I think we’re long past the point as a community where we should be pushing the vendors of our GUI forensic tools to provide us with the $FILE_NAME time values inside of an NTFS $MFT record. Every tool parses the $STANDARD_INFORMATION time values, but that should no longer be considered the bare minimum for a GUI forensic tool. Most tools do not provide the $FILE_NAME time values as part of their standard file system navigation experience. The concern that has been expressed in the past was that adding this information would be confusing to the user. While I can certainly understand that it might be confusing to an inexperienced or poorly trained examiner, that’s not a good reason for not presenting the information. If an examiner doesn’t understand how an $MFT record works, then this confusion is a teachable moment that will hopefully prompt the examiner to learn more about the inner workings of an $MFT record. The information is out there and it’s easily accessible on the Web, through training courses and books.
Yes, I can parse the data manually or by scripting with the various vendor tools. However, it’s much more useful to me if I can have these date stamps parsed automatically and presented to me as part of the main user interface experience.
I’m not familiar with all of the forensic tools that are available, so I’ll have to rely on other people to let me know what tools might be doing this already. I’ve been using Sleuth Kit more and more these days and it parses everything (istat) because it’s Brian Carrier’s awesome tool. I heard a long time ago that ProDiscover might present some of this information to the user also, but I’d be curious if someone could verify that for me. Any other tools that are doing this?
What do you think? Am I missing something? Why wouldn’t we want this information presented to us up front in our GUI tools?
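As an added illustration (not code from this post or from any of the tools named in it), here is a small Python parser that pulls both the $STANDARD_INFORMATION and the $FILE_NAME timestamps out of a single $MFT record and applies the comparison an examiner would make between them. The record it parses is constructed inside the block; the attribute offsets follow the on-disk NTFS layout, and the file name and times are sample values.

```python
import struct
from datetime import datetime, timedelta, timezone

def filetime_to_dt(ft):  # FILETIME = 100 ns ticks since 1601-01-01 UTC
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ft // 10)

def parse_mft_timestamps(record):
    """Return ($SI times, [(name, namespace, $FN times)]) for one 1024-byte $MFT record."""
    rec = bytearray(record)
    if rec[:4] != b"FILE":
        raise ValueError("not a FILE record")
    usa_off, usa_cnt = struct.unpack_from("<HH", rec, 4)
    usn = rec[usa_off:usa_off + 2]
    for i in range(1, usa_cnt):                   # undo the update-sequence fixups
        end = i * 512 - 2
        if rec[end:end + 2] != usn:
            raise ValueError("fixup mismatch: torn write or wrong record")
        rec[end:end + 2] = rec[usa_off + 2 * i:usa_off + 2 * i + 2]
    si, fns, off = None, [], struct.unpack_from("<H", rec, 0x14)[0]
    while off + 8 <= len(rec):
        atype, alen = struct.unpack_from("<II", rec, off)
        if atype == 0xFFFFFFFF or alen == 0:      # end-of-attributes marker
            break
        if rec[off + 8] == 0:                     # resident; $SI and $FN always are
            csize, coff = struct.unpack_from("<IH", rec, off + 0x10)
            body = rec[off + coff:off + coff + csize]
            if atype == 0x10:                     # $STANDARD_INFORMATION: 4 x FILETIME
                si = tuple(map(filetime_to_dt, struct.unpack_from("<4Q", body, 0)))
            elif atype == 0x30:                   # $FILE_NAME: times follow the parent ref
                times = tuple(map(filetime_to_dt, struct.unpack_from("<4Q", body, 8)))
                name = body[66:66 + 2 * body[64]].decode("utf-16-le")
                fns.append((name, body[65], times))
        off += alen
    return si, fns

def si_created_before_fn(si, fns):
    """A $SI creation time earlier than the kernel-set $FN creation time is a time-stomping indicator."""
    return any(si[0] < fn[2][0] for fn in fns)

def build_record(name, si_ft, fn_ft):
    """Constructed sample record with a fixup array (test data, not from a real volume)."""
    si = struct.pack("<4Q", *si_ft) + bytes(16)
    fn = struct.pack("<5Q", 5, *fn_ft) + bytes(24) + bytes([len(name), 3]) + name.encode("utf-16-le")
    body = b"".join(struct.pack("<IIBBHHHIHBB", t, 24 + len(a), 0, 0, 24, 0, 0, len(a), 24, 0, 0) + a
                    for t, a in ((0x10, si), (0x30, fn + bytes(-len(fn) % 8)))) + b"\xff\xff\xff\xff"
    rec = bytearray(1024)
    rec[:4], rec[4:8], rec[0x14:0x16], rec[0x38:0x38 + len(body)] = b"FILE", struct.pack("<HH", 0x30, 3), b"\x38\x00", body
    rec[0x30:0x36] = b"\x07\x00" + rec[510:512] + rec[1022:1024]  # USN, then the saved sector tails
    rec[510:512] = rec[1022:1024] = b"\x07\x00"
    return bytes(rec)
```

A rename or move rewrites the $FN times from the current $SI values, so treat the comparison as an indicator to corroborate with other artifacts rather than proof on its own.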
Forensic 4cast Awards Voting Has Opened
The nominations have closed for the upcoming Forensic 4cast awards and the voting has started. SANS announced this week that the awards will be open to everyone, so if you are in the DC area and aren’t attending the SANS Forensic and Incident Response Summit, you can still attend the awards.
I’ve been made aware of a couple new forensic tools that I’d like to share with everyone.
The first one is Defraser, a tool by the Netherlands Forensic Institute. I learned about this tool when I was taking SEC563 at SANSFIRE recently. This is a carving tool that will recover full and partial video data. I have just started using it, so I can’t yet speak to how well it works, but I’m excited about the possibilities.
The second tool is called raw2vmdk. It looks like it’s an alternative to LiveView. I use LiveView quite a bit and I’m quite fond of it. I haven’t tried raw2vmdk, but I would potentially give it a spin if it could do something that LiveView couldn’t do for me.