Although I’m not much of an academic, I really appreciate some of the great research – pure and applied – that is done every day to further our collective understanding and capabilities. Since I work a lot with the computer forensic sector, I often find some excellent research that happens to line up with something I’ve encountered for a case.
As a recent example, I’ve been tasked with identifying the forensic differences between VMware snapshots, but this is just the most recent example. Plug in your own mad libs.
After a short bit of digging, I came across a very promising paper from the Rochester Institute of Technology (RIT) that covers this exact situation. Others in the forensic community – some of whom I know and trust – also pointed to the paper as potentially valuable work.
Forensic Analysis of VMware Hard Disks <- Great research with code to compare snapshots. ritdml.rit.edu/bitstream/hand… #vmware — Chad Tilbury (@chadtilbury) December 6, 2011
Forensic Analysis of VMware Hard Disks – ritdml.rit.edu/handle/1850/13… — Francisco Gama T. R. (@blackthorne) February 10, 2012
The paper detailed a series of bash shell scripts the author wrote to accomplish exactly what I was after. “Great! This is a perfect starting point!”, says me. However, it soon became apparent that the author did not make those scripts available in any form other than text in an appendix of the PDF. I’m no slouch, and I can copypasta with the best of them, so I set out to do just that… Except that the formatting required some pretty heavy manual tweaking to get over 1300 lines of the script content into usable form. Now, I’ll be troubleshooting the transcribed scripts to ensure there were no errors introduced by the re-formatting process. Not an ideal use of time, and a significant hurdle to generating what I hope to be useful real-world experience with the author’s work.
So I offer the following advice to those in academia as you find and address problems:
- Keep doing great stuff! There are lots of us here in your respective communities that really appreciate your work and would love to provide real-world use case feedback.
- If you write programs, scripts, or other software-like proofs-of-concept: please, PLEASE provide the scripts themselves. Whether as a download link or even a pastebin URL, let us test your code without unnecessary hurdles or extra steps. Include the SHA checksums in your paper for some level of integrity validation.
Update, March 15, 2013: I’ve uploaded the scripts to GitHub, and plan to make modifications and improvements there. The originals needed to be modified so they functioned in the SANS SIFT workstation. Aside from those changes and a few minor tweaks, they’re uploaded in near-original form. See the code here: https://github.com/philhagen/vmware-snapcompare.
Thanks, Chad, and I agree completely. I’m glad to see sites like GitHub and Google Code grow in popularity, so at least the technical fruits of that research can flow between academics and practitioners. Plus, with sites like that, code really doesn’t get “lost” – anyone can fork abandoned code to give it new life when needed.
Even if a researcher’s thesis or paper is locked away behind a journal’s paywall, the code can be put into the open and we can start to make it useful.
You’re certainly welcome for getting the scripts “out there”, but they have a long way to go. They’ve been useful in their current form, but I have a ton of ideas that would make the concept work even better. Now to find the time!
Your post hits on a topic that I am concerned about. As computer security/forensics becomes more prevalent in universities, there is an increasing amount of great research being done. Unfortunately much of that research is not filtering down to the practitioners. One issue is that much of the research is locked up in hard to access scientific journals. However, I think the bigger problem is that there just isn’t enough cross-pollination between academia and those in the field. We should be looking for ways to bridge that gap. Thank you for sharing the updated scripts!