Security Basics mailing list archives
RE: Forensic/Cyber Crime Investigator
From: "Craig Wright" <cwright () bdosyd com au>
Date: Fri, 10 Feb 2006 09:43:08 +1100
Hi Dave,

It is true that there are cases/incidents that go to court (even virus infections). Statistically these are the exception; the anecdotal case is just that, the exception. In fact, if 1% of all corporate incidents (even excluding personal incidents) involving virus incidents alone were to go to court, the court system would fold. Look at the volume of cases in any given country in total. No organisation would take a case to court for this for costs of less than $50,000 loss - it cannot be justified financially and the process will generally cost more than this. An extra 10,000 - 20,000 cases in Australia (let's take the NSWSC and other Supreme courts in the other states as these are the required starting point to file a claim at this level of loss etc etc) would result in the total collapse of the legal system. Cases would not be heard. The backlog each year would exceed the number tried. [http://www.austlii.edu.au is a good source for cases etc]

Based on the number of companies (not businesses, let's narrow this) in Australia, if every "REPORTED" virus incident was to go to court this would involve at least 200,000 additional cases (figures calculated from SANS, Symantec and APRIA data). Even taking the incidents with a reported impact of greater than $1,000,000 based on loss estimates from the companies, we are looking at 30,000 to 40,000 (Mean 37,102 +/- 3,458 at alpha = 5%). So take this reduced figure at about 37,000 cases. This is far more than the courts can handle. If only 1 in 4 incidents (with costs over $1,000,000) go to court, this is still more than the system can handle. Even looking at 100 cases worldwide going to court, this does not even come to 1% of incidents. Thus any incident which does go to court is an anomaly. I am certain that the US does not have that many idle judges that they could handle the extra load any better.

As to the CFO and embezzlement: it is rare to have large fraud tried. I teach corporate fraud detection as one of my "hats" at a chartered firm (like a US CPA organisation).

I have to argue again, Forensic ALWAYS involves court. This is the nature of the word. As stated, "involves court" does not mean that it will end up in court, but an affidavit (deposition eqv. US) is a court process even if the document never sees the light of day.

Dave, you state "But, if we treat them all as if they might end up in litigation and do them in a forensically sound manner, are our clients, organizations etc, not better served?" Well yes, in the ideal world. The real world is not as nice and not as clear cut. It is clear that we lack knowledge of each other's respective process requirements. Statute is one thing, rules of the courts another. Always remember that anecdotal evidence is not scientific evidence.

Regards,
Craig

-----Original Message-----
From: dave kleiman [mailto:dave () davekleiman com]
Sent: 10 February 2006 3:44
To: security-basics () securityfocus com
Subject: RE: Forensic/Cyber Crime Investigator

Craig, I hope you are taking this as a friendly discussion. Answers inline..

-----Original Message-----
From: Craig Wright

Virus attacks etc as you put it are incidents. The average (and all but maybe a rare exception) organisation will treat these as incidents. They do not take them to court nor have the intention of doing such. To take your Virus example. This is an incident, it requires a response. It does not require a forensic analysis of the system, nor would this be generally done. Organisations want "the systems up" more than they want to catch the criminal. California may prove interesting... But we will see.

Interesting concept, however not correct:
http://www.southeastforensics.com/services.php
http://www.dailything.com/2005/01/31/teen-convicted-of-virus-distribution/
http://www.usdoj.gov/criminal/cybercrime/pierre-louis_Convict.htm

There was a large forensic investigation involved in these cases and many more you can easily find with Google. Even analysis of the viruses themselves is done in a forensic manner. I have dealt with cases of in-house malware being distributed by disgruntled employees, and had to conduct a forensic investigation. This is a reason to have Incident Response as part of the org's DRP/BCP; often entire systems must be taken down to investigate.

By "Many organizations have a policy of not going to litigation" I mean that some (and by some - a lot - I have statistics if you wish - most at the 95% CI, some at alpha = 10% levels) of organisations would rather bury the issue. This is not all and is something that needs to be decided in advance, but it is a business decision (we have no disclosure laws for disclosure of these incidents). Public admission is required to get an Anton Piller (civil search) - many listed companies would never do this. Many listed companies would rather remain in the dark (they know what is happening - but stock options ...)

Wow, so if the CFO embezzles millions of dollars, at these companies with a no litigation policy, they just fire the CFO and the CFO gets to keep the money? By the way, how do these companies handle discovery requests from the court? Do they reply with a letter that says "dear court, we are sorry to inform you we have a no litigation policy, therefore we refuse to participate in your tribunal."

As for conceding - I have known several companies who would not concede a case if they had the world's only infallible evidence from every other person and company in the world to oppose them.

Yes, some will not concede; however if you have two counsels and one is looking at the evidence and says "we are toast" they usually advise the client to settle out of court, so as to not cost them more.

You are again looking from a perspective that assumes that separate skills may never be deployed by a single person. This is not the case. Incident response, as I have stated, has a different set of goals to Forensics. As stated, Forensics ALWAYS involves court (this is not only a definition in a dictionary, but also in law. As stated, defined word etc. There ARE consequences for using the term incorrectly - at least there can be). An affidavit (or deposition in the US) is a function of the court (involving court does not mean going into court - please note the separation). Incident response may or may not have something to do with this process.

Forensic does not ALWAYS involve court. It is a best practice method, in case you end up in litigation.

You state "Investigations are the systematic and thorough gathering, examining, and studying of factual information that results in the factual explanation of what transpired." I agree with this statement. It misses the line however "for legal production" or "for use in court" etc. This is the difference. As stated, forensic = court (as simply as I may state). Investigation may OR MAY NOT mean court (court being the legal process).

Here we go with a slight contradiction again: you state my "quote about Investigations" leaves off "for legal production" or "for use in court", however in the next sentence you state "Investigation may OR MAY NOT mean court (court being the legal process)" ????

You seem mostly to not understand that (in a common law jurisdiction - which includes the US), experts (including forensic experts) are agents of the court. You work for the court - this does not mean you are paid (and I know it is not a perfect world and this oft does not hold true). The party who pays you is not who you represent. You are a representative of justice (the court). Not the state, not your employer. You present the facts, not the opinion (and I know this does occur).

Since I not only do civil investigations, I also do criminal and have even participated in military tribunals, I believe I fully understand the concept of agents of the court. However, did I state something that made you feel I was not aware of this concept?

So yes, there are forensically conducted investigations and there are investigations. Thus DFS and Investigation are separate (though related).

But, if we treat them all as if they might end up in litigation and do them in a forensically sound manner, are our clients, organizations etc, not better served?

Regards,
Craig

Respectfully,
Dave Kleiman, CAS, CCE, CIFI, CISM, CISSP, ISSAP, ISSMP, MCSE