RE: Spam: RE: Forensic/Cyber Crime Investigator

["Craig Wright" <cwright () bdosyd com au>]

First, to "** "Moist"???  Are people perspiring *that* much?  ;P", most
of course, fat fingers and a lack of checking on my part.

Forensics, IT or otherwise is related to a legal process. Your own post
does not do anything to alter this fact. The collection of evidence in a
legally sound manner is a process based on the acquisition for court.
This does not (and I have not stated this) mean that the collection of
evidence for a court means that there is any prospect of actually going
to court.

Most cases and disputes are settled outside of court and do not involve
the legal jurisdictional controls. This said, obtaining a search warrant
(for LE) or an Anton Pillar (for civil searches) requires an order from
the court. The nature of the orders sought will determine the court that
needs to be approached in first instance. This may be a magistrate,
state or federal court (or the local, district etc for those in other
countries).

A failure to execute the search correctly (even with incriminating
evidence discovered) leaves the initiating party up to a claim for
damages. It also may invalidate the evidence in the worst case and at
the least decreases its weight.

Motivation is ok for an incident response adept to attempt. It is not a
good area to go in forensics. Unless you are a criminologist, the
opposing council will use this to attack your report and credentials in
court. In forensics one has to stick to the facts. This is the facts in
totality, whether they help or hurt the clients case. A forensic witness
is considered an expert witness in court and has to be impartial and
have no personal opinion. The facts and only the facts.

I have barely touched incident response and am willing to start a
separate thread for this topic, but as this thread started with
Forensics, I believe that this is where it should be focused. If you
will read my posts - you may not that I am stating that Forensic
computing and Incident response are separate disciplines.

Regards,
Craig

-----Original Message-----
From: Bob Radvanovsky [mailto:rsradvan () unixworks net]
Sent: 8 February 2006 1:01
To: Craig Wright; Robinson, Sonja; security-basics () securityfocus com
Subject: RE: Spam: RE: Forensic/Cyber Crime Investigator

See comments below.

Bob Radvanovsky, CISM, CIFI, REM, CIPS
"knowledge squared is information shared"
rsradvan (at) unixworks.net | infracritical.com | ehealthgrid.com
(630) 673-7740 | (412) 774-0373 (fax)

----- Original Message -----
From: Craig Wright [mailto:cwright () bdosyd com au]
To: Craig Wright [mailto:cwright () bdosyd com au], "Robinson, Sonja"
[mailto:SRobinson () HIPUSA com], security-basics () securityfocus com
Subject: RE: Spam: RE: Forensic/Cyber Crime Investigator


> Hello,
>
> Just to be particularly annoying...
>
> Forensic

> 1. relating to, connected with, or used in courts of law or public
> discussion and debate.
> 2. adapted or suited to argumentation; argumentative.
> 3. applied to the process of collecting evidence for a legal case:
> forensic accounting; forensic archaeology; forensic linguistics.
> [Latin
> forens(is) of the forum + -IC]

> --forensically, adverb
>
> Just to reiterate. Forensic = court. Incident response is the correct
> terminology that moist people are in all actuality coming to the
> belief

** "Moist"???  Are people perspiring *that* much?  ;P

** You are partially wrong in one term, and way off in the other term. 
** def: "forensics science" (ref:
http://library.thinkquest.org/TQ0312020/whatisforens.htm)
** "Forensic science is any science used for the purposes of the law,
and therefore provides
** impartial scientific evidence for use in the courts of law, and in a
criminal
** investigation and trial. Forensic science is a multidisciplinary
subject,
** drawing principally from chemistry and biology, but also from
physics, geology,
** psychology, social science, etc."

** "Forensics" is often used to first *determine* through evidentuary
methods
** (if possible, or obtainable), **IF** prosecution will be, or can be,
possible, so it
** does not mean that a court hearing or prosecution trial is underway,
or about to
** begin.  In most circumstances, forensic investigations are conducted
BEFORE the trial.
** Lack of evidence, lack of chain of events leading to the crime (if
any were committed),
** etc., are first determined by forensics specialists.

** Standard "forensics science" may also apply to IT or cyberforensics,
but is treated as,
** or considered as, a subset to, general forensics.

