Hi,

Down in NZ I have had (2) large companies in the last ten days, who have links or major shareholders in the USA, require incident management plans which include a specific Computer Forensic response to enable evidence to be admissible in court. The IT staff produced a 'small' document which was immediately rejected by US legal staff. As such, we wrote a plan, including an external CIRT (which included practice incidents), which shocked the IT and HR staff (do not know CEO/Management response) but was accepted by the US.

The point really is that the premise of the IT staff is to fix the problem and the premise for CF specialists is to preserve, as previously stated on the list.

Recent case, yes there are thousands worldwide, where the External IT consultant did not want a server (Power Edge) to be removed out of a third-party supplier's server room. There was controlled access by 24/7 staff. The acquisition could only be completed over a network cable (due to other difficulties), which ran for 2 days. At 0730 on the Monday morning the duty IT technician (not 24/7 staff) went in, disconnected the network cable and removed the floppy disk to restart the machine, without auth and without reference to the very big notice that said do 'not touch'. I arrived 45 min later and had a fit and had to do it again (downtime for the client and the evidence to go to court).

CF specialists need to impress upon the IT staff that the 'exhibit' is under our control for very good reason. They should work within their knowledge base and respect ours.

As time goes by one hopes the professionalism of the CF trade will grow and the non-law enforcement needs be met.

Chris Budge
e-Crime (NZ) Limited
Phone: +64-9-428 1413
Fax: +64-9-428 1417
Mobile: +64-21-270 9581
Email: chrisat_private kiwiat_private
Web: http://www.FighteCrime.co.nz

-----------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Sun Oct 27 2002 - 10:21:32 PST