Re: Network Forensics vs Data/Computer Forensics

From: daniel heinonen (d.heinonenat_private)
Date: Sun Aug 19 2001 - 17:23:37 PDT

    Hi Filip,
    
    I believe this is a great question and I will give my opinion, but in no 
    way will this be a definitive answer to your question.
    
    Incident response is in relation to obtaining an acceptable outcome for the 
    victim.  In many cases this would be to isolate the extent of the damage, 
    examine to see the intrusion point and get the compromised machine back to 
    working order.  They would need to keep in mind appropriate computer 
    evidence practices as some of the information collected may be used as 
    evidence.
    
    In the case of forensic computing I would see the work of an examiner to be 
    slightly different as they usually deal with the offender's computer as well 
    as the victim's.
    
    I would not try to put a distinction on network/computer forensics as I 
    believe any forensics involving digital evidence would be classed as 
    forensic computing.  I mean, does it matter that the data is from a 
    photocopier or a Palm Pilot?  If it has evidence, we need to examine it.  I 
    mean, where do you draw the line?  If a stalker uses email, this is over the 
    network and you may need to liaise with a number of ISPs and authorities 
    to obtain logs and so forth.  However, no one has had an incident.
    
    I would just like to add to the confusion and state that it may be 
    necessary for forensic computer examiners to do similar tasks as personnel 
    on incident response teams, such as piecing together a timeline of events to 
    create a larger picture of the crime scene; this may be through the use of 
    log files and so forth.
    
    I hope this helps and I would love to know if my views are totally screwed 
    up.  Also is forensic computing the appropriate name for this?
    
    Daniel Heinonen
    
    
    [Below is stuff I started writing, but I was kinda bored so I started again, 
    hence the above.]
    
    I find the field of forensic computing to be broad, with many different 
    positions within the field.  With this being said, I do not believe incident 
    response would definitely be part of this list of positions.  These two are, 
    however, very closely tied and may do the same tasks.
    
    Some police departments break up the computer forensics team even further into 
    an investigative team and an examining team.  The investigative team would 
    do pre-work, obtain warrants and so forth, as well as arrest and seize; 
    these would all be sworn personnel.  An examining team would consist of 
    people who image the computer on site and examine the computer, and the 
    evidence found would be given to the investigative team to either use this 
    evidence as leads or to pursue charges.
    
    A Computer Search Warrant Team may consist of "Sketch Preparer, 
    Photographer, Evidence Recorder, Person-In-Charge" or "Technical Evidence 
    Seizure and Logging Team, Security and Arrest Team, Physical Search Team, 
    Sketch and Photo Team, Interview Team, Case Supervisor" [1]
    
    Of course, this would be the case if we are talking about the authorities, 
    but in the case of the private sector you would be required to obtain data 
    from affected computers in case it may be used later as evidence.  Also, 
    some authorities may not have the expertise to examine computers, so 
    private sector people may consult for these departments.
    
    I would see the role of an Incident Response team to work closely with 
    forensic computing staff in the private sector as well as with the 
    authorities.
    
    [1]  http://www.securityfocus.org/focus/ih/articles/crimeguide4.html
    
    
    At 05:03 PM 18/08/01 +0200, you wrote:
    >Hi all,
    >
    >Talking to a lot of persons in the field lately, I don't seem to be able
    >to find a satisfying answer on the following question. " Topic: Digital
    >Forensics -- Where is the line drawn between Network Forensics; which is
    >related to Incident Response, thus focussing on a more IT Security
    >related domain; and the Data/Computer Forensics terrain; which is more
    >focussing on finding / recovering and detecting traces of lost files,
    >... quite often in fraudulent activity?  To me, there is a distinct
    >technical difference, but 'businesswise' and practical this difference
    >seems very thin.  Specific situation: imagine, a cracker penetrates the
    >network.  The Incident Response team wants to react quickly by
    >identifying the security breach and the result of this incident.  This
    >involves a post-mortem analysis of the data/logs/...  Is this a 100%
    >Data/Computer Forensics mission or rather a Network Forensics mission? "
    >
    >I know, this is more 'philosophy rather than technics', but ... do share
    >your opinion in public as well as in private.  If not all, at least I
    >could get a more clear view on this matter :-)
    >
    >
    >Thanks!
    >Filip
    >
    >
    >-----------------------------------------------------------------
    >This list is provided by the SecurityFocus ARIS analyzer service.
    >For more information on this free incident handling, management
    >and tracking system please see: http://aris.securityfocus.com