** As defined: "Computer forensics, also called cyberforensics, is the
application
** of computer investigation and analysis techniques to gather evidence
suitable
** for presentation in a court of law. The goal of computer forensics is
to perform
** a structured investigation while maintaining a documented chain of
evidence to
** find out exactly what happened on a computer and who was responsible
for it."
** (ref:
http://searchcio.techtarget.com/gDefinition/0,294236,sid19_gci1007675,00
.html)

** The definition for "incident response" is significantly different.
The term, by itself,
** is (purely) a reactionary response to an event, incident, or
catastrophic scenario.
** This is (often times) reflective of an anticipated course of action
that is taken
** immediately following such an event, or resulting from the outcome
from such an event
** (say a fire that destroys a building).  Disaster Recovery Planning
and Business
** Continuity Planning are both forms of incident response.  BCP
demonstrates what will be
** done to ensure that the business *continues* to operate as normally
as possible after an
** incident.  DRP demonstrates how to handle the incident, who is to be
involved, and what
** measures are needed to be taken to ensure "cleanup" of the disaster.

** Another definition: "Incident response is an organized approach to
addressing and
** managing the aftermath of a security breach or attack (also known as
an incident).
** The goal is to handle the situation in a way that limits damage and
reduces
** recovery time and costs. An incident response plan includes a policy
that defines,
** in specific terms, what constitutes an incident and provides a
step-by-step process
** that should be followed when an incident occurs."
** (ref:
http://searchcio.techtarget.com/gDefinition/0,294236,sid19_gci1121085_al
pI,00.html)

** Incident Response Management (IRM) deals with both man-made disasters
*and* natural
** disasters.  How is forensics tied to IRM based on a natural disaster?

** Think of it as like this: forensics science finds out who did it, and
how they did it,
** and (perhaps) what was their motivation for doing it.  Incident
response finds out
** what happened, how it happened, what caused it, and how is the
business going to
** continue its course of operations.  Incident response might be
responsive to an event
** caused by a single individual that is reflective of an forensics
investigation; but may
** not necessarily always be so. 

** Though these terms may be inter-related, often times, they are
usually not.

** One more thing to remember.  Incident response works at identifying
FOUR (4) basic
** principles: PREPARATION, PROTECTION, RESPONSE, and RECOVERY.  I feel
that a few more
** principles could be added, but for the most part, the industry feels
that *primarily*
** these principles are a good start.  PREPARATION represents measures
taken to ensure
** and minimize operational outages.  PROTECTION represents safeguarding
activity
** against tampering and operational outages.  RESPONSE represents
measures taken after
** an "incident" has occurred.  RECOVERY represents measures taken to
RESTORE the
** enterprise to previous operational levels.  "RECOVERY" is sometimes
referred to as
** "RESTORATION".

> to be forensics.
>
> Regards
> Craig

> -----Original Message-----
> From: Craig Wright

> Sent: 7 February 2006 8:51
> To: 'Robinson, Sonja'; security-basics () securityfocus com
> Subject: RE: Spam: RE: Forensic/Cyber Crime Investigator
>
> Hello,
> There is a confusion between forensic analysis and incident response.
> Although these are related and in fact many people do both, they are
> not the same. Incident response teams or personal are needed in many
> organisations. Having a good investigative team makes life easier for
> a forensic analyst.
>
> They are however different roles. Oft the roles will overlap, but the
> primary focus of forensics is obtaining and preserving evidence. This
> may go against a corporations aims to have production systems running
> as soon as possible.
>
> I am not talking of LE at all. Rather I am stating insolvency support,

> litigation support, etc.
>
> Network security does not mean knowing where to look for logs. This is

> a technical skill. Again a case where people get the more esoteric
> nature of the role confused with the technical skills.
>
> Very few people can investigate a hard drive in a manner that is
> acceptable without challenger in court. This is the role of forensics.
> General investigation is a role in incident response.
>
> I am sure that this will garnish further comment - but I am a purist
> when it comes to definitive terminology. Incident response and
> Forensics are separate (though related disciplines). Most of the
> comments are asking about the former though stating them as the
latter.
> Regards
> Craig
>
> -----Original Message-----
> From: Robinson, Sonja [mailto:SRobinson () HIPUSA com]
> Sent: 7 February 2006 1:51
> To: Craig Wright; security-basics () securityfocus com
> Subject: Spam: RE: Forensic/Cyber Crime Investigator
>
> I'm Sorry but I have to disagree with some of your statements while I
> agree with some others.
>
> 1)  Many corporations in the US and around the world are hiring
> EXPERIENCED forensic personnel.  I have worked as a consultant and for

> private companies doing forensics for over 8 years now.  My start was
> private.  I have never been "employed" by LE however, I have been
> hired by govts/military for jobs.  You can start entry level Info
> Security and get trained by one of their staff if they feel you are up

> to the challenge.  I am training a few co-workers myself and am
> helping them on the career path.

