Security Basics mailing list archives
Re: Two questions
From: Bert Knabe <bert.knabe () lubbockonline com>
Date: Tue, 26 Feb 2008 08:51:18 -0600
Can you point me to sources about the possibility of needing a PI or other license to do forensics and incident response? I'm the local responder for our site. It sounds like I may be ok for now, being part of the IT staff, but I'd like to know more. I'd especially like to know more before I go to corporate with questions.
Thanks,

Bert Knabe
Technician
Lubbock Avalanche-Journal
806-766-2158

On Feb 25, 2008, at 1:24 PM, Jon R. Kibler wrote:

Michael,

I am NOT a lawyer and do not know the law in your area. However, I do know that U.S. DoJ is pushing hard to require anyone doing anything forensics or incident response to be a licensed PI.

Please see my embedded comments...

Michael Condon wrote:

<SNIP>

I also need to find out if you just need certification, or just need to be a licensed PI, or both, in each of the three states.

My best advice would be to contact a lawyer or the state attorney general in each jurisdiction. You may also want to post a question to Security Focus' forensics mailing list. However, be wary of any 'legal opinions' you may receive.

However, I can tell you that in SC, to get a PI license requires 2 years training and a year apprenticeship.

And what certification, if not CHFI, is recognized as sufficiently valid to perform this kind of investigation (perhaps CISSP/ISC2)?

I have heard law enforcement openly laugh at CHFI -- and CISSP and other non-forensics certs are useless. The certification that I see most law enforcement agencies require is the ISFCE/CCE -- which, as I understand it, takes 3 years to obtain.

I've had to do internal sort of forensic work of this sort and more for former employers - it resulted in reprimand or at times termination.

These days, doing such work could easily get you criminally prosecuted. I have been given legal advice to 'do nothing that can be construed as forensics.' I was told that looking at someone's browser's history and showing management where they had been going to xxxporn.com would be considered doing forensics, as would using DNS query logging or sniffing network traffic to show similar activity. It is even questionable as to whether it is technically legal for an organization's IT staff, unless they have a PI license, to use IDS logs to track down compromised systems, as that may be considered incident response.

Insane mess? I agree.

Jon Kibler
--
Jon R. Kibler
Chief Technical Officer
Advanced Systems Engineering Technology, Inc.
Charleston, SC USA
o: 843-849-8214
m: 843-224-2494