
Re: Computer forensics to uncover illegal internet use

Subject: Re: Computer forensics to uncover illegal internet use
Date: Wed, 31 Aug 2005 22:44:33 +0000 GMT
> Yes, of course this is governed by the rules of evidence for the
> jurisdiction they are in.

And governed by common sense, hopefully. If the persons are acting in their 
official capacity in their position within the business, they cannot be 
prosecuted as individuals -- the company can be prosecuted, but the person 
cannot, even if a person is the one who gives a copy to corporate counsel, or 
to a supervisor, or in some other way complies with a stated or an implied 
chain of command or company incident response policy and in so doing literally 
violates a criminal statute. The company can't be imprisoned, and the person 
was doing the company's reasonable business, so no worries. As long as the 
actors do not take actions that fail the 'reasonable company' test or perhaps 
better stated as the Reasonable Corporation Test.

(Yes, I have just coined a term, and a terrible one -- applying the 'reasonable 
person' test to a business even further attributes the quality of being a 
'person' to a corporation pursuant to the 14th Amendment.)

Disagree with my assertion, if you wish. You won't find a statute, presently, 
that makes this clear -- but I have been told recently that the U.S. Attorney 
General is about to give a written opinion clarifying this very topic for 
everyone.

The opinion is reportedly going to include an explicit statement that 
corporations do not have a duty to report in the case of child pornography 
offenses.

It is important to understand that non-corporations (other business entities, 
especially sole proprietorships) may actually have individual criminal 
liability exposure for a variety of people (such as the sole proprietor 
herself) even for circumstances in which a corporate entity and its employees 
would not.

Also, in the case being discussed, as in most cases of alleged employee actions 
at work using a computer owned by the employer, nobody has actually seen the 
alleged contraband. There may be good reason to fear it is present on the 
drive, but suspicion or feelings of a vigilante duty must not be allowed to 
interfere with our proper response, which is to consider the precise 
circumstances that brought the matter to our attention,

A very important and interesting discussion. Hopefully it has guided Edmond 
sufficiently.

(It hasn't been pointed out before, but it appears that Edmond is located in 
Canada where everything is quite different from this U.S.-centric discussion)

Best,

Jason Coombs
jasonc@science.org

-----Original Message-----
From: "dave kleiman" <dave@isecureu.com>
Date: Wed, 31 Aug 2005 17:18:51 
To: "'Jason Coombs'" <jasonc@science.org>, <security-basics@securityfocus.com>
Cc: "'Edmond Chow'" <echow@videotron.ca>, "'Beauford, Jason'" <jbeauford@EightInOnePet.com>, <tobin.craig@va.gov>
Subject: RE: Computer forensics to uncover illegal internet use

Jason,

Now that sounds more like you, and I could not agree more.

I was just a little concerned with the passing of the "contraband"
and the fudging the logs theory.

Yes wipe and go on could be a plausible option, as long as they stop and go
no further. However, if they get involved in making copies of it and passing
it around to whomever (attorney etc.), they have already begun an
investigation and begun handling the contraband.

My vote is stop and wipe, or stop and call the proper authorities.

Yes, of course this is governed by the rules of evidence for the
jurisdiction they are in.

Best regards,

Dave


-----Original Message-----
From: Jason Coombs [mailto:jasonc@science.org]
Sent: Wednesday, August 31, 2005 17:06
To: dave kleiman; security-basics@securityfocus.com
Cc: 'Edmond Chow'; 'Beauford, Jason'; tobin.craig@va.gov
Subject: Re: Computer forensics to uncover illegal internet use

dave kleiman wrote:
> You bring a drive to do an image, you have to do your examination
> there, if you want to leave the imaged info on it, your imaged drive
> now stays in the evidence room. The defense attorney would have
> to come there to view the images, or the LEO would bring it to
> them, but they would not leave it there with them.

Dave,

Nice response. You are correct, of course, that this is how
many jurisdictions prefer that things be done. The prosecutor
and law enforcement do try to follow their own rules once
they confiscate potential contraband.

I am glad to see Tobin Craig cite Title 18, USC 2252, as it
now stands, having been modified by COPPA, etc. in recent
years. It is very important to understand what Federal law
requires of you in order to avoid prosecution for what has
already been done. However, as Tobin acknowledges in his
e-mail, he is unaware that Corporations are treated
completely differently than are natural persons with respect
to the child porn statutes.

If not for the possibility that the worker whose computer is
at-issue may have had their identity stolen or in some other
fashion been framed by the actions of a third-party, such
that the hard drives in the computer are potentially the only
source of evidence to prove reasonable doubt of the person's
guilt, it would ALWAYS be the proper course of action for the
company to wipe the drive and go on with business as usual,
without reporting to law enforcement.

Where much of the discussion thus far has also been mistaken
is in presuming that all jurisdictions operate according to
the same rules and procedures once potential contraband is
confiscated.

This discussion deserves additional attention, for the very
reason that the behavior of various persons on all sides of
this struggle, and in many respects the very statutory
language itself, are outrageous and are ruining lives of
people who are in fact victims -- much the way that the
original child abuse that became the contraband child
pornography harmed an innocent child.

If only persons as well-informed and concerned with the
pursuit of truth, such as Mr. Craig, were more often involved
in advising law enforcement and participating in decisions to
prosecute individual cases.

And if only more corporations were aware that their own
failures to protect their employees' Windows computers from
spyware and other security threats are placing workers at
undue risk of criminal prosecution for doing nothing other
than their jobs.

Sincerely,

Jason Coombs
jasonc@science.org



