Re: Network Forensics vs Data/Computer Forensics

From: daniel heinonen (d.heinonenat_private)
Date: Mon Aug 20 2001 - 16:30:40 PDT

    Hi all,
    
    I just finished reading a book relating to digital evidence [1] and 
    believe it answers my interpretation of the question.  I hope my 
    interpretation of the question is accurate and that this answers your 
    question; please let me know if it doesn't and I will keep reading : ) 
    Below is an extract from the book.  Apologies to the author for republishing.
    
    -=-=-=-=-=-
    -=Digital evidence recovery team (DERT)=-
    
    To address the increasing amount of cyber crime, larger organisations have 
    created Computer Emergency Response Teams (CERTs) with the specific aim of 
    responding to crimes that involve the organisation's computers.  As the 
    name suggests, Computer Emergency Response Teams are primarily responsible 
    for containing crisis situations.  Collecting evidence and prosecuting 
    criminals is a secondary concern at best.
    
    Possibly because few cyber criminals are being prosecuted, cyber crime is 
    on the rise and organisations are experiencing a corresponding increase in 
    losses.  As the losses increase, prosecution becomes more desirable - either 
    to recover damages or simply to discourage criminals from targeting the 
    organisation in the future.  If organisations hope to prosecute cyber 
    criminals they will have to assign an individual or group with the following 
    responsibilities:
    
    *  investigate crimes that involve computers, networks and the Internet;
    *  recognize, document, collect, preserve, classify, compare, individualise 
    and reconstruct digital evidence;
    *  know when to call in experts or law enforcement;
    *  coordinate with other agencies and organisations that become involved in 
    an investigation;
    *  create and update policies and procedures for computer-related crimes 
    that take into account advances in technology, law and organisational policy;
    *  manage investigations and prepare cases for trial;
    *  testify in court when required;
    *  remain informed about new developments in technology and cyber crime.
    
    These responsibilities do not conform well to the emergency response model 
    that is currently used to deal with cyber crime.  Analysing evidence and 
    preparing a case for trial requires time and meticulous attention to 
    detail.  Therefore, it is sensible to create a specialised Digital Evidence 
    Recovery Team (DERT) that picks up where the CERT leaves off.  For example, 
    when an incident is reported, a member of the CERT could respond, contain 
    the damage and then call in a member of the DERT to salvage the remaining 
    digital evidence.  The member of the DERT could then analyse the evidence, 
    reconstruct the crime, and determine whether it is worth pursuing the 
    perpetrator(s).
    
    This division of responsibility occurs when a person is injured in a 
    crime.  Paramedics tend to the injured person's needs while investigators 
    remain at the crime scene.  Since paramedics are often the first people on 
    the scene, investigators depend on them for information about the crime 
    scene and victims in their original state.  If paramedics have changed 
    anything at a crime scene, investigators need to know this before 
    reconstructing the crime.  The same situation arises when a crime involves 
    a computer or network, and a similar division of responsibility can be 
    useful.  A CERT is responsible for responding to incidents and tends to any 
    immediate needs, while a DERT is responsible for collecting evidence 
    properly and performing a full investigation of a crime.  (Casey 2000, p225)
    
    -=-=-=-=-=-
    
    [1]    Casey, E. (2000), "Digital Evidence and Computer Crime", Academic 
    Press, Great Britain.
    
    
    
     > At 05:03 PM 18/08/01 +0200, you wrote:
     > >Hi all,
     > >
     > >Talking to a lot of persons in the field lately, I don't seem to be able
     > >to find a satisfying answer on the following question. " Topic: Digital
     > >Forensics -- Where is the line drawn between Network Forensics; which is
     > >related to Incident Response, thus focussing on a more IT Security
     > >related domain; and the Data/Computer Forensics terrain; which is more
     > >focussing on finding / recovering and detecting traces of lost files,
     > >... quite often in fraudulent activity?  To me, there is a distinct
     > >technical difference, but 'businesswise' and practical this difference
     > >seems very thin.  Specific situation: imagine, a cracker penetrates the
     > >network.  The Incident Response team wants to react quickly by
     > >identifying the security breach and the result of this incident.  This
     > >involves a post-mortem analysis of the data/logs/...  Is this a 100%
     > >Data/Computer Forensics mission or rather a Network Forensics mission? "
     > >
     > >I know, this is more 'philosophy rather than technics', but ... do share
     > >your opinion in public as well as in private.  If not all, at least I
     > >could get a more clear view on this matter :-)
     > >
     > >
     > >Thanks!
     > >Filip
    
    
    -----------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
    
    This archive was generated by hypermail 2b30 : Mon Aug 20 2001 - 17:59:56 PDT