Yes, I should have been a little more clear. What I meant was a technical forensics investigator and a more "investigative" forensics investigator. Both are investigators, but the separation allows them to focus on certain areas. As with everything, the experience of the people is what counts, and there are people that can do both, but my limited experience has shown two heads to be better than one during an investigation.

phzyat_private wrote:

> Hello,
>
> Why make the distinction? The distinction does not preclude the 'network forensics investigator' from following a legally sound process. In Canada, at least, a log or record (IDS log, sniffer log) collected during an investigation does not fall under the category of a record generated during the course of normal business, so the investigator must strictly adhere to all rules of evidence (not that one shouldn't always do that, but I routinely see 'forensic investigators' comb through a system during an IR engagement, pull logfiles, install sniffers or snort, but not really being careful to ensure that they can attest to the integrity of any information collected).
>
> The bottom line -- get the right person to do the job. Pairing up an investigator that understands the process with a tech can be ok; however, I have seen a problem where the techie overlooks something that is very technical, as he may not understand the relevance in court, and since the investigator doesn't have in-depth knowledge of the technology they are dealing with, something is left out, or they invalidated their process unknowingly, only to be surprised in court when some other investigator performs a detailed QA to point out their flaws. There's really no getting around it; the forensic investigator must be technical and understand process & procedure. That's what makes forensics so difficult!
> - phzy
>
> --
> Sent with Antiplur webmail: http://www.antiplur.com

--
Bill Pennington - CISSP

-----------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
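The integrity point in the quoted message (being able to attest later that the logfiles and sniffer output pulled during an engagement were not altered) is usually handled with a hash manifest taken at collection time. The script below is an added example and is not code from either poster or from this list; the collector name, engagement note and the two sample log lines are constructed for illustration.

```python
"""Evidence integrity manifest: hash every collected artifact at collection
time, then verify the set later and report anything changed, missing or new.
Added example; the investigator name, note and log lines are constructed."""
import hashlib
import json
import tempfile
import time
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large captures do not need to fit in RAM."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(evidence_dir: Path, collector: str, note: str) -> dict:
    """Record who collected what, when (UTC), and each artifact's digest and size."""
    artifacts = {}
    for p in sorted(evidence_dir.rglob("*")):
        if p.is_file():
            artifacts[str(p.relative_to(evidence_dir))] = {
                "sha256": sha256_file(p),
                "size": p.stat().st_size,
            }
    return {
        "collector": collector,
        "collected_at_utc": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
        "note": note,
        "artifacts": artifacts,
    }


def verify_manifest(evidence_dir: Path, manifest: dict) -> dict:
    """Re-hash the directory and classify each name as ok, modified, missing or unexpected."""
    report = {"ok": [], "modified": [], "missing": [], "unexpected": []}
    expected = manifest["artifacts"]
    present = {str(p.relative_to(evidence_dir))
               for p in evidence_dir.rglob("*") if p.is_file()}
    for name, meta in expected.items():
        p = evidence_dir / name
        if not p.is_file():
            report["missing"].append(name)
        elif sha256_file(p) != meta["sha256"]:
            report["modified"].append(name)
        else:
            report["ok"].append(name)
    # Files that appeared after collection are just as suspicious as edits.
    report["unexpected"] = sorted(present - set(expected))
    return report


def demo() -> tuple:
    """Constructed scenario: two collected logs, then an edit and an extra file later."""
    with tempfile.TemporaryDirectory() as d:
        ev = Path(d)
        (ev / "snort.alert").write_text("[**] constructed sample snort alert line [**]\n")
        (ev / "auth.log").write_text("Jan 1 00:00:01 host sshd[123]: constructed sample line\n")
        manifest = build_manifest(ev, "hypothetical investigator", "constructed IR engagement")
        manifest_json = json.dumps(manifest, indent=2)  # what gets stored off the evidence media
        clean = verify_manifest(ev, manifest)
        (ev / "auth.log").write_text("edited after collection\n")  # simulate tampering
        (ev / "extra.pcap").write_bytes(b"\x00")                  # never recorded at collection
        tampered = verify_manifest(ev, manifest)
        return clean, tampered, manifest_json


if __name__ == "__main__":
    clean, tampered, manifest_json = demo()
    print(manifest_json)
    print("clean:", clean)
    print("tampered:", tampered)
```

The manifest only proves anything if it is itself protected: write its own SHA-256 into the contemporaneous handwritten notes, or sign it with a key the collector controls, and keep a copy off the evidence media. Otherwise anyone who can edit an artifact can regenerate the manifest too, which is exactly the kind of process gap the quoted message says gets found in court.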
This archive was generated by hypermail 2b30 : Tue Aug 21 2001 - 09:58:07 PDT