Educause Security Discussion mailing list archives

Re: Good Investigation/Forensic groups - was: SSNs, rootkits, Incident Response, etc...


From: "H. Morrow Long" <morrow.long () YALE EDU>
Date: Sat, 8 Jul 2006 09:08:00 -0400

Jim -- Might I recommend Stroz Friedberg, LLC ( www.strozllc.com ).

They have offices in DC, NYC, LA and MN.

Eoghan Casey (author of Digital Evidence and Computer Crime, Second Edition, editor of Handbook of Computer Crime Investigation: Forensic Tools & Technology and co-author of Investigating Child Exploitation and Pornography: The Internet, Law and Forensic Science) works for Stroz Friedberg -- and is a former employee of mine.

- H. Morrow Long, CISSP, CISM, CEH
  University Information Security Officer
  Director -- Information Security Office
  Yale University, ITS

From http://www.strozllc.com/methodology.html

Founded in 2000, Stroz Friedberg, LLC is a consulting and technical services firm specializing in computer forensics; cyber-crime response; private investigations; and the preservation, analysis and production of electronic data from single hard drives to complex corporate networks. Typically, we perform this work in the context of civil litigation, criminal and regulatory matters, and internal corporate investigations. Our unique methodology — which brings technology, law, investigative experience and behavioral science to bear while providing assurance to all parties — has made us the firm of choice in the areas of our expertise. Stroz Friedberg provides objective, comprehensive answers based upon expert analysis of electronic data and disputed facts that our clients can rely on in critical and routine matters, with the assurance that our reports will withstand the scrutiny of opposing counsel and experts, courts, and the government.


On Jul 7, 2006, at 11:18 AM, James H Moore wrote:

We have ended up in an investigation, where I thought I was done. I am looking for recommendations of forensic firms to finish it. I have 2 pieces of advice currently.

1) Find a firm that is not entirely ex-law enforcement (or verify that they have acquired the right amount of Computer Science background). The reverse holds for any group that is entirely ex-systems administrators, as they don't understand the criminal mind as well.

2) Find someone that knows anti-forensics.

As I mentioned, I thought I was done. Then I talked to a mentor. He said that some hackers/worms/bots/spyware ftp stuff back that looks nasty (like old rootkits) just to throw you off. He said that I should consider professional help (I think that he meant for forensics ;-)

So I am looking for suggestions.

Jim
- - -
Jim Moore, CISSP, IAM
Information Security Officer
Rochester Institute of Technology
13 Lomb Memorial Drive
Rochester, NY 14623-5603
Office: 585-475-5406
Lab: 585-475-4122
Fax: 585-475-7950

"Distrust and caution are the parents of security." -- Benjamin Franklin

"We will bankrupt ourselves in the vain search for absolute security." -- Dwight D. Eisenhower
