Is Linux a superior forensics platform? - Page 3


Thread: Is Linux a superior forensics platform?

  1. #21
    Ninja Code Monkey (Join Date: Nov 2001, Location: Washington State, Posts: 1,027)
    Yeah, the lawyer who was doing our training just left it at 'keep it as long as you can'. Doesn't have to be forever per se, just as long as it's financially and technically viable for your company, and if you got rid of it you had better have good reason (preferably documented). Of course he was talking about more than just forensics, he was talking about any data that could be used in any kind of legal proceedings ever. Basically so you don't pull an Arthur Andersen (think Enron accounting) and start shredding docs or ditching data in some suspicious manner.

    As for the MD5 + SHA-1 thing, the advice I got was to use both. This is to remove doubt about the file integrity and the possibility of hash collisions. Just getting rid of more lawyer doubt about your evidence.
    "When I get a little money I buy books; and if any is left I buy food and clothes." - Erasmus
    "There is no programming language, no matter how structured, that will prevent programmers from writing bad programs." - L. Flon
    "Mischief my ass, you are an unethical moron." - chsh
    Blog of X

  2. #22
    Computer Forensics (Join Date: Jul 2001, Posts: 672)
    I'm curious about that test on EXT3 and ReiserFS. Was the change made due to the mount count increasing (as it does with EXT3/Reiser)? Did he mount the disk noexec,nodev,noatime? Mounting a disk/partition just read only is not suggested.
    Antionline in a nutshell
    "You're putting the fate of the world in the hands of a bunch of idiots I wouldn't trust with a potato gun"

    Trust your Technolust

  3. #23
    Computer Forensics (Join Date: Jul 2001, Posts: 672)
    The MD5/SHA-1 thing.. yep, I agree, that's why Tripwire uses 4 hashes by default.
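As an added example (not code from any poster in this thread), here is the practice behind posts #21 and #23 in Python: hash an acquired image once while computing several digests from the same read, record them beside the image, and re-verify later so that any change to the image (one byte is enough) is flagged by every recorded digest. Function names, file names and the sample image are hypothetical and constructed for the demonstration.

```python
import hashlib
import json
import os
import tempfile

# Hypothetical defaults: the digests a record carries. Adding more is cheap
# because every hasher consumes the same chunk, so the image is read once.
ALGORITHMS = ("md5", "sha1", "sha256")

def hash_image(path, algorithms=ALGORITHMS, chunk_size=1024 * 1024):
    """Return {algorithm: hexdigest} for the file at `path`, read in one pass."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}

def write_record(path, digests, record_path):
    """Write the digests plus the image size as a small JSON acquisition record."""
    record = {"image": os.path.basename(path), "size": os.path.getsize(path), "digests": digests}
    with open(record_path, "w") as fh:
        json.dump(record, fh, indent=2)
    return record

def verify_image(path, record_path):
    """Re-hash the image and compare every recorded digest; list the ones that differ."""
    with open(record_path) as fh:
        record = json.load(fh)
    current = hash_image(path, algorithms=tuple(record["digests"]))
    mismatches = [name for name, value in record["digests"].items() if current[name] != value]
    size_ok = os.path.getsize(path) == record["size"]
    return {"ok": not mismatches and size_ok, "mismatches": mismatches}

def demo():
    """Constructed sample: a small fake image is hashed, recorded, then altered by one byte."""
    workdir = tempfile.mkdtemp()
    image = os.path.join(workdir, "evidence.dd")
    record = os.path.join(workdir, "evidence.json")
    with open(image, "wb") as fh:
        fh.write(b"\x00" * 4096 + b"constructed sample image" + b"\xff" * 4096)
    write_record(image, hash_image(image), record)
    before = verify_image(image, record)
    with open(image, "r+b") as fh:   # simulate a single-byte change to the image
        fh.seek(100)
        fh.write(b"\x01")
    after = verify_image(image, record)
    return before["ok"], after["ok"], after["mismatches"]

if __name__ == "__main__":
    print(demo())
```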

  4. #24
    Super Moderator: GMT Zone nihil (Join Date: Jul 2003, Location: United Kingdom: Bridlington, Posts: 17,191)
    Well I don't know what kind of legal system you guys run, but:

    Quote (Computer Forensics): the md5/sha1 thing..yep I agree, that's why tripwire uses 4 hashes by default.
    The trouble with that is that there will be twelve people on the jury who do not, and NEVER will

    They will be curious as to why you use "free" rather than pay for... can't you afford it?... if "free" is better, how come commercial organisations have not taken it up and done better?

    Also taxpayers like myself are going to ask who is accepting collateral responsibility for any defects in the tool. Lawyerscum can only write so much B/S into the EULA... and dealing with serious people they can write virtually nothing... "the State of XYZ rejected that forensics tool because its vendors would not accept responsibility for its fitness for purpose?"... the stock would be suspended immediately?

    If you want people to accept responsibility, you have to pay, if only so they can buy insurance?

    And to cover your own a$$ you are better off paying.

    Ask yourself: "what is the point of forensics if no-one will pay you for it?"

    See you in court


    If you cannot do someone any good: don't do them any harm....
    As long as you did this to one of these, the least of my little ones............you did it unto Me.
    What profiteth a man if he gains the entire World at the expense of his immortal soul?

  5. #25
    Regal Making Handler (Join Date: Jun 2002, Posts: 1,668)
    It's not only accountability but perceived value also. Something that is free is, by and large, considered to be of little value compared to something that costs. The greater the cost, the greater the value.

    Why do people spend X amount for goods and services, when it is possible to purchase those goods and services elsewhere at half X? We all see this every day, with everyday items. I don't think software is any different in this respect than any other consumer goods and services.

    For every forensics specialist who considers OSS as an alternative to Microsoft, I bet there is one that thinks OSS must be crap, or else they would not give it away.
    What happens if a big asteroid hits the Earth? Judging from realistic simulations involving a sledge hammer and a common laboratory frog, we can assume it will be pretty bad. - Dave Barry

  6. #26
    Computer Forensics (Join Date: Jul 2001, Posts: 672)
    Of course. Both of you are correct. My main issue is with NIST, I suppose, for not pushing open source testing. If LE & Gov is so damn broke, isn't it in their best interest to use something with little to no cost?

  7. #27
    Banned (Join Date: Jun 2005, Posts: 36)
    Quote: Granted, the Windows tools have been heavily refined to automate the tasks involved in investigations, but the principal issue I struggle with is why use a single-minded, inferior operating system to do forensics? Why are programs like EnCase and FTK made only for Windows, when the core operating system does nothing but hamper an investigation?
    Because Windows is still in widespread use in the corporate network (and the government, which is huge cash as well). When people switch over they'll have to switch, right? Basic economics ^_^.

  8. #28
    Banned (Join Date: Sep 2005, Posts: 12)
    I pick Linux and Windows NT. Because: one, NT is the hardest to use, because it's the main one being hacked; and Linux because it's old and it's still way useful.. heh. That's my reason.

  9. #29
    Frustrated Mad Scientist (Join Date: Dec 2004, Posts: 1,152)
    A step aside.

    I was on a forensics intro course yesterday. The chap speaking was a seasoned investigator with a lot of high profile cases under his belt.

    I asked him about Helix and his reply was that basically it didn't matter if it was better than EnCase or not. EnCase was court proven and accepted, and the EnCase developers were prepared to be put on the stand to defend the integrity of results produced by their product.

    There was too much of a risk associated with switching to any other product.