>       Why corporate?  Espionage, sexual harrasment, porn,
assault/murder,
> hacking/incident response, identity theft, HIPAA/SOX, resource abuse,
> etc. etc.  Believe me, there's plenty of work on the corporate side -
> you don't have to go LE if you don't want to.  That's just the tip of
> the iceberg.  You must assume that your cases will go to court,
> especially if employees are terminated as a result of your
> investigation.  Sometimes you work hand in hand with LE.  You can get
> more than they can until you become their agent for internal
> investigations.  But that's where you need ot know the law aspect.
> Sometimes you need their assistance with items such as subpoenas, etc.
> Also with the Calif law that is being adopted throughout the US, you
> will be working with LE for disclousres.
> 2)  Network security is essential if you want to perform and
> investigation.  How will you know where to look, what logs to obtain,
> etc.  You must also know the law in the country, states and other
> jurisdictions that the case involves (i.e subpoena in another
> state/country).  Nothing personal but with the right tools, most
> anyone can investigate a hard drive although they will most likely
> screw up the acquisition, chain of custody and legal aspects thereby
> nullifying their review.  Point being, it takes a lot of training and
> experience and if you can't find your way around a network you;ve got
> no business doing an investigation because you will only be looking at

> a small part of the picture in many cases.

> 3)  There is no "one" certification.  There are ones that are more
> common, advisable etc. but there is no one stop shopping.

> 4)  I agree with everything up to the "after incident response".  This

> is because, IT people will most liekly trample your evidence.  Ideally

> you should be preserving evidence while they correct a problem so it
> should be in tandem.  Of course, many time it does occur after IT has
> responded and corrected an issue.  Your company should make a decision

> before hand wether their primary goal is recovery, forensics or both.
> The answer will vary by system, issue, etc.
> 5)  There are classes you can take, some proprietary/some not.  There
> are many groups you can join to learn if you are truly interested. 
> The job can be boring and monotonous (i.e. Log reading and
> correlation) but it's also a lot of fun.  It's a big game of hide and
> seek and I think it's a blast.  It's never the same and you find out a
lot about people.
> 6)  I totally agree with pretty much every other statement of Craig's.
> It's work, it's integrity, it's honesty, a lot of good communication
> skills, a knowledge of law, operating systems, networking, incident
> response and recovery, network security, cryptography/steganography,
> and the ability to think like criminals/abusers without actually being
one.
> You  must also remember that you can not speculate.  You present
facts.
> 7)  Forensics is a science of processes.  It deals in facts.  There
> ARE a lot of people and products who purport to be "forensics" but are

> not and are well, we'll just say, "not able to present or be
> presentable" in court for a number of reasons.
>
>
> Sonja L. Robinson, CISSP, CIFI, CISA, CISM Forensic Specialist,
> Digital Investigations HIP Information Security Group
> Tel: 212-806-4125
> srobinson () hipusa com

> -----Original Message-----
> From: Craig Wright [mailto:cwright () bdosyd com au]
> Sent: Thursday, February 02, 2006 5:22 PM
> To: security-basics () securityfocus com
> Subject: RE: Forensic/Cyber Crime Investigator
>
>
> First, Computer Forensics is a separate discipline to Computer
Security.
> Next, incident response in business is not generally about forensics
> nor does it have a lot to do with it.
>
>
> Other than a low level knowledge of systems (and forget the tools
> based
> - Encase training only - approach). A strong knowledge of law is
> required.
>
> Your job/role as a forensic services provider (of any type) is to
> provide court support. This is it - full stop.
>
> Your job is;
>       1       Investigate. Document Preserve the "chain of evidence",
>       2       Document everything. This is for and against. You have
> to be impartial.
>       3       Be prepared to sit in court and have your life,
> experience and training picked apart.
>       4       Answer the facts simply and succinctly, no more, no
> less. What you are asked you answer. Your opinion only comes into this

> when and IF your have been directly asked.
>
> The role is slow and methodological. If you think accounting and being

> an auditor is fun, than you may fit into the role.
>
> Complete some courses in English grammar and report writing. This is
> an essential skill. Spelling and punctuation can make or break your
> career in this field.
>
> Forensics has NOTHING to do with detection of an attack. It comes
> after the attack. It comes after the initial incident response
process.
> Knowledge of incident response is needed to ensure the "chain of
> evidence", but it is not generally part of your role as a forensic
> analyst.
>
> SANs GCFA is a good preliminary as is CCE. Neither will make you more
> than an intern level by itself. You will be judged (at more than an
> intern level) on how you handle cases. How you respond in court. Many
> prospective employers will expect to view transcripts of cases you
> have been involved with to see how you handle under cross.
>
> You want to be top of the field. Many years. Much training. Calm
> demeanour. Honesty. Integrity. This is the simple answer. There is a
> great deal more as well. You need at least knowledge of the law (a
> degree is not necessary, but does help. This is how experience as an
> officer of the law aides). Absolutely NO knowledge of information
> security is required (in contradiction to popular belief). It does
help.
> Familiarity of file-systems is crucial. Learn both Linux and Windows
> at the least. Understand how to create a timeline. Know how to extract

