Friday, December 3, 2010

Computer Forensics: Thoughts on sharing & forensic nuggets

This is just a quick late Friday afternoon entry to my blog. A common denominator and recurring theme that seems to be the focal point of many presentations and meetings I've had the opportunity to attend recently is sharing and collaboration among practitioners in the digital forensics community.
As I discussed here, Harlan Carvey delivered an excellent keynote during the WACCI Conference on this very topic. I also see a solid trend in the law enforcement community to share more information with trusted partners outside of the law enforcement community.
Personally, I like the idea that Harlan brought up and that was discussed at the WACCI Conference this year. Whatever means is used to exchange and share information, it has to be a two-way street. If you are taking information from the well of knowledge, but not delivering anything to further the community or the knowledge base, then you should not be allowed to continue to participate in the exchange of information within that group.
Sharing information and intel is good, but as we've seen with the WikiLeaks controversy recently, a physical security mentality has to be applied to information security. Do we know who has accessed file.xyz across the entire organization? Are the credentials to access file.xyz being controlled and monitored at all times? Do we know where file.xyz is located at all times and its route of travel across the computer/network infrastructure?
Yesterday, I had the opportunity to sit down with some great practitioners from law enforcement, corporate IR, small business executives, consultants, and e-discovery folks at the Indy Digital Forensics Association meeting. We had a great turnout yesterday and will be proceeding in forming an ASDFED chapter. One of the positive things I've seen regarding ASDFED is its transparency, and that it is not limited to one side of our adversarial system. I'm looking forward to it, as it will bring law enforcement, attorneys, examiners, incident responders, corporate investigators, small businesses, etc. together to contribute and share information.

* Updating log2timeline on SIFT workstation in this week's SANS Digital Forensics Case Leads on the SANS Computer Forensics Blog. Speaking of the SANS Digital Forensics Blog, if you missed my last blog post, you should check out the new & improved SANS Computer Forensics Blog.

* Windows 7 Recycle Bin EnScript

* A Bit More On Timelines and Stuff - Harlan discusses noise & data reduction in timeline analysis. Of interest when dealing with truncated timelines: check out Go-OO, which was mentioned on Ken Pryor's blog here.

Here are a few historical items that I've bookmarked through the years and came across this afternoon while doing some research:

* Bypassing a Windows login password in order to boot a virtual machine
* Windows Oddities
* ShellBags Registry Forensics

Thank you to those of you who follow and continue to read my blog (much appreciated). Traffic is up over 54% for the last 30 days. Drop me a comment or an email, or follow me on Twitter. My Twitter feed is set to private, so if you send me a follow request and I don't approve it, drop me an e-mail at info-at-computerforensicsource-dot-com.

2 comments:

H. Carvey said...

Great post, Brad!

Unknown said...

Thank you for stopping by and dropping a comment Harlan!