Loading ...
Sorry, an error occurred while loading the content.

When and how to publish?

Expand Messages
  • Capt Jesse Kornblum USAF
    As I mentioned last week, I am researching whether linux 2.6 kernels can access the last sector of a hard drive with an odd number of sectors. If the
    Message 1 of 14 , May 3, 2004
    • 0 Attachment
      As I mentioned last week, I am researching whether linux 2.6 kernels can
      access the last sector of a hard drive with an odd number of sectors. If
      the experiment is successful, I will be writing a paper to announce my
      results. The question is, where and how should I publish that paper?

      The results of this experiment could have large implications for how
      computer forensics are accomplished, and thus I want the widest possible
      audience. This paper needs to be accessible to government agents,
      judges, legal researchers, and defense attorneys at the federal, state,
      and local level.

      Here are the options as I see them:

      1. Publish on my own web site - Ensures wide distribution, but does
      not offer peer review. Could be taken off-line when I move, lose
      broadband access, etc.

      2. Publish in a free (as in beer) journal like the International
      Journal of Digital Evidence <http://ijde.org/> - Very accessible,
      more reliable than my private server, approved by an editorial
      board, but still no peer review. (I should note that the man whose
      work upon which my project is based sits on this journal's
      editorial board.) Can I publish on my own web site first to get
      comments and then submit to a journal?

      3. Publish in a non-free, referred journal like Digital Investigation
      <http://www.compseconline.com/digitalinvestigation/>. At $300 per
      year for individuals and $650 for institutions, there is very
      limited access to this (brand new) journal. But there is peer review.

      How much is peer review worth?

      Thoughts?

      --
      Jesse Kornblum, Capt, USAF
      United States Naval Academy
      Chauvenet Room 329
      572 Holloway Rd. Stop 9F
      Annapolis, MD 21402-5002
      Comm 410-293-6821 DSN 281-6821
      Fax 410-293-2686 Fax DSN 281-2686
      e-mail: kornblum@...
      http://www.cs.usna.edu/~kornblum/


      --
      Jesse Kornblum, Capt, USAF
      United States Naval Academy
      Chauvenet Room 329
      572 Holloway Rd. Stop 9F
      Annapolis, MD 21402-5002
      Comm 410-293-6821 DSN 281-6821
      Fax 410-293-2686 Fax DSN 281-2686
      e-mail: kornblum@...
      http://www.cs.usna.edu/~kornblum/
    • Enda Cronnolly
      I d say publish to your own website, and invite peer review through mailing lists. You may wish to refine it then, and when you re completely happy with it,
      Message 2 of 14 , May 3, 2004
      • 0 Attachment
        I'd say publish to your own website, and invite peer review through mailing
        lists. You may wish to refine it then, and when you're completely happy with
        it, offer it if you so desire to ijde.org

        -Enda.

        ----- Original Message -----
        From: "Capt Jesse Kornblum USAF" <kornblum@...>
        To: <linux_forensics@yahoogroups.com>
        Sent: Monday, May 03, 2004 5:27 PM
        Subject: [linux_forensics] When and how to publish?


        >
        > As I mentioned last week, I am researching whether linux 2.6 kernels can
        > access the last sector of a hard drive with an odd number of sectors. If
        > the experiment is successful, I will be writing a paper to announce my
        > results. The question is, where and how should I publish that paper?
        >
        > The results of this experiment could have large implications for how
        > computer forensics are accomplished, and thus I want the widest possible
        > audience. This paper needs to be accessible to government agents,
        > judges, legal researchers, and defense attorneys at the federal, state,
        > and local level.
        >
        > Here are the options as I see them:
        >
        > 1. Publish on my own web site - Ensures wide distribution, but does
        > not offer peer review. Could be taken off-line when I move, lose
        > broadband access, etc.
        >
        > 2. Publish in a free (as in beer) journal like the International
        > Journal of Digital Evidence <http://ijde.org/> - Very accessible,
        > more reliable than my private server, approved by an editorial
        > board, but still no peer review. (I should note that the man whose
        > work upon which my project is based sits on this journal's
        > editorial board.) Can I publish on my own web site first to get
        > comments and then submit to a journal?
        >
        > 3. Publish in a non-free, referred journal like Digital Investigation
        > <http://www.compseconline.com/digitalinvestigation/>. At $300 per
        > year for individuals and $650 for institutions, there is very
        > limited access to this (brand new) journal. But there is peer review.

