Hello,

Why make the distinction? The distinction does not preclude the 'network forensics investigator' from following a legally sound process. In Canada, at least, a log or record (IDS log, sniffer log) collected during an investigation does not fall under the category of a record generated during the course of normal business, so the investigator must strictly adhere to all rules of evidence (not that one shouldn't always do that, but I routinely see 'forensic investigators' comb through a system during an IR engagement, pull logfiles, install sniffers or snort, but not really being careful to ensure that they can attest to the integrity of any information collected).

The bottom line -- get the right person to do the job. Pairing up an investigator that understands the process with a tech can be ok; however, I have seen a problem where the techie overlooks something that is very technical, as he may not understand the relevance in court, and since the investigator doesn't have in-depth knowledge of the technology they are dealing with, something is left out, or they invalidated their process unknowingly only to be surprised in court when some other investigator performs a detailed QA to point out their flaws.

There's really no getting around it; the forensic investigator must be technical and understand process & procedure. That's what makes forensics so difficult!

- phzy

--
Sent with Antiplur webmail: http://www.antiplur.com

-----------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Mon Aug 20 2001 - 10:05:37 PDT