Security Basics mailing list archives
RE: Forensic/Cyber Crime Investigator
From: "Craig Wright" <cwright () bdosyd com au>
Date: Thu, 9 Feb 2006 17:02:08 +1100
Hi Dave,

I have a good knowledge of some areas of Australian law, but only some areas (I have not the foggiest idea re family law, for example) and a little regarding the other states (NSW being the one I live in).

Virus attacks etc., as you put it, are incidents. The average (and all but maybe a rare exception) organisation will treat these as incidents. They do not take them to court nor have the intention of doing so. To take your virus example: this is an incident, it requires a response. It does not require a forensic analysis of the system, nor would this generally be done. Organisations want "the systems up" more than they want to catch the criminal. California may prove interesting... but we will see.

We have separate laws for separate incidents etc. in AU. These vary from Federal to State etc. NSW has a few regarding workplace surveillance, for example, and how these investigations are to be conducted. Some require forensics skills, others do not. In fact most do not. In fact there are not enough forensically trained and experienced people to be able to do this even if it was required/requested.

By "Many organizations have a policy of not going to litigation" I mean that some (and by some - a lot - I have statistics if you wish - most at the 95% CI, some at alpha = 10% levels) organisations would rather bury the issue. This is not all, and is something that needs to be decided in advance, but it is a business decision (we have no disclosure laws for disclosure of these incidents). Public admission is required to get an Anton Piller order (civil search) - many listed companies would never do this. Many listed companies would rather remain in the dark (they know what is happening - but stock options ...). As for conceding - I have known several companies who would not concede a case if they had the world's only infallible evidence from every other person and company in the world to oppose them.

You are again looking from a perspective that assumes that separate skills may never be deployed by a single person. This is not the case. Incident response, as I have stated, has a different set of goals to forensics. As stated, forensics ALWAYS involves court (this is not only a definition in a dictionary, but also in law. As stated, a defined word etc. There ARE consequences for using the term incorrectly - at least there can be). An affidavit (or deposition in the US) is a function of the court (involving court does not mean going into court - please note the separation). Incident response may or may not have something to do with this process.

In 2001 the DFRWS proposed the term digital forensic science [hereafter DFS] (rather than the poorly worded "computer forensics"). It is true that this includes investigation. The inclusion of investigation, as I have stated, does not make one an investigator. DFS has components of incident response - again, this is not the same thing.

You state "Investigations are the systematic and thorough gathering, examining, and studying of factual information that results in the factual explanation of what transpired." I agree with this statement. It misses the line, however, "for legal production" or "for use in court" etc. This is the difference. As stated, forensic = court (as simply as I may state it). Investigation may OR MAY NOT mean court (court being the legal process).

I will, if the list likes, quote the laws concerning the application of evidence in Australia (now finally unified over all states and territories). If you like I will add case law and common law relevance. Law of Equity, Tort or even criminal law if you like. You seem mostly to not understand that (in a common law jurisdiction - which includes the US) experts (including forensic experts) are agents of the court. You work for the court - this does not mean you are paid (and I know it is not a perfect world and this oft does not hold true). The party who pays you is not who you represent. You are a representative of justice (the court). Not the state, not your employer. You present the facts, not the opinion (and I know this does occur).

As for "not just your opinion": I will quote evidence rules if you like? The handbooks (though these are not US applicable)? Casey (Digital Evidence and Computer Crime (2004), Casey, E; Elsevier, USA) in s. 4.2 defines the Investigative Methodology concisely. It covers the forensic investigation process efficiently. Wells (Corporate Fraud Handbook (2004), Wells, J; ACFE) has another approach to a fraud investigation. [Full details available if requested (late in the day - ask me for the book ref. if you want it)] Statistical Auditing has another. The SANS GCIH methodology is another investigative approach. SANS GCFA has a forensic investigative approach.

So yes, there are forensically conducted investigations and there are investigations. Thus DFS and Investigation are separate (though related).

Regards,
Craig

-----Original Message-----
From: dave kleiman [mailto:dave () davekleiman com]
Sent: 9 February 2006 3:01
To: security-basics () securityfocus com
Subject: RE: Spam: RE: Forensic/Cyber Crime Investigator

Craig,

First let me say I do not know AU law, I do however have a grasp on US law.