        >
        > How much is peer review worth?
        >
        > Thoughts?
        >
        > --
        > Jesse Kornblum, Capt, USAF
        > United States Naval Academy
        > Chauvenet Room 329
        > 572 Holloway Rd. Stop 9F
        > Annapolis, MD 21402-5002
        > Comm 410-293-6821 DSN 281-6821
        > Fax 410-293-2686 Fax DSN 281-2686
        > e-mail: kornblum@...
        > http://www.cs.usna.edu/~kornblum/
        >
        >
        > --
        > Jesse Kornblum, Capt, USAF
        > United States Naval Academy
        > Chauvenet Room 329
        > 572 Holloway Rd. Stop 9F
        > Annapolis, MD 21402-5002
        > Comm 410-293-6821 DSN 281-6821
        > Fax 410-293-2686 Fax DSN 281-2686
        > e-mail: kornblum@...
        > http://www.cs.usna.edu/~kornblum/
        >
        >
        >
        >
        > Yahoo! Groups Links
        >
        >
        >
        >
        >
        >
      • Gary Funck
        ... [...] ... I don t know about the best place to publish, but as a reader/reviewer, I d be interested in knowing the source of the original error. Was it:
        Message 3 of 14 , May 3, 2004
        • 0 Attachment
          > -----Original Message-----
          > From: Capt Jesse Kornblum USAF [mailto:kornblum@...]
          > Sent: Monday, May 03, 2004 9:28 AM
          [...]
          >
          >
          > As I mentioned last week, I am researching whether linux 2.6 kernels can
          > access the last sector of a hard drive with an odd number of sectors. If
          > the experiment is successful, I will be writing a paper to announce my
          > results. The question is, where and how should I publish that paper?

          I don't know about the best place to publish, but as a
          reader/reviewer, I'd be interested in knowing the source of the
          original error. Was it: (1) the kernel, (2) the IDE driver, or
          (3) an interaction between 'dd' and the OS? I'd also be interested
          in knowing how/why it was fixed. As an aside, I'd be curious to
          know if the problem was specific to IDE, or whether it would have
          manifested itself on other SCSI devices as well, for example. I'd
          also be interested in knowing if the last sector of the drive has
          any particular use, for example diagnostics, that would have precluded
          it from being allocated into a file system. None of those details
          change the usefulness of the result, but may help support the
          strength of your conclusions.
        • Enda Cronnolly
          ... Quite simply, the linux kernel traditionally used a 1024K block size when addressing all block devices. All disks, be they IDE SCSI are represented as
          Message 4 of 14 , May 3, 2004
          • 0 Attachment
            Gary Funck wrote:
            > > -----Original Message-----
            > > From: Capt Jesse Kornblum USAF [mailto:kornblum@...]
            > > Sent: Monday, May 03, 2004 9:28 AM
            > [...]
            > >
            > >
            > > As I mentioned last week, I am researching whether linux 2.6 kernels can
            > > access the last sector of a hard drive with an odd number of sectors. If
            > > the experiment is successful, I will be writing a paper to announce my
            > > results. The question is, where and how should I publish that paper?
            >
            > I don't know about the best place to publish, but as a
            > reader/reviewer, I'd be interested in knowing the source of the
            > original error. Was it: (1) the kernel, (2) the IDE driver, or
            > (3) an interaction between 'dd' and the OS?

            Quite simply, the linux kernel traditionally used a 1024K block size when
            addressing all block devices. All disks, be they IDE SCSI are represented as
            block devices in linux.

            > I'd also be interested
            > in knowing how/why it was fixed.

            The why is less important than the how, as has been pointed out on this
            list, the question has been raised on the kernel lists, but no response yet.

            > As an aside, I'd be curious to
            > know if the problem was specific to IDE, or whether it would have
            > manifested itself on other SCSI devices as well, for example. I'd
            > also be interested in knowing if the last sector of the drive has
            > any particular use, for example diagnostics, that would have precluded
            > it from being allocated into a file system. None of those details
            > change the usefulness of the result, but may help support the
            > strength of your conclusions.

