Posts

A New Live Triage Tool Taking Shape, Part 2

I last left off describing what led to my ideas regarding a comprehensive digital forensic platform named Carnivore and the live triage tool CarnivoreLE (Live Edition). The first two incarnations of Carnivore were what is now termed Carnivore Portable. That's an external drive partitioned and loaded with tools useful to both livebox and deadbox triage and forensic preview. It tends to follow in Dell's footsteps regarding processing and evidence capture at the scene in a manner easily brought back to the lab for further processing using an integrated systems approach. These first two iterations were miles from the ideal, but were a positive and critical step in the right direction. Both Version 1 and Version 2 have seen extensive use in the field and the feedback has been overwhelmingly favorable.

Carnivore Portable now still benefits from the ability to make use of other third party tools loaded onto it before deployment, but the two main tools are CarnivoreLE and CarnivorePM. …

A New Live Triage Tool Taking Shape, Part 1

The Carnivore Digital Forensic System... doesn't actually exist... yet. Rather, the vision I have in my head that represents what the platform is supposed to be hasn't yet become reality. What has become reality is the first step toward that goal... CarnivoreLE.

What is now CarnivoreLE started a few years ago as a way to address live and volatile data on a suspect machine without losing it when the power was eventually pulled away. To better explain why this was of interest to me, I'll take you back to 2001.

In 2001, I was assigned as a task force officer to one of the FBI's field division offices participating in their Innocent Images National Initiative - an investigative task force focused on Internet crimes against children and technology-facilitated child exploitation. We were trained in the common practice of pulling the plug on suspect computers that were found running during a search and transporting those computers to an FBI digital forensic lab for analysis. To…

Forensic Review with Notepad++

For those of you using a Windows workstation for digital forensics, you've most likely found a better text editor than Notepad. A good text editor can help make short work of parsing log files or RegRipper reports from Autopsy. If you haven't found one yet or are looking to make a change, I highly recommend Notepad++. It's much more useful right out of the box than what you're likely to find shipping natively with Windows. Adding the Plugin Manager makes it very extensible, but there's a caveat...
The Plugin Manager is itself a third-party plugin and used to be included with the 32-bit version of Notepad++. Many who jumped on board the 64-bit version when it was first released were a bit disappointed that it didn't come with a plugin manager at all. The inclusion never happened as far as I'm aware, however, and it has even been removed from the 32-bit version. Don't worry, as there's nothing wrong with Plugin Manager and it's still a well maintai…

And just when you thought...

...that the Chronikal was dead, alas, it lives!

I've been busy lately sprucing up all the places where Positronikal might be found, to include a new home on the interwebs: https://positronikal.github.io/. I'm still in the process of populating projects, getting things moved around, and such as that. There will definitely be new digital forensic tools added there in the coming weeks, not the least of which will be installments that make up what I've named the Carnivore Digital Forensic System. I won't spend too much time on that now as I have an entire blog post in mind that will explain it all in detail.

For the time being, I have two placeholder projects there that I'll move to my personal repository soon. I just needed something in place until I get some of these forensic tools up.

I will say that I'm looking for sponsors to help promote these new tools. I'll be formally approaching the entities that I initially have in mind with a proposal soon. I'…

Data or Drivel?

Digital forensics is, without question, all about the data. Our tools, especially FOSS (Free or Open Source Software), get better all the time with regard to identifying and extracting artifacts. The premise itself is simple - human behavior during the course of computer interaction tends to result in new or changed artifacts. For the sake of discussion, artifacts that have been removed or otherwise deleted are changed artifacts. It's those new/changed artifacts that our tools dig up for us. As a simple example, when a user downloads a file that did not exist on that system before, the downloaded file will itself be an artifact, along with potential metadata about the file (e.g. MAC dates/times), data about the download (e.g. zone information), and the user account under which the download was carried out. There may well be many more artifacts than these, but it's easy to see from this example that artifacts tend to result from human/computer interaction. Our tools are generally very goo…
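To make the download example concrete, here is an added illustration (not code from the original post or from the Carnivore project) of one of the artifacts named above: the "zone information" that Windows browsers attach to a downloaded file as the Zone.Identifier alternate data stream. The parser works on the stream's text, so it runs anywhere; the on-disk reader only works on an NTFS volume under Windows, where the stream is addressed as `<path>:Zone.Identifier`. The sample stream, the `example.test` URLs and the function names are constructed for this example.

```python
"""Parse the Zone.Identifier alternate data stream (Mark-of-the-Web) that
Windows browsers write next to a downloaded file, and collect the file's
stat() timestamps. Added example for illustration; not part of the post."""
import os
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

# URLMON security zone IDs as stored in the ZoneId field.
ZONE_NAMES = {
    0: "Local machine",
    1: "Local intranet",
    2: "Trusted sites",
    3: "Internet",
    4: "Restricted sites",
}


@dataclass
class ZoneInfo:
    zone_id: Optional[int]
    zone_name: str
    referrer_url: Optional[str]
    host_url: Optional[str]


def parse_zone_identifier(text: str) -> ZoneInfo:
    """Parse the INI-like stream: a [ZoneTransfer] section holding ZoneId and,
    for downloads made by current browsers, ReferrerUrl and HostUrl. Older
    writers emit only ZoneId, so the URL fields are optional."""
    fields = {}
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].lower() == "zonetransfer"
            continue
        if in_section and "=" in line:
            key, _, value = line.partition("=")
            fields[key.strip().lower()] = value.strip()
    zone_id = None
    if "zoneid" in fields:
        try:
            zone_id = int(fields["zoneid"])
        except ValueError:
            zone_id = None  # malformed stream: keep the rest, flag the zone as unknown
    return ZoneInfo(
        zone_id=zone_id,
        zone_name=ZONE_NAMES.get(zone_id, "Unknown/absent"),
        referrer_url=fields.get("referrerurl"),
        host_url=fields.get("hosturl"),
    )


def read_zone_identifier(path: str) -> Optional[ZoneInfo]:
    """Read the stream from disk (Windows/NTFS only). Returns None when the
    stream is absent: the file was never downloaded, was copied across a
    non-NTFS volume, or had its Mark-of-the-Web stripped."""
    try:
        with open(path + ":Zone.Identifier", "r", encoding="utf-8",
                  errors="replace") as stream:
            return parse_zone_identifier(stream.read())
    except OSError:
        return None


def mac_times(path: str) -> dict:
    """Timestamps from stat(), in UTC ISO-8601. Caveat: st_ctime is the
    creation time on Windows but the inode-change time on POSIX systems."""
    st = os.stat(path)

    def iso(ts: float) -> str:
        return datetime.fromtimestamp(ts, tz=timezone.utc).isoformat()

    return {
        "modified": iso(st.st_mtime),
        "accessed": iso(st.st_atime),
        "changed_or_created": iso(st.st_ctime),
    }


# Constructed sample, in the shape a Chromium-based browser writes (CRLF lines).
SAMPLE_STREAM = (
    "[ZoneTransfer]\r\n"
    "ZoneId=3\r\n"
    "ReferrerUrl=https://example.test/downloads/\r\n"
    "HostUrl=https://cdn.example.test/files/report.pdf\r\n"
)

if __name__ == "__main__":
    print(parse_zone_identifier(SAMPLE_STREAM))
    print(mac_times(__file__))
```

In practice the stream is read on the evidence copy, never on the suspect's live volume, and the absence of a Zone.Identifier stream is itself worth recording: it distinguishes a file that arrived through a browser from one that was unpacked from an archive, copied from removable media, or deliberately cleaned of its mark.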

Positronikal Chronikal Reanimated!

Sounds like the title to a 60’s-era Hammer film, doesn’t it? Reanimating this old blog may not be as scary to you as it is to me actually. It’s been quite a while since I’ve posted here and the previous things I did post, well, they don’t appear to have been all that interesting. The Positronikal Chronikal started out as a tech blog covering all things tech that interested me – Web technologies, Free and Open Source Software (FOSS), GNU/Linux, digital forensics, 3D graphics and animation, vector/raster graphics design, digital music creation, digital video editing, etc, etc. To be honest, blogging about things I liked instead of doing or even reading about those things turned out less appealing to me than it did to those for whom I might have been writing. Oh well…
So by now, if you’re reading this, those old posts are gone (I hope) and the Positronikal Chronikal is heading in a more focused direction. Positronikal is still my catch-all project moniker, but these days I’m more narrowly…