Are employee misconduct, internal theft of trade secrets, a DoS attack on a business, or a virus purposely released on an important business day to disrupt business INCIDENTS? (just to name a few) Do we respond to them? Is that not incident response? When we look into these, are we not conducting an investigation? (In many states it is required that you must be a licensed investigator to do so.) If we do not do so in a forensically sound manner, and we have to pursue the matter, will we be able to?

I believe you are contradicting yourself unknowingly. You said "Most cases and disputes are settled outside of court and do not involve the legal jurisdictional control". But I do not think you realize how we accomplish staying out of court: we do this by presenting the evidence in such a way that it is overwhelming, air-tight, and the other side concedes. This evidence must be gathered properly, or the other side will contest and bring it to tribunal.

You said "Many organizations have a policy of not going to litigation." Do you mean they would rather not pursue the issue? If so then that is their policy, so there is no need to investigate. However, if they require the incident investigated, you better have your ducks in a row (conduct it in a forensically sound manner). I can personally tell you, I love it when a case does not make it past the deposition stage, or even not that far, if the evidence is solid!! Remember a deposition, sworn statement, stipulation of expected testimony, and courtroom testimony are all affirmations under oath / sworn testimony.

You said "Investigation and Forensics are separate disciplines." Investigations are the systematic and thorough gathering, examining, and studying of factual information that results in the factual explanation of what transpired. So explain the difference to us, not just your opinion. Maybe you are trying to explain the difference between imaging a H/D and conducting an investigation??

Respectfully,
______________________________________________________
Dave Kleiman, CAS,CCE,CIFI,CISM,CISSP,ISSAP,ISSMP,MCSE
http://www.southeastforensics.com/services.php

Liability limited by a scheme approved under Professional Standards Legislation in respect of matters arising within those States and Territories of Australia where such legislation exists.

DISCLAIMER
The information contained in this email and any attachments is confidential. If you are not the intended recipient, you must not use or disclose the information. If you have received this email in error, please inform us promptly by reply email or by telephoning +61 2 9286 5555. Please delete the email and destroy any printed copy. Any views expressed in this message are those of the individual sender. You may not rely on this message as advice unless it has been electronically signed by a Partner of BDO or it is subsequently confirmed by letter or fax signed by a Partner of BDO. BDO accepts no liability for any damage caused by this email or its attachments due to viruses, interference, interception, corruption or unauthorised access.
Current thread:
- RE: Forensic/Cyber Crime Investigator, (continued)
- RE: Forensic/Cyber Crime Investigator mhayden (Feb 02)
- Re: Forensic/Cyber Crime Investigator Isaac Perez (Feb 02)
- Re: Forensic/Cyber Crime Investigator Brandon Steili (Feb 04)
- Re: Forensic/Cyber Crime Investigator Mark Teicher (Feb 05)
- Re: Forensic/Cyber Crime Investigator Dragos Ruiu (Feb 06)
- RE: Forensic/Cyber Crime Investigator Craig Wright (Feb 05)
- RE: Forensic/Cyber Crime Investigator Robinson, Sonja (Feb 06)
- Re: Forensic/Cyber Crime Investigator Mark Teicher (Feb 07)
- RE: Forensic/Cyber Crime Investigator Craig Wright (Feb 08)
- Forensic/Cyber Crime Investigator Craig Wright (Feb 09)
- RE: Forensic/Cyber Crime Investigator Craig Wright (Feb 09)
- RE: Forensic/Cyber Crime Investigator dave kleiman (Feb 10)
- RE: Forensic/Cyber Crime Investigator Craig Wright (Feb 09)
- RE: Forensic/Cyber Crime Investigator Craig Wright (Feb 10)
- RE: Forensic/Cyber Crime Investigator Craig Wright (Feb 10)
- RE: Forensic/Cyber Crime Investigator Craig Wright (Feb 10)
- Re: Forensic/Cyber Crime Investigator Bob Radvanovsky (Feb 10)
- Re: Forensic/Cyber Crime Investigator Bob Radvanovsky (Feb 10)
- RE: Forensic/Cyber Crime Investigator Craig Wright (Feb 11)
- RE: Forensic/Cyber Crime Investigator Craig Wright (Feb 13)
- RE: Forensic/Cyber Crime Investigator Craig Wright (Feb 17)