            The last sector remained unused in a linux based system, and therefore was
            of no particular value to a linux system analysis. The problem really only
            occured if you had a windows based disk / partition with an odd number of
            sectors, the case of a partition being easier to get around than the case of
            a disk.

            -Enda.





            >
            >
            > Yahoo! Groups Links
            >
            >
            >
            >
            >
            >
          • bill tydeman
            My 2 cents: The value of the research is higher if the article is peer reviewed. You could publish another article in other forums, and reference the
            Message 5 of 14 , May 3, 2004
            • 0 Attachment
              My 2 cents:

              The value of the research is higher if the article is peer reviewed. You
              could publish another article in other forums, and reference the
              peer-reviewed document as well, This absolves you of publishing the
              article twice and gets double the visibility (although, you'd have to do
              twice the work). Additionally, most editorial policies allow the author
              to send out copies of the article provided that they do not charge for
              it, et cetera.

              Bill

              On Mon, 03 May 2004 12:27:50 -0400 Capt Jesse Kornblum USAF
              <kornblum@...> writes:
              >
              > As I mentioned last week, I am researching whether linux 2.6 kernels
              > can
              > access the last sector of a hard drive with an odd number of
              > sectors. If
              > the experiment is successful, I will be writing a paper to announce
              > my
              > results. The question is, where and how should I publish that
              > paper?
              >
              > The results of this experiment could have large implications for how
              >
              > computer forensics are accomplished, and thus I want the widest
              > possible
              > audience. This paper needs to be accessible to government agents,
              > judges, legal researchers, and defense attorneys at the federal,
              > state,
              > and local level.
              >
              > Here are the options as I see them:
              >
              > 1. Publish on my own web site - Ensures wide distribution, but
              > does
              > not offer peer review. Could be taken off-line when I move, lose
              > broadband access, etc.
              >
              > 2. Publish in a free (as in beer) journal like the International
              > Journal of Digital Evidence <http://ijde.org/> - Very
              > accessible,
              > more reliable than my private server, approved by an editorial
              > board, but still no peer review. (I should note that the man
              > whose
              > work upon which my project is based sits on this journal's
              > editorial board.) Can I publish on my own web site first to
              > get
              > comments and then submit to a journal?
              >
              > 3. Publish in a non-free, referred journal like Digital
              > Investigation
              > <http://www.compseconline.com/digitalinvestigation/>. At $300
              > per
              > year for individuals and $650 for institutions, there is very
              > limited access to this (brand new) journal. But there is peer
              > review.
              >
              > How much is peer review worth?
              >
              > Thoughts?
              >
              > --
              > Jesse Kornblum, Capt, USAF
              > United States Naval Academy
              > Chauvenet Room 329
              > 572 Holloway Rd. Stop 9F
              > Annapolis, MD 21402-5002
              > Comm 410-293-6821 DSN 281-6821
              > Fax 410-293-2686 Fax DSN 281-2686
              > e-mail: kornblum@...
              > http://www.cs.usna.edu/~kornblum/
              >
              >
              > --
              > Jesse Kornblum, Capt, USAF
              > United States Naval Academy
              > Chauvenet Room 329
              > 572 Holloway Rd. Stop 9F
              > Annapolis, MD 21402-5002
              > Comm 410-293-6821 DSN 281-6821
              > Fax 410-293-2686 Fax DSN 281-2686
              > e-mail: kornblum@...
              > http://www.cs.usna.edu/~kornblum/
              >
              >
              >
              >
              > Yahoo! Groups Links
              >
              >
              >
              >
              >
              >
              >

              ________________________________________________________________
              The best thing to hit the Internet in years - Juno SpeedBand!
              Surf the Web up to FIVE TIMES FASTER!
              Only $14.95/ month - visit www.juno.com to sign up today!
            • Gary Funck
              ... [...] ... The LKML article cited below, seems to indicate: (1) the last block is reserved for the md super block , and that (2) if the device were read as
              Message 6 of 14 , May 3, 2004
              • 0 Attachment
                > -----Original Message-----
                > From: Enda Cronnolly [mailto:enda@...]
                > Sent: Monday, May 03, 2004 2:51 PM
                [...]
                >
                > The last sector remained unused in a linux based system, and therefore was
                > of no particular value to a linux system analysis. The problem really only
                > occured if you had a windows based disk / partition with an odd number of
                > sectors, the case of a partition being easier to get around than
                > the case of
                > a disk.

