Comments on Another Forensics Blog: "Dude, Where's My Data?"
Blog author: Mari DeGrazia. Comment feed last updated 2024-03-03.

H. Carvey, 2013-02-08 07:28 (-07:00):

Maria,

I've been doing some digging into data structures and database specifications, and what really amazes me is the information that's available, but not necessarily visible to analysts who rely on tools. Tools provide a layer of abstraction over the data itself, often hiding the data from the analyst who is not curious.

Here's an example... take the Firefox 3 places.sqlite database. The moz_historyvisits table includes a visit_type value, ranging 1-7, which essentially describes how the browser got directed to the URL. Like other analysts, I get questions about whether or not the user was at the keyboard at the time... and this value can provide significant context in answering that question. A brief look at the history database specification for Chrome indicates that there are 10 possible values... and yet of the tools that do illustrate this information, none that I've seen really help the analyst understand what they're looking at.

H. Carvey, 2012-12-30 05:20 (-07:00):

Part of the reason I wrote that tweet is because I regularly see analysts who have an issue or analysis goal they are working toward, and they often seem to be trying to fit the tool they use to the problem, rather than focusing on solving the problem. For example, if a log on a system illustrates during your dead-box analysis that some unusual activity occurred at a certain time, or that anomalous activity occurred at regular intervals for a brief period of time, then generating a timeline of system and user activity would be a great way to nail down what was happening on the system at the time.

However, the tool or process you use may not get all of the data you need... much like the example you provided where some tools parse voice mail databases, and others do not. So, is the tool you're using getting the data you need, and if not, how can you go about getting that data?

H. Carvey, 2012-12-30 05:07 (-07:00):

Great post, Maria! I really liked not only how you approached the problem, but the fact that you willingly shared this case study. I don't think that most analysts really understand how valuable this can be, even though they may thoroughly enjoy reading what you posted.

Anonymous, 2012-12-30 02:55 (-07:00):

Great article! Added a link to the Digital Forensics Google Currents feed at http://iadfi.org/go