Is Linux a superior forensics platform?

Yeah, the lawyer who was doing our training just left it at 'keep it as long as you can'. Doesn't have to be forever per se, just as long as it's financially and technically viable for your company, and if you got rid of it you had better have good reason (preferably documented). Of course he was talking about more than just forensics, he was talking about any data that could be used in any kind of legal proceedings ever. Basically so you don't pull an Arthur Anderson (think enron accounting) and start shredding docs or ditching data in some suspicious manner.

As for the md5 +sha-1 thing, the advice I got was to use both. This is to remove doubt about the file integrity and the possibility of hash-collisions. Just getting rid of more lawyer doubt about your evidence.

I'm curious about that test on EXT3 and ReiserFS. Was the change made due to the mount count increasing(as it does with EXT3/Reiser)? Did he mount the disk noexec,nodev,noatime? Mounting a disk/partition just read only is not suggested.

the md5/sha1 thing..yep I agree, that's why tripwire uses 4 hashes by default.

Well I don't know what kind of legal system you guys run, but:

Quote:

---

the md5/sha1 thing..yep I agree, that's why tripwire uses 4 hashes by default.

---

The trouble with that is that there will be twelve people on the jury who do not, and NEVER will

They will be curious as to why you use "free" rather than pay for....................can't you afford it?...........if "free" is better, how come commercial organisations have not taken it up and done better?

Also taxpayers like myself are going to ask who is accepting collateral responsibility for any defects in the tool. Lawyerscum can only write so much B/S into the EULA..............and dealing with serious, people they can write virtually nothing..................."the State of XYZ rejected that forensics tool because its vendors would not accept responsibility for its fitness for purpose?"............the stock would be suspended immediately?

If you want people to accept responsibility, you have to pay, if only so they can buy insurance?

And to cover your own a$$ you are better off paying.

Ask yourself: "what is the point of forensics if no-one will pay you for it?"

See you in court


:D :eek:

It's not only accountability but percieved value also. Something that is free, is by and large considered to be of little value compared to something that costs. The greater the cost the greater the value.

Why do people spend X amount for goods services, when it is possible to to purchase those goods services else where at half X. We all see this every day, with every day items. I don't think software is any different in this respect than any other consumer goods and service.

For every forensics specialist who considers OSS as an alternative to Microsoft, I bet there is one that thinks, OSS must be crap, or else they would not give it away.

of course. Both of you are correct. My main issue is with NIST I suppose for not pushing open source testing. If LE & Gov is so damn broke, isn't it in their best interest to use something with little to no cost?

Quote:

---

Granted, the windows tools have been heavily refined to automate the tasks involved in investigations, but the principal issue I struggle with, is why use a single minded, inferior operating system to do forensics? Why are programs like encase and FTK made only for windows, when the core operating system does nothing but hamper an investigation?

---

Because Windows is still in widespread use in the corperate network (and the government which is huge cash as well). When people switch over they'll have to switch right? Basic economics ^_^.

i pick linux and Windows Nt. because. one the Nt. is hardest to use. because its the main one being hacked. and linux because its old and its still way usefull.. heh. thats my reason.

A step aside.

I was on a forensics intro course yesterday. The chap speaking was a seasoned investigator with a lot of high profile cases under his belt.

I asked him about Helix and his reply was that basically it didn't matter if it was better then Encase or not. Encase was court proven and accepted and the Encase developers were prepaired to be put on the stand to defend the integrity of results produced by their product.

There was too much of a risk associated with switching to any other product.