Educause Security Discussion mailing list archives

Re: Outsourcing Forensics


From: Jim Dillon <Jim.Dillon () CUSYS EDU>
Date: Tue, 29 Aug 2006 09:22:54 -0600

Gary,

That (your comment below) is exactly the reason I tend to discourage
Audit Departments and Security Depts from taking on Forensics roles -
Most will encounter the following:

1. Not enough funding to remain current.
2. Not enough work to keep skills intact.
3. Not enough training to maintain skills through change.
4. Not enough resources to properly handle the variety of equipment and
situations they encounter.
5. Not enough credibility to stand up in court despite the skills.

I am of course using FORENSICS to mean the more complete, thorough,
preparatory steps taken to investigate in a way that would pass scrutiny
in a court of law and provide sufficiency in the most sensitive event.
I am not at all opposed to the local IT or Security shops developing the
skills to seek out information on deleted tracks, to examine a drive's
contents, to do secure copies with the proper equipment to do
duplication.  There are many cases where we (Auditors/Fraud
Investigators/Security Staff) can use "Forensic" type information where
we never intend to use it in a court of law, or have already written off
that option.  We get numerous requests from our legal staff and HR folks
concerning drive contents and internal policy/disciplinary action that
do not require a completely court-worthy forensic process.  

There is much that can be done under internal policy that is eliminated
as an option once the option is made to involve law enforcement, as
their hands are tied when it comes to their scope of work.  Under policy
you can declare a machine and all data the property of the institution,
and deny its use for personal ends.  Then during investigation, anything
out of sorts can be pursued per policy in any imaginable way.  Under a
legal review, you will be restricted to the particular scope of the
charges and the restrictions provided by both state and federal law as
to what you may do with the data you find.  Policy is far less limited
in terms of discovery.

The exception to this rule is if you are willing to create a forensic
function that can be hired out by the state or that will support other
institutions so that a continual workload/professional experience can be
pursued.  If your forensics function is available to your state
government and potentially even private parties, then you can maintain
the skills and fund the process as well as a private company, perhaps
even with some advantage given the internal opportunities for practice
and the captive source for a young, skilled workforce.  

Best regards,

Jim

*****************************************
Jim Dillon, CISA, CISSP
IT Audit Manager, CU Internal Audit
jim.dillon () cusys edu
303-492-9734
*****************************************
 
 

-----Original Message-----
From: Gary Flynn [mailto:flynngn () JMU EDU] 
Sent: Monday, August 28, 2006 8:44 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Outsourcing Forensics


We have not yet had an incident where we outsourced it though in a
complicated, critical case we might. We have a forensics lab and myself
and another person have been through training but we don't do it often
enough to be any good at it. :(


Clip...
