On Tue, Jan 20, 2009 at 06:00, Rainer Gerhards <[email protected]> wrote:

> are there some folks on this list who are working in the computer
> forensics space? I wonder how syslog, and rsyslog in specific, works in
> forensics.

Could you clarify what you're asking here? There are two clearly delineated portions of the computer forensics space: that which is analyzed and that which performs the analysis. Are you looking more to improve analysis of rsyslog instances or to integrate into back-end tools?

> Most importantly, I am interested in what stops acceptance in
> the forensics field (or what nurtures it). I am interested in feedback
> to help shape the medium to long term schedule for rsyslog (including
> those initiatives that I should learn more about).

Law Enforcement. LE is by far the biggest driver in industry acceptance, nearly regardless of technology. The "primary" forensics tool, EnCase, is a perfect example: there are many arguably better products on the market, but because huge numbers of extremely non-technical police officers are comfortable with it (since Guidance gives steep LE discounts), it is by far the biggest player.

There isn't a huge amount of logging to be done in the analysis space. Although centralized solutions are becoming more prevalent, most of the critical logs are being (or will be) stored with the encrypted/signed forensic data for non-repudiation. Even so, there is more effort going into improving analysis (carvers, documenting formats, etc.) than building up proper logging and storage.

