Re: [sleuthkit-users] icat and ifind -- Help with -- Please DO NOT hijack threads
From: Theodore P. <te...@gm...> - 2009-11-22 19:49:44
I think there is room for both. Good tools that automate tedious, error-prone tasks and are at least somewhat transparent as to what they are doing to achieve a given output are desirable. But at the same time, there are fundamentals that a good forensic analyst should understand independent of what tools they choose to use. If you don't at least expose beginners to the fundamentals of file systems, inodes, and data blocks, then I believe their overall ability to reason and interpret the output of higher-level tools is reduced. Especially if the higher-level tool has a bug and is lying to you or basing its output on an assumption which may be incorrect in your situation.

I'm not arguing that they need to master all the nuances down to assembly language; they just need to be aware of where the limit of their knowledge is, so that if they find themselves in a situation where they are not specialized enough, they know to seek out help from someone who is, if necessary. Think about doctors. Someone may end up specializing in orthodontics, but they are still forced to do general medical school so they have the proper exposure and understanding of how problems with your teeth may manifest as other symptoms throughout your body.

Our field is changing so rapidly that a solid understanding of the fundamentals will do you immense benefit as what is old becomes new again. Then again, I went down the SANS path, which teaches the fundamentals before showing you the higher-level tools, so maybe I'm biased.

On Sun, Nov 22, 2009 at 1:34 PM, Simson Garfinkel <si...@ac...> wrote:
>
> On Nov 21, 2009, at 11:00 AM, Al Grant wrote:
>
>>
>> Sure I would love it thanks Simson.
>>
>> I still however want to do it the manual way a few times first, else there
>> is no learning :-)
>
> Al,
>
> I would politely disagree with this statement.
> I do not think that there is much value in everyone's learning the low-level details of SleuthKit, just as there is no reason to learn the low-level details of assembly language or RTL (resistor transistor logic). Forensics is so complicated that people must specialize --- there is simply too much to learn. We need higher-level tools for creating forensic tools, so that it is easier to automate tasks and pass along each other's knowledge.
>
> Guidance Software's scripting language (escript) is a good first step. Unfortunately, the language is quite inefficient, poorly documented outside of the company's manuals (which are not freely available), and the only implementation is inside EnCase. The main problem with EnCase is that, as a GUI application, it is hard to use in a forensics pipeline. Because it only runs from a Windows GUI, you can't use EnCase on a cluster, even if you have thousands of disk images that you want to analyze in parallel.
>
> Simson
>
> _______________________________________________
> sleuthkit-users mailing list
> https://lists.sourceforge.net/lists/listinfo/sleuthkit-users
> http://www.sleuthkit.org
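A worked illustration of the inode and data-block fundamentals the reply above refers to, added here as an example; it is not code from the thread, from The Sleuth Kit, or from any participant. It models a deliberately tiny, made-up file system (a superblock, a fixed-size inode table, four direct pointers plus one single-indirect pointer per inode) and implements the two lookups named in the thread's subject line: block-to-inode, which is the question `ifind -d` answers, and inode-to-content, which is what `icat` does. The image layout, field names, sizes and every function name are constructed for this example and are not ext2/ext3 structures. The last function shows what happens when a tool hard-codes the block size instead of reading it from the superblock, which is the kind of silent wrong assumption the reply warns about.

```python
"""Toy file-system walker: block -> inode (ifind -d style) and inode -> content
(icat style). Constructed example: the on-disk layout is invented for
illustration; it is NOT ext2/ext3 and NOT The Sleuth Kit's code."""
import struct

MAGIC = b"TOYFS\x00"
INODE_SIZE = 32   # bytes per on-disk inode in this toy layout
N_DIRECT = 4      # direct block pointers per inode; 0 means "unused"


def read_superblock(img: bytes) -> dict:
    """Block 0: magic, then block_size, inode_count, inode_table_block (u32 LE from offset 8).
    A tool must read block_size from disk: assuming it shifts every later offset."""
    if img[:6] != MAGIC:
        raise ValueError("not a toy image")
    block_size, inode_count, itable = struct.unpack_from("<III", img, 8)
    if block_size == 0 or len(img) % block_size:
        raise ValueError("block size inconsistent with image length")
    return {"block_size": block_size, "inode_count": inode_count,
            "inode_table_block": itable}


def read_block(img: bytes, sb: dict, blk: int) -> bytes:
    bs = sb["block_size"]
    if (blk + 1) * bs > len(img):
        raise ValueError(f"block {blk} lies past the end of the image")
    return img[blk * bs:(blk + 1) * bs]


def read_inode(img: bytes, sb: dict, inum: int) -> dict:
    """Inode (1-based): size u32, N_DIRECT direct pointers, one single-indirect pointer."""
    off = sb["inode_table_block"] * sb["block_size"] + (inum - 1) * INODE_SIZE
    f = struct.unpack_from(f"<I{N_DIRECT}II", img, off)
    return {"size": f[0], "direct": list(f[1:1 + N_DIRECT]), "indirect": f[1 + N_DIRECT]}


def inode_blocks(img: bytes, sb: dict, inum: int):
    """Return (data_blocks, metadata_blocks) that an inode has allocated."""
    ino = read_inode(img, sb, inum)
    data = [b for b in ino["direct"] if b]
    meta = []
    if ino["indirect"]:
        meta.append(ino["indirect"])            # the indirect block itself is metadata
        ind = read_block(img, sb, ino["indirect"])
        for (b,) in struct.iter_unpack("<I", ind[:(len(ind) // 4) * 4]):
            if b == 0:                          # a zero pointer terminates the list
                break
            data.append(b)
    return data, meta


def icat(img: bytes, sb: dict, inum: int) -> bytes:
    """icat-style: concatenate the data blocks, then truncate to the recorded size."""
    size = read_inode(img, sb, inum)["size"]
    data, _ = inode_blocks(img, sb, inum)
    return b"".join(read_block(img, sb, b) for b in data)[:size]


def ifind_d(img: bytes, sb: dict, blk: int):
    """ifind -d style: which inode allocated this block (as data or metadata)? None if free."""
    for inum in range(1, sb["inode_count"] + 1):
        data, meta = inode_blocks(img, sb, inum)
        if blk in data or blk in meta:
            return inum
    return None


def icat_trusting_assumed_block_size(img: bytes, inum: int, assumed_bs: int):
    """What a tool does when it hard-codes the block size instead of reading the
    superblock: it may error out, or it may silently return the wrong content."""
    sb = read_superblock(img)
    sb["block_size"] = assumed_bs               # the bad assumption
    try:
        return icat(img, sb, inum)
    except (ValueError, struct.error):
        return None


def build_sample_image() -> bytes:
    """Constructed 16-block image with 64-byte blocks: superblock in block 0, inode table
    in block 1, inode 1 = 340-byte file in blocks 2-5 plus 7-8 via indirect block 6,
    inode 2 = 11-byte file in block 9, blocks 10-15 unallocated."""
    bs, nblocks = 64, 16
    blocks = [bytearray(bs) for _ in range(nblocks)]
    struct.pack_into("<6sxxIII", blocks[0], 0, MAGIC, bs, 2, 1)
    struct.pack_into("<IIIIII", blocks[1], 0, 340, 2, 3, 4, 5, 6)
    struct.pack_into("<IIIIII", blocks[1], INODE_SIZE, 11, 9, 0, 0, 0, 0)
    for blk, ch in zip((2, 3, 4, 5, 7), b"ABCDE"):
        blocks[blk][:] = bytes([ch]) * bs
    blocks[8][:20] = b"F" * 20
    struct.pack_into("<II", blocks[6], 0, 7, 8)  # indirect block: pointers to 7 and 8
    blocks[9][:11] = b"hello world"
    return bytes(b"".join(blocks))


IMG = build_sample_image()
SB = read_superblock(IMG)

if __name__ == "__main__":
    for inum in (1, 2):
        print(f"icat inode {inum}: {len(icat(IMG, SB, inum))} bytes")
    for blk in (6, 8, 9, 12):
        print(f"ifind -d block {blk}: inode {ifind_d(IMG, SB, blk)}")
    print("hard-coded block size 32 returns:", icat_trusting_assumed_block_size(IMG, 1, 32))
```

Running the block stand-alone recovers the 340-byte file for inode 1, reports block 6 (the indirect block) and block 8 as owned by inode 1, block 9 by inode 2, and block 12 as unallocated. The more instructive result is `icat_trusting_assumed_block_size(IMG, 1, 32)`: with the block size assumed rather than read, the inode lookup lands on zero-filled bytes of the superblock and the function returns an empty file with no error at all, while assuming 4096 at least fails loudly. That silent, plausible-looking wrong answer is the case an analyst can only recognise by knowing where an inode table lives and what it should contain.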