Security Basics mailing list archives

RE: Forensic/Cyber Crime Investigator


From: "Craig Wright" <cwright () bdosyd com au>
Date: Thu, 9 Feb 2006 17:02:08 +1100


Hi Dave,

I have a good knowledge of some areas of Australian law, but in only some areas (I have not the foggiest idea re family 
law for example) and a little regarding the other states (NSW being the one I live in).

Virus attacks etc as you put are incidents. The average (and all but maybe a rare exception) organisation will treat 
these as incidents. They do not take them to court nor have the intention of doing such. To take your Virus example. 
This is an incident, it requires a response. It does not require a forensic analysis of the system, nor would this be 
generally done. Organisations want "the systems up" more than they want to catch the criminal. California may prove 
interesting... But we will see.

We have separate laws for separate incidents etc in AU. These vary from Federal to State etc. NSW has a few regarding 
workplace surveillance for example and how these investigations are to be conducted. Some require forensics skills 
others do not. In fact most do not. In fact there are not enough forensically trained and experienced people to be able 
to do this even if it was required/requested.

By, "Many organizations have a policy of not going to litigation." I mean that some (and by some - a lot - I have 
statistics if you wish - most at the 95% CI, some at alpha = 10% levels) of organisations would rather bury the issue. 
This is not all and is something that needs to be decided in advance, but it is a business decision (we have no 
disclosure laws for disclosure of these incidents). Public admission is required to get an Anton Piller (civil search) 
- many listed companies would never do this. Many listed companies would rather remain in the dark (they know what is 
happening - but stock options ...)

As for concedes - I have known several companies who would not concede a case if they had the world's only infallible 
evidence from every other person and company in the world to oppose them.

You are again looking from a perspective that assumes that separate skills may never be deployed by a single person. 
This is not the case. Incident response as I have stated has a different set of goals to Forensics. As stated, 
Forensics ALWAYS involves court (this is not only a definition in a dictionary, but also in law. As stated defined word 
etc. There ARE consequences for using the term incorrectly - at least there can be). An affidavit (or deposition in the 
US) is a function of the court (involving court does not mean going into court - please note the separation). Incident 
response may or may not have something to do with this process.

In 2001 the DFRWS proposed the term digital forensic science (rather than the poorly worded computer forensics) 
[hereafter DFS]. It is true that this includes investigation. The inclusion of investigation as I have stated does not 
make one an investigator. DFS has components of incident response - again this is not the same thing.

You state "Investigations are the systematic and thorough gathering, examining, and studying of factual information 
that results in the factual explanation of what transpired." I agree with this statement. It misses the line however 
"for legal production" or "for use in court" etc. This is the difference. As stated, forensic = court (as simple as I 
may state). Investigation may OR MAY NOT mean court (court being the legal process).

I will if the list likes quote the laws concerning the application of evidence in Australia (now finally unified over 
all states and territories). If you like I will add case law and common law relevance. Law of Equity, Tort or even 
criminal law if you like.

You seem mostly to not understand that (in a common law jurisdiction - which includes the US), experts (including 
forensic experts) are agents of the court. You work for the court - this does not mean you are paid (and I know it is 
not a perfect world and this oft does not hold true). The party who pays you is not who you represent. You are a 
representative of justice (the court). Not the state, not your employer. You present the facts, not the opinion (and I 
know this does occur).

As for "not just your opinion." I will quote evidence rules if you like? The handbooks (though these are not US 
applicable)? Casey's (Digital Evidence and Computer Crime, (2004) Casey, E; Elsevier, USA) in s. 4.2 defines the 
Investigative Methodology concisely. It covers the forensic investigation process efficiently.

Wells ("Corporate Fraud Handbook" (2004), Wells, J; ACFE) has another approach to a fraud investigation.

[Full details available if requested (late in the day - ask me for the book ref. if you want it)] Statistical Auditing 
has another. The SANS GCIH methodology is another investigative approach. SANS GCFA has a forensic investigative 
approach.

So yes, there are forensically conducted investigations and there are investigations. Thus DFS and Investigation are 
separate (though related).

Regards,
Craig

-----Original Message-----
From: dave kleiman [mailto:dave () davekleiman com]
Sent: 9 February 2006 3:01
To: security-basics () securityfocus com
Subject: RE: Spam: RE: Forensic/Cyber Crime Investigator

Craig,

First let me say I do not know AU law, I do however have a grasp on US law.

Are employee misconduct, internal theft of trade secrets, a DoS attack on a business, or a virus purposely released on 
an important business day to disrupt business INCIDENTS? (just to name a few)

Do we respond to them?

Is that not incident response?

When we look into these, are we not conducting an investigation? (In many states it is required that you must be a 
licensed investigator to do so)

If we do not do so in a forensically sound manner, and we have to pursue the matter; will we be able to?

I believe you are contradicting yourself unknowingly.

You said "Most cases and disputes are settled outside of court and do not involve the legal jurisdictional control".
But, I do not think you realize how we accomplish staying out of court; we do this by presenting the evidence in such a 
way that it is overwhelming, air-tight, and the other side concedes. This evidence must be gathered properly, or the 
other side will contest and bring it to tribunal.

You said "Many organizations have a policy of not going to litigation."
Do you mean they would rather not pursue the issue? If so then that is their policy so there is no need to investigate.
However, if they require the incident investigated, you better have your ducks in a row. (conduct it in a forensically 
sound manner)

I can personally tell you, I love it when a case does not make it past the deposition stage, or even not that far, if 
the evidence is solid!!

Remember a deposition, sworn statement, stipulation of expected testimony, and courtroom testimony are all affirmations 
under oath / sworn testimony.

You said "Investigation and Forensics are separate disciplines."
Investigations are the systematic and thorough gathering, examining, and studying of factual information that results 
in the factual explanation of what transpired.

So explain the difference to us, not just your opinion.

Maybe you are trying to explain the difference between imaging a H/D and conducting an investigation??



Respectfully,

______________________________________________________
Dave Kleiman, CAS,CCE,CIFI,CISM,CISSP,ISSAP,ISSMP,MCSE

http://www.southeastforensics.com/services.php
 


