List:       security-basics
Subject:    Re: Two questions
From:       Bert Knabe <bert.knabe () lubbockonline ! com>
Date:       2008-02-26 14:51:18
Message-ID: 4DE10F3A-67BE-4747-AA12-18FA96F7652E () lubbockonline ! com

Can you point me to sources about the possibility of needing a PI or  
other license to do forensics and incident response? I'm the local  
responder for our site. It sounds like I may be ok for now, being  
part of the IT staff, but I'd like to know more. I'd especially like  
to know more before I go to corporate with questions.

Thanks,

Bert Knabe
Technician
Lubbock Avalanche-Journal
806-766-2158


On Feb 25, 2008, at 1:24 PM, Jon R. Kibler wrote:

> Michael,
>
> I am NOT a lawyer and do not know the law in your area. However, I do
> know that U.S. DoJ is pushing hard to require anyone doing anything
> forensics or incident response to be a licensed PI.
>
> Please see my embedded comments...
>
> Michael Condon wrote:
> <SNIP>
>> I also need to find out if you just need certification, or just  
>> need to be a licensed PI, or both, in each of the three states.
>
> My best advice would be to contact a lawyer or the state attorney
> general in each jurisdiction. You may also want to post a question to
> Security Focus' forensics mailing list. However, be wary of any 'legal
> opinions' you may receive.
>
> However, I can tell you that in SC, to get a PI license requires 2 years
> training and a year apprenticeship.
>
>> And what certification, if not CHFI, is recognized as sufficiently  
>> valid to perform this kind of investigation (perhaps CISSP/ISC2)?
>
> I have heard law enforcement openly laugh at CHFI -- and CISSP and other
> non-forensics certs are useless. The certification that I see most law
> enforcement agencies require is the ISFCE/CCE -- which, as I understand
> it, takes 3 years to obtain.
>
>> I've had to do internal sort of forensic work of this sort and  
>> more for former employers - it resulted in reprimand or at times  
>> termination.
>
> These days, doing such work could easily get you criminally prosecuted.
> I have been given legal advice to 'do nothing that can be construed as
> forensics.' I was told that looking at someone's browser's history and
> showing management where they had been going to xxxporn.com would be
> considered doing forensics, as would using DNS query logging or sniffing
> network traffic to show similar activity. It is even questionable as to
> whether it is technically legal for an organization's IT staff, unless
> they have a PI license, to use IDS logs to track down compromised systems,
> as that may be considered incident response.
>
> Insane mess? I agree.
>
> Jon Kibler
> -- 
> Jon R. Kibler
> Chief Technical Officer
> Advanced Systems Engineering Technology, Inc.
> Charleston, SC  USA
> o: 843-849-8214
> m: 843-224-2494
>
