Re: Two questions

[Bert Knabe <bert.knabe () lubbockonline com>]

Can you point me to sources about the possibility of needing a PI or  
other license to do forensics and incident response? I'm the local  
responder for our site. It sounds like I may be ok for now, being  
part of the IT staff, but I'd like to know more. I'd especially like  
to know more before I go to corporate with questions.

Thanks,

Bert Knabe
Technician
Lubbock Avalanche-Journal
806-766-2158


On Feb 25, 2008, at 1:24 PM, Jon R. Kibler wrote:

> Michael,
>
> I am NOT a lawyer and do not know the law in your area. However, I do
> know that U.S. DoJ is pushing hard to require anyone doing anything
> forensics or incident response to be a licensed PI.
>
> Please see my embedded comments...
>
> Michael Condon wrote:
> <SNIP>
> > I also need to find out if you just need certification, or just  
> > need to be a licensed PI, or both, in each of the three states.
>
> My best advice would be to contact the a lawyer or the state attorney
> general in each jurisdiction. You may also want to post a question to
> Security Focus' forensics mailing list. However, be wary of any 'legal
> opinions' you may receive.
>
> However, I can tell you that in SC, to get a PI license requires 2  
> years
> training and a year apprenticeship.
>
> > And what certification, if not CHFI, is recognized as sufficiently  
> > valid to perform this kind of investigation (perhaps CISSP/ISC2)?
>
> I have heard law enforcement openly laugh at CHFI -- and CISSP and  
> other
> non-forensics certs are useless. The certification that I see most law
> enforcement agencies require is the ISFCE/CCE -- which, as I  
> understand
> it, takes 3 years to obtain.
>
> > I've had to do internal sort of forensic work of this sort and  
> > more for former employers - it resulted in reprimand or at times  
> > termination.
>
> These days, doing such work could easily get you criminally  
> prosecuted.
> I have been given legal advice to 'do nothing that can be construed as
> forensics.' I was told that looking at someone's browser's history and
> showing management where they had been going to xxxporn.com would be
> considered doing forensics, as would using DNS query logging or  
> sniffing
> network traffic to show similar activity. It is even questionable  
> as to
> whether it is technically legal for an organization's IT staff, unless
> they have a PI license, to use IDS logs to track down compromised  
> systems,
> as that may be considered incident response.
>
> Insane mess? I agree.
>
> Jon Kibler
> --
> Jon R. Kibler
> Chief Technical Officer
> Advanced Systems Engineering Technology, Inc.
> Charleston, SC  USA
> o: 843-849-8214
> m: 843-224-2494
>
>
>
>
> ==================================================
> Filtered by: TRUSTEM.COM's Email Filtering Service
> http://www.trustem.com/
> No Spam. No Viruses. Just Good Clean Email.