Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Security-Basics
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: Two questions

from [Bert Knabe] Network Security [Permanent Link]
Subject: Re: Two questions
Date: Tue, 26 Feb 2008 08:51:18 -0600
Can you point me to sources about the possibility of needing a PI or other license to do forensics and incident response? I'm the local responder for our site. It sounds like I may be ok for now, being part of the IT staff, but I'd like to know more. I'd especially like to know more before I go to corporate with questions.

Thanks,

Bert Knabe
Technician
Lubbock Avalanche-Journal
806-766-2158


On Feb 25, 2008, at 1:24 PM, Jon R. Kibler wrote:

Michael,

I am NOT a lawyer and do not know the law in your area. However, I do
know that U.S. DoJ is pushing hard to require anyone doing anything
forensics or incident response to be a licensed PI.

Please see my embedded comments...

Michael Condon wrote:
<SNIP>
I also need to find out if you just need certification, or just need to be a licensed PI, or both, in each of the three states. 

My best advice would be to contact the a lawyer or the state attorney
general in each jurisdiction. You may also want to post a question to
Security Focus' forensics mailing list. However, be wary of any 'legal
opinions' you may receive.

However, I can tell you that in SC, to get a PI license requires 2 years
training and a year apprenticeship.

And what certification, if not CHFI, is recognized as sufficiently valid to perform this kind of investigation (perhaps CISSP/ISC2)?

I have heard law enforcement openly laugh at CHFI -- and CISSP and other
non-forensics certs are useless. The certification that I see most law
enforcement agencies require is the ISFCE/CCE -- which, as I understand
it, takes 3 years to obtain.

I've had to do internal sort of forensic work of this sort and more for former employers - it resulted in reprimand or at times termination.

These days, doing such work could easily get you criminally prosecuted.
I have been given legal advice to 'do nothing that can be construed as
forensics.' I was told that looking at someone's browser's history and
showing management where they had been going to xxxporn.com would be
considered doing forensics, as would using DNS query logging or sniffing
network traffic to show similar activity. It is even questionable as to
whether it is technically legal for an organization's IT staff, unless
they have a PI license, to use IDS logs to track down compromised systems,
as that may be considered incident response.

Insane mess? I agree.

Jon Kibler
--
Jon R. Kibler
Chief Technical Officer
Advanced Systems Engineering Technology, Inc.
Charleston, SC  USA
o: 843-849-8214
m: 843-224-2494




==================================================
Filtered by: TRUSTEM.COM's Email Filtering Service
http://www.trustem.com/
No Spam. No Viruses. Just Good Clean Email.


[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  RE: ISO 27001 mapping to PCI, Sheldon Malm
Next by Date:  Re: PI to do Forensics? WAS: Re: Two questions, Adam Pal
Previous by Thread:  Re: Two questions, Bert Knabe
Next by Thread:  PI to do Forensics? WAS: Re: Two questions, Jon R. Kibler
Indexes:  [Date] [Thread] [Top] [All Lists]