Sunday, July 20, 2008

Challenges

As I sit here behind my keyboard, looking at my desktop, I have a couple of items on my plate...things to do...some short-term, some long-term.

One short-term item I keep in mind is: how can I do what I do better? What were some of the challenges I had to overcome on a recent (or several recent) engagements? How could I prepare myself better in the future? This usually results in an update to my own personal IR toolkit, either through a tool (something I've downloaded, or something I've written) or through a methodology/process.

One long-term item is preparing to update Windows Forensic Analysis for its second edition. Lots of opportunity there...with tools like RegRipper, a lot of the smaller scripts just go away, and their functionality gets incorporated into a plugin of some kind.

When thinking about these things and actually beginning work on any/all of them, I find myself thinking: what challenges do others face? I'm a consultant by day, and a forensics nerd by...well, all the time. I do primarily corporate work, but I know that folks who hold FTE (full-time employment) positions within organizations doing what I do face a different set of challenges. Throw LE (law enforcement) into the mix, and you can see that depending on the direction from which you approach IR/CF, and how you're involved in either (or both), you're going to have a different perspective and a different set of challenges.

What are your challenges? Are they technical? Political?

2 comments:

Anonymous said...

My big challenge is getting you to try Windows FE. Surely you must have to image a RAID array of a Sony Vaio from time to time.

H. Carvey said...

Many times when we encounter a RAID array, if it's in a Windows system, the system either can't come down, or we don't have the capability to ensure that Windows FE has the right drivers. A live acquisition is usually the best option, considering that in legacy systems in particular, there would be issues with USB 1.1 or no USB at all, requiring the appropriate network drivers, etc.

I'd love to try out Windows FE...and I'd also like Microsoft to recognize the work I do, and I'd like a pony, and I want to be big and strong like you when I grow up! ;-)

Seriously, though, I may have the bandwidth here in the future to work w/ WinFE in a lab environment.