"Am I ready" and other neat questions

From: J. J. Horner (jhornerat_private)
Date: Fri Oct 19 2001 - 12:26:29 PDT

First:

I've been dabbling in the forensics field for a while.  I've
done a few of the projects on Security Focus, as well as my own
honeypot, for the last few months.  I completed the technical part
of the forensics challenge, got the right information, but didn't
submit because I'd never really been exposed to the reporting format
before.  Since then, I've practiced the forensic analysis procedure
a few times on my own.  I've read through a few computer incident
books, including "Incident Response: Investigating Computer Crime"
by Mandia and Prosise (McGraw Hill).  I've been in web server
security for a few years now, and I've done a bit of attack
analysis, virus analysis, and worm analysis through my current job,
although it wasn't my primary focus.

My question:  Am I ready to begin a career in incident handling?

Other questions:

1.  Any problems in imaging a SCSI drive to an IDE drive?  If
the SCSI bus is significantly faster, will I encounter errors trying
to write to an IDE33/66 drive?  Any issues that prompt people to
image to same-bus drives?  dd is my friend.

2.  I'm considering a forensic setup where I have a headless
PC-type machine for mounting the drives (Linux), with a laptop
providing interaction through the serial port via null-modem cable.
Anything to consider using this setup?

3.  Any other good books on the forensics process I should know about?
I've got O'Reilly's book, but haven't read it yet.  I've read
"Basic Steps in Forensic Analysis of Unix Systems", and sometimes
re-read parts of it.  If you've mentioned books or papers on the
list before, don't mention them again.  I'll search the archive.

4.  Any current members of incident teams:  any good public
records that relate to testifying, evidence handling, or
court hearings available would be good.  I'd like to see
what a court appearance is like for a forensic examiner.

Thanks,
JJ

-- 
J. J. Horner
"H*","6a686f726e657240326a6e6574776f726b732e636f6d"
***************************************************
"H*","6a6a686f726e65724062656c6c736f7574682e6e6574"

Freedom is an all-or-nothing proposition:  either we
are completely free, or we are subjects of a
tyrannical system.  If we lose one freedom in a
thousand, we become completely subjugated.
    
This archive was generated by hypermail 2b30 : Sun Oct 21 2001 - 18:32:03 PDT