Tuesday, August 9, 2011

A Computer Forensics Story without a Computer

I spent a little time at the Outer Banks last week, enjoying the surf and the fishing. One night standing on the Avon Pier, I discovered something about Digital Forensics. No, no one walked up to me with a netbook they wanted examined, this was about fishing, but it applied to forensics.

Now, I lived in eastern NC most of my life, and grew up fishing the banks inshore and offshore. So here I was leaning on the pier watching an enormous group of large skates go past. As I stood there I kept watching these sun burnt tourists go past me to the very end of the pier carrying brand new expensive shiny rods and reels purchased at the pier store, hands full of one of every kind of bait they sold, a 5 day NC fishing license that gave them the RIGHT to fish, and for the most part not even a tickle in their brain cells of exactly how to catch fish.

As I watched them go to the end of the pier, deeper is better they thought, and flop their lines in the water right next to the pilings, I knew what was going to happen. And it did, time after times. Their rod would bend almost in half, the crowd would hoot and holler at the enormous fish that must be on the end of the line. The more they would reel (paying no attention to the drag) the more the rod would bend. Finally some old salt would take pity and go over and tell them the tide had wrapped them around the pier and they had caught basically a big telephone pole. This would be followed by a long period of pulling, twisting and a lot of cussing as they tried to get their lines from the pier. Usually it ended with cut lines, and once in a broken rod.

Exactly what you are asking did this situation have to do with forensics? No, I wasn't drinking mass quantities on the pier. It made me think like this. Their shiny new techno rods and reels were great tools, but only if the hands that held them knew what to do with them. The pier is a great vehicle for getting out to the fish, If you understand where the fish could be. And then the water, ah, you have to be able to see below it! Here the light bulb flashes. Forensics is all about whats under the water, how the tide and currents are moving, where you will to use your tools and how.

FTK's, EnCases. ProDiscovers and all the other commercial tools are like those rods and reels, in the hands of someone who knows what is or has happened under the water (network, file system, malware etc) they are powerful. I you don't know the water, you can't use the tool. In the various forums and boards I always see "I am a newbie to CF, what tools should I get"?

My answer : Go to Walmart get a cheap rod and reel (free and/or Open Source tools, images) and spend countless hours learning the water (read, study and PRACTICE).

2 comments:

  1. Man, I thought this was going to amount to "sometimes it good just to step away from technical modes of thought and enjoy life"

    ...but then it didn't and I got really upset.

    ReplyDelete
  2. I've been using Kaspersky Anti virus for a couple of years now, and I'd recommend this product to all of you.

    ReplyDelete