                The LKML article cited below, seems to indicate: (1) the last block is
                reserved for the 'md super block', and that (2) if the device were read
                as a raw device, and not a partition that all blocks would come through.

                http://www.uwsg.iu.edu/hypermail/linux/kernel/0009.1/1054.html

                and this cite, restates the same restriction and adds some additional
                detail,

                http://www.uwsg.iu.edu/hypermail/linux/kernel/0009.1/0089.html

                Both of the above (circa Sep-2000) discussions talk mostly about
                partitions, though the "md superblock" may somehow relate to the
                info. in this (Sep-2001) article,

                http://lwn.net/2001/0906/kernel.php3

                [...]

                The case of the conflicting block ioctls.

                How do you access the last sector on a odd-sized disk? The Linux kernel
                (normally) likes to deal with a 1K block size, which (normally) gets mapped
                into two contiguous, 512-byte sectors on a disk drive. But, if the drive
                contains an odd number of sectors, this scheme leaves the last sector
                unreachable. That is not normally considered to be a big problem; one
                missing sector does not make a very large dent in the capacity of a modern
                disk drive.

                It turns out, however, that the IA-64 architecture has defined a new
                partitioning scheme which stores a copy of the partition table in the last
                sector on the disk. With this scheme, it matters if that sector is not
                reachable - there is no way for an administrator to change the partition
                table when running under Linux. This kind of limitation can lead
                administrators to do irrational things, like install Windows. Clearly a fix
                was required.

                So, back in February, Michael Brown created a new ioctl call specifically to
                provide access to the last sector on a disk; that call is now part of the
                IA-64 port. It is not, however, to be found in the mainstream kernel at this
                time, which is part of the problem.

                Ben LaHaise, meanwhile, needed an ioctl call that would retrieve the size of
                a device as a 64-bit quantity - disks are getting big, after all. So he put
                together a patch with the new ioctl call. Part of his patch was to the ext2
                utility programs; that patch was accepted and distributed as part of the
                e2fsprogs distribution a little while back.

                The problem: both new ioctls needed a new ioctl number. The block I/O ioctl
                numbers are defined in linux/fs.h, and it is a natural thing to do to pick
                the next one in series. There is no central registry for these ioctl numbers
                other than the source itself; if you have not put in a patch reserving a
                given ioctl number, it's not really yours. Unfortunately, Michael Brown did
                not put in any such patch. Ben LaHaise also failed to do so before
                (accidentally) getting the ioctl number included in the e2fsprogs
                distribution. Of course, both chose the same number.

                This week, Ben put in a patch to reserve the number for his ioctl. His
                reasoning: renumbering the IA-64 ioctl will be less disruptive than changing
                e2fsprogs. He also believes that the ioctl is the wrong solution to the
                problem; it should have been fixed for all systems in the general block
                code, rather than being an IA-64-specific ioctl.

                Michael has also sent in a patch trying to reserve the same ioctl number.
                Just asking for a number is not enough, though, as can be seen from Alan's
                reaction to Michael's patch:


                Rejected. I still think this is an ugly evil hack and want no part in it.

                ----

                Thus, it seems that as of Sept-2001 the last sector was still in limbo
                land, though there were some attempts by developers to make it accessible.

                By the way, I think the new disk structure they talk about above may
                relate to Intel's Extensible Firmware Interface (EFI),
                http://developer.intel.com/technology/efi/efi.htm
                (in particular, the EFI GUID partition handling)

                I found this in the 2.58pre3 kernel (April 2002) change log

                (02/04/08 1.445)
                [PATCH] size_in_bytes

                It is a step on the road to removal of the arrays.
                It also solves other things, like the fact that Linux
                is unable to read the last sector of a disk or partition
                with an odd number of sectors.

                That's as far as I followed the thread. Perhaps others here can
                add some additional detail/corrections.
              • IanC
                ... I doubt I can add or correct anything as it will take me a day to digest what you wrote in that quick email! [Quick Email - Joke]! Awesome info there
                Message 7 of 14 , May 3, 2004
                • 0 Attachment
                  > From: Gary Funck [mailto:gary@...]

                  > That's as far as I followed the thread. Perhaps others here
                  > can add some additional detail/corrections.


