Friday, June 26, 2009

The Temptation to Get Technical

Every now and then, I get tempted to write a technical post on this blog. The problem is, that would go against what my intentions were for this blog all along: to bring issues and news to the lay reader about digital forensics.

Then I get tempted to start another blog on technical subjects. But there are plenty of those out there already.

Since I already, and very sporadically, write reviews on my other blog, Digital Forensic Tool Reviews, I wonder if it would be worth the time to write a third blog considering the projects I already have on the table.

I have to admit that the temptation to write a blog on Encase Tips and Tricks is quite strong at the moment. My staff is calling me crazy.

But to limit a blog just to Encase seems too narrow, even though I can think of dozens of posts right off the top of my head for it.

By too narrow, I mean that would leave out cool stuff that I think would be helpful to other examiners that are not Encase specific.

For instance, did you know that Versa Check .vdf files are in Microsoft Jet (i.e. MS Access) format and you can open them in MS Access and review the entries without having access to the Versa Check software?

It is amazing the amount of knowledge "stuff" you accumulate over the years doing this kind of work.

I think as practicing examiners we tend to take a lot of that for granted. Just "stuff" we know how to do from spending the thousands of hours doing what we do.

Little things like that add up to a lot of useful knowledge that is hard to find since you don't need it until you need it. Then you may not encounter it again for a long time.

I remember a case not too long ago that required scraping the old Mozilla browser history out of unallocated space. Since it is in the mork file format, it is a bit of a challenge since it does not have a set "footer" you can look for. So you end up figuring out what the header looks like, searching for the header, then manually scraping out the database file by visually identifying the end of the file. Then you can take that recovered file into NetAnalysis or some other program to actually read it.
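The header-search step described above can be automated. This is an added example, not code from the original post: it scans a byte buffer (standing in for a dump of unallocated space) for the Mork 1.4 header line and, since Mork is plain 7-bit text with no trailer, takes the first byte that is not printable ASCII or whitespace as the file boundary, in place of identifying the end visually. The `SAMPLE_UNALLOCATED` buffer is constructed for the example.

```python
from typing import List, Tuple

# Mozilla Mork 1.4 files open with this comment line; it is the "header"
# to search for because the format has no fixed footer.
MORK_HEADER = b'// <!-- <mdb:mork:z v="1.4"/> -->'

# Constructed sample: binary junk, then a tiny Mork-like body, then more junk.
MORK_BODY = (
    b"\n<<(@$$)>>\n"
    b"{1:^80 {(k^BF:c)(s=9)} [1(^80=http://example.test)]}\n"
)
SAMPLE_UNALLOCATED = b"\x00\xff\x13junk" + MORK_HEADER + MORK_BODY + b"\x00\x00\x7f\xfejunk"


def _is_mork_byte(b: int) -> bool:
    # Mork content is printable ASCII plus tab/CR/LF; anything else marks the
    # boundary with whatever follows the file in unallocated space.
    return 32 <= b < 127 or b in (9, 10, 13)


def carve_mork(blob: bytes, max_size: int = 4 * 1024 * 1024) -> List[Tuple[int, bytes]]:
    """Return (offset, data) for each Mork candidate found in blob.

    max_size caps a single carve so a long run of text following the
    header cannot swallow the rest of the buffer.
    """
    results = []
    start = blob.find(MORK_HEADER)
    while start != -1:
        end = start
        limit = min(len(blob), start + max_size)
        while end < limit and _is_mork_byte(blob[end]):
            end += 1
        results.append((start, blob[start:end]))
        start = blob.find(MORK_HEADER, end)
    return results


if __name__ == "__main__":
    for offset, data in carve_mork(SAMPLE_UNALLOCATED):
        print(f"Mork candidate at offset {offset}, {len(data)} bytes")
```

The printable-byte heuristic over-extracts if another text file sits directly after the Mork data and under-extracts on a fragmented file, so the carved output still needs to be loaded into NetAnalysis or another parser to confirm it is complete.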

What you do realize over time in this practice is the sheer enormity of "stuff" there is to know, and how much of it is a discovery process considering the thousands of different software programs that can produce evidence, and the ever growing size of raw evidence to process.

As someone who loves to teach, the temptation to write and publish some of this information tends to nag at me from time to time.

Like everyone else, there is always the time constraint of "when would you get it done?" In the "post or die" world of blogging, you have to post on a regular basis, which can require a significant investment in time. After all that, there is no guarantee that anyone will find your blog, much less read it.

So I will continue to ponder whether or not I want to write yet another forensics blog that is more technical in nature.

For now, back to non-technical articles.