Thursday, September 8, 2011

Explosions Explosions

A couple of nights ago I did something rare: I actually watched a television program. I had heard an interview on NPR with an author of "Top Secret America", and it was mentioned that a documentary of the same name would be on Frontline on PBS that night. So, since the topic had been interesting, I "tuned in".
The basic premise of the documentary and the book was that since 9/11 much of our intelligence effort has been handed over to, and is being performed by, contractors. That in itself was interesting, but my real interest was piqued because digital forensics, in many forms, kept being alluded to.
Another important point for the authors was that the "War on Terror" is nowhere near a conventional war, but is a war fought over and with information. Hence the constant allusion to DFIR. At one point they talked about how the amount of hardware containing information was so vast that traditional intelligence agencies couldn't come close to examining it all, and this further added to the number of contractors needed. Too much information in a war of information.

This made me consider my own practice of DFIR. In the "old" days of 40 or 80 GB HDs, I could comfortably, and within the budget of most clients, conduct a full comprehensive examination in every case. No sweat. Now, with most corporate desktops having 300 GB to 1 TB HDs, that is rapidly becoming a budget and time constraint. That explosion of information has hit home at the simplest CF levels.

More and more of my most productive time is being spent at the case planning stage. The sheer size of the HDs I am getting requires me to adopt a new methodology, and to plan and "storyboard" examinations before I mount the first image. I spend more time with the client up front determining what I am looking for and what processes and applications could have been utilized.

I ask myself questions, determining ahead of time what type and location of artifacts I will be looking for, or whose absence I will be looking for. I no longer have the luxury of researching and investigating the software, the registry entries and the artifacts after I have found uses or traces; I now do this BEFORE I begin the actual examination.
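Here is what that "storyboard" can look like in practice, as an added example I wrote for this post (it is not the author's own tool). The idea is to write the plan down as data before the image is mounted: for each hypothesized activity, which artifact locations should exist, and for which the working hypothesis is that they should NOT exist. The plan is then checked against a file listing of the mounted image so the first pass is scoped, and anything inconsistent with the hypothesis is flagged for deeper work. The artifact paths are common Windows locations used purely for illustration, and the file listing is constructed for the example.

```python
"""Pre-examination artifact plan, checked against an image's file listing.

Added example for this post, not the author's tool. The plan entries below are
illustrative Windows artifact locations; a real plan is agreed with the client
up front and will differ case by case.
"""
from dataclasses import dataclass
import fnmatch


@dataclass(frozen=True)
class Artifact:
    """One item of the plan: a name, a path glob, and the working hypothesis."""
    name: str
    pattern: str          # glob over paths relative to the image root, lower-case, '/' separators
    expect_present: bool  # True: we expect to find it; False: hypothesis says it should be absent


# Illustrative plan library keyed by hypothesized activity (assumption: example values only).
PLAN_LIBRARY = {
    "web_browsing": [
        Artifact("chrome_history", "users/*/appdata/local/google/chrome/user data/default/history", True),
        Artifact("ie_webcache", "users/*/appdata/local/microsoft/windows/webcache/webcachev01.dat", True),
    ],
    "usb_storage": [
        Artifact("system_hive", "windows/system32/config/system", True),
        Artifact("setupapi_log", "windows/inf/setupapi.dev.log", True),
    ],
    "program_execution": [
        Artifact("prefetch", "windows/prefetch/*.pf", True),
    ],
    "wiping_tool": [
        # Hypothesis for this example: the client says no cleaning tool was ever run,
        # so the expected outcome is absence; a hit is the finding worth pursuing.
        Artifact("ccleaner_prefetch", "windows/prefetch/ccleaner*.pf", False),
    ],
}


def build_plan(hypotheses):
    """Assemble the ordered artifact list for the activities the client and I agreed on."""
    plan = []
    for h in hypotheses:
        plan.extend(PLAN_LIBRARY[h])
    return plan


def _norm(path):
    """Normalize an NTFS-style path for case-insensitive glob matching."""
    return path.replace("\\", "/").lower().lstrip("/")


def check_plan(plan, listing):
    """Match every plan entry against the listing; 'consistent' means the
    presence/absence seen agrees with the hypothesis recorded in the plan."""
    paths = [_norm(p) for p in listing]
    results = {}
    for art in plan:
        hits = sorted(p for p in paths if fnmatch.fnmatchcase(p, art.pattern))
        results[art.name] = {
            "expected_present": art.expect_present,
            "found": hits,
            "consistent": bool(hits) == art.expect_present,
        }
    return results


def triage_report(results):
    """One line per plan entry; '!!' marks entries that contradict the hypothesis."""
    lines = []
    for name, r in results.items():
        status = "OK " if r["consistent"] else "!! "
        want = "present" if r["expected_present"] else "absent"
        lines.append(f"{status}{name}: expected {want}, found {len(r['found'])}")
    return lines


# Constructed file listing standing in for a 'find'/'dir /s' over a mounted image.
SAMPLE_LISTING = [
    r"Users\jdoe\AppData\Local\Google\Chrome\User Data\Default\History",
    r"Windows\System32\config\SYSTEM",
    r"Windows\Prefetch\CHROME.EXE-ABCD1234.pf",
    r"Windows\Prefetch\CCLEANER64.EXE-1234ABCD.pf",
    r"Windows\inf\setupapi.dev.log",
]

if __name__ == "__main__":
    plan = build_plan(["web_browsing", "usb_storage", "program_execution", "wiping_tool"])
    for line in triage_report(check_plan(plan, SAMPLE_LISTING)):
        print(line)
```

Against the constructed listing this flags two things before any deep-dive starts: the IE cache the plan expected is missing (so that line of inquiry may be a dead end or the profile lives elsewhere), and a CCleaner prefetch file is present although the hypothesis was that it should be absent, which is exactly the kind of contradiction that decides where the limited examination hours go.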

Information has exploded right in our faces, and triage and planning have become some of the most important parts of our jobs. Narrowly focused forensics training is no longer enough; we truly must know everything from the hardware, the OS, the applications, the networks, and on and on.

And if the government wishes to throw me some of that burden of work, feel free!
