RE: Forensic/Cyber Crime Investigator
From: "Craig Wright" <cwright () bdosyd com au>
Date: Thu, 9 Feb 2006 17:02:08 +1100
I have a good knowledge of some areas of Australian law, but only some areas (I have not the foggiest idea re family
law, for example) and a little regarding the other states (NSW being the one I live in).
Virus attacks etc., as you put it, are incidents. The average (and all but maybe a rare exception) organisation will treat
these as incidents. They do not take them to court, nor have the intention of doing so. To take your virus example:
this is an incident; it requires a response. It does not require a forensic analysis of the system, nor would this be
generally done. Organisations want "the systems up" more than they want to catch the criminal. California may prove
interesting... But we will see.
We have separate laws for separate incidents etc. in AU. These vary from Federal to State etc. NSW has a few regarding
workplace surveillance, for example, and how these investigations are to be conducted. Some require forensic skills,
others do not. In fact most do not. In fact there are not enough forensically trained and experienced people to be able
to do this even if it was required/requested.
By "Many organizations have a policy of not going to litigation." I mean that some (and by some - a lot - I have
statistics if you wish - most at the 95% CI, some at alpha = 10% levels) of organisations would rather bury the issue.
This is not all and is something that needs to be decided in advance, but it is a business decision (we have no
disclosure laws for disclosure of these incidents). Public admission is required to get an Anton Piller (civil search)
order - many listed companies would never do this. Many listed companies would rather remain in the dark (they know what is
happening - but stock options ...)
As for concedes - I have known several companies who would not concede a case if they had the world's only infallible
evidence from every other person and company in the world to oppose them.
You are again looking from a perspective that assumes that separate skills may never be deployed by a single person.
This is not the case. Incident response, as I have stated, has a different set of goals to Forensics. As stated,
Forensics ALWAYS involves court (this is not only a definition in a dictionary, but also in law. As stated, defined word
etc. There ARE consequences for using the term incorrectly - at least there can be). An affidavit (or deposition in the
US) is a function of the court (involving court does not mean going into court - please note the separation). Incident
response may or may not have something to do with this process.
In 2001 the DFRWS proposed the term digital forensic science (rather than the poorly worded computer forensics)
[hereafter DFS]. It is true that this includes investigation. The inclusion of investigation, as I have stated, does not
make one an investigator. DFS has components of incident response - again, this is not the same thing.
You state "Investigations are the systematic and thorough gathering, examining, and studying of factual information
that results in the factual explanation of what transpired." I agree with this statement. It misses the line however
"for legal production" or "for use in court" etc. This is the difference. As stated, forensic = court (as simple as I
may state). Investigation may OR MAY NOT mean court (court being the legal process).
I will if the list likes quote the laws concerning the application of evidence in Australia (now finally unified over
all states and territories). If you like I will add case law and common law relevance. Law of Equity, Tort or even
criminal law if you like.
You seem mostly to not understand that (in a common law jurisdiction - which includes the US), experts (including
forensic experts) are agents of the court. You work for the court - this does not mean you are paid (and I know it is
not a perfect world and this oft does not hold true). The party who pays you is not who you represent. You are a
representative of justice (the court). Not the state, not your employer. You present the facts, not the opinion (and I
know this does occur).
As for "not just your opinion." I will quote evidence rules if you like? The handbooks (though these are not US
applicable)? Casey's (Digital Evidence and Computer Crime, (2004) Casey, E; Elsevier, USA) in s. 4.2 defines the
Investigative Methodology concisely. It covers the forensic investigation process efficiently.
Wells ("Corporate Fraud Handbook" (2004), Wells, J; ACFE) has another approach to a fraud investigation.
[Full details available if requested (late in the day - ask me for the book ref. if you want it)] Statistical Auditing
has another. The SANS GCIH methodology is another investigative approach. SANS GCFA has a forensic investigative
So yes, there are forensically conducted investigations and there are investigations. Thus DFS and Investigation are
separate (though related).
From: dave kleiman [mailto:dave () davekleiman com]
Sent: 9 February 2006 3:01
To: security-basics () securityfocus com
Subject: RE: Spam: RE: Forensic/Cyber Crime Investigator
First let me say I do not know AU law, I do however have a grasp on US law.
Are employee misconduct, internal theft of trade secrets, a DoS attack on a business, or a virus purposely released on
an important business day to disrupt business INCIDENTS? (just to name a few)
Do we respond to them?
Is that not incident response?
When we look into these, are we not conducting an investigation? (In many states it is required that you must be a
licensed investigator to do so)
If we do not do so in a forensically sound manner, and we have to pursue the matter; will we be able to?
I believe you are contradicting yourself unknowingly.
You said "Most cases and disputes are settled outside of court and do not involve the legal jurisdictional control".
But, I do not think you realize how we accomplish staying out of court; we do this by presenting the evidence in such a
way that it is overwhelming, air-tight, and the other side concedes. This evidence must be gathered properly, or the
other side will contest and bring it to tribunal.
You said "Many organizations have a policy of not going to litigation."
Do you mean they would rather not pursue the issue? If so then that is their policy so there is no need to investigate.
However, if they require the incident investigated, you better have your ducks in a row. (conduct it in a forensically
I can personally tell you, I love it when a case does not make it past the deposition stage, or even not that far, if
the evidence is solid!!
Remember a deposition, sworn statement, stipulation of expected testimony, and courtroom testimony are all affirmations
under oath / sworn testimony.
You said "Investigation and Forensics are separate disciplines."
Investigations are the systematic and thorough gathering, examining, and studying of factual information that results
in the factual explanation of what transpired.
So explain the difference to us, not just your opinion.
Maybe you are trying to explain the difference between imaging a H/D and conducting an investigation??
Dave Kleiman, CAS,CCE,CIFI,CISM,CISSP,ISSAP,ISSMP,MCSE