How true how true.

I think what Mark identifies here is something I've had some heart burn with for several years regarding "computer forensics".

First of all some of the software used is solely for "law enforcement" use. This means that a defendant probably won't be able to analyze the media the same way.

Second the perception of 'law enforcement' somehow puts a stamp of authority on a forensic examination regardless of the experience.

Third incident response does not get the attention needed in any 'forensic course' I've ever seen.

Most of the 'computer forensic courses' involve the technical aspect of how to analyze or get to the information. Very little attention is devoted to what to do once you've identified an incident.

None of this requires the individual to be a computer geek but that they follow a guideline of common sense. Common sense with regard to the incident involving the computer.

I feel this is the point where everything can be won or lost. I am trying to work with a company to formulate a course that is broken into two parts.

One procedures for dealing with different types of incidents and guidelines to address each one to establish a reliable chain of custody.

Two procedures for analyzing quarantined/seized devices.

Three utilizing open source forensic evidence gathering tools so both 'law enforcement' and defendants can provide equal arguments.

[ reply ]

Link to this comment: http://www.securityfocus.com/comments/columns/434/34336#34336