Home page logo
/

basics logo Security Basics mailing list archives

RE: Forensic/Cyber Crime Investigator
From: "Craig Wright" <cwright () bdosyd com au>
Date: Fri, 10 Feb 2006 10:11:57 +1100


From the Global information security survey, Information week (referencing available if asked for)
Based on responses from 2,700 executives, security professionals, and technology managers from 49 countries:

"Globally, about 64% of companies were hit by at least one virus in the past 12 months, up from 53% the year before. In 
the United States, viruses stung 69% of companies. Those figures are about four times as high as the next highest 
category of security breaches: unauthorized network entry."

Viruses and computer hacking will cost U.S. businesses an estimated $266 billion this year--more than 2.5 percent of 
America's Gross Domestic Product (GDP)

"The percentage of companies suffering security breaches increased slightly. Last year, 27% of companies responding 
said they had not suffered a security breach. This year, only 24% could make that claim. In the United States, just 22% 
reported no security breaches."

110 cases and court (DOJ figures) v. 78% of all US companies reporting at least one breach.

This misses the companies not reporting, that some companies have more than a single breach, That some have no idea 
anyway.

I have to again state that not all or even a percentage of incidents can go to court. I.e., most incidents are not nor 
could ever be forensic. If it where the case - not only would more lawyers, judges and court support be needed, there 
are not enough forensically trained experts. By the nature of the word expert there never can or will be either.

In the real world, most crimes do not get investigated.

Regards
Craig




-----Original Message-----
From: Craig Wright
Sent: 10 February 2006 10:02
To: 'dave kleiman'; 'security-basics () securityfocus com'
Subject: RE: Forensic/Cyber Crime Investigator

Further,

From your example (http://www.usdoj.gov/criminal/cybercrime/cccases.html) the DOJ has prosecuted only 110 cases 
involving computer crime.

The current virus statistics (admittedly vendor bias is involved) has 50,000 and 60,000 incidents per hour.

Without getting complex and to keep this post simple (as the last was longer) - anecdotal evidence is not scientific 
proof. The courts can not handle the volume of all incidents. There is no possible manner. Take an estimated worldwide 
(based on extrapolation for US, AU and UK courts) of 600,000,000 hours of court time in total EVERYWHERE. For all the 
courts in the world to handle the reported US cases alone would require them to complete all cases in .7 seconds each.

Again. Most incidents will never go to court. They can not, it is not viable or feasible. If we make all the lawyers on 
earth into trial magistrates there will not be enough to do everything.

Regards
Craig

-----Original Message-----
From: dave kleiman [mailto:dave () davekleiman com]
Sent: 10 February 2006 3:44
To: security-basics () securityfocus com
Subject: RE: Forensic/Cyber Crime Investigator

Craig,

I hope you are taking this as a friendly discussion

Answers inline..

     -----Original Message-----
     From: Craig Wright
   
    
     Virus attacks etc as you put are incidents. The average
     (and all but maybe a rare exception) organisation will
     treat these as incidents. They do not take them to court
     nor have the intention of doing such. To take your Virus
     example. This is an incident, it requires a response. It
     does not require a forensic analysis of the system, nor
     would this be generally done. Organisations want "the
     systems up" more than they want to catch the criminal.
     California may prove interesting... But we will see.

Interesting concept, however not correct:
 
http://www.southeastforensics.com/services.php

http://www.dailything.com/2005/01/31/teen-convicted-of-virus-distribution/

http://www.usdoj.gov/criminal/cybercrime/pierre-louis_Convict.htm

There was a large forensic investigation involved in these cases and many more you can easily find with Google.

Even analysis of the viruses themselves are done in a forensic manner.

I have dealt with cases of in-house malware being distributed by disgruntled employees, and had to conduct a forensic 
investigation.  This is a reason to have Incident Response as part of the orgs DRP/BCP, often entire systems must be 
taken down to investigate.


        
     By, "Many organizations have a policy of not going to
     litigation." I means that some (and by some - a lot - I
     have statistics if you wish - most at the 95% CI, some at
     alpha = 10% levels) of organisations would rather bury the
     issue. This is not all and is something that needs to be
     decided in advance, but it is a business decision (we have
     no disclosure laws for disclosure of these incidents).
     Public admission is required to get an Anton pillar (civil
     search) - many listed companies would never do this. Many
     listed companies would rather remain in the dark (they
     know what is happening - but stock options ...)

