Educause Security Discussion mailing list archives
Re: Outsourcing Forensics
From: Gary Flynn <flynngn () JMU EDU>
Date: Tue, 29 Aug 2006 12:12:49 -0400
Jim Dillon wrote:
Gary,

That (your comment below) is exactly the reason I tend to discourage Audit Departments and Security Depts from taking on Forensics roles. Most will encounter the following:
1. Not enough funding to remain current.
2. Not enough work to keep skills intact.
3. Not enough training to maintain skills through change.
4. Not enough resources to properly handle the variety of equipment and situations they encounter.
5. Not enough credibility to stand up in court despite the skills.
I don't disagree, Jim. The most important part for us is to preserve the evidence using procedures accepted by the courts if we think we may want to prosecute. That limits the critical parts of our work quite a bit. If the evidence is correctly protected and all investigation work is done on duplicate data, it doesn't matter if our own analysis and conclusions hold up in court. If it goes to court, the original evidence can be turned over to the third party for their own analysis and conclusions.

The tricky part for us is deciding when to go into evidence protection mode. We certainly don't image every desktop with a virus or spyware infection before looking at it, let alone perform a full forensics examination, though we would in an ideal world. After all, the device has been compromised and you can never know the extent of the compromise or the severity of the crime until a full analysis is performed.

It is important to realize that incident response handling, including forensics, like all security issues, often involves conflicting goals and that decisions that favor one over the other will always be called into question. An organization has to prioritize its goals. For example, if the priority is as follows:
1) Protect constituents
2) Preserve and restore services
3) Prosecute offenders
the incident handling steps would likely be different than they would be if prosecuting offenders was the first priority.
There is much that can be done under internal policy that is eliminated as an option once the option is made to involve law enforcement, as their hands are tied when it comes to their scope of work. Under policy you can declare a machine and all data the property of the institution, and deny its use for personal ends. Then during investigation, anything out of sorts can be pursued per policy in any imaginable way. Under a legal review, you will be restricted to the particular scope of the charges and the restrictions provided by both state and federal law as to what you may do with the data you find. Policy is far less limited in terms of discovery.
It sounds like you're making the argument that internal or third party, non-law enforcement forensics is a better first option than contacting law enforcement because the scope of the investigation can be broader.
The exception to this rule is if you are willing to create a forensic function that can be hired out by the state or that will support other institutions so that a continual workload/professional experience can be pursued. If your forensics function is available to your state government and potentially even private parties, then you can maintain the skills and fund the process as well as a private company, perhaps even with some advantage given the internal opportunities for practice and the captive source for a young, skilled workforce.

Best regards,
Jim

*****************************************
Jim Dillon, CISA, CISSP
IT Audit Manager, CU Internal Audit
jim.dillon () cusys edu
303-492-9734
*****************************************

-----Original Message-----
From: Gary Flynn [mailto:flynngn () JMU EDU]
Sent: Monday, August 28, 2006 8:44 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Outsourcing Forensics

We have not yet had an incident where we outsourced it though in a complicated, critical case we might. We have a forensics lab and myself and another person have been through training but we don't do it often enough to be any good at it. :(

Clip...
--
Gary Flynn
Security Engineer
James Madison University
www.jmu.edu/computing/security