RE: Future trends in computer forensics

From: JP Hodgins (cyberhoundat_private)
Date: Wed Oct 23 2002 - 05:51:12 PDT

    At 04:37 PM 10/22/2002 -0400, you wrote:
    
    >Amen to education. Most sysadmins are not focused on preservation of 
    >forensics evidence, be it for prosecution purposes or technical 
    >investigation, but instead on stopping the attack and recovering. It isn't 
    >until later when someone tries to gather evidence that it's realized that 
    >the sysadmins' well-intentioned actions rendered much evidence useless. 
    >Management needs to be aware of this as well, to understand the competing 
    >interests at work (quick return to service vs preservation of evidence) 
    >and be able to make an assessment of the tradeoffs needed to best serve 
    >the business/agency/etc interests.
    
    This is really the difference between Computer Forensics and Incident 
    Response.  Computer Forensics must be very detailed in its approach as it 
    is primarily interested in prosecution as the final goal.  Incident 
    Response on the other hand is primarily interested in restoring the 
    business functions of the systems with a secondary function of discovery 
    (i.e., finding out where and how the hacker got in).
    
    It is important that a company develop good Security Policies/Procedures 
    that indicate what users are to do upon discovery of a hack and how the 
    system administrators are to handle it.  If the goal is to ultimately 
    prosecute, then the time taken to secure a solid image and document the 
    initial "crime scene" will be part of the Security Policy for the company 
    and everyone will be willing to wait out the time it takes to perform these 
    initial critical steps.  To expect an administrator (or other knowledgeable 
    staff member) to perform these tasks when upper management is "on their 
    backs" because the systems are down is unrealistic.
    
    One thing about Security Policies though - it is very rare to find a 
    company with even a basic one, without seeing a decent job done on issues 
    like this.
    
    Just my $.02 worth based on my own experiences.
    
    
    
    -----------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
    
    This archive was generated by hypermail 2b30 : Wed Oct 23 2002 - 06:08:12 PDT