This issue was moved to a discussion.

General ideas for improving the tool #1303

Closed
MariasStory opened this issue Sep 1, 2022 · 1 comment

Comments

@MariasStory

MariasStory commented Sep 1, 2022

Hi team,
I love the tool and hope that it will stay so cool and free in the future.

I want to suggest increasing the tool's capabilities and making it a full forensic investigation tool.
I am sure that you all know it, but I still want to say it.
For this, we have to think about the Five Ws. I prefer to start with the question "When" and follow with "What".

So, in our case, I suggest to:

  1. Parse as many timestamps as possible, with the events related to them.
  2. Use full-text indexing for additional indicators, as is done now.
    A good example of the parser approach is "plaso". Still, IPED is a complete tool on its own.

Most of the features are already present, just need adjustment:

  1. Add parsed/extracted artifacts to the main table. It is especially useful in the timeline view.
    • Some of the table details will be missing for the extracted records. It is OK. Most important is that when you search for an indicator you'll get a timestamp or related indicator that can be further correlated.
    • The extracted records should be "marked" in order to recognize/hide or filter them.
  2. The bookmarks approach is OK for event tagging. It may need to be extended.
    • Another tool used in such cases is Timesketch.
  3. Make it possible to have the search results in a separate window and show the selected item in the timeline view, with the possibility to scroll and mark related events.
    • Maybe something similar to the Excel search box.

Please consider my suggestions and feel free to improve or criticize.

Thank you,
Anatoliy
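The "When first, then What" timeline idea from the comment above, carried through as an added example for this page. This is not IPED code and was not posted by the commenter: it normalizes records from three artifact types (file-system mtime as Unix epoch, a text log with ISO 8601 stamps, a registry key with a Windows FILETIME) to UTC, marks each record with its source and with an "extracted" flag so such records can be hidden or filtered, merges them into one sorted timeline, and then filters around a pivot event or by indicator. All paths, log lines, the registry key and the FILETIME value are constructed sample data, and a naive ISO timestamp is assumed to be UTC.

```python
"""Added example, not IPED code: records from several artifact types are
normalized to UTC, marked with their source and whether they were extracted
from inside a file, merged into one sorted timeline, and then filtered
around a pivot event. All sample data below is constructed."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Iterable, List, Optional

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


@dataclass(frozen=True)
class TimelineEvent:
    when: datetime    # always UTC so records from different sources sort together
    what: str         # short description of the event
    source: str       # artifact the record came from
    extracted: bool   # True for records parsed out of a file (log line, registry value)


def from_filetime(value: int) -> datetime:
    """Windows FILETIME: 100-nanosecond ticks since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=value // 10)


def from_unix(value: float) -> datetime:
    """Unix epoch seconds to an aware UTC datetime."""
    return datetime.fromtimestamp(value, tz=timezone.utc)


def from_iso(value: str) -> datetime:
    """ISO 8601 text to UTC; a naive timestamp is assumed to be UTC here."""
    dt = datetime.fromisoformat(value.replace("Z", "+00:00"))
    if dt.tzinfo is None:
        dt = dt.replace(tzinfo=timezone.utc)
    return dt.astimezone(timezone.utc)


# Constructed sample data (hypothetical path, log, key and address; not real evidence).
SAMPLE_FILES = [{"path": "/Users/a/Documents/report.docx", "mtime": 1662020400}]
SAMPLE_LOG = (
    "2022-09-01T08:15:30Z user login from 10.0.0.5\n"
    "not a timestamped line\n"
    "2022-09-01T08:17:02Z report.docx opened\n"
)
SAMPLE_REGISTRY = [{"key": "HKU\\<sid>\\Software\\Example\\RecentDocs",
                    "last_write_filetime": 133064938250000000}]  # 2022-09-01T08:17:05Z


def parse_file_entries(entries: Iterable[dict]) -> List[TimelineEvent]:
    """File-system metadata: one event per modification time."""
    return [TimelineEvent(from_unix(e["mtime"]), f"file modified: {e['path']}",
                          "filesystem", False) for e in entries]


def parse_log_text(text: str, source: str = "app.log") -> List[TimelineEvent]:
    """Text log with a leading ISO timestamp; lines without one are skipped."""
    events = []
    for line in text.splitlines():
        stamp, _, message = line.partition(" ")
        try:
            when = from_iso(stamp)
        except ValueError:
            continue
        events.append(TimelineEvent(when, message, source, True))
    return events


def parse_registry_records(records: Iterable[dict]) -> List[TimelineEvent]:
    """Registry keys: one event per last-write FILETIME."""
    return [TimelineEvent(from_filetime(r["last_write_filetime"]),
                          f"registry key written: {r['key']}", "registry", True)
            for r in records]


def build_timeline(*groups: Iterable[TimelineEvent]) -> List[TimelineEvent]:
    """Merge every source into one list ordered by time."""
    return sorted((ev for group in groups for ev in group), key=lambda ev: ev.when)


def filter_timeline(events: Iterable[TimelineEvent], *, hide_extracted: bool = False,
                    around: Optional[datetime] = None, window_minutes: float = 5,
                    keyword: Optional[str] = None) -> List[TimelineEvent]:
    """Hide extracted records, keep a window around a pivot, or match an indicator."""
    window = timedelta(minutes=window_minutes)
    out = []
    for ev in events:
        if hide_extracted and ev.extracted:
            continue
        if around is not None and abs(ev.when - around) > window:
            continue
        if keyword is not None and keyword.lower() not in ev.what.lower():
            continue
        out.append(ev)
    return out


def demo_timeline() -> List[TimelineEvent]:
    return build_timeline(parse_file_entries(SAMPLE_FILES),
                          parse_log_text(SAMPLE_LOG),
                          parse_registry_records(SAMPLE_REGISTRY))


if __name__ == "__main__":
    for ev in demo_timeline():
        flag = "*" if ev.extracted else " "
        print(f"{ev.when.isoformat()} {flag} [{ev.source}] {ev.what}")
```

Everything is converted to UTC before sorting so that a FILETIME, an epoch mtime and an ISO log stamp land in the same order they happened; the `extracted` flag is what lets a view hide or show the parsed-out records separately from the files they came from, and `filter_timeline` is the "select an item and scroll around it" step of suggestion 3.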

@lfcnassif
Member

Hi @MariasStory. Most of your suggestions are already the goal of other tickets or pull requests, for example see:

#1193 (if you could help, tests are welcome here)
#467 (some of them only need regex rules to be configured, even non-developers can help)
#668 (already suggested by you, being implemented on #1285, tests are welcome too)
#452
#281
etc

You can find others by searching the issue tracker. This is an open source project with very few people 100% dedicated (currently just 2), so any contribution is welcome; we aren't able to implement all desired features, so we need your help.

I'm updating the title since IPED already is a forensic investigation tool used by law enforcement and independent examiners of many countries. Since this is about very general suggestions, I'm also moving to discussions.

@lfcnassif lfcnassif changed the title Make IPED a forensic investigation tool General ideas for improving the tool Sep 1, 2022
@sepinf-inc sepinf-inc locked and limited conversation to collaborators Sep 1, 2022
@lfcnassif lfcnassif converted this issue into discussion #1304 Sep 1, 2022
