Comments on Forensicaliente - because digital forensics is 'hot': Presenting DFIR, Shakespeare Style - DFIR Summit 2014

H. Carvey (https://www.blogger.com/profile/08966595734678290320), 2014-03-21 09:50 -05:00

"These limitations show themselves through incomplete analysis and inaccurate conclusions."

I would suggest that what's missing in this approach is the focus on the mission, on the goals of the exam. Given the particular goals of your exam, you may not need everything in order to answer the questions you were asked. Many of those who use memory and selected files have developed their approach based on an understanding of their goals, and what they need to answer those questions.

"...incident response should be based on all of the information available..."

Not always. Again, it depends on what you were asked to do, or determine. Why wait to acquire hard drives, or even logical acquisitions of system volumes, when you can collect memory and selected files, and narrow your focus to only the affected systems? Doing so enables a much quicker response, while at the same time reducing your customer's costs.

"...these examples will show how each - by itself - falls short in painting the full picture of what happened..."

I would still suggest that the approach a responder employs should be based on an understanding of the goals, as well as the available data.

H. Carvey

Little Mac (http://www.blogger.com/profile/16829704053692764714), 2014-03-23 21:01 -05:00

Harlan,

Thanks for the comments. I don't necessarily disagree, when it comes to host-based forensics. And as you've noted - whether you're acting as an external consultant or internal investigator - scope may define your role. However, just because someone (who may not want to know the truth) has defined the scope doesn't mean that your findings will be complete and accurate. Staying within the defined scope may be a requirement of your job/role, and may protect you against legal action individually, and still leave facts behind.

My chief complaint, if you will, is with those individuals who do not seem to think there is value in data that resides outside of their small area of expertise. They silo their skills, their knowledge, their abilities, refusing to acknowledge the fact that it's a narrow mindset, and in so doing, they are not well serving their employer (internal or external). And if the employer does not want to see or know about other data sources, at a minimum it becomes the investigator's job to document the fact that evidence might have been left behind.

Take Target for example. We all know now that there were FireEye alerts that were not responded to, and people are shaking their heads. But just because there were FireEye alerts doesn't indicate a compromise; only the possibility/probability. That's a network alert; it needs correlation from other points of evidence to ascertain the validity. Now that there are assuredly external parties involved in the investigation, what if their scope doesn't state anything about FireEye? Or firewalls? Are they to ignore those because it's outside of scope? Even if they ultimately are not relevant, those things still are part of the bigger picture, and without considering them, you can't say you know what occurred, on the basis of facts at hand.

Obviously there's a lot more to it all than just what has been mentioned here, Twitter, etc. That's what the talk will flesh out; if you want more, be there or tune in... :)

Little Mac

H. Carvey (https://www.blogger.com/profile/08966595734678290320), 2014-03-24 05:58 -05:00

Frank,

"My chief complaint, if you will, is with those individuals who do not seem to think..."

Such as?

Honestly, I'm not aware of anyone who thinks this way. I do think that most analysts and responders have some idea of focusing on specific items for triage, and then based on findings and indicators, going back and getting a more detailed view of specific systems.

However, I'd think that at this point, anyone who focused solely on, say, network traffic would be in something of an awkward position when asked questions regarding what happened, their findings, etc.

H. Carvey