languages python, ruby, even perl or forgotten tclsh are powerful languages easy to extend and use, almost platform independent. Python is the star at the moment so why not python .. don't know but there is a lot of work, oddly to communicate with python tools outside of encase and collect results, what is again a bit against the idea since scritping language is mentioned to be a glue layer among other modules exactly the opposite :) as it is used here.
Ages ago in late 1990s during my phd I was doing almost the same concept to merge two different tools, snmp and fuzzy data expert to interpret data collected from snmp. It was before python and shell was simple tcl functional extension able to code fuzzy rules into code as simple human readable statements. It can be done even for much more fuzzy concepts than forensics
When we are mentioning using programming in digital forensics it is very good idea to study in detail concepts and implementations of coroner toolkit and sleuthkit, since it depends on known and forensically sound system level library's and system calls, If we are talking of using scripting language in digital forensics some checking on implementations on different platforms should be done or even better, creating a new forensically sound libraries or classes. It is illustrated in earlier article about python scripting "Python training for forensics" where some issues in ordinary IO mechanism is mentioned, which if we are strictly speaking about forensic (in sense of its rules and requests) should be done in basic IO level. Almost similar discussion exists in V.Wenema book about digital forensics taking great care about cache issues on unix file system.
In version 7 there are no conditions in sweep snapshot results also in case analyzer part restraints are so dumb organised that you can't do a list of hashes but one by one trough immensely dumb interface. It is frustrating since user interface is lame worst of it data are there but you can't get to it.. kinky and masohiticly perverted. Before I've been able to access data from infozoom but test licence is long gone so we are back on Enacse functionality. Other patch was to print hash in console and do unix fgrep on the console output, it worked but is was awkward also.
Since I mentioned enscripting to solve my issue, examples which are provided in manuals are not complete. It is easy to do a sweep, and get dll and process hashes, but what is missing completely is how to compare it with existing hash sets in hash library.That will be the elegant solution, to create a has set add it into has lib and that find if collected process hash or dll hash belongs to set ... if you can find example :) :)
Also the idea of enscript programming is very outdated in sense of what kind of programming language enscript is, It is so low level access to encase internals, like using C code to do ls and cd command each time. Putting a "script" into name is also a bit perverted, it is en-script .. encase scripting language, but as far from concept of scripting as can be. To be efficient and useful powerful simple scripting command is needed not C++/java language concepts. Instead of endless low level object and classes meddling simple high level construct should be used.
Something like this, it is easy to read even for someone who does not know programming, if he is familiar with enacse enterprise concepts
do sweep on node1, node2 use systeminfo, snapshot
when node in sweep
if node process hash is in hashlib bookmark node, process, hash
if node dll hash is in hashlib bookmark node dll hash
or whatever else familiar syntax , I've put a bit of this thoughts about standardization and basic case handling testing, comparing results in other earlier posts and forensic language issues.
Modern languages python, ruby, even perl or forgotten tclsh are powerful languages easy to extend and use, almost platform independent. Python is the star at the moment so why not python .. don't know but there is a lot of work, oddly to communicate with python tools outside of encase and collect results, what is again a bit against the idea since scritping language is mentioned to be a glue layer among other modules exactly the opposite :) as it is used here.
Ages ago in late 1990s during my phd I was doing almost the same concept to merge two different tools, snmp and fuzzy data expert to interpret data collected from snmp. It was before python and shell was simple tcl functional extension able to code fuzzy rules into code as simple human readable statements. It can be done even for much more fuzzy concepts than forensics
When we are mentioning using programming in digital forensics it is very good idea to study in detail concepts and implementations of coroner toolkit and sleuthkit, since it depends on known and forensically sound system level library's and system calls, If we are talking of using scripting language in digital forensics some checking on implementations on different platforms should be done or even better, creating a new forensically sound libraries or classes. It is illustrated in earlier article about python scripting "Python training for forensics" where some issues in ordinary IO mechanism is mentioned, which if we are strictly speaking about forensic (in sense of its rules and requests) should be done in basic IO level. Almost similar discussion exists in V.Wenema book about digital forensics taking great care about cache issues on unix file system.
No comments:
Post a Comment