Archive

Archive for August, 2013

Patents in the DFIR community space

Good morning,

David Cowen announced that he has submitted a patent application for NTFS TriForce. Let me start off by stating that I admire David quite a bit, I think TriForce is very useful and pushes into new territory, and that I am not angry at anyone, least of all David.

That said, I’m very concerned. The discussion is going on over in G+. Here is my very off the top of my head contribution to what may be a very interesting discussion. I hope others chime in.

From the G+ post:

 —–
David,

I think my response may have been phrased in overly strong language. I’ve given some thought to why – why I am concerned and why my response was more emotional than the situation warranted.

My perception was that your tool was well supported by the community, and that through your beta program, presentations, and blog posts you were engaging with the community to help develop it. I, rightly or wrongly, mentally lumped it in with other reasonably priced tools that were closely tied to the DFIR community. So when I saw your patent post my immediate thought was “There’s another tool that I’m not going to want to support any more.”

Your post set off warning bells in my hindbrain. My experience with patents has almost always been negative, and in some very personal ways at times. I’ve had colleagues say “I’m doing this for all of us” on more than one occasion. Even when they were being honest, there were negative repercussions.

I think you’re going to run into prior art issues, and quite a few of them. I think that this may be part of my emotional reaction. My perception is that the prior art may be the DFIR community’s work and I’m reacting to the perception that you may be trying, directly or indirectly, to patent the work of many other people.

I fear that you may set off an arms race in the DFIR community. Maybe it is going to happen anyhow and you’re just getting there first. I don’t really want to be a part of that, and I’m not going to be thrilled about watching it happen if it does occur.

Guidance is a very poor example to cite of good behavior with respect to public relations, community engagement, and good business decisions. If they are your model for pretty much anything, you’re elevating my level of concern.

There are other ways to protect and control your intellectual property without patents. Sharing your thoughts on why you’re going with patents rather than licensing would be helpful.

Someone asked me if I am angry. I’m not. I am quite concerned though and I look forward to seeing how this plays out.

-David

IRcollect – collect incident response information via raw disk reads and $MFT parsing

ircollect is a Python tool designed to collect files of interest in an incident response investigation or triage effort. This is very beta code. I’m hacking on it regularly, using it to learn about internal structures, finding minor and major issues, …. Use it at your own risk! If you have advice on how to address issues I’ve encountered, please share ….

In the process of writing this, I added data run parsing and ADS detection to analyzeMFT so those are now available.

The github site has more details and will be updated much more regularly than this blog.

Running as local admin, it:

  • Opens the raw disk
  • Reads the master boot record, collects a copy of it, and uses the MBR to find partition and disk information
  • Using the MBR information, it finds the NTFS partitions.
  • Working from the start of the NTFS partition, it finds the $MFT
  • It collects a copy of the $MFT and then builds a list of all the files on the system and their data runs
  • Using the file list and data runs, it collects interesting files through direct reads from the disk, bypassing access controls.

All collected files are stored in a directory specified with the -d option. They are further organized by hostname and the date-time the script was run.

Requirements:

pip install analyzemft

Status:

VERY beta. Active development daily, often hourly.

Currently collects master boot record, $MFT, and live (corrupted) registry hives. User can modify table in ircollect.py to specify any files they desire.

Thank you to:

  • Jamie Levy for mbr_parser
  • Willi Ballenthin – bit manipulation code, lots of useful tips for analyzeMFT