RE: [oscfmanual-discuss] OSCFManual sketch release
Status: Planning
Brought to you by:
mbevilacqua2
From: <mat...@us...> - 2003-06-11 18:39:38
Folks,

First, I'd like to mention that I like the direction and format of the manual and the idea of starting with this basic outline.

I wanted to get the ball rolling on the TERMS section of the document. I believe it is important at this point to use terms we can live with. One approach I hope to bring to the table is the use of terms already recognized by the courts. While the idea of developing an open source methodology with what is currently being done in the field is appealing, and is why I'm getting involved, it is important to understand where we can and can not make change easily. U.S. courts already have a language for referencing computer forensics. Terms like "Image" already have deep roots, and attempting to use another term may result in a conflict between the open source methodology and the legal world. It is possible that the ability to entertain acceptance of such a doctrine might hinge on such details. After all, some court systems, including the U.S., value precedent, and precedent includes such digital forensics terminology. So let's look to what is being used by the legal community before making decisions on terminology and the usage of that terminology.

Reference: Open-Source Computer Forensics Manual

Discussion 1. The name of the manual: Computer Forensics vs. Digital Forensics (General)

For those of you with the word "Cyber" in your credentials and college degrees, it is obvious that the life expectancy of some systems-jargon terms is short. There is also the issue of scope in the differences between "Computer" and "Digital" in this case. Since the scope of this manual is to encompass PCs, servers, PDAs, networks, routers, firewalls, laptops, removable storage items, image analysis, sound analysis, data streams, alternate data streams, CDs and DVDs, it is obvious that if we are to design the manual for longevity, we must label it and use terms that will cover the inevitable new generations of systems and storage devices.
I would suggest that we name the manual the "Open-Source Digital Forensics Manual".

Discussion 2. Terms section: "forensic image, forensic copy, forensic acquisition" (page 3)

It looks like there has been an attempt here to include the various terms used for what I know as an "Image Copy". While I consider "Image" or "Image Copy", I would suggest that we start a discussion to decide on one that would represent one term, to give us a globally usable term that, as of yet, is called something different by every tool and practice I've run across. Sometimes the term is the same, but the usage of the term is different. I have asked one of the founders of NTI (at an ISSA presentation in Portland, OR) and a high-level engineer who worked on an earlier version of EnCase if there was any interest in developing a common definition of terms. In both cases the representative was either not interested or didn't think it would fly with their organization. Each considered their definition of terms to stand as an industry standard. We need a common definition of terms, not just a list of terms. I would suggest we discuss this matter before we attempt to address the list of terms and their definitions themselves. Reference the email thread below to see a sample of a term and its definition that started these two discussions.

I have more items to discuss, but wanted to see how much of a tempest these two discussions would create. Involvement is encouraged.

Thanks,
Matthew Brown, CISSP, SSCP, MCP
U.S. Bancorp
Information Security Services
Threat & Vuln Mgmt (Security Consultant)
Alt: mb...@ci...
----- Forwarded by Matthew T Brown/OR/USB on 06/11/2003 08:14 AM -----

From: "Matias Bevilacqua" <mbevilacqua@cybex.info>
To: matthew.brown1@usbank.com
cc:
Subject: RE: [oscfmanual-discuss] OSCFManual sketch release
Date: 06/11/2003 12:12 AM

I would totally agree if we were talking ONLY about imaging today's computer drives but...

What about imaging a Palm? or a Flash Card? or any other kind of device to store digital data. I feel the need to make this document as "open" as possible to any kind of digital data at all. Once we get down to the level of SOPs or technical guidelines I agree on the need to use more appropriate terms for the technology involved.

I'll try to figure out some rephrasing to avoid the "bit-by-bit" term there though.

Please feel free to send this thread to the list! We need to sparkle up discussion :)

Sincerely,
Matías Bevilacqua Trabado
CYBEX
___________________________________________________________________
PGP-ID: 0x40A4869F
PGP Fingerprint: 2052 98A0 F0F0 2914 D7FA 4E7C 0488 7E8C 40A4 869F
___________________________________________________________________
CYBEX
Grupo Intelligence Bureau
Rambla de Catalunya, 32 4º-2ª
08007 Barcelona
Tel. 93 215 53 23
Fax. 93 215 50 72
http://www.cybex.info

> -----Original message-----
> From: mat...@us... [mailto:mat...@us...]
> Sent: Wednesday, 11 June 2003 0:25
> To: Matias Bevilacqua
> Subject: Re: [oscfmanual-discuss] OSCFManual sketch release
>
> Matias
>
> I didn't know if it was appropriate to email you directly on this matter or the list. I decided to err by sending it to you directly.
>
> In reference to: oscfm.en.0.1.0 Initial release
>
> I wanted to address the use of bit-by-bit in the TERMS section of the document. While all the bits are copied, thus creating a bit-for-bit image/copy, there is no bit-by-bit copy function.
> There are sector-by-sector and block-by-block copies, which read entire sectors or blocks before writing the entire sector or block to the image/copy. It makes me wince when I hear people in this industry discuss this matter at the bit level. We can't even do a byte-by-byte copy without reading and writing an entire sector/block. Now would seem to be the time to spell this out or clarify it. Otherwise we will be stuck with bit-by-bit and sooner or later an expert for the defense in court will point out that the machines can not perform a bit-by-bit copy. Again, the result of a block-by-block or sector-by-sector copy is a bit-for-bit mirror or image.
>
> Let me know what you think...
>
> Thanks,
> Matthew Brown, CISSP, SSCP, MCP
> U.S. Bancorp
> Information Security Services
> Threat & Vuln Mgmt (Security Consultant)
> (503) 401-4224 Office
> (503) 869-8382 Cell
> (888) 789-6162 Pager
> 888...@my...
> (Short text messages only)
>
> From: "Matias Bevilacqua" <mbe...@cy...>
> Sent by: osc...@li...urceforge.net
> Date: 06/10/2003 08:36 AM
> To: osc...@li...
> cc:
> Subject: [oscfmanual-discuss] OSCFManual sketch release
>
> Hi everybody,
>
> Seems the initiative has almost too much support :) As I told you in my last email there have been several contributions with personal or regional methodologies and SOPs from the beginning. We have been trying to integrate them into the initial release but it has proven to be a daunting task.
> Instead we are releasing the initial sketch of the document so that everyone can start collaborating in the effort, and we will slowly dissect the contributed documentation to get the best out of them and into the OSCFManual.
> This list will be initially used for all coordination and discussion related to the development of the project; other lists will be opened as the need arises.
> I encourage everyone to download the sketch, read it and get back to me and/or the list with improvements, collaboration offers, comments, pitfalls, anything!
> Everyone's invited :)
>
> You will find the initial documentation in:
> https://sourceforge.net/projects/oscfmanual/
>
> Sincerely,
> Matías Bevilacqua Trabado
> CYBEX
> ___________________________________________________________________
> PGP-ID: 0x40A4869F
> PGP Fingerprint: 2052 98A0 F0F0 2914 D7FA 4E7C 0488 7E8C 40A4 869F
> ___________________________________________________________________
>
> CYBEX
> Grupo Intelligence Bureau
> Rambla de Catalunya, 32 4º-2ª
> 08007 Barcelona
> Tel. 93 215 53 23
> Fax. 93 215 50 72
> http://www.cybex.info
>
> _______________________________________________
> oscfmanual-discuss mailing list
> osc...@li...
> https://lists.sourceforge.net/lists/listinfo/oscfmanual-discuss
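As an added illustration of the copy-granularity point Matthew raises in the quoted message (this is example code added here, not code from the OSCFManual sketch or from either correspondent), the following Python models a device that only hands out whole 512-byte sectors. The imager copies it sector by sector, and the result is still verified bit-for-bit by hash; a helper shows that fetching even a single byte costs a whole-sector read. The SectorDevice class, the sample drive contents and the unreadable-sector handling (zero-fill and log the LBA, the way dd conv=noerror,sync behaves) are assumptions made for the example, not something the thread discusses.

```python
import hashlib

SECTOR_SIZE = 512  # bytes per sector: the smallest unit a block device reads or writes


class SectorDevice:
    """Constructed stand-in for a block device (an assumption of this example, not a real driver).

    Data can only be obtained one whole sector at a time, which is the
    constraint the discussion is about. Sectors listed in ``bad_sectors``
    raise IOError to simulate unreadable media.
    """

    def __init__(self, data: bytes, bad_sectors=()):
        if len(data) % SECTOR_SIZE:
            raise ValueError("device size must be a whole number of sectors")
        self._data = data
        self._bad = set(bad_sectors)

    @property
    def sector_count(self) -> int:
        return len(self._data) // SECTOR_SIZE

    def read_sector(self, lba: int) -> bytes:
        if not 0 <= lba < self.sector_count:
            raise ValueError(f"LBA {lba} out of range")
        if lba in self._bad:
            raise IOError(f"read error at LBA {lba}")
        start = lba * SECTOR_SIZE
        return self._data[start:start + SECTOR_SIZE]


def sha256_hex(data: bytes) -> str:
    """Hash used to verify that the image is bit-for-bit identical to the source."""
    return hashlib.sha256(data).hexdigest()


def image_device(dev: SectorDevice):
    """Sector-by-sector acquisition.

    Reads every sector in LBA order and appends it unchanged to the image,
    hashing as it goes. An unreadable sector is replaced by SECTOR_SIZE zero
    bytes and its LBA recorded (assumed policy, as dd conv=noerror,sync does),
    so the image keeps the same geometry as the source.
    Returns (image_bytes, sha256_hex_of_image, unreadable_lbas).
    """
    image = bytearray()
    digest = hashlib.sha256()
    unreadable = []
    for lba in range(dev.sector_count):
        try:
            sector = dev.read_sector(lba)
        except IOError:
            sector = b"\x00" * SECTOR_SIZE
            unreadable.append(lba)
        image += sector
        digest.update(sector)
    return bytes(image), digest.hexdigest(), unreadable


def read_bytes(dev: SectorDevice, offset: int, length: int):
    """Fetch an arbitrary byte range from the device.

    Even a single byte costs a whole-sector read: the covering sectors are
    read in full and the range is sliced out afterwards. Returns the bytes
    and the number of sectors that actually had to be read.
    """
    if length <= 0:
        return b"", 0
    first = offset // SECTOR_SIZE
    last = (offset + length - 1) // SECTOR_SIZE
    buf = b"".join(dev.read_sector(lba) for lba in range(first, last + 1))
    skip = offset - first * SECTOR_SIZE
    return buf[skip:skip + length], last - first + 1


# Constructed sample "drive": four sectors of deterministic filler (not real evidence).
SAMPLE_DRIVE = bytes((i * 7 + 3) % 256 for i in range(4 * SECTOR_SIZE))


if __name__ == "__main__":
    dev = SectorDevice(SAMPLE_DRIVE)
    image, image_hash, bad = image_device(dev)
    print("image identical to source:", image == SAMPLE_DRIVE)
    print("image sha256 matches source:", image_hash == sha256_hex(SAMPLE_DRIVE))
    chunk, sectors_read = read_bytes(dev, 510, 4)
    print("4 bytes spanning a sector boundary needed", sectors_read, "sector reads")
    _, _, bad = image_device(SectorDevice(SAMPLE_DRIVE, bad_sectors=[2]))
    print("unreadable sectors zero-filled and logged:", bad)
```

The hash comparison is what makes the "bit-for-bit" claim checkable after a sector-granular copy; when a sector was unreadable the image hash will necessarily differ from the source, which is why the list of skipped LBAs belongs in the acquisition notes rather than being silently dropped.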