I would shy away from the data vs. network debate as well. I mean, if you have a client that buys "data" forensics and you find the compromise happened over the network, are you going to stop and say "Please give me more money because now this is a network forensics gig"? I would hope not, because you most likely won't be around very long. :-) There is no difference in the thought process when dealing with data (really should be static) forensics or network forensics. Things that happen on a network are generally generated and terminated on static devices. This traffic is recorded to static media. I would recommend following the practice of pairing investigators with techs; it has worked very well in my experience.

daniel heinonen wrote:
> Hi Filip,
>
> I believe this is a great question and I will give my opinion, but in no way will this be a definitive answer to your question.
>
> Incident response is in relation to obtaining an acceptable outcome for the victim. In many cases this would be to isolate the extent of the damage, examine to see the intrusion point and get the compromised machine back to working order. They would need to keep in mind appropriate computer evidence practices as some of the information collected may be used as evidence.
>
> In the case of forensic computing I would see the work of an examiner to be slightly different as they usually deal with the offender's computer as well as the victim's.
>
> I would not try to put a distinction on network/computer forensics as I believe any forensics involving digital evidence would be classed as forensic computing? I mean, does it matter that the data is from a photocopier or a Palm Pilot if it has evidence we need to examine? I mean, where do you draw the line if a stalker uses email? This is over the network and you may need to liaise with a number of ISPs and authorities to obtain logs and so forth. However, no one has had an incident.
>
> I would just like to add to the confusion and state that it may be necessary for forensic computer examiners to do similar tasks as personnel on incident response teams, such as piece together a timeline of events to create a larger picture of the crime scene; this may be through the use of log files and so forth.
>
> I hope this helps and I would love to know if my views are totally screwed up. Also, is forensic computing the appropriate name for this?
>
> Daniel Heinonen
>
> [below is stuff I started writing but was kinda bored so I started again, hence above]
>
> I find the field of forensic computing as being broad with many different positions within the field. With this being said I do not believe incident response would definitely be part of this list of positions. These two are however very closely tied and may do the same tasks.
>
> Some police departments break up the computer forensics team even more into an investigative team and an examining team. The investigative team would do pre-work, obtain warrants and so forth as well as arrest and seize; these would all be sworn personnel. An examining team would consist of people who image the computer on site and examine the computer, and the evidence found would be given to the investigative team to either use as leads or to pursue with charges.
>
> A Computer Search Warrant Team may consist of "Sketch Preparer, Photographer, Evidence Recorder, Person-In-Charge" or "Technical Evidence Seizure and Logging Team, Security and Arrest Team, Physical Search Team, Sketch and Photo Team, Interview Team, Case Supervisor" [1]
>
> Of course this would be the case if we are talking about the authorities, but in the case of the private sector you would be required to obtain data from affected computers in case they may be used later as evidence. Also, some authorities may not have the expertise to examine computers, so then private sector people may consult these departments.
>
> I would see the role of an incident response team to work closely with forensic computing staff in the private sector as well as with the authorities.
>
> [1] http://www.securityfocus.org/focus/ih/articles/crimeguide4.html
>
> At 05:03 PM 18/08/01 +0200, you wrote:
> >Hi all,
> >
> >Talking to a lot of persons in the field lately, I don't seem to be able to find a satisfying answer to the following question. "Topic: Digital Forensics -- Where is the line drawn between Network Forensics, which is related to Incident Response, thus focussing on a more IT Security related domain, and the Data/Computer Forensics terrain, which focusses more on finding / recovering and detecting traces of lost files, ... quite often in fraudulent activity? To me, there is a distinct technical difference, but 'businesswise' and practically this difference seems very thin. Specific situation: imagine a cracker penetrates the network. The Incident Response team wants to react quickly by identifying the security breach and the result of this incident. This involves a post-mortem analysis of the data/logs/... Is this a 100% Data/Computer Forensics mission or rather a Network Forensics mission?"
> >
> >I know, this is more 'philosophy rather than technics', but ... do share your opinion in public as well as in private. If not all, at least I could get a clearer view on this matter :-)
> >
> >Thanks!
> >Filip

-- 
Bill Pennington - CISSP

-----------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Mon Aug 20 2001 - 08:31:28 PDT