> and analyse slack space while maintaining evidential integrity. These
> are some of the required skills (tip of the iceberg).
>
> There are many people who profess to have computer forensic skills.
> There are very few who really have these skills. There are even fewer
> who can use their skills in court.
>
>
> Regards
> Craig
>
>
>       Dr Craig S Wright DTh MNSA MMIT CISA CISM CISSP ISSMP ISSAP
> G7799 GCFA AFAIM Manager - Computer Assurance Services BDO Chartered
> Accountants & Advisers Level 19, 2 Market Street, Sydney, NSW 2001
> Telephone: +61 2 9286 5555
> Fax: +61 2 9993 9705
> Direct: +61 2 9286 5497
> <Mailto:CWright () bdosyd com au>
>
>
> -----Original Message-----
> From: mhayden [mailto:mike_hayden () quintum com]
>
> Sent: 2 February 2006 7:46
> To: security-basics () securityfocus com
> Subject: RE: Forensic/Cyber Crime Investigator
>
> Koolk3,
>
> I am also looking into this, I don't have much information but this is

> what I've gathered:
>
> - There seem to genarally be 2 facets of Forensics:
> * Computer Forensics - pouring over someone's harddrive to gather and
> document evidence.
> * Network Forensics - Alot of what the folks on this list do on a day
> to day basis, intrusion protection, detection and analysis.
>
> You can persue one or the other but it sounds like you want a
> combination of both.
>
> - It has been suggested to me that if I was interested I should persue

> a Law Enforcement career and go at it from that angle.  I have been a
> Software developer for almost 20 years, in the US I'm too old for Law
> Enforcement (35 yrs is the cutoff in my state) so that option is out
> for me.
>
> - Another suggestion was the FBI or CIA as a civilian professional or
> if you meet the age/citizenship criteria an Agent.
>
> - There are also private companies that do Computer Forensics and are
> hired out by Lawyers or Law Enforcement that need the help when
> computers are acquired in crimes.
>
> I have taken a Computer Forensics class at the college level to get a
> feel for that but unfortunately that isn't enough to get you in the
> door (unless you get lucky).  I also get the feeling that without an
> IT background you are out in the cold.
>
> Another suggestion was to join one of the local chapters of the IACIS
> (International Association of Computer Investigative Specialists).  I
> think you would need to be invited in my an existing member and I'm
> not sure if its only open to Law Enforcement folks checkout there
> website (http://www.iacis.info/iacisv2/pages/home.php).  There are
> many different groups, some are open to civilians and some are not.
>
> Hope this helps a bit.  I look forward to comments from others to help

> me in my quest also.
>
> MH
>
>
>
>
> -----Original Message-----
> From:
> security-basics-return-38141-mike_hayden=quintum.com () securityfocus com
> [mailto:security-basics-return-38141-mike_hayden=quintum.com@securityf
> oc
> us.com]On Behalf Of Koolk3
> Sent: Wednesday, February 01, 2006 12:21 PM
> To: security-basics () securityfocus com
> Subject: Forensic/Cyber Crime Investigator
>
>
> Hi List,
>
> I tried posting this before, didn't go through. So I am trying again.
>
> I am interested in becoming a Forensics/Cyber Crime Investigator
> preferably with any law enforcement agency in Canada. I will graduate
> this April with a Bachelor in Computer Engineering. I have some
> experince in Forensics and IT security from coop placements and wanted

> to take this option as a career.
>
> My questions are:
>
> 1) What kind of certification is the most demanding/respected among
> law enforcement aganices in Canada/US?
>
> 2) If anyone on the list is with RCMP, OPP or any other law
> enforcement agency here could you please give me any information on a
> possible career path. Where do I start? Are these kind of jobs
> considered as a civilian job?
>
> 3) Those in the USA: could you please tell me if I can have any
> prospect there as a Canadian citizen. I would imagine you would need
> an US citizen to work in the law enforcement agencies, but what about
> private organizations?
>
> 4) Any information in building a career path in this field would be
> helpful.
>
> Thanks everyone.
>
> --
> KoolK3
>
> ----------------------------------------------------------------------
> --
> ---
> EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE The Norwich

