Thursday, February 08, 2007

Live System Forensics

I have been spending more time recently preparing myself and my skill set for what I believe is a coming change in Computer Forensics: the increase in Live System Forensics and Acquisitions.

I feel this is going to happen for several reasons, such as the increased use of whole disk encryption, larger and larger hard drives, and the increased need to capture and analyze the contents of memory.

As the discussion of live system forensics has come up in various venues, there seems to be a real fear that evidence obtained from a running system would not be allowed into a court of law. This was undoubtedly true once for fingerprints, DNA, and other scientific evidence. I can remember 35 or so years ago when even breathalyzer results had to be fought into evidence in the courts of North Carolina. It’s going to take some attorneys who see the value of such evidence, who can see that the only way to obtain it will be from a live system, and who are willing to fight to get it accepted to make this happen.

But it’s also going to take us, the practitioners, to go out and, number one, learn how to properly do these exams; number two, develop the tools and methodologies to properly handle the evidence; and number three, “sell” this to attorneys and other investigators as a necessary move.

People like Harlan Carvey and Jesse Kornblum are doing a good job of leading the way in researching and developing tools and methodologies for this kind of work. We all need to get on this wagon and help, whether it’s developing, asking questions, bringing up concerns, or getting out and using what is already there.

The forensics forums are full of people asking questions, but we need the right kind of questions. There are enough answers archived about entry into the field, the basics of images, etc. What we need is people to experiment, to practice, and, when you hit a wall or find a new way, to share it.

As Harlan told me recently, the bad guys do a great job at sharing their methods without a formal structured group, why can’t we?
