First: I've been dabbling in the forensics field for a while. I've done a few of the projects on SecurityFocus, as well as my own honeypot, for the last few months. I completed the technical part of the forensics challenge, got the right information, but didn't submit because I'd never really been exposed to the reporting format before. Since then, I've practiced the forensic analysis procedure a few times on my own. I've read through a few computer incident books, including "Incident Response: Investigating Computer Crime" by Mandia and Prosise (McGraw Hill). I've been in webserver security for a few years now, and I've done a bit of attack analysis, virus analysis, and worm analysis through my current job, although it wasn't my primary focus.

My question: Am I ready to begin a career in incident handling?

Other questions:

1. Any problems in imaging a SCSI drive to an IDE drive? If the SCSI bus is significantly faster, will I encounter errors trying to write to an IDE33/66 drive? Any issues that prompt people to image to same-bus drives? dd is my friend.

2. I'm considering a forensic setup where I have a headless PC-type machine for mounting the drives (Linux), with a laptop providing interaction through the serial port via null-modem cable. Anything to consider using this setup?

3. Any other good books on the forensics process I should know about? I've got O'Reilly's book, but haven't read it yet. I've read "Basic Steps in Forensic Analysis of Unix Systems", and sometimes re-read parts of it. If you've mentioned books or papers on the list before, don't mention them again. I'll search the archive.

4. Any current members of incident teams: any good public records that relate to testifying, evidence handling, or court hearings available would be good. I'd like to see what a court appearance is like for a forensic examiner.

Thanks,
JJ

--
J. J. Horner
"H*","6a686f726e657240326a6e6574776f726b732e636f6d"
***************************************************
"H*","6a6a686f726e65724062656c6c736f7574682e6e6574"
Freedom is an all-or-nothing proposition: either we are completely free, or we are subjects of a tyrannical system. If we lose one freedom in a thousand, we become completely subjugated.
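The imaging question above (dd from a SCSI source to an IDE target), as an added example that is not part of the original post: a small sh script that images a source with dd and verifies the copy by hash, which is the check that matters regardless of which bus either drive sits on. It assumes a POSIX sh with dd, mktemp and sha256sum (or shasum), and uses constructed temporary files in place of real drives.

```shell
#!/bin/sh
# Added example, not from the original post: image a source with dd
# and verify the copy by hash. This is the check an examiner wants
# whatever buses the source and destination sit on; dd waits for each
# write to finish, so a fast SCSI source cannot outrun a slow IDE target.
# Assumptions: POSIX sh, dd, mktemp, and sha256sum (or shasum) exist;
# the "drives" below are constructed temporary files, not real devices.

# hash_of FILE: print the SHA-256 hex digest of FILE.
hash_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# image_and_verify SRC DST: copy SRC to DST sector by sector, then
# compare digests. Returns 0 on match, 1 on mismatch, 2 if dd failed.
# bs=512 matches the sector size, so conv=sync (zero-fill unreadable
# sectors so offsets stay aligned) never pads the image beyond the
# source; conv=noerror keeps reading past bad sectors instead of aborting.
image_and_verify() {
    src=$1; dst=$2
    dd if="$src" of="$dst" bs=512 conv=noerror,sync 2>/dev/null || return 2
    src_hash=$(hash_of "$src")
    dst_hash=$(hash_of "$dst")
    printf 'source %s\nimage  %s\n' "$src_hash" "$dst_hash"
    [ "$src_hash" = "$dst_hash" ]
}

# verify_image SRC DST: re-check an existing image against its source,
# e.g. after the image has been moved to another disk. 0 = still intact.
verify_image() {
    [ "$(hash_of "$1")" = "$(hash_of "$2")" ]
}

# Demo on constructed data: an 8-sector "drive" filled with the byte 'A'.
demo() {
    work=$(mktemp -d) || return 2
    dd if=/dev/zero bs=512 count=8 2>/dev/null | tr '\0' 'A' > "$work/scsi.src"
    image_and_verify "$work/scsi.src" "$work/ide.img" || return 1
    # Flip one byte in the image: the re-check must now fail.
    printf 'X' | dd of="$work/ide.img" bs=1 seek=100 conv=notrunc 2>/dev/null
    if verify_image "$work/scsi.src" "$work/ide.img"; then return 1; fi
    rm -rf "$work"
    return 0
}
```

Run `demo` to see a matching pair of digests followed by a detected mismatch; on a real acquisition, record both digests with the case notes at the time of imaging.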
This archive was generated by hypermail 2b30 : Sun Oct 21 2001 - 18:32:03 PDT