Wednesday, September 11, 2013

Daily Blog #80: What don't we know?

Hello Reader,
         One of the things we've been talking about through the blog, on Twitter and elsewhere is forensic research. Joachim Metz has been nice enough to point out places where ideas and topics of research that still need to be completed have been accumulating, and I think that's great. What I keep wondering, though, is: what don't we know?

What do I mean by that? In computer forensics we talk about how applications, operating systems, embedded devices and networks work together, and about the live and postmortem indications of their usage. We talk at length about what a registry key means or what a log file indicates as we examine a system to understand what was done to it. In all this work, I think it's time we stop and try to figure out what we do and do not know.

So I'm going to start a page on the Forensics Wiki, hopefully tomorrow, beginning with one version of Windows, and let's work together to lay out what we do and don't know about what exists. Most of the time, when new forensic research comes out that reveals something new and extraordinary, it's not because the feature was created the day before, but because a forensic researcher realized that some previously unknown or not understood activity was occurring and put their mind to determining what it was.

What are your thoughts on this? Leave a comment below and let's see if we can map out what we know and don't know about the systems we investigate every day.