Sunday, September 16, 2012

What is Digital Forensics?

Digital Forensics is nothing more than using Problem-Solving Strategies and Mathematical Reasoning to explain digital events from the past that were labeled as incidents by policy or law.

Problem-Solving Strategies like
         1. UNDERSTAND      - scope / tool capability / indicators of [compromise / event*] / law / policy
         2. PLAN            - look for patterns
         3. SOLVE & CHECK   - solve a simpler problem
         4. EXPLAIN         - simplify / report / present
* Every incident is a subset of events, and since we are obligated to identify both inculpatory and exculpatory evidence, we cannot label an investigation an incident.  We can only look at the case as a sequence of events that are recorded on systems and might not be permitted by law or policy.  Especially in civil cases, a personal feeling is not considered an indicator, but a log record is.

are nothing new to the scientific process, where inductive reasoning is used to arrive at an educated prediction (a hypothesis); in investigations we can then use a deductive process to solve cases based on the identified hypothesis.

- Inductive reasoning is also known as hypothesis construction because any conclusions made are based on educated predictions.
e.g.
There are 20 balls—either black or white—in an urn. To estimate their respective numbers, you draw a sample of four balls and find that three are black and one is white. A good inductive generalization would be that there are 15 black and five white balls in the urn.

- Deductive reasoning, also called deductive logic, is the process of reasoning from one or more general statements regarding what is known to reach a logically certain conclusion.

e.g.
    All men are mortal.
    Socrates is a man.
    Therefore, Socrates is mortal.

The following is an example of an argument that is valid, but not sound:

    Everyone who eats steak is a quarterback.
    John eats steak.
    Therefore, John is a quarterback.

Wednesday, September 12, 2012

Timed Commands

Before Windows Vista and Windows 7, a tool called timeit.exe was a great tool to use in performance testing of other tools.  I've used it to measure the effective transfer rates of command-line tools.  In Windows 7, the PowerShell command measure-command works great in some cases.  I've written the script below to aid this time monitoring; it should work in all Windows versions.

PowerShell example output

PS C:\> measure-command { notepad }
Days              : 0
Hours             : 0
Minutes           : 0
Seconds           : 0
Milliseconds      : 3
Ticks             : 34410
TotalDays         : 3.98263888888889E-08
TotalHours        : 9.55833333333333E-07
TotalMinutes      : 5.735E-05
TotalSeconds      : 0.003441
TotalMilliseconds : 3.441
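The measure-command output above reports about 3 ms for notepad because the script block returns as soon as Notepad has been launched, not when it exits, so for a GUI program it measures launch time rather than run time. The following PowerShell function is an added example (not the blog's script) that waits for the process to finish before stopping the stopwatch and also reports the CPU time the process consumed, which separates "busy" tools from tools that were waiting on disk or network I/O. The xcopy paths at the end are hypothetical placeholders.

```powershell
# Added example (not the blog's own script): time a command by waiting for the
# process to exit, so GUI programs are measured for their whole run rather than
# for the time it takes to launch them.
function Measure-ProcessRun {
    param(
        [Parameter(Mandatory)] [string]   $FilePath,
                               [string[]] $ArgumentList = @()
    )
    $sw = [System.Diagnostics.Stopwatch]::StartNew()
    # Start-Process rejects an empty -ArgumentList, hence the two branches
    if ($ArgumentList.Count -gt 0) {
        $p = Start-Process -FilePath $FilePath -ArgumentList $ArgumentList -PassThru -Wait
    } else {
        $p = Start-Process -FilePath $FilePath -PassThru -Wait
    }
    $sw.Stop()
    [pscustomobject]@{
        Command   = $FilePath
        ExitCode  = $p.ExitCode
        # Wall-clock time from launch until the process exited
        ElapsedMs = [math]::Round($sw.Elapsed.TotalMilliseconds, 3)
        # Time the process actually spent on the CPU (user + kernel); a large
        # gap between this and ElapsedMs means the tool was mostly waiting on I/O
        CpuMs     = [math]::Round(($p.UserProcessorTime + $p.PrivilegedProcessorTime).TotalMilliseconds, 3)
    }
}

# Launch-only timing, like the measure-command output above (a few ms):
Measure-Command { notepad } | Select-Object TotalMilliseconds

# Whole-run timing: returns when you close Notepad, so ElapsedMs is the
# real run time of the program
Measure-ProcessRun -FilePath notepad.exe

# Effective transfer rate of a command-line copy tool
# (hypothetical source and destination paths):
$r     = Measure-ProcessRun -FilePath xcopy.exe -ArgumentList 'C:\src\big.bin', 'D:\dst\', '/Y'
$bytes = (Get-Item 'D:\dst\big.bin').Length
'{0:N2} MB/s (exit code {1})' -f ($bytes / 1MB / ($r.ElapsedMs / 1000)), $r.ExitCode
```

Start-Process -Wait returns only after the process has exited, so the same function works for console tools and GUI tools alike; the exit code is included in the result so a timing run that failed is not mistaken for a fast one.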

DOS (batch) script that measures how long notepad.exe runs.  Replace the command to fit your needs.

@echo off
set i=0
:start
:: Get the time.  %time% looks like "HH:MM:SS.cc" (hundredths of a second);
:: before 10:00 the hour is a single digit padded with a leading space, and
:: some locales use "," instead of "." before the hundredths.  Space is
:: deliberately not a delimiter so the padded hour keeps its width.
FOR /f "tokens=1-4 delims=:.," %%G in ("%time%") do call :s_setvar "%%G-%%H-%%I-%%J"
IF %i% == 0 goto process
goto last

:s_setvar
:: %~1 is "HH-MM-SS-cc" with the quotes stripped.  Turn a leading space into
:: "0" so the fixed substring offsets below line up, then append "0" so the
:: hundredths become milliseconds.
SET _mstime=%~1
SET _mstime=%_mstime: =0%0
goto :eof

:last
:: Arithmetic Operations.  Writing each field as "1xx - 100" keeps SET /a from
:: reading "08" and "09" as (invalid) octal numbers.
SET /a e_h=(1%_mstime:~0,2% - 100) * 3600000
SET /a e_m=(1%_mstime:~3,2% - 100) * 60000
SET /a e_s=(1%_mstime:~6,2% - 100) * 1000
SET /a e_ms=1%_mstime:~9,3% - 1000
SET /a e_result=%e_h%+%e_m%+%e_s%+%e_ms%-%s_result%
:: If the command ran across midnight the difference goes negative; add a day
IF %e_result% LSS 0 SET /a e_result=%e_result% + 86400000

SET /a r_h=%e_result% / 3600000
SET /a r_m=(%e_result% %% 3600000) / 60000
SET /a r_s=((%e_result% %% 3600000) %% 60000) / 1000
SET /a r_ms=((%e_result% %% 3600000) %% 60000) %% 1000
ECHO This Process Took: %r_h% Hours %r_m% Minutes %r_s% Seconds %r_ms% milliseconds!!! %e_result%
goto EOF

:process
:: Record the start time as milliseconds since midnight, run the commands,
:: then loop back to :start to take the end time
set i=1
ECHO Start time is:   [%_mstime%]
SET /a s_h=(1%_mstime:~0,2% - 100) * 3600000
SET /a s_m=(1%_mstime:~3,2% - 100) * 60000
SET /a s_s=(1%_mstime:~6,2% - 100) * 1000
SET /a s_ms=1%_mstime:~9,3% - 1000
SET /a s_result=%s_h%+%s_m%+%s_s%+%s_ms%
::Commands to run ******************************

notepad

::Command list end *****************************

goto start
:EOF