OpenSolaris

Thread: PROPOSAL: Open Solaris Fotrensics Tools Project

Replies: 17 - Last Post: Jan 12, 2008 1:18 AM by: gentry
Evtim Batchev
Evtim.Petrov@Sun.COM
PROPOSAL: Open Solaris Fotrensics Tools Project
Posted: Nov 21, 2007 8:29 AM


Hello All,

With the following mail I would kindly like to ask this community for
their opinion on the topic in the Subject!

A little bit of background:

During September I presented Solaris Live Kernel Dissection for
Forensics Purposes at the TERENA CSIRT meeting at the University of
Oporto, Portugal.

There were about 120 attendees representing CSIRTs from all over the
world and the interest was quite high.

http://www.terena.org/activities/tf-csirt/meeting22/

The consequence of this talk was a lot of contacts, namely from the USA, UK,
Germany and other places in EMEA, requesting the scripts, asking for
further information and bouncing ideas.

So the main outcome is that the idea of creating an Open Solaris
Forensics Tools Project might have some popularity and support in this
community.

Another concern was the lack of ZFS-specific forensics tools and the
belief that this topic should become top priority. Also, given the ZFS
capabilities, I personally think it is about time to look into this.

Proposed "Charter" of the Open Solaris Forensic Tools Project:

The main idea behind such a project is to create or adapt tools and
develop methodologies which will help forensic research and incident
response on the Solaris platform. These tools and methodologies should
take into consideration the specifics of the Open Solaris OE (such as
kernel, file systems, audit and logging facilities, just to name a few).


The main "product outcomes" from such a project might be (a few examples):

- Live system dissection tools based on mdb and dtrace (some work done
here by yours truly)

- ZFS forensics tool set (Mark Furner <mark dot furner at gmx dot net> is doing
some work on that, Others?)

- Live system monitoring and active data gathering tool sets

- Proper malware detection tool sets, especially for LKM rootkits (some
work already started by Casper ***)

- Open Solaris Forensics bootable DVD/CD/PenDrive ISO including properly
configured live gathering scripts (an existing CD for Sol 9 can be
reused; it was started by Pedro Inacio/Brad Powell and is maintained by me
now)

- Tight integration of Solaris fingerprint database (I heard of some
work going on that particular matter so that might be just some
automated wrappers)

- Eventual creation/compilation of known malware database

Any ideas of other tool sets will be highly appreciated.

Looking forward to your comments!
as a general Good Thing To Do [TM].
Cheers
Efi-

PS: This is my first post to security-discuss at opensolaris dot org but I am
sure that I've crossed paths with many of you at some point.

_______________________________________________
security-discuss mailing list
security-discuss at opensolaris dot org


Darren J Moffat
darrenm@opensolaris....
Re: PROPOSAL: Open Solaris Fotrensics Tools Project
Posted: Nov 21, 2007 8:58 AM   in response to: Evtim Batchev


I think a project to create new tools and enhance existing ones for
forensics is a great idea. The project output need not just be tools
but also documentation.

A big +1 from me.

Now hopefully ZFS Crypto will thwart your attempts and seeing what I'm
up to in my filesystems :-)

--
Darren J Moffat


C. Bergström
cbergstrom@netsyncro...
Re: PROPOSAL: Open Solaris Fotrensics Tools Project
Posted: Nov 21, 2007 9:06 AM   in response to: Darren J Moffat



On Wed, 2007-11-21 at 16:58 +0000, Darren J Moffat wrote:
> I think a project to create new tools and enhance existing ones for
> forensics is a great idea. The project output need not just be tools
> but also documentation.
>
> A big +1 from me.
>
> Now hopefully ZFS Crypto will thwart your attempts and seeing what I'm
> up to in my filesystems :-)

I've been playing with the hacked up gnu version of opensolaris. I
think in the near future it may be possible to create a livecd and put
some interesting tools on there like what has been done with BackTrack
or Auditor.. If anyone is interested in progress or results let me know
and I'll drop a link when I get something usable. What tools would
people want to see? How small?

Thanks

./C



Evtim Batchev
Evtim.Petrov@Sun.COM
Re: PROPOSAL: Open Solaris Fotrensics Tools Project
Posted: Nov 21, 2007 9:17 AM   in response to: C. Bergström



> I've been playing with the hacked up gnu version of opensolaris. I
> think in the near future it may be possible to create a livecd and put
> some interesting tools on there like what has been done with BackTrack
> or Auditor.. If anyone is interested in progress or results let me know
> and I'll drop a link when I get something usable. What tools would
> people want to see? How small?
A USB pen-sized bootable image containing all tools for live data
gathering and dead disk imaging should be more than enough! Nowadays
pens go to 4GB, right, so I would say:
Minimal: 1 CD
Mid term: 2-4 GB pen image
Max term: DVD 4.7 (no dual layer ...)

Even here I have my reservations about a DVD: too many variables in play. Some
machines will not mount [+/-][RO][RW] combinations and such a tool set
should be an all-round reliable beast.

Cheers
Efi-



darrenm

Posts: 3,793
From: GB

Registered: 3/9/05
Re: PROPOSAL: Open Solaris Fotrensics Tools Project
Posted: Nov 21, 2007 9:20 AM   in response to: C. Bergström


C. Bergström wrote:
> On Wed, 2007-11-21 at 16:58 +0000, Darren J Moffat wrote:
>> I think a project to create new tools and enhance existing ones for
>> forensics is a great idea. The project output need not just be tools
>> but also documentation.
>>
>> A big +1 from me.
>>
>> Now hopefully ZFS Crypto will thwart your attempts and seeing what I'm
>> up to in my filesystems :-)
>
> I've been playing with the hacked up gnu version of opensolaris. I
> think in the near future it may be possible to create a livecd and put

http://opensolaris.org/os/project/livemedia/

--
Darren J Moffat


Evtim Batchev
Evtim.Petrov@Sun.COM
Re: PROPOSAL: Open Solaris Forensics Tools Project
Posted: Nov 21, 2007 9:06 AM   in response to: Darren J Moffat


On Wed, 2007-11-21 at 16:58 +0000, Darren J Moffat wrote:
> I think a project to create new tools and enhance existing ones for
> forensics is a great idea. The project output need not just be tools
> but also documentation.
>
> A big +1 from me.
>
> Now hopefully ZFS Crypto will thwart your attempts and seeing what I'm
> up to in my filesystems :-)

Hmmm, yes, probably ZFS crypto will thwart filesystem analysis, but there
is still the live kernel to drink from, if we come in time :-)

Cheers
Efi-

PS: Unless of course, by some "divine" instruction, there is a
"key-recovery-institution" built in :-)
JUST KIDDING, I am all against that! And of course we've seen that in the
past, right? But that is where open source kicks in - code stays naked
in front of the world :-D




Evtim Batchev
Evtim.Petrov@Sun.COM
Re: PROPOSAL: Open Solaris Forensics Tools Project
Posted: Nov 21, 2007 9:10 AM   in response to: Darren J Moffat


On Wed, 2007-11-21 at 16:58 +0000, Darren J Moffat wrote:
> I think a project to create new tools and enhance existing ones for
> forensics is a great idea. The project output need not just be tools
> but also documentation.
That is where methodology comes in. It does not have to be specific to
Solaris but it certainly helps :-)

That is where I definitely am looking for help from CSIRTs, active
forensics investigators and the community in general.
> A big +1 from me.
Thanks
Cheers
E-



gbrunett

Posts: 122
From: US

Registered: 3/9/05
Re: PROPOSAL: Open Solaris Fotrensics Tools Project
Posted: Nov 21, 2007 10:23 AM   in response to: Darren J Moffat



+1. I think that this is a great idea and a welcome addition
to the security community projects!

g


--
Glenn Brunette
Distinguished Engineer
Director, GSS Security Office
Sun Microsystems, Inc.


mark_

Posts: 34
From:

Registered: 4/2/07
Re: PROPOSAL: Open Solaris Fotrensics Tools Project
Posted: Nov 21, 2007 10:48 AM   in response to: Darren J Moffat


Hi Darren

On Wednesday 21 November 2007, Darren J Moffat (Darren J Moffat
<darrenm at opensolaris dot org>) may have written:
> I think a project to create new tools and enhance existing ones for
> forensics is a great idea. The project output need not just be tools
> but also documentation.
>
> A big +1 from me.
>
> Now hopefully ZFS Crypto will thwart your attempts and seeing what I'm
> up to in my filesystems :-)

ha ha, I guess that depends on whether the ZFS crypto project a) implements an
admin key and b) it works!

Regards
M





hughejp

Posts: 50
From: Palo Alto

Registered: 5/10/06
Re: PROPOSAL: Open Solaris Fotrensics Tools Project
Posted: Nov 21, 2007 11:30 AM   in response to: mark_



On Nov 21, 2007, at 10:48 AM, Mark Furner wrote:

> Hi Darren
>
> On Wednesday 21 November 2007, Darren J Moffat (Darren J Moffat
> <darrenm at opensolaris dot org>) may have written:
>> I think a project to create new tools and enhance existing ones for
>> forensics is a great idea. The project output need not just be
>> tools
>> but also documentation.
>>
>> A big +1 from me.
>>
>> Now hopefully ZFS Crypto will thwart your attempts and seeing what
>> I'm
>> up to in my filesystems :-)
>
> ha ha, I guess that depends on whether the ZFS crypto project a)
> implements an
> admin key and b) it works!

1) Key escrow in corporations and governments is a fact of life and an
"admin password" is not needed.

2) It will work.


>
> Regards
> M



Darren J Moffat
darrenm@opensolaris....
Re: PROPOSAL: Open Solaris Fotrensics Tools Project
Posted: Nov 26, 2007 2:16 AM   in response to: mark_


Mark Furner wrote:
> Hi Darren
>
> On Wednesday 21 November 2007, Darren J Moffat (Darren J Moffat
> <darrenm at opensolaris dot org>) may have written:
>> I think a project to create new tools and enhance existing ones for
>> forensics is a great idea. The project output need not just be tools
>> but also documentation.
>>
>> A big +1 from me.
>>
>> Now hopefully ZFS Crypto will thwart your attempts and seeing what I'm
>> up to in my filesystems :-)
>
> ha ha, I guess that depends on whether the ZFS crypto project a) implements an
> admin key and b) it works!

Define "admin key" in this context.

Why would I integrate something that doesn't work ?

--
Darren J Moffat


hughejp

Posts: 50
From: Palo Alto

Registered: 5/10/06
Re: PROPOSAL: Open Solaris Fotrensics Tools Project
Posted: Nov 21, 2007 9:25 AM   in response to: Evtim Batchev



On Nov 21, 2007, at 8:29 AM, Evtim Batchev wrote:
> Proposed "Charter" of the Open Solaris Forensic Tools Project:

+1 also,

Tools like this will be valuable even with zfs crypto and xlofi (as
long as you have the keys :^) From a forensic point of view, I want to
be able to crack open encrypted storage using escrowed keys.


Vijay.Masurkar@...
Re: PROPOSAL: Open Solaris Fotrensics Tools Project
Posted: Nov 21, 2007 11:48 AM   in response to: Evtim Batchev


+1

Evtim, I would like to participate in this effort.
- Vijay



mark_

Posts: 34
From:

Registered: 4/2/07
Re: PROPOSAL: Open Solaris Fotrensics Tools Project
Posted: Nov 21, 2007 11:50 AM   in response to: Evtim Batchev


On Wednesday 21 November 2007, Evtim Batchev (Evtim Batchev
<Evtim dot Petrov at sun dot com>) may have written:
> Another concern was the lack of ZFS specific forensics tools and the
> believe that this topic should become top priority. Also given the ZFS
> capabilities I personally think it is about time to look into this.

Hi Folks

Some random thoughts FWIW.

* Tools + Sleuthkit
As well as the BackTrack and Helix type CD Linux distros I'd like to see
Sleuthkit / Autopsy for file system analysis.[1] Sleuthkit is the premier OSS
toolkit for this type of analysis, *works independent of a given operating
system* (which has advantages if you are using the tools in a live IR
scenario and don't trust the host OS), supports UFS1/2, Extn, JFS, NTFS and
FATn among others but does not yet have a ZFS module. I'm working on this
slowly, am not one of mother nature's born programmers...

* OpenSolaris CDROMs
Specifically for forensics, there are several Linux boot CDs out there like
Helix and BackTrack. Helix[2] is sort of the benchmark, is very
comprehensive, with lots of Windows tools & scripts as well. A purely
OpenSolaris CD with Solaris tools etc has a guaranteed niche in the armoury.
But please NO automounting :-)

On size: a CD-ROM ISO of 700MB should do for most purposes, is perhaps the most
common or easiest to use, and we don't need large word processor apps or heavy
GUIs.

"Open Solaris Forensics bootable DVD/CD/PenDriveIso": Why not use Indiana as a
basis, with one or two tweaks and added tools (*again* please please NO
automounting, or at least some tips about tweaking boot prompts)? It'd be
more efficient.

* the Solaris fingerprint database
- Last time I used it, it didn't support sunfreeware, blastwave etc. tools.
Personally, this latter site is where I get my GNU utils from since pkg-get
is so easy to use. Can you add these tools?
- Now that I think about it, MD5 is showing signs of age; how about
supporting sha256 (for example) in parallel with md5? Spoofing both of these
at once is still pretty much impossible.

- Existing procedure:
1. Visit the Solaris Fingerprint Database page.
The Solaris Fingerprint web form is displayed.
2. Copy and paste one or more MD5 digital fingerprints into the web form.
3. Press submit to view the results.
It is a *really serious drag* to check a whole system for dodgy binaries
against the website, one file at a time. How about adding the checksum
database to the packaging system so we can download it and upgrade it
locally? How about download scripts on the boot CD or so to get the latest
checksum as a downloadable text-format database?

Regards

Mark


[1] www.sleuthkit.org
[2] www.e-fense.com/helix/

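The fingerprint-database procedure in the post above (paste MD5 digests into the web form, one batch at a time) and the "automated wrappers" around the fingerprint database suggested in the original proposal both point at the same thing: a local, text-format checksum database that can be checked offline across a whole system. The following is an added example, not code from this thread or from any Sun/OpenSolaris tool, showing the shape of such a local check. It keeps MD5 and SHA-256 side by side, so a file passes only if both digests match, and it flags legacy entries that carry no SHA-256 separately. The database format, the paths and the file contents are constructed for the example and are not the real Solaris Fingerprint Database format.

```python
"""Local fingerprint check: compare files on disk against a text-format
known-good digest database, using MD5 and SHA-256 in parallel."""
import hashlib
import os
import tempfile

# Constructed database format (hypothetical, NOT the real Solaris
# Fingerprint Database format). One entry per line:
#   <md5 hex> <sha256 hex, or "-" for a legacy md5-only entry> <relative path>


def load_db(text):
    """Parse the text database into {path: (md5, sha256_or_None)}."""
    db = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        md5, sha256, path = line.split(None, 2)   # path may contain spaces
        db[path] = (md5.lower(), None if sha256 == "-" else sha256.lower())
    return db


def digests(data):
    """Return (md5, sha256) hex digests of the given bytes."""
    return hashlib.md5(data).hexdigest(), hashlib.sha256(data).hexdigest()


def classify(db, relpath, data):
    """Status of one file against the database.

    'unknown'        - no entry: not necessarily bad, but unverified
    'match'          - both digests agree with the entry
    'match-md5-only' - legacy entry has no SHA-256, so weaker assurance
    'MISMATCH'       - at least one digest differs: modified or replaced
    """
    entry = db.get(relpath)
    if entry is None:
        return "unknown"
    want_md5, want_sha = entry
    got_md5, got_sha = digests(data)
    if got_md5 != want_md5:
        return "MISMATCH"
    if want_sha is None:
        return "match-md5-only"
    return "match" if got_sha == want_sha else "MISMATCH"


def scan(db, root):
    """Walk root and classify every regular file by its path relative to root."""
    results = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, "rb") as fh:
                results[rel] = classify(db, rel, fh.read())
    return results


def demo():
    """Build a constructed file tree and database in a temp dir, then scan it."""
    # "Vendor" contents the database was generated from (constructed).
    good = {"bin/ls": b"#!/bin/sh\necho ls\n", "bin/ps": b"#!/bin/sh\necho ps\n"}
    lines = [f"{m} {s} {rel}" for rel, (m, s) in
             ((rel, digests(data)) for rel, data in good.items())]
    legacy = b"#!/bin/sh\necho who\n"
    lines.append(f"{digests(legacy)[0]} - bin/who")   # md5-only legacy entry
    db = load_db("\n".join(lines))

    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "bin"))
        files = dict(good)
        files["bin/ps"] = b"#!/bin/sh\necho ps; echo tampered\n"  # replaced binary
        files["bin/who"] = legacy
        files["bin/foo"] = b"not in the database\n"              # unlisted file
        for rel, data in files.items():
            with open(os.path.join(root, rel), "wb") as fh:
                fh.write(data)
        return scan(db, root)


if __name__ == "__main__":
    for path, status in sorted(demo().items()):
        print(f"{status:15} {path}")
```

Run as a script to see one status line per file. "unknown" is not an alarm on its own; it marks what the database cannot vouch for, which on a real system is where third-party packages (the sunfreeware and blastwave tools mentioned above) would show up until they are added. "match-md5-only" says the entry still needs a SHA-256 column before it offers the two-digest assurance the post argues for.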


Evtim Batchev
Evtim.Petrov@Sun.COM
Re: PROPOSAL: Open Solaris Fotrensics Tools Project
Posted: Nov 22, 2007 2:51 AM   in response to: mark_


Hey Mark,

YAY, that's a whole lot of ideas :-D

This is all fantastic and I can assure you that I already thought of most
of them, and actually most of what you want to see is on the forensics
tools section, in automated form, of the Solaris 9 forensics CD I was
telling you about. It was internal to Sun only until now, but I see no problem
with open sourcing it. What the new base will be is something we can decide
as we establish a formal project and form discussion and working groups.

I think that now our priorities should be the following:

- Formalise a Charter
- Think of _few_ tangible goals and establish sub projects
- Ask the community for sponsorship and formalization of the project
- Organise core working group[s]

My idea here is to produce something reasonably fast in order to be able
to show the value of such a project and then step on that base for
stable and long term development.

Now, do not take me wrong! The geek in me also wants to stand up and
brainstorm and shout out ideas! I am just afraid that if we are not a
little bit more organized (look who is speaking) we might not be able to
capture all the ideas. I do not want to lose intellectual gems in such
a way :-D

Please all tell me what you think!

Cheers
E-
[Efi and curmudgeon are an oxymoron]




mark_

Posts: 34
From:

Registered: 4/2/07
Re: PROPOSAL: Open Solaris Fotrensics Tools Project
Posted: Nov 22, 2007 10:35 AM   in response to: Evtim Batchev


On Thursday 22 November 2007, Evtim Batchev <Evtim dot Petrov at sun dot com> may have
written:
> The geek in me also wants to stand up and
> brainstorm and shout out ideas!

Yeah, you're right. This is a pretty certain risk. Good to have someone (else)
to crack the whip.

:-)

M


Evtim Batchev
Evtim.Petrov@Sun.COM
PROPOSAL: Open Solaris Forensics Tools Project
Posted: Nov 23, 2007 7:31 AM   in response to: Evtim Batchev


I just posted this on my blog. Comments appreciated :-)
Cheers
E-
http://blogs.sun.com/efi/category/Forensics+and+Incident+Response
======================================================================
Proposal - Open Solaris Forensic Toolkit Project
A few days ago, after being poked by several people (but mainly by Mark
Furner), I decided to ask the Open Solaris Security Community whether the
creation of an Open Solaris Forensic [Toolkit] Project makes sense.

I personally was pleasantly surprised by the reaction:


PROPOSAL: Open Solaris Fotrensics Tools Project

(one can see that I was pretty excited on posting by looking at the way
my fat fingers hit "tr" together resulting in "Fotrensics" instead of
Forensics)

Apparently the Open Solaris Security Community finds this project to be
useful and I hope to count on their sponsorship upon future project
instantiation.

I have been looking through the Open Solaris Policies in order to find the
process for requesting a new project, and I found there the things I need
to submit. Some of the requirements are present and others are partially
missing. Amongst the missing ones I still need to compile the
following:

* A list of sponsoring Community Groups
  * Security Community - I hope the idea got their attention
    and the project has at least one sponsor, unless I am
    very much wrong! (please be direct with me!)
  * ZFS Community - I think this will be a very interesting
    sponsorship and collaboration opportunity, as one of the
    main missing pieces in the Solaris Forensics challenge
    is a proper ZFS forensics analysis toolkit.
  * Unix File Systems (UFS) - Though many tools exist for
    UFS forensic data gathering, grave digging and analysis,
    the proper implementation details may require
    cooperation and possible interest from this group.
    Comments?
  * Observability Community - getting sponsorship from this
    group should be considered a priority because they
    are providing the tools used in live data gathering or
    post mortem investigation. I will be contacting them to
    request sponsorship.
  * Other suggestions welcome.
* Project team - Here I do have some volunteers but I actually
  need confirmations from the interested. I also intend to invite
  explicitly some external but very valuable personalities (more
  on that later).
  So I am looking for volunteers on this point!

I will get the act together and will start moving forward after
thanksgiving vacation, meanwhile awaiting suggestions, woes or anything
you have to say on the subject.






gentry

Posts: 99
From: US

Registered: 3/29/07
Re: PROPOSAL: Open Solaris Fotrensics Tools Project
Posted: Jan 12, 2008 1:18 AM   in response to: Evtim Batchev

A suggestion for toolset stuff would be s/w to deal with ntfs images and tools for exchange files, since these are some of the most common things to have to grope around for data on.

Tim




Copyright © 1995-2005 Sun Microsystems, Inc.