                  I doubt I can add or correct anything as it will take me a day to digest
                  what you wrote in that quick email! [Quick Email - Joke]! Awesome info there
                  Gary,, :-)

                  One silly question I have is if a drive has bad sectors are they counted as
                  bad sectors and ignored by nix or are they considered as part of the
                  complete drive when counting sectors? (I guess they are but was wondering if
                  they 'the bad sectors can be manipulated somehow and not be counted)?

                  Could they be ignored at all,, somehow, or by some means,, or not? If
                  considered as part of the drive can they be manipulated in some way to be
                  'bad sectors' but yet be recoverable by the person who manipulated them to
                  look bad?

                  I honestly doubt anyone can hide sectors like I'm suggesting above - but
                  thought I would just ask,, just in case it's feasible.

                  ~~~~
                  Reason being,,, that Logic Board thread of mine this week.
                  I've been playing around with drives now with different sizes then screwing
                  on a wrong logic board to it and,,, and,,,

                  (Still working on a theory I have). Nothing [really] conclusive thus far.


                  Anyone tried it themselves?
                  Hiding sectors?
                • linuxtard
                  ... counted as ... see bad block bitmap, yes. ... to be ... them to ... You may wish looking at badblocks and reading man page. -lt
                  Message 8 of 14 , May 3, 2004
                  • 0 Attachment
                    --- In linux_forensics@yahoogroups.com, "IanC" <saladin@a...> wrote:
                    > One silly question I have is if a drive has bad sectors are they
                    counted as
                    > bad sectors and ignored by nix

                    see bad block bitmap, yes.


                    >
                    > Could they be ignored at all,, somehow, or by some means,, or not? If
                    > considered as part of the drive can they be manipulated in some way
                    to be
                    > 'bad sectors' but yet be recoverable by the person who manipulated
                    them to
                    > look bad?


                    You may wish looking at 'badblocks' and reading man page.


                    -lt
                  • linuxtard
                    ... Linux never used last sector so from Linux view it didn t matter if accessible or not. Really only good for NTFS backup. ANd when you think of it, why
                    Message 9 of 14 , May 3, 2004
                    • 0 Attachment
                      --- In linux_forensics@yahoogroups.com, "Gary Funck" <gary@i...>
                      >
                      > The LKML article cited below, seems to indicate: (1) the last block is
                      > reserved for the 'md super block', and that (2) if the device were read
                      > as a raw device, and not a partition that all blocks would come through.


                      Linux never used last sector so from Linux view it didn't matter if
                      accessible or not.

                      Really only good for NTFS backup. ANd when you think of it, why
                      support windows in Linux? Doesn't make senses.


                      >
                      > http://www.uwsg.iu.edu/hypermail/linux/kernel/0009.1/1054.html
                      >
                      > and this cite, restates the same restriction and adds some additional
                      > detail,
                      >

                      That is all very old. You should have used sg-utils and raw device up
                      to 2.6 to get last odd sector. Combine with firewire so IDE drives
                      use SCSI modulation then these drives with odd sector are accessible
                      under raw device.


                      I saw original message and I not sure why the writer is putting this
                      as something new? If you know Linux you know workarounds and when /
                      how to solve. Is there something new?

                      -lt
                    • Brian Carrier
                      ... Hash: SHA1 ... Yes to both questions. Most hard disks will sense when a sector goes bad and replace it with a spare one. There are many sectors in a
                      Message 10 of 14 , May 3, 2004
                      • 0 Attachment
                        -----BEGIN PGP SIGNED MESSAGE-----
                        Hash: SHA1


                        On May 3, 2004, at 7:29 PM, IanC wrote:
                        > One silly question I have is if a drive has bad sectors are they
                        > counted as
                        > bad sectors and ignored by nix or are they considered as part of the
                        > complete drive when counting sectors? (I guess they are but was
                        > wondering if
                        > they 'the bad sectors can be manipulated somehow and not be counted)?

                        Yes to both questions. Most hard disks will sense when a sector goes
                        bad and "replace" it with a spare one. There are many sectors in a
                        disk that you do not have access to and it uses some of these spares.
                        In this case, the OS and file system will never know there is a problem
                        and the disk will report the same number of total sectors. I just did
                        a quick search of the ATA spec and can't find a command to mark a
                        sector as bad, so I don't think a user can tell the disk to replace a
                        sector.

