Musings on Forensics Trends
Today I spoke with my friend Mike (one of the forensic dudes with whom I sometimes work), and I was happy to hear that he would soon be working at McAfee’s Foundstone. I was first introduced to Foundstone’s products around 2001 when I became a security engineer with Titan and have since been a fan of their tools and methodology. While I’m not a forensics person, something Mike said sounded very logical, given what little I know about the forensics space: to figure out what’s going on on a system, it’s becoming more and more important to run the right tools on a live system and then document their effects, rather than simply imaging everything and then sifting through gigs of data.
While I haven’t yet used Ruby-based AutomateIT in production, I wonder if it (or something like it) will soon be key to easily automating tools like Procmon and documenting their effects on Windows systems (e.g. DLL calls, registry hooks, and dependent processes). Server automation tools (e.g. CFEngine, Puppet) are key for many business reasons — reducing risk / errors / downtime, simplifying updates / migrations / recovery, codifying knowledge into repeatable “recipes” (sudo make me a sandwich!) — but perhaps soon we might see them integrated into incident response toolkits?
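To make the “run a tool, then document its footprint” idea concrete, here is a PowerShell sketch of what that automation could look like on a live Windows host. This is an added example written for this page, not code from the original post, from Foundstone, or from AutomateIT. It snapshots running processes (with parent IDs), loaded modules, the common autorun registry keys and kernel drivers, runs a tool, snapshots again, and writes the difference alongside the tool’s hash and exit code. The tool path, its arguments and the case directory are placeholders; the Procmon switches shown in the comment are Procmon’s own and should be checked against its documentation for your version.

```powershell
# Added example (not from the original post): record the footprint a live-response
# tool leaves on a Windows host. Run from an elevated prompt so that module lists
# of all processes are readable. Paths below are placeholders for a real case.
param(
    [string]$ToolPath = 'C:\IR\Tools\Procmon64.exe',   # placeholder tool under test
    # e.g. for Procmon: '/AcceptEula /Quiet /Minimized /BackingFile C:\IR\trace.pml /Runtime 60'
    [string]$ToolArgs = '',                             # placeholder; verify against the tool's docs
    [string]$CaseDir  = 'C:\IR\case-001'                # placeholder evidence directory
)

function Get-HostSnapshot {
    # Processes with parent relationships, so spawned helpers show up as "dependent processes".
    $procs = Get-CimInstance Win32_Process |
        Select-Object ProcessId, ParentProcessId, Name, CommandLine

    # Loaded modules (DLLs) for every process we are allowed to inspect.
    $mods = foreach ($p in Get-Process) {
        try {
            foreach ($m in $p.Modules) {
                [pscustomobject]@{ Pid = $p.Id; Process = $p.ProcessName; Module = $m.FileName }
            }
        } catch { }   # protected/system processes throw on Modules; skip them
    }

    # Autorun values: a usual place for persistence hooks and for tools that install a helper.
    $runKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
               'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
               'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    $reg = foreach ($k in $runKeys) {
        if (Test-Path $k) {
            $props = Get-ItemProperty -Path $k
            foreach ($name in ($props.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' }).Name) {
                [pscustomobject]@{ Key = $k; Name = $name; Value = $props.$name }
            }
        }
    }

    # Kernel drivers: tools such as Procmon load one, and that belongs in the record.
    $drivers = Get-CimInstance Win32_SystemDriver | Select-Object Name, PathName, State

    [pscustomobject]@{
        Time     = (Get-Date).ToUniversalTime().ToString('o')
        Procs    = @($procs)
        Modules  = @($mods)
        Registry = @($reg)
        Drivers  = @($drivers)
    }
}

function Compare-Snapshot($Before, $After) {
    # Keep only what appeared (or changed) after the tool ran: the '=>' side of Compare-Object.
    $delta = [ordered]@{}
    $delta.NewProcesses = Compare-Object @($Before.Procs) @($After.Procs) -Property ProcessId, Name |
        Where-Object SideIndicator -eq '=>' | Select-Object ProcessId, Name
    $delta.NewModules = Compare-Object @($Before.Modules) @($After.Modules) -Property Module |
        Where-Object SideIndicator -eq '=>' | Select-Object -ExpandProperty Module -Unique
    $delta.RegistryChanges = Compare-Object @($Before.Registry) @($After.Registry) -Property Key, Name, Value |
        Where-Object SideIndicator -eq '=>' | Select-Object Key, Name, Value
    $delta.DriverChanges = Compare-Object @($Before.Drivers) @($After.Drivers) -Property Name, State |
        Where-Object SideIndicator -eq '=>' | Select-Object Name, State
    $delta
}

New-Item -ItemType Directory -Force -Path $CaseDir | Out-Null

# Hash the tool binary first: the record must say exactly what was executed.
$toolHash = (Get-FileHash -Algorithm SHA256 -Path $ToolPath).Hash

$before = Get-HostSnapshot
$startArgs = @{ FilePath = $ToolPath; PassThru = $true; Wait = $true }
if ($ToolArgs) { $startArgs.ArgumentList = $ToolArgs }   # -ArgumentList rejects an empty string
$proc = Start-Process @startArgs
$after = Get-HostSnapshot

$record = [ordered]@{
    Host      = $env:COMPUTERNAME
    Tool      = $ToolPath
    Arguments = $ToolArgs
    Sha256    = $toolHash
    ExitCode  = $proc.ExitCode
    Started   = $before.Time
    Finished  = $after.Time
    Footprint = Compare-Snapshot $before $after
}
$record | ConvertTo-Json -Depth 5 | Set-Content -Path (Join-Path $CaseDir 'tool-footprint.json')
```

Two caveats a responder would want stated: the snapshots themselves touch the system (WMI queries, module enumeration, the script host), so their timestamps and the script’s own hash belong in the case notes too; and a process that starts and exits while the tool runs never appears in the before/after delta, which is exactly the gap a running tracer like Procmon is meant to fill.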