[rsyslog] Anyone in Computer Forensics?

RB aoz.syn at gmail.com
Tue Jan 20 16:39:34 CET 2009


On Tue, Jan 20, 2009 at 06:00, Rainer Gerhards <rgerhards at hq.adiscon.com> wrote:
> are there some folks on this list who are working in the computer
> forensics space? I wonder how syslog, and rsyslog in specific, works in
> forensics.

Could you clarify what you're asking here?  There are two clearly
delineated portions of the computer forensics space: that which is
analyzed and that which performs the analysis.  Are you looking more
to improve analysis of rsyslog instances or to integrate into back-end
tools?

> Most importantly, I am interested in what stops acceptance in
> the forensics field (or what nurtures it). I am interested in feedback
> to help shape the medium to long term schedule for rsyslog (including
> those initiatives that I should learn more about).

Law Enforcement.  LE is by far the biggest driver in industry
acceptance, nearly regardless of technology.  The "primary" forensics
tool, EnCase, is a perfect example: there are many arguably better
products on the market, but because huge numbers of extremely
non-technical police officers are comfortable with it (since Guidance
gives steep LE discounts), it is by far the biggest player.

There isn't a huge amount of logging to be done in the analysis space.
Although centralized solutions are becoming more prevalent, most of
the critical logs are being (or will be) stored with the
encrypted/signed forensic data for non-repudiation.  Even so, there is
more effort going into improving analysis (carvers, documenting
formats, etc.) than building up proper logging and storage.
