Re: Two questions



Can you point me to sources about the possibility of needing a PI or other license to do forensics and incident response? I'm the local responder for our site. It sounds like I may be ok for now, being part of the IT staff, but I'd like to know more. I'd especially like to know more before I go to corporate with questions.

Thanks,

Bert Knabe
Technician
Lubbock Avalanche-Journal
806-766-2158


On Feb 25, 2008, at 1:24 PM, Jon R. Kibler wrote:

Michael,

I am NOT a lawyer and do not know the law in your area. However, I do
know that U.S. DoJ is pushing hard to require anyone doing anything
forensics or incident response to be a licensed PI.

Please see my embedded comments...

Michael Condon wrote:
<SNIP>
I also need to find out if you just need certification, or just need to be a licensed PI, or both, in each of the three states.

My best advice would be to contact a lawyer or the state attorney
general in each jurisdiction. You may also want to post a question to
Security Focus' forensics mailing list. However, be wary of any 'legal
opinions' you may receive.

However, I can tell you that in SC, to get a PI license requires 2 years
training and a year apprenticeship.

And what certification, if not CHFI, is recognized as sufficiently valid to perform this kind of investigation (perhaps CISSP/ISC2)?

I have heard law enforcement openly laugh at CHFI -- and CISSP and other
non-forensics certs are useless. The certification that I see most law
enforcement agencies require is the ISFCE/CCE -- which, as I understand
it, takes 3 years to obtain.

I've had to do internal sort of forensic work of this sort and more for former employers - it resulted in reprimand or at times termination.

These days, doing such work could easily get you criminally prosecuted.
I have been given legal advice to 'do nothing that can be construed as
forensics.' I was told that looking at someone's browser's history and
showing management where they had been going to xxxporn.com would be
considered doing forensics, as would using DNS query logging or sniffing
network traffic to show similar activity. It is even questionable as to
whether it is technically legal for an organization's IT staff, unless
they have a PI license, to use IDS logs to track down compromised systems,
as that may be considered incident response.

Insane mess? I agree.

Jon Kibler
--
Jon R. Kibler
Chief Technical Officer
Advanced Systems Engineering Technology, Inc.
Charleston, SC USA
o: 843-849-8214
m: 843-224-2494



