RSpec and Forensics

I’m currently reading the beta edition of the RSpec book by David Chelimsky et al. Because a book like this can only be comprehended when actually using the content, I’ve decided to start documenting a new project I’m doing with it.

So far, it has been about Behavior Driven Design (BDD), which is an acronym I’ve heard before, but I didn’t have the time to read more about it.

It feels a bit weird specifying stuff using mostly natural language, but on the other hand it’s naturally very cosy to do so. What’s really neat is that you start using the API you want to specify right away, instead of first formalizing a design for it. That way you know that all the methods in your API really belong there and actually work.

While I was busy coding up some small project I received the new Linux Journal, which had an article on metric_fu. It contains a lot of code that can measure the quality of your code. That is always good to do, because the more checks you perform on your code, the bigger the chance that you run into a bug waiting to happen. Of course, you also run into false positives faster, and most people stop using checks like these because they run into false positives too often.

But reading the article I was thinking to myself: why don’t we use BDD combined with something like metric_fu on our one-off tools we create to solve a case? Most forensic practitioners I know are bound to run into the situation where all the available tooling is not adequate to perform a certain job. Things that come to mind are refiling images based on camera, but oh wait, based on resolution first, or extracting all email addresses from an image and comparing them to some filter. These things should be rigorously tested before being put to use, because a simple code snafu can dump all your stuff in the bin and will cost you valuable time to clean up again. There is in this case an obvious tradeoff between coding time, solving time, clean-the-errors time and the time you need in court to explain that you did everything in your power to not botch up the code. For that last part you would ideally show testing output that shows that your test cases have 100% coverage and pass every test you thought was possible.
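As an added illustration (not code from the original post), here is the email-extraction one-off mentioned above written spec-first in plain Ruby, with a hash of sentence-named checks standing in for RSpec's `describe`/`it` so it runs without the gem. The names `extract_emails`, `scan_ascii`, `SAMPLE` and `SPECS`, and the sample bytes, are constructed for this example.

```ruby
# Added example. extract_emails, SAMPLE and SPECS are constructed names/data.
EMAIL_RE  = /[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)*\.[A-Za-z]{2,}/n
UTF16_RUN = /(?:[\x21-\x7e]\x00){6,}/n   # printable ASCII stored as UTF-16LE

# Return [address, byte offset] pairs; base/step map offsets back to the image.
def scan_ascii(data, base = 0, step = 1)
  out = []
  data.scan(EMAIL_RE) { out << [$~[0].downcase, base + step * $~.begin(0)] }
  out
end

# Scan raw bytes for e-mail addresses in ASCII and UTF-16LE. Returns
# { address => offset of first occurrence }, optionally limited to a watchlist.
def extract_emails(bytes, watchlist: nil)
  data  = bytes.b                         # binary copy, the input is not modified
  found = scan_ascii(data)
  data.scan(UTF16_RUN) do
    found.concat(scan_ascii($~[0].delete("\x00"), $~.begin(0), 2))
  end
  hits = {}
  found.sort_by(&:last).each { |addr, off| hits[addr] ||= off }
  hits.select! { |a, _| watchlist.map(&:downcase).include?(a) } if watchlist
  hits
end

# Constructed sample "image": header bytes, an ASCII address, the same address
# in upper case, a UTF-16LE address, and a near miss without a top-level domain.
SAMPLE = "\xFF\xD8\x00alice@example.com\x00\x01ALICE@EXAMPLE.COM\x01".b +
         "bob@example.org".encode("UTF-16LE").b + "\x01root@localhost\x00".b

# The specification: one sentence per behaviour, each with an executable check.
SPECS = {
  "reports an ASCII address with its byte offset" =>
    -> { extract_emails(SAMPLE)["alice@example.com"] == 3 },
  "reports a case-variant duplicate only once" =>
    -> { extract_emails(SAMPLE).keys.grep(/alice/i).size == 1 },
  "finds addresses stored as UTF-16LE" =>
    -> { extract_emails(SAMPLE)["bob@example.org"] == 40 },
  "ignores host-only names such as root@localhost" =>
    -> { extract_emails(SAMPLE).keys.none? { |a| a.start_with?("root@") } },
  "applies the watchlist case-insensitively" =>
    -> { extract_emails(SAMPLE, watchlist: ["Bob@Example.org"]).keys == ["bob@example.org"] },
}

def failed_specs
  SPECS.reject { |_, check| check.call }.keys
end

puts failed_specs.empty? ? "#{SPECS.size} specs passed" : failed_specs
```

The byte offsets let every reported address be re-checked against the image itself, and the list of spec sentences doubles as the testing output the post suggests showing in court.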

Getting things done with software

I’ve been steadily improving my efficiency by using the Getting Things Done method, way of Life, something like that. One of the first recommendations is to have a single inbox. One way to have a single inbox is by using some piece of software to do that for you.

So far I’ve used TaskPaper, OmniFocus, Things and the recent newcomer (only in Beta) The Hit List.

TaskPaper is quite simple, it has the minimal set of features to manage your inbox. You can do most things, like selecting everything with a certain tag. However, it’s not too easy to organize everything by deadline. My final conclusion is that TaskPaper is too basic to fill my needs.

Things is much more advanced. What I like are the ‘Focus’ boxes in the sidebar. They make it very easy to change your focus to what should be done today, which tasks are available to do next etc. What I absolutely don’t like is that you can’t (or, at least I can’t) create sub-projects. As I found out, it’s a number one requirement for me. Further the number of tags grows quite rapidly for me and that makes it inconvenient to use. But, in retrospect, I may have been misusing the tags functionality a bit. If I’d have used it more as the list of contexts it might have been more workable. Things did not quite cut the cake, right now. Today I’ve also looked at the 1.0rc and it has 100% eye-candy, but I have not seen subprojects yet.

OmniFocus is the software I put my money in. It had all the features I needed, like subprojects. What it hasn’t got is eye-candy. It’s not quite as ugly as a baboon’s backside, but nearly there. I’ve been using it for the last month as I should. The things I use most are:

  • Recurring tasks (both recurring after completion and on a fixed deadline).
  • Subprojects. In this respect I almost use OmniFocus to do the outline of the project, now if only the output could be shown as a Gantt chart… One thing you cannot do is put a subproject on hold.
  • Emailing new ideas to my inbox via the Apple Mail integration. Nice.
  • It’s easy to spot which tasks are available next, and what tasks are due any time soon. It’s only configurable for all tasks, whereas Things allows you to enter this information separately.

The Hit List has been in semi-private beta since December 23rd and I’ve been using it on-and-off (not full-time, since it’s a beta and I have serious doubts whether I’d like to re-enter all the items from OmniFocus again in THL, since there is currently no import/export functionality). Also, THL does not have recurring tasks, which are necessary for me for THL to be an OmniFocus replacement. But do I like what I see so far?

  • It looks good, very good.
  • It’s stable.
  • You can organize your projects (why does the menuitem say ‘List’ btw?) in any way you want. Tagging can be done in any way you want, for contexts as well as ‘ordinary tags’.
  • There are shortcuts for just about anything to speed you up.
  • You can approach the tasks in the list as the project-breakdown, but also as a ‘card’ (with shuffle-eye-candy when going from one task to the next). This invites you to create more extensive notes. Since I use the note to describe the result of the task, I think this way of viewing a task is a plus.
  • You can time the duration of a task.

But there are some things I think should be added:

  • I couldn’t find how you can create a list of ‘next’ tasks. But, for this to be useful, you have to be able to specify that a (sub-)project is parallel or serial.
  • Make it scriptable, so you can hook it to mail via mail rules.
  • Make a task that is due more obvious than making it bold.
  • If you have subsubtasks it’s not obvious from the card-view for the task. Ideally the top project card would show a Gantt chart of the subtasks. Featuritis, I know.
  • Create an import-feature for plaintext or any of the competitor’s file formats.
  • Due times could be displayed as ‘in 3 days’ like Things has. That’s quite nice.

The conclusion for me is that it’s going to be either THL or OmniFocus.

P2P Investigation

I was hoping p2pmarshal could help with investigating ongoing p2p exchanges. Alas, that was not to be: it only creates an analysis of content found on a seized medium.

I have not tested it (yet), but it will come in handy in a lot of child-abuse cases, that’s for sure.

To be sure everyone understands: I have NOT tested the application. If I have, I will post my review.