Security Basics mailing list archives

RE: Forensic/Cyber Crime Investigator
From: "dave kleiman" <dave () davekleiman com>
Date: Thu, 9 Feb 2006 11:44:21 -0500


I hope you are taking this as a friendly discussion

Answers inline.. 

     -----Original Message-----
     From: Craig Wright 
     Virus attacks etc as you put are incidents. The average 
     (and all but maybe a rare exception) organisation will 
     treat these as incidents. They do not take them to court 
     nor have the intention of doing such. To take your Virus 
     example. This is an incident, it requires a response. It 
     does not require a forensic analysis of the system, nor 
     would this be generally done. Organisations want "the 
     systems up" more than they want to catch the criminal. 
     California may prove interesting... But we will see.

Interesting concept, however not correct:



There was a large forensic investigation involved in these cases and many
more you can easily find with Google.

Even analysis of the viruses themselves is done in a forensic manner.

I have dealt with cases of in-house malware being distributed by disgruntled
employees, and had to conduct a forensic investigation. This is a reason to
have Incident Response as part of the org's DRP/BCP; often entire systems
must be taken down to investigate.

     By "Many organizations have a policy of not going to 
     litigation." I mean that some (and by some - a lot - I 
     have statistics if you wish - most at the 95% CI, some at 
     alpha = 10% levels) of organisations would rather bury the 
     issue. This is not all and is something that needs to be 
     decided in advance, but it is a business decision (we have 
     no disclosure laws for disclosure of these incidents). 
     Public admission is required to get an Anton Piller (civil 
     search) - many listed companies would never do this. Many 
     listed companies would rather remain in the dark (they 
     know what is happening - but stock options ...)

Wow, so if the CFO embezzles millions of dollars, at these companies with a
no litigation policy, they just fire the CFO and the CFO gets to keep the

By the way, how do these companies handle discovery requests from the court?
Do they reply with a letter that says "dear court, we are sorry to inform
you we have a no litigation policy, therefore we refuse to participate in
your tribunal."

     As for concedes - I have known several companies who would 
     not concede a case if they had the world's only infallible 
     evidence from every other person and company in the 
     world to oppose them.
Yes, some will not concede; however, if you have two counsels and one is
looking at the evidence and says "we are toast", they usually advise the
client to settle out of court, so as not to cost them more.

     You are again looking from a perspective that assumes that 
     separate skills may never be deployed by a single person. 
     This is not the case. Incident response, as I have 
     stated, has a different set of goals to Forensics. As 
     stated, Forensics ALWAYS involves court (this is not only 
     a definition in a dictionary, but also in law. As stated, 
     defined word etc. There ARE consequences for using the 
     term incorrectly - at least there can be). An affidavit 
     (or deposition in the US) is a function of the court 
     (involving court does not mean going into court - please 
     note the separation). Incident response may or may not have 
     something to do with this process.

Forensics does not ALWAYS involve court. It is a best practice method, in
case you end up in litigation.

     You state "Investigations are the systematic and thorough 
     gathering, examining, and studying of factual information 
     that results in the factual explanation of what 
     transpired." I agree with this statement. It misses the 
     line however "for legal production" or "for use in court" 
     etc. This is the difference. As stated, forensic = court 
     (as simple as I may state). Investigation may OR MAY NOT 
     mean court (court being the legal process). 

Here we go with a slight contradiction again: you state my "quote about
Investigations" leaves off "for legal production" or "for use in court",
however in the next sentence you state "Investigation may OR MAY NOT mean
court (court being the legal process)" ????

     You seem mostly to not understand that (in a common law 
     jurisdiction - which includes the US), experts (including 
     forensic experts) are agents of the court. You work for 
     the court - this does not mean you are paid (and I know it 
     is not a perfect world and this oft does not hold true). 
     The party who pays you is not who you represent. You are a 
     representative of justice (the court). Not the state, not 
     your employer. You present the facts, not the opinion (and 
     I know this does occur).
Since I not only do civil investigations but also criminal ones, and have even
participated in military tribunals, I believe I fully understand the
concept of agents of the court. However, did I state something that made you
feel I was not aware of this concept?

     So yes, there are forensically conducted investigations 
     and there are investigations. Thus DFS and Investigation 
     are separate (though related).
But if we treat them all as if they might end up in litigation and do them
in a forensically sound manner, are our clients, organizations, etc. not
better served?
