Is Linux a superior forensics platform? - Page 2

View Poll Results: Which do you prefer?

  • KDE: 6 (54.55%)
  • Gnome: 3 (27.27%)
  • I love both: 2 (18.18%)
  • Other (please specify!): 0 (0%)

Voters: 11

Thread: Is Linux a superior forensics platform?

  1. #11
    Aren't you required to use reviewed software? You can't just run around using any old software you want for a sensitive task like forensics.

    I'm assuming the biz behind $$ software took the route to have their software approved/reviewed for work in the industry, whereas the open source solutions don't have that sort of initiative?

    I guess what I'm asking is that unless the costs of learning/operating/documenting the free solutions are more than their $$ counterparts, what's stopping you? Do regulations exist that keep investigators from switching?

  2. #12
    Ninja Code Monkey
    Join Date
    Nov 2001
    Location
    Washington State
    Posts
    1,027
    In my very limited experience and training, linux is the better and cheaper choice. Even more, a lot of the basic tools I've had recommended to me for doing things on windows are just ports of linux tools anyway (though these are all the non-commercial tool recommendations).
    "When I get a little money I buy books; and if any is left I buy food and clothes." - Erasmus
    "There is no programming language, no matter how structured, that will prevent programmers from writing bad programs." - L. Flon
    "Mischief my ass, you are an unethical moron." - chsh
    Blog of X

  3. #13
    Computer Forensics
    Join Date
    Jul 2001
    Posts
    672
    Soda, I honestly think the problem is the CFTT (computer forensics tool testing) group at NIST just hasn't gotten around to looking into open source tools. I don't know if it costs money to have your tools reviewed or not, but that would certainly limit whether or not something is "approved".

    What's stopping me personally? Absolutely nothing. I can document all of my procedures in linux just as well as I could using an automated windows tool.
    Antionline in a nutshell
    "You're putting the fate of the world in the hands of a bunch of idiots I wouldn't trust with a potato gun"

    Trust your Technolust

  4. #14
    Just out of curiosity, what would happen to a closed case if it was discovered that one of your tools was severely flawed?

    Would you have a chance to re-investigate using proper procedures, or would someone go free until the case was proven again?

  5. #15
    Computer Forensics
    Join Date
    Jul 2001
    Posts
    672
    That's actually a really good question. Unfortunately I don't know the law well enough to tell you what would happen. I would imagine that just like any other case though, if there was enough compelling evidence (take a murder case for example where DNA evidence proved 10 yrs later that someone was innocent) the courts would re-examine the case and perhaps let the person go. And in a trial..just like any other trial, you can't be tried for the same crime twice.
    Antionline in a nutshell
    "You're putting the fate of the world in the hands of a bunch of idiots I wouldn't trust with a potato gun"

    Trust your Technolust

  6. #16
    It'd be interesting when someone leverages a bugfix in forensic software to delay an investigation or trial.

    /me flees

  7. #17
    Computer Forensics
    Join Date
    Jul 2001
    Posts
    672
    hmm interesting idea. We should hide your post lest a criminal defense attorney get any ideas
    Antionline in a nutshell
    "You're putting the fate of the world in the hands of a bunch of idiots I wouldn't trust with a potato gun"

    Trust your Technolust

  8. #18
    Ninja Code Monkey
    Join Date
    Nov 2001
    Location
    Washington State
    Posts
    1,027
    It's my understanding that you are generally pushed to gather evidence from multiple sources and to use multiple tools to verify the data integrity. So you don't just MD5 something you MD5 and SHA-1 it.

    You don't just gather evidence off the drives, you grab it off your router logs, ips/ids, firewall logs, backup log server, etc.

    The multiple tools/sources combined with the documented and consistent techniques for gathering/handling evidence 'should' build a fairly decent case. That and if you keep a copy of the drive in question you can always go over it with better tools later if you really needed to.

    Most of the training I've had has basically said that you should keep whatever data you need for as long as it's financially viable to keep and use it (so barring it no longer being usable with current technology or it simply costing way too much money for someone to keep it going) for legality purposes.

    I can't see it being different than any other case if the better tools prove the person didn't do it or cast enough doubt to do damage to your case against them.
    "When I get a little money I buy books; and if any is left I buy food and clothes." - Erasmus
    "There is no programming language, no matter how structured, that will prevent programmers from writing bad programs." - L. Flon
    "Mischief my ass, you are an unethical moron." - chsh
    Blog of X

  9. #19
    Computer Forensics
    Join Date
    Jul 2001
    Posts
    672
    In the work I'm doing now we've got evidence from routers, event logs, disk forensics, and a network analysis tool. It's roughly equated to:
    - 2TB of disk data
    - well over 100,000 flow records with 64 bytes of content/flow
    - router flow totals
    - and whatever the event logs have.

    I typically md5 and sha1 my files, but there isn't anything that says you have to. MD5 is still accepted but on the way out.

    The major problem, like you point out, is documentation... of EVERYTHING. Reporting is major, as is placing a copy of the software used in with the evidence collected. Everything and anything will get called into question.

    It's funny you mentioned keeping the data around... Initially the lawyers said keep it forever. The secret service said keep it only as long as you need to practice due diligence. Storing 2TB per case gets a bit costly.
    Antionline in a nutshell
    "You're putting the fate of the world in the hands of a bunch of idiots I wouldn't trust with a potato gun"

    Trust your Technolust
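Posts #18 and #19 both describe hashing evidence with more than one algorithm and keeping the digests with the case file so the data can be re-checked later. The script below is an added example, not code from the thread or from any forensic tool mentioned in it; it hashes each evidence file with MD5, SHA-1 and SHA-256 in one pass, writes a JSON manifest, and later re-verifies the manifest, reporting which algorithms disagree. The file names, the three-algorithm list and the sample evidence bytes are constructed assumptions for the demonstration.

```python
"""Hash evidence files with several algorithms and re-verify them from a manifest."""
import hashlib
import io
import json
import os
import tempfile

ALGORITHMS = ("md5", "sha1", "sha256")  # assumption: the two legacy hashes plus a current one
CHUNK_SIZE = 1 << 20                    # read in 1 MiB pieces so multi-TB images never sit in RAM


def _hash_stream(stream, algorithms):
    """Feed one stream through every algorithm at once; returns {name: hexdigest}."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    for chunk in iter(lambda: stream.read(CHUNK_SIZE), b""):
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def hash_file(path, algorithms=ALGORITHMS):
    """Digests of a file on disk, read once regardless of how many algorithms are used."""
    with open(path, "rb") as fh:
        return _hash_stream(fh, algorithms)


def hash_bytes(data, algorithms=ALGORITHMS):
    """Digests of in-memory bytes (handy for known-answer checks of the hashing code)."""
    return _hash_stream(io.BytesIO(data), algorithms)


def write_manifest(paths, manifest_path):
    """Record every algorithm's digest for each evidence file; returns the manifest dict."""
    manifest = {path: hash_file(path) for path in paths}
    with open(manifest_path, "w") as fh:
        json.dump(manifest, fh, indent=2, sort_keys=True)
    return manifest


def verify_manifest(manifest_path):
    """Recompute digests and report 'ok', 'missing', or 'mismatch:<algorithms>' per file."""
    with open(manifest_path) as fh:
        manifest = json.load(fh)
    report = {}
    for path, expected in manifest.items():
        if not os.path.isfile(path):
            report[path] = "missing"
            continue
        actual = hash_file(path, tuple(expected))
        bad = sorted(name for name in expected if actual[name] != expected[name])
        report[path] = "ok" if not bad else "mismatch:" + ",".join(bad)
    return report


def demo():
    """Constructed scenario: hash a sample file, verify, corrupt one byte, verify again."""
    workdir = tempfile.mkdtemp()
    evidence = os.path.join(workdir, "image.dd")  # constructed sample, not a real disk image
    with open(evidence, "wb") as fh:
        fh.write(b"constructed evidence bytes " * 1000)
    manifest = os.path.join(workdir, "manifest.json")
    write_manifest([evidence], manifest)
    before = verify_manifest(manifest)
    with open(evidence, "r+b") as fh:  # simulate silent corruption of a single byte
        fh.seek(10)
        fh.write(b"X")
    after = verify_manifest(manifest)
    return before[evidence], after[evidence]


if __name__ == "__main__":
    print(demo())
```

Keeping the manifest (and, as post #19 says, a copy of the tool that produced it) alongside the evidence means a later re-examination with better tools can start by proving the image is byte-for-byte what was collected, and a disagreement on any one algorithm is enough to flag the copy.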

  10. #20
    Here's what prompted my concern, a post I made a long time ago. I love the response (lack thereof) considering it's an active forum. I lost some trust in open source.

    You'd think they'd jump on me to defend it, but it was passed up.

    http://www.knoppix.net/forum/viewtop...201&highlight=