                        As lt mentioned, most file systems also have the ability to mark a
                        sector as bad, but that is rare because the disk typically takes care
                        of it (except for floppy disks). It is fairly easy to hide data as bad
                        blocks using the file system.

                        brian

                        -----BEGIN PGP SIGNATURE-----
                        Version: GnuPG v1.2.4 (Darwin)

                        iD8DBQFAlxFTkllA35nbwSURAji2AJ4yYkjryVUVsGd2DDNXpMGouzFyxwCfbhQH
                        zejbj9mO8UiaqqupCiq0oCk=
                        =qINh
                        -----END PGP SIGNATURE-----
                      • ebaca@linux-forensics.com
                        You are welcome to place it on my website, Linux-Forensics.com. Let me know and I can place it on the site. I am always interested in adding new content to
                        Message 11 of 14 , May 3, 2004
                        • 0 Attachment
                          You are welcome to place it on my website, Linux-Forensics.com. Let me know and I can place it on the site. I am always interested in adding new content to the site.

                          Thanks,
                          Ernie Baca
                          www.linux-forensics.com
                          www.linuxnotjustforgeeks.org
                          www.putercops.org
                          ebaca@...

                          ----- Original Message -----
                        • Gary Funck
                          ... Maybe not. But if a reliable complete image copy is required, then it becomes important to copy every sector. Moreso, if the source drive is a Windows
                          Message 12 of 14 , May 3, 2004
                          • 0 Attachment
                            > -----Original Message-----
                            > From: linuxtard [mailto:linuxtard@...]
                            > Sent: Monday, May 03, 2004 7:51 PM
                            > To: linux_forensics@yahoogroups.com
                            > Subject: [linux_forensics] Re: When and how to publish?
                            >
                            >
                            > --- In linux_forensics@yahoogroups.com, "Gary Funck" <gary@i...>
                            > >
                            > > The LKML article cited below, seems to indicate: (1) the last block is
                            > > reserved for the 'md super block', and that (2) if the device were read
                            > > as a raw device, and not a partition that all blocks would come through.
                            >
                            >
                            > Linux never used last sector so from Linux view it didn't matter if
                            > accessible or not.
                            >
                            > Really only good for NTFS backup. ANd when you think of it, why
                            > support windows in Linux? Doesn't make senses.
                            >

                            Maybe not. But if a reliable complete image copy is required, then it
                            becomes important to copy every sector. Moreso, if the source drive
                            is a Windows system. Fortunately, not many drives have an odd number
                            of sectors.

                            >
                            > >
                            > > http://www.uwsg.iu.edu/hypermail/linux/kernel/0009.1/1054.html
                            > >
                            > > and this cite, restates the same restriction and adds some additional
                            > > detail,
                            > >
                            >
                            > That is all very old. You should have used sg-utils and raw device up
                            > to 2.6 to get last odd sector. Combine with firewire so IDE drives
                            > use SCSI modulation then these drives with odd sector are accessible
                            > under raw device.
                            >

                            That's a good idea, but changes the original problem statement and requires
                            additional
                            hardware. And, if copy speed is important, I don't think Firewire is going
                            to
                            compare well to direct ATA/133 copies, for example.

                            This is an interesting looking firewire to IDE card, with builtin "forensic"
                            write protect ($100 list):
                            http://fwdepot.com/thestore/product_info.php/name/FW-142AV-WP_SPECIAL_ORDER_
                            ONLY/products_id/301

                            Related SCSI links:
                            FAQ:
                            http://sunsolve.sun.com/pub-cgi/retrieve.pl?display=plain&doc=finfodoc%2F281
                            44
                            Linux scsi (sg) driver/tools: http://www.torque.net/sg/

                            >
                            > I saw original message and I not sure why the writer is putting this
                            > as something new?

                            The problem isn't new. The task at hand is to verify that LK 2.6 fixes
                            the problem.

                            > If you know Linux you know workarounds and when /
                            > how to solve. Is there something new?

