Tuesday, April 3, 2012

A Few Worthwhile Updates

Okay, so I just need to post a couple (or maybe a few) quick updates. These are important, at least to me. :)

First up is ... wait for it ... wait for it ...

Forensic4cast Awards! There are some great folks in here, all very well-deserving. I'm not about to tell you who to vote for, as political discussions can be touchy. Oh wait, this isn't politics, so I guess I'll go ahead and get dirty. ;)

Not really, except to say, vote for log2timeline in the "Computer Forensic Software Tool of the Year" section. L2T's a great tool that I use on a regular basis, probably every case I work. Hands down, it's just awesome!

If for whatever reason (maybe you don't like perl) you can't bring yourself to vote for L2T, then there's another offering I can support. That's Registry Decoder, in the same category. RD is another great utility (in python, for you perl-haters) that can do for the Windows registry what L2T does for the file-system - parses the heck out of it! This bad boy is also proving extremely useful to me.

Yes, it's true, I'm in a quandary, a conflict, a conundrum. Now, where's my lucky coin?

Now that I'm all neurotic about the choices to be made, I'll move on to the next part. Oh, but first ... GO VOTE!

My next topic is ForensicArtifacts. This is a community-driven site that has a very catchy name: ForensicArtifacts.com. What, you've never heard of it?! Well, shame on me if I haven't mentioned it before. ;-(

Taken from the About page, here's a description of the site:

"ForensicArtifacts.com was built to become a repository for useful information forensic examiners may need to reference during the course of their analysis. Requests for artifacts of system files, programs, and malware are very common to see on computer forensic mailing lists and forums. This site strives to take the place of those requests and become a one-stop shop when it comes to forensic artifacts.

This site was designed for the digital forensic community, but it also relies on the community to become stronger. Please consider submitting any artifacts you have documented that may be of use to other examiners. As an added incentive, Rob Lee and SANS have graciously offered up a SANS Lethal Forensicator Coin for anyone submitting six or more artifacts or IOCs in any given year. For more details on this, please read here"

This is important, because we need more community involvement. A site like this only benefits the community if the community uses it. And if you're using it, you should be contributing to it. I don't want to sound all legalistic, but you should contribute. This doesn't just mean to send in artifacts; you can post links, follow @4n6artifacts on twitter and retweet, and recently we've even talked about having a "suggestions box" so people can submit ideas for artifacts, and anyone who's interested (and has time) can do some research to share with the community.

When it boils down to the crux of the biscuit (just mixing up various metaphors), ForensicArtifacts needs you! Only you can provide artifacts. It's low pressure, no time-table, do it as you can, just write it up and submit in the easy-to-follow form. It doesn't get much better than that! Basically, if you've found something in your work or research, even if it's perhaps incomplete, submit it.

We need your artifacts. We need your IOCs. And by "we" I mean the community as a whole, not just this site. When we all share the fruits of our labors, we all benefit. Pitch in! Recycle your artifacts and IOCs; it's good for the environment, and you get to make a difference!



  1. I'm curious as to why sites such as the ForensicsWiki.org, which already exists, aren't used more often. What is the need to stand up another site, when folks are already complaining that we have too many sites with information?

    Also, I noticed that on 5 Jan, the offer was made that for anyone who posted 6 artifacts or IOCs, they'd get a SANS RMO. Did anyone cash in on that?

  2. I applaud all the efforts towards consolidating the mass of information generated by the digital forensics community. While blogs can be very informative, they tend to have a short shelf life for the examiner. Forensic Artifacts is a great idea and nicely implemented, but I personally believe that the wiki format is the best long-term solution for maintaining a centralized store of information. Our understanding of the various forensic artifacts improves with time and in some cases, the artifacts themselves change. A wiki provides the best means for the community to update and police the veracity of submitted data.

    One solution might be to broker some sort of collaboration and data sharing between Forensic Artifacts and the Forensic Wiki.

  3. Matt and the others may have a different viewpoint, but here's how I see it. ForensicArtifacts exists just like a Linux tool - a focused tool with one job that it does very well (hopefully). I think in that respect it differs from ForensicsWiki, as that is much broader in scope.

    There are some cons to a wiki approach as well. At this point, the fact is that ForensicsWiki is underutilized as well, so it may boil down to community involvement, which is what drove my post.