> University program offers unparalleled Infosec management education
> and the case study affords you unmatched consulting experience.
> Tailor your education to your own professional goals with degree
> customizations including Emergency Management, Business Continuity
> Planning, Computer Emergency Response Teams, and Digital
Investigations.
> http://www.msia.norwich.edu/secfocus
> ----------------------------------------------------------------------
> --
> ---
>
>
>
>
> ----------------------------------------------------------------------
> --
> ---
> EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE The Norwich

> University program offers unparalleled Infosec management education
> and the case study affords you unmatched consulting experience.
>
> Tailor your education to your own professional goals with degree
> customizations including Emergency Management, Business Continuity
> Planning, Computer Emergency Response Teams, and Digital
Investigations.
> http://www.msia.norwich.edu/secfocus
> ----------------------------------------------------------------------
> --
> ---
>
>
>
>
>
>
>
>
> Liability limited by a scheme approved under Professional Standards
> Legislation in respect of matters arising within those States and
> Territories of Australia where such legislation exists.
>
> DISCLAIMER
> The information contained in this email and any attachments is
> confidential. If you are not the intended recipient, you must not use
> or disclose the information. If you have received this email in error,

> please inform us promptly by reply email or by telephoning +61 2 9286
> 5555. Please delete the email and destroy any printed copy.

> Any views expressed in this message are those of the individual
sender.
> You may not rely on this message as advice unless it has been
> electronically signed by a Partner of BDO or it is subsequently
> confirmed by letter or fax signed by a Partner of BDO.
>
> BDO accepts no liability for any damage caused by this email or its
> attachments due to viruses, interference, interception, corruption or
> unauthorised access.
>
> ----------------------------------------------------------------------
> --
> ---
> EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE The Norwich

> University program offers unparalleled Infosec management education
> and the case study affords you unmatched consulting experience.

> Tailor your education to your own professional goals with degree
> customizations including Emergency Management, Business Continuity
> Planning, Computer Emergency Response Teams, and Digital
Investigations.
> http://www.msia.norwich.edu/secfocus
> ----------------------------------------------------------------------
> --
> ---
>
>
> Liability limited by a scheme approved under Professional Standards
> Legislation in respect of matters arising within those States and
> Territories of Australia where such legislation exists.
>
> DISCLAIMER
> The information contained in this email and any attachments is
confidential.
> If you are not the intended recipient, you must not use or disclose
> the information. If you have received this email in error, please
> inform us promptly by reply email or by telephoning +61 2 9286 5555.
> Please delete the email and destroy any printed copy.

> Any views expressed in this message are those of the individual
> sender. You may not rely on this message as advice unless it has been
> electronically signed by a Partner of BDO or it is subsequently
> confirmed by letter or fax signed by a Partner of BDO.
>
> BDO accepts no liability for any damage caused by this email or its
> attachments due to viruses, interference, interception, corruption or
> unauthorised access.
>
> ----------------------------------------------------------------------
> ----- EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE The
> Norwich University program offers unparalleled Infosec management
> education and the case study affords you unmatched consulting
experience.
> Tailor your education to your own professional goals with degree
> customizations including Emergency Management, Business Continuity
> Planning,
>
> Computer Emergency Response Teams, and Digital Investigations.
>
> http://www.msia.norwich.edu/secfocus
> ----------------------------------------------------------------------
> -----

Liability limited by a scheme approved under Professional Standards Legislation in respect of matters arising within 
those States and Territories of Australia where such legislation exists.

DISCLAIMER
The information contained in this email and any attachments is confidential. If you are not the intended recipient, you 
must not use or disclose the information. If you have received this email in error, please inform us promptly by reply 
email or by telephoning +61 2 9286 5555. Please delete the email and destroy any printed copy. 

Any views expressed in this message are those of the individual sender. You may not rely on this message as advice 
unless it has been electronically signed by a Partner of BDO or it is subsequently confirmed by letter or fax signed by 
a Partner of BDO.

BDO accepts no liability for any damage caused by this email or its attachments due to viruses, interference, 
interception, corruption or unauthorised access.

---------------------------------------------------------------------------
EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The Norwich University program offers unparalleled Infosec management
education and the case study affords you unmatched consulting experience.
Tailor your education to your own professional goals with degree
customizations including Emergency Management, Business Continuity Planning,
Computer Emergency Response Teams, and Digital Investigations.

http://www.msia.norwich.edu/secfocus
---------------------------------------------------------------------------