'Re: Two questions'

[prev in list] [next in list] [prev in thread] [next in thread] 

List:       security-basics
Subject:    Re: Two questions
From:       "Jon R. Kibler" <Jon.Kibler () aset ! com>
Date:       2008-02-25 19:24:36
Message-ID: 47C315F4.2030300 () aset ! com
[Download RAW message or body]


Michael,

I am NOT a lawyer and do not know the law in your area. However, I do
know that U.S. DoJ is pushing hard to require anyone doing anything
forensics or incident response to be a licensed PI.

Please see my embedded comments...

Michael Condon wrote:
<SNIP>
> I also need to find out if you just need certification, or just need to 
> be a licensed PI, or both, in each of the three states.

My best advice would be to contact the a lawyer or the state attorney
general in each jurisdiction. You may also want to post a question to
Security Focus' forensics mailing list. However, be wary of any 'legal
opinions' you may receive.

However, I can tell you that in SC, to get a PI license requires 2 years
training and a year apprenticeship.

> And what certification, if not CHFI, is recognized as sufficiently valid 
> to perform this kind of investigation (perhaps CISSP/ISC2)?

I have heard law enforcement openly laugh at CHFI -- and CISSP and other
non-forensics certs are useless. The certification that I see most law
enforcement agencies require is the ISFCE/CCE -- which, as I understand
it, takes 3 years to obtain.

> I've had to do internal sort of forensic work of this sort and more for 
> former employers - it resulted in reprimand or at times termination.

These days, doing such work could easily get you criminally prosecuted.
I have been given legal advice to 'do nothing that can be construed as
forensics.' I was told that looking at someone's browser's history and
showing management where they had been going to xxxporn.com would be
considered doing forensics, as would using DNS query logging or sniffing
network traffic to show similar activity. It is even questionable as to
whether it is technically legal for an organization's IT staff, unless
they have a PI license, to use IDS logs to track down compromised systems,
as that may be considered incident response.

Insane mess? I agree.

Jon Kibler
-- 
Jon R. Kibler
Chief Technical Officer
Advanced Systems Engineering Technology, Inc.
Charleston, SC  USA
o: 843-849-8214
m: 843-224-2494




==================================================
Filtered by: TRUSTEM.COM's Email Filtering Service
http://www.trustem.com/
No Spam. No Viruses. Just Good Clean Email.



[prev in list] [next in list] [prev in thread] [next in thread]
Configure | About | News | Add a list | Sponsored by KoreLogic