> Actually, I contend that this is an invalid analogy.
> If a body is disturbed, forensic evidence from fluids
> and fibers remains intact, unless you decide to clean
> up really quick and pile a few bodies in the corner..
> On the digital side, if actions are taken, there is
> a nearly 100% chance that the media will be altered.

Yes, I agree. Anything you do changes things... including doing nothing. The point of the analogy is to avoid paralysis in an investigation.

In most situations, the EMT is the system admin. The EMT is serving the function of verifying an incident and keeping a system running OK. Sometimes it may be something that is configured wrong, sometimes an IDS tells them something is awry, etc.

How many false positives are there? I wish I had kept some numbers, but while working in an AF IDS ops center we had maybe 1 questionable activity a night while we deconflicted around 4 per hour, near 100 a day. 1 per 100 were something that was not a false positive, and 99 percent of those were probing incidents (port scans) and nothing more.

The trained sys admin/EMT needs to be able to see if there is indeed a dead body in the room. Most sys admins trounce through the crime scene as you described without realizing the cost of their actions on the evidence until it is too late. They need to know HOW to go about verifying a scene while disturbing as little as possible.

Enter the EMT, incident verification team. His main role is to bridge the gap between having a feeling something isn't right and starting the investigation. Sys admins are trained to keep their systems running and configured properly; their first thought is not crime scene preservation, as we all would like. EMTs are trained to keep humans running. All EMTs are trained to try to save lives, but they also are trained to be able to do their job without tromping through a crime scene. They know what they will touch and they know the outcome of every action. They can testify as well.
If a life is to be saved, then their interference in a crime scene will be immediate and disturb more than if there were just a dead body. The same occurs in computers... in some cases you can take your time and affect as little as possible, and in others you will need to move quicker. Monetary losses are the best example of how time could be a factor. Especially since most sys admins know that 99 percent of all glitches are not crime related.

The incident verification principles should be:

1. Avoid paralysis.

2. It is OK to touch the system. Even if performing a methodical search you will need to interact in some way (doing nothing ALSO changes the system). Gathering evidence, even in the most time-consuming, undisturbing way... changes the system. Have procedures and train to them.

3. Document everything. If you know an action might have an unknown effect, as many do, record it. You can testify it was you later on. It is also good to have a recorder watch you or videotape your actions.

> I do see and agree with your point though. If a
> system is powered up, there are valid reasons to
> complete a limited live review of the system. (I think
> I read this in a book somewhere ;) ) You have to know
> what and why you are doing those things ahead of time,
> as well as what the consequences are of each action.
> Having a defined action plan that you have used in the
> past is quite essential to success during the litigation
> process.

Exactly. There are unique roles being played here. Being trained and understanding what cost/effect/benefit/detriment relationships exist is essential. EMTs, trained EMTs, know what their job is as well as what will happen when they respond quickly.

The funny thing about EMTs is that in MOST cases, at least you can see the body when you enter the room. ;) We can't. ;)

Rob

-----------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Sat Dec 01 2001 - 15:50:24 PST
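As an added illustration of principles 2 and 3 above (touch the system only through rehearsed procedures, and document every action so you can testify to it later), here is a small Python action logger for a limited live review. It is example code written for this archive page, not something from the original thread or from the ARIS service. The class name `ActionLog`, the log fields, and the sample commands are assumptions of the example: each command run during verification is recorded with a timestamp, the operator, the argv, the effect the procedure expects it to have, and a SHA-256 of what it returned, and the entries are hash-chained so later edits to the log can be detected.

```python
import hashlib
import json
import subprocess
import sys
import time
from dataclasses import dataclass, field

GENESIS = "0" * 64  # chain anchor for the first entry (example convention)


@dataclass
class ActionLog:
    """Append-only record of actions taken on a live system during verification.

    Every entry carries the hash of the previous entry, so the log is a chain:
    changing or dropping one entry invalidates everything after it.
    """
    operator: str
    entries: list = field(default_factory=list)
    last_hash: str = GENESIS

    def record(self, action, argv, output, expected_effect, ts=None):
        # Record what was done, by whom, when, what we expected it to do,
        # and a digest of what came back (the raw output itself is kept elsewhere).
        entry = {
            "seq": len(self.entries),
            "timestamp": ts if ts is not None else time.time(),
            "operator": self.operator,
            "action": action,
            "argv": list(argv),
            "expected_effect": expected_effect,
            "output_sha256": hashlib.sha256(output).hexdigest(),
            "output_len": len(output),
            "prev": self.last_hash,
        }
        serialized = json.dumps(entry, sort_keys=True).encode()
        entry["hash"] = hashlib.sha256(serialized).hexdigest()
        self.entries.append(entry)
        self.last_hash = entry["hash"]
        return entry

    def run_logged(self, action, argv, expected_effect):
        # Run one rehearsed command and log it before handing back the output,
        # so nothing is executed on the system without a matching entry.
        proc = subprocess.run(argv, capture_output=True, check=False)
        self.record(action, argv, proc.stdout + proc.stderr, expected_effect)
        return proc.stdout

    def verify(self):
        # Recompute the chain from the genesis anchor; False means the log
        # was edited, reordered or truncated after the fact.
        prev = GENESIS
        for entry in self.entries:
            body = {k: v for k, v in entry.items() if k != "hash"}
            if body["prev"] != prev:
                return False
            digest = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
            if digest != entry["hash"]:
                return False
            prev = entry["hash"]
        return True

    def dump(self):
        # One JSON object per line; suitable for writing to removable media.
        return "\n".join(json.dumps(e, sort_keys=True) for e in self.entries)


if __name__ == "__main__":
    # Constructed session: the "commands" are the Python interpreter itself,
    # standing in for whatever the written verification procedure calls for.
    log = ActionLog(operator="verifier-on-duty")
    log.run_logged("check interpreter", [sys.executable, "-c", "print('probe')"],
                   "reads nothing on the host; prints a fixed string")
    log.run_logged("list loaded modules", [sys.executable, "-c", "import sys; print(len(sys.modules))"],
                   "reads process state only")
    print(log.dump())
    print("chain intact:", log.verify())
```

The point of `expected_effect` is that it is written down before the command runs, which is exactly what a defined action plan gives you in litigation: the record shows not only what you touched but that you knew in advance what touching it would do.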