Educause Security Discussion mailing list archives

Re: Outsourcing Forensics


From: Gary Flynn <flynngn () JMU EDU>
Date: Tue, 29 Aug 2006 12:12:49 -0400

Jim Dillon wrote:

> Gary,
>
> That (your comment below) is exactly the reason I tend to discourage
> Audit Departments and Security Depts from taking on Forensics roles -
> Most will encounter the following:
>
> 1. Not enough funding to remain current.
> 2. Not enough work to keep skills intact.
> 3. Not enough training to maintain skills through change.
> 4. Not enough resources to properly handle the variety of equipment and
> situations they encounter.
> 5. Not enough credibility to stand up in court despite the skills.

I don't disagree, Jim. The most important part for us is to
preserve the evidence using procedures accepted by the
courts if we think we may want to prosecute. That limits the
critical parts of our work quite a bit.

If the evidence is correctly protected and all investigation
work is done on duplicate data, it doesn't matter if our own
analysis and conclusions hold up in court. If it goes to court,
the original evidence can be turned over to the third party
for their own analysis and conclusions.

The tricky part for us is deciding when to go into evidence
protection mode. We certainly don't image every desktop
with a virus or spyware infection before looking at it,
let alone perform a full forensics examination, though we
would in an ideal world. After all, the device has been
compromised and you can never know the extent of the
compromise or the severity of the crime until a full
analysis is performed.

It is important to realize that incident response handling,
including forensics, like all security issues often involves
conflicting goals and that decisions that favor one over
the other will always be called into question. An
organization has to prioritize its goals.

For example, if the priority is as follows:

1) Protect constituents
2) Preserve and restore services
3) Prosecute offenders

the incident handling steps would likely be different than
they would be if prosecuting offenders was the first
priority.

> There is much that can be done under internal policy that is eliminated
> as an option once the option is made to involve law enforcement, as
> their hands are tied when it comes to their scope of work. Under policy
> you can declare a machine and all data the property of the institution,
> and deny its use for personal ends. Then during investigation, anything
> out of sorts can be pursued per policy in any imaginable way. Under a
> legal review, you will be restricted to the particular scope of the
> charges and the restrictions provided by both state and federal law as
> to what you may do with the data you find. Policy is far less limited
> in terms of discovery.

It sounds like you're making the argument that internal or third party,
non-law enforcement forensics is a better first option than contacting
law enforcement because the scope of the investigation can be broader.

> The exception to this rule is if you are willing to create a forensic
> function that can be hired out by the state or that will support other
> institutions so that a continual workload/professional experience can be
> pursued. If your forensics function is available to your state
> government and potentially even private parties, then you can maintain
> the skills and fund the process as well as a private company, perhaps
> even with some advantage given the internal opportunities for practice
> and the captive source for a young, skilled workforce.
>
> Best regards,
>
> Jim
>
> *****************************************
> Jim Dillon, CISA, CISSP
> IT Audit Manager, CU Internal Audit
> jim.dillon () cusys edu
> 303-492-9734
> *****************************************



> -----Original Message-----
> From: Gary Flynn [mailto:flynngn () JMU EDU]
> Sent: Monday, August 28, 2006 8:44 PM
> To: SECURITY () LISTSERV EDUCAUSE EDU
> Subject: Re: [SECURITY] Outsourcing Forensics
>
>
> We have not yet had an incident where we outsourced it, though in a
> complicated, critical case we might. We have a forensics lab and another
> person and I have been through training, but we don't do it often
> enough to be any good at it. :(


Clip...


--
Gary Flynn
Security Engineer
James Madison University
www.jmu.edu/computing/security

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature
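Gary's point above is that the original evidence stays untouched and all analysis runs on a duplicate, so a third party can later redo the analysis from the original. The script below is an added example (not from the thread or either author) of that workflow: it checks the preserved image against its acquisition hash, hands out a hash-verified working copy, and appends every check to a custody log. File names, hash algorithm and log format are assumptions; the "disk image" is a few constructed bytes.

```python
"""Verify a preserved evidence image and hand analysts a hash-checked working copy.

Added example, not code from the list thread: the original is never analysed directly;
every examination runs on a duplicate checked against the acquisition hash, and each
check is appended to a custody log."""
import hashlib
import json
import shutil
import tempfile
import time
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream the file in chunks so large disk images never have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def make_working_copy(original: Path, acquisition_hash: str, workdir: Path, log: Path) -> dict:
    """Copy the image for analysis only if the original still matches its acquisition hash,
    then confirm the copy is bit-identical. Returns the custody record that was logged."""
    record = {"time": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
              "original": str(original), "acquisition_hash": acquisition_hash}
    record["original_hash"] = sha256_file(original)
    record["original_intact"] = record["original_hash"] == acquisition_hash
    if record["original_intact"]:
        copy = workdir / (original.name + ".working")
        shutil.copyfile(original, copy)
        record["copy"] = str(copy)
        record["copy_hash"] = sha256_file(copy)
        record["copy_verified"] = record["copy_hash"] == acquisition_hash
    else:
        record["copy_verified"] = False  # never hand out a copy of an altered original
    with log.open("a") as f:          # append-only custody log, one JSON line per check
        f.write(json.dumps(record) + "\n")
    return record


def demo() -> dict:
    """Constructed sample: a small byte string stands in for a real disk image."""
    tmp = Path(tempfile.mkdtemp())
    image = tmp / "case-0001-laptop.dd"             # assumed case naming, constructed data
    image.write_bytes(b"MBR" + bytes(range(256)) * 8)
    acquisition_hash = sha256_file(image)           # what the imaging step would have recorded
    ok = make_working_copy(image, acquisition_hash, tmp, tmp / "custody.log")
    image.write_bytes(b"X" + image.read_bytes()[1:])  # simulate an altered original
    bad = make_working_copy(image, acquisition_hash, tmp, tmp / "custody.log")
    return {"ok": ok, "bad": bad}
```

The second call shows the failure mode that matters in court: once the original no longer matches its acquisition hash, no working copy is produced and the mismatch itself is logged.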

