Educause Security Discussion mailing list archives

Re: Outsourcing Forensics


From: Jim Dillon <Jim.Dillon () CUSYS EDU>
Date: Tue, 29 Aug 2006 15:52:27 -0600

There is much that can be done under internal policy that is 
eliminated as an option once the option is made to involve law 
enforcement, as their hands are tied when it comes to their scope of 
work.  Under policy you can declare a machine and all data the 
property of the institution, and deny its use for personal ends.  Then 
during investigation, anything out of sorts can be pursued per policy 
in any imaginable way.  Under a legal review, you will be restricted 
to the particular scope of the charges and the restrictions provided 
by both state and federal law as to what you may do with the data you 
find.  Policy is far less limited in terms of discovery.

GF>> It sounds like you're making the argument that internal or third 
GF>> party, non-law enforcement forensics is a better first option than 
GF>> contacting law enforcement because the scope of the investigation 
GF>> can be broader.

Gary,

I was not really trying to make that argument, more to the point I was
trying to distinguish between everyday recovery and snooping along
policy lines and full-blown, disciplined forensics with prosecution as
an objective.  I think there is use for some skill and effort being
applied to the first w/o the perfect investment in skills and resources,
whereas the second shouldn't be pursued w/o the requisite skills and
resources as it is doomed to likely failure.  I was more concerned with
the definitional aspect of "forensics" than the philosophical approach.
One of those "do it right the first time" sorts of things - or don't do
it, get someone who can.  Ultimately, the discipline is worthy of the
right level of investment, or don't bother to pursue it was my line of
thinking - but a lesser form of the discipline still has utility under
policy, and that may serve the institution just the same, just don't
confuse it with the other or you are not likely to succeed.

Jim
