Expectations of Community Tools in DFIR
When I started studying Digital Forensics for an Associate's degree, it quickly became apparent that I needed to learn a language to assist me. At that time it seemed like the majority of the community was using Perl, so that is what I started teaching myself. By the time I finished my Bachelor's degree, Python was gaining traction. Now the majority of the community seems to be using Python. For my new projects I do enjoy using Python. However, this is not about Perl or Python. It is about what we need to start incorporating into our tools that will benefit the community. This would have been a useful topic when I started teaching myself a language as a student.
By knowing what benefits the community, I could have had a baseline of what I needed to learn first when creating tools. I learned how to parse binary and output it as a string. Job done. But does that benefit many people?
Willi Ballenthin touches on some of these topics. See his blogs at:
http://www.williballenthin.com/blog/2014/02/07/towards-better-tools-part-1/
http://www.williballenthin.com/blog/2014/02/08/towards-better-tools-part-2/
So what do you expect from a decent tool that you will use often?
Here is what helps me:
- Handle Images
- Handle Unicode
- Timezone Handling for Timestamps
- Offsets of parsed data
- Flexibility of Output
- Choice of Delimiter for Text
- Output to SQLite
- Output Formats (XLSX)
- Automation ability (CLI or evidence manager)
- Modular
- Scalable
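As an added illustration (not code from the post), here is a small Python parser that bakes several of the expectations above into its design from the start: it records the byte offset of every parsed record, converts Windows FILETIME values to timezone-aware UTC datetimes, decodes UTF-16 names, lets the caller choose the text delimiter and display timezone, and can write to SQLite. The record layout and the sample input are constructed for the demo and are not any real artifact format.

```python
import io, sqlite3, struct
from datetime import datetime, timedelta, timezone

# Constructed record layout (hypothetical, for the demo): 8-byte little-endian
# Windows FILETIME, 2-byte name length in bytes, then a UTF-16LE name.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_utc(ft):
    """FILETIME (100 ns ticks since 1601-01-01 UTC) -> timezone-aware UTC datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)

def parse_records(data):
    """Yield one dict per record, keeping the byte offset it was parsed from."""
    buf = io.BytesIO(data)
    while True:
        offset = buf.tell()
        header = buf.read(10)
        if len(header) < 10:          # truncated tail: stop, do not guess
            break
        ft, name_len = struct.unpack("<QH", header)
        name = buf.read(name_len).decode("utf-16-le", errors="replace")
        yield {"offset": offset, "timestamp": filetime_to_utc(ft), "name": name}

def to_text(records, delimiter="\t", tz=timezone.utc):
    """Delimited text output; the caller chooses delimiter and display timezone."""
    lines = [delimiter.join(["offset", "timestamp", "name"])]
    for r in records:
        lines.append(delimiter.join([hex(r["offset"]),
                                     r["timestamp"].astimezone(tz).isoformat(),
                                     r["name"]]))
    return "\n".join(lines)

def to_sqlite(records, path=":memory:"):
    """SQLite output; timestamps stored as ISO 8601 UTC so they sort and filter."""
    conn = sqlite3.connect(path)
    conn.execute("CREATE TABLE IF NOT EXISTS records (offset INTEGER, timestamp TEXT, name TEXT)")
    conn.executemany("INSERT INTO records VALUES (?, ?, ?)",
                     [(r["offset"], r["timestamp"].isoformat(), r["name"]) for r in records])
    conn.commit()
    return conn

def build_sample():
    """Constructed sample input: two records, the second with a non-ASCII name."""
    out = b""
    for ts, name in [(datetime(2014, 2, 7, 12, 0, tzinfo=timezone.utc), "report.docx"),
                     (datetime(2014, 2, 8, 9, 30, tzinfo=timezone.utc), "résumé.pdf")]:
        ft = int((ts - FILETIME_EPOCH).total_seconds()) * 10_000_000
        enc = name.encode("utf-16-le")
        out += struct.pack("<QH", ft, len(enc)) + enc
    return out
```

Because offsets, aware timestamps and Unicode names are kept in the parsed record rather than baked into one output format, adding another writer (XLSX, JSON) or driving the parser from a CLI or evidence manager only touches the output layer.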