Wow, so if the CFO embezzles millions of dollars, at these companies with a no litigation policy,  they just fire the 
CFO and the CFO gets to keep the money?

By the way, how do these companies handle discovery requests from the court?
Do they reply with a letter that says "dear court, we are sorry to inform you we have a no litigation policy, therefore 
we refuse to participate in your tribunal."


     As for concedes - I have know several companies who would
     not concede a case if they had the world only infallible
     evidence from every other personal and company in the
     world to oppose them.
    
Yes some will not concede, however if you have two councils and one is looking at the evidence and says "we are toast" 
they usually advise the client to settle out of court, as to not cost them more.


     You are again looking from a perspective that assumes that
     separate skill may never be deployed by a single person.
     This is not the case. Incident response as I have been
     stated has a different set of goals to Forensics. As
     stated, Forensics ALWAYS involves court (this is not only
     a definition in a dictionary, but also in law. As stated
     defined word etc. There ARE consequences for using the
     term incorrectly - at least there can be). An affidavit
     (or deposition is the US) is a function of the court
     (involving court does not mean going into court - please
     not the separation). Incident repose may or may not have
     something to do with this process.

Forensic does not ALWAYS involve court.  It is a best practice method, in case you end up in litigation.

    
    
     You state "Investigations are the systematic and thorough
     gathering, examining, and studying of factual information
     that results in the factual explanation of what
     transpired." I agree with this statement. It misses the
     line however "for legal production" or "for use in court"
     etc. This is the difference. As stated, forensic = court
     (as simple as I may state). Investigation may OR MAY NOT
     mean court (court being the legal process).

Here we go with a slight contradiction again, you state my "quote about Investigations" leaves off  "for legal 
production" or "for use in court", however in the next sentence you state ""Investigation may OR MAY NOT mean court 
(court being the legal process)"" ????



     You seem mostly to not understand that (in a common law
     jurisdiction - which includes the US), experts (including
     forensic experts) are agents of the court. You work for
     the court - this does not mean you are paid (and I know it
     is not a perfect world and this oft does not hold true).
     The party who pays you is not who you represent. You are a
     representative of justice (the court). Not the state, not
     your employer. You present the facts, not the opinion (and
     I know this does occur).
    
Since I not only do civil investigations, I also do criminal and even participated in military tribunals, I believe I 
fully understand the concepts agents of the court. However, did I state something that made you feel I was not aware of 
this concept?


  
     So yes, there are forensically conducted investigations
     and there are investigations. Thus DFS and Investigation
     are separate (though related).
    
But, if we treat them all as if they might end up in litigation and do them in a forensically sound manner, are our 
clients, organizations etc, not better served?

     Regards,
     Craig
    
   

Respectfully,

______________________________________________________
Dave Kleiman, CAS,CCE,CIFI,CISM,CISSP,ISSAP,ISSMP,MCSE
 



Liability limited by a scheme approved under Professional Standards Legislation in respect of matters arising within 
those States and Territories of Australia where such legislation exists.

DISCLAIMER
The information contained in this email and any attachments is confidential. If you are not the intended recipient, you 
must not use or disclose the information. If you have received this email in error, please inform us promptly by reply 
email or by telephoning +61 2 9286 5555. Please delete the email and destroy any printed copy. 

Any views expressed in this message are those of the individual sender. You may not rely on this message as advice 
unless it has been electronically signed by a Partner of BDO or it is subsequently confirmed by letter or fax signed by 
a Partner of BDO.

BDO accepts no liability for any damage caused by this email or its attachments due to viruses, interference, 
interception, corruption or unauthorised access.

---------------------------------------------------------------------------
EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The Norwich University program offers unparalleled Infosec management
education and the case study affords you unmatched consulting experience.
Tailor your education to your own professional goals with degree
customizations including Emergency Management, Business Continuity Planning,
Computer Emergency Response Teams, and Digital Investigations.

http://www.msia.norwich.edu/secfocus
---------------------------------------------------------------------------


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]