                            Well, another workaround would be to use BSD, or even DOS (<g>), but that
                            is changing the original goal of using a stock Linux distribution.
                          • Rob Campbell
                            You might try publishing it to your website, advertising its presence on the others and keep a running tally of peer-reviews. Then when its sufficiently
                            Message 13 of 14 , May 4, 2004
                            • 0 Attachment
                              You might try publishing it to your website, advertising its presence on the others and keep a running tally of peer-reviews. Then when its sufficiently roasted, publish it to the larger media. I can see The Law Journal and others in the legal field jumpng on this. Maintaining the original analysis on your website promotes some shameless self-promotion, and publishing a paper/article of results is what most of the media will carry. Of course with a link to your own website for the guts of the analysis.
                              2centavos
                              _________________________
                              Rob Campbell
                              Personal Email Robbie.Campbell@...
                              Personal Cell (817) 821-3367
                              PO Box 1314
                              Hurst, TX 76053
                              ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯



                              ----- Original Message -----
                              From: Capt Jesse Kornblum USAF
                              To: 'linux_forensics@yahoogroups.com'
                              Sent: Monday, May 03, 2004 11:27 AM
                              Subject: [linux_forensics] When and how to publish?



                              As I mentioned last week, I am researching whether linux 2.6 kernels can
                              access the last sector of a hard drive with an odd number of sectors. If
                              the experiment is successful, I will be writing a paper to announce my
                              results. The question is, where and how should I publish that paper?

                              The results of this experiment could have large implications for how
                              computer forensics are accomplished, and thus I want the widest possible
                              audience. This paper needs to be accessible to government agents,
                              judges, legal researchers, and defense attorneys at the federal, state,
                              and local level.

                              Here are the options as I see them:

                              1. Publish on my own web site - Ensures wide distribution, but does
                              not offer peer review. Could be taken off-line when I move, lose
                              broadband access, etc.

                              2. Publish in a free (as in beer) journal like the International
                              Journal of Digital Evidence <http://ijde.org/> - Very accessible,
                              more reliable than my private server, approved by an editorial
                              board, but still no peer review. (I should note that the man whose
                              work upon which my project is based sits on this journal's
                              editorial board.) Can I publish on my own web site first to get
                              comments and then submit to a journal?

                              3. Publish in a non-free, referred journal like Digital Investigation
                              <http://www.compseconline.com/digitalinvestigation/>. At $300 per
                              year for individuals and $650 for institutions, there is very
                              limited access to this (brand new) journal. But there is peer review.

                              How much is peer review worth?

                              Thoughts?

                              --
                              Jesse Kornblum, Capt, USAF
                              United States Naval Academy
                              Chauvenet Room 329
                              572 Holloway Rd. Stop 9F
                              Annapolis, MD 21402-5002
                              Comm 410-293-6821 DSN 281-6821
                              Fax 410-293-2686 Fax DSN 281-2686
                              e-mail: kornblum@...
                              http://www.cs.usna.edu/~kornblum/


                              --
                              Jesse Kornblum, Capt, USAF
                              United States Naval Academy
                              Chauvenet Room 329
                              572 Holloway Rd. Stop 9F
                              Annapolis, MD 21402-5002
                              Comm 410-293-6821 DSN 281-6821
                              Fax 410-293-2686 Fax DSN 281-2686
                              e-mail: kornblum@...
                              http://www.cs.usna.edu/~kornblum/



                              ------------------------------------------------------------------------------
                              Yahoo! Groups Links

                              a.. To visit your group on the web, go to:
                              http://groups.yahoo.com/group/linux_forensics/

                              b.. To unsubscribe from this group, send an email to:
                              linux_forensics-unsubscribe@yahoogroups.com

                              c.. Your use of Yahoo! Groups is subject to the Yahoo! Terms of Service.



                              [Non-text portions of this message have been removed]
                            • The Dog's Bollix
                              http://www.technologyreview.com/blog/blog.asp?blogID=1392&trk=nl T ... Do you Yahoo!? Win a $20,000 Career Makeover at Yahoo! HotJobs [Non-text portions of
                              Message 14 of 14 , May 7, 2004
                              • 0 Attachment
                                http://www.technologyreview.com/blog/blog.asp?blogID=1392&trk=nl

                                T


                                ---------------------------------
                                Do you Yahoo!?
                                Win a $20,000 Career Makeover at Yahoo! HotJobs

                                [Non-text portions of this message have been removed]
                              Your message has been successfully submitted and would be delivered to recipients shortly.