Hi,

There have been a total of 30 answers to the survey, thank you for your feedback. Following are the aggregate results from the survey as promised. You will find my own comments, where deemed necessary, highlighted after each of the answers.

Tor Andre has volunteered to host a web page to reflect the numbers answered for each question rather than the percentages; here is a direct link to the mentioned page if you'd rather have that view of it (thanks Tor):

http://www.knackit.net/html/modules.php?op=modload&name=News&file=article&sid=9&mode=thread&order=1&thold=0

1) Do you feel there is a need for an Open Source Methodology Manual for Computer Forensics?
   [Y: 100% / N: 0%]
   --> No comments <G>

2) Do you feel such a standard already exists?
   [Y: 0% / N: 100%]
   --> No comments.

   *If [NO], what do you think is missing from any of the available resources? (That is, what pitfalls do you feel we should avoid in this project?)
   Individual initiatives, not developed by the community                 [Y: 86% / N: 14%]
   Not truly Open, no GPL License                                         [Y: 86% / N: 14%]
   Not used by enough people to accept it as a standard                   [Y: 86% / N: 14%]
   Not subject to a formal peer review process inside the community       [Y: 93% / N: 7%]
   Not kept up-to-date                                                    [Y: 89% / N: 11%]
   Not enough detail, very abstract or merely "Principles" (ex. G8)       [Y: 89% / N: 11%]
   --> It seems that these are the key elements which stopped other available resources from meeting the community's needs. The list also seems to be pretty extensive, since I have received no additional comments on things which had gone wrong.

3) Do you feel there is a need for an Open Source Standard Operating Procedures Manual for computer forensics?
   [Y: 100% / N: 0%]
   --> No comments.

4) Do you feel such a standard already exists?
   [Y: 7% / N: 93%]
   --> Affirmative answers opted for:
       *CERT/CC
       *FBI's Infragard
       CERT/CC is definitely doing a great job (I'm a former worker from a CERT, so this could be biased!) but I feel their forensic resources are not really SOPs, nor are they liturgical-oriented, which is one of the key aspects of having it become a standard. It is, anyway, a resource to take into account. On the other hand, the comment about FBI's Infragard was not to use their SOPs, which are actually internal and not available to the public, but rather to get them involved in the initiative.

   *If [NO], what do you think is missing from any of the available resources? (That is, what pitfalls do you feel we should avoid in this project?)
   Individual initiatives, not developed by the community                 [Y: 76% / N: 24%]
   Not truly Open, no GPL License                                         [Y: 84% / N: 16%]
   Not used by enough people to accept it as a standard                   [Y: 80% / N: 20%]
   Not subject to a formal peer review process inside the community       [Y: 88% / N: 12%]
   Not kept up-to-date                                                    [Y: 92% / N: 8%]
   Not enough detail provided                                             [Y: 96% / N: 4%]
   --> Same general impression as above.

5) Do you think that we should adopt one of the existing methodologies and from that base develop appropriate Standard Operating Procedures?
   [Y: 10% / N: 90%]
   --> Affirmative answers actually clarified to use available methodologies as guidelines to build an open standard; they didn't feel reinventing the wheel was a good idea.

6) Do you think such a resource should also include technical procedures?
   [Y: 97% / N: 3%]
   *If [YES], please provide more detail:
   Technical Procedures should be developed once the general methodology and non-technical procedures/protocols are ready   [Y: 87% / N: 13%]
   Technical Procedures should be separated from methodology and non-technical procedures/protocols                         [Y: 87% / N: 13%]
   --> It is clear that technical procedures are needed, and the way to go with it seems quite clear too. It seems there is quite an urgent need too, since that's my only explanation for the negative answers to question 6.1.

7) Do you feel the effort should be made to provide simpler methodology and procedures for non-liturgical forensics scenarios?
   [Y: 76% / N: 24%]
   --> I've had a lot of affirmative answers here stating the fact that the basic model should be liturgical and from that point relax restrictions on non-liturgical forensics. It has also been stressed, both in the answers received and on the list, that a non-liturgical forensics could easily develop into a liturgical one, and examiners need to be prepared for it.

Some interesting comments received that I'd like to share with the list follow:

"Separation of process, procedures (how) and what to do, from techniques, which tools and the use of them. Techniques age, processes don't."

"There are, clearly, some generic guides but, NO, I don't think that there is any universally accepted standard set of best practices."

"This list was created to do just this..."

"The pitfalls are that these types of processes or methodologies become part of a capitalistic approach to delivering the information. In other words, once it appears to have credence as a process it immediately is bought up and sold to the community at large, who are the victims of cyber attacks and should have these types of tools available for free."

"A place for local legislation, not covering the law in every country but rather how to handle the legal aspects and where to find local information. Like legal placeholders, 'Here the following legal aspects apply..., verify your local legal framework for further reference', type of information. Know what to look for. Appendix on where to find local information."

"Methodology ought to be acceptable as 'expert testimony' in courts."

"The only thing you have to be careful about is that you don't 'lock in' the forensic examiner. As you know, not all situations are the same and if we have a set standard, the defense can harp on the fact that the examiner 'missed a step' in the set standard, even though it might not be applicable in that given situation. This is the reason why HTCIA and IACIS have avoided making a standard procedures manual."

I wanted to share these insightful comments for various reasons. The first is that I believe in Open Source Knowledge and thus wanted to share them with you <g>; the second is that they provide a feeling for what is really needed and expected; and last but not least, they show that people have really taken the time to think about it and are willing to cooperate.

Taking all of the above into account, I'll be starting the initiative ASAP. I feel we can create a very useful resource for the community, raise standards and provide a much more mature approach to the field of computer forensics as a whole. I'll be getting back to the list to announce the details about the SourceForge setup.

Sincerely,

Matías Bevilacqua Trabado
CYBEX
___________________________________________________________________
PGP-ID: 0x40A4869F
PGP Fingerprint: 2052 98A0 F0F0 2914 D7FA 4E7C 0488 7E8C 40A4 869F
___________________________________________________________________
CYBEX Grupo Intelligence Bureau
Rambla de Catalunya, 32 4º-2ª
08007 Barcelona
Tel. 93 215 53 23
Fax. 93 215 50 72
http://www.cybex.info
-----------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Mon May 12 2003 - 22:52:29 PDT