I had co-moderated a mailing list with Bret Watson and Anton Aylward for
Information Security Auditors FAQ, so I guess I'll volunteer to collaborate
on a Computer Forensics FAQ..from Start to Finish. I am sure my former
employer would be so pleased with me.. -:) They charge lots of money for
this type of stuff, especially for "Making it up as they go along"..
I was more into making the process repeatable by others over and over again
and not looking for the missing pieces especially when one has to
testify. It is a very bad experience when that happens, all those billable
hours wasted because some process was not documented or the person that did
that piece did not document the steps they took. "Was that checksum -rr or
sum -rr"
Peronsally, I never believed in "making it up as one went along" That type
of methodology has never been proven to be scaleable or repeatable. But
that is another discussion altogether.
/mark
> Holly Cow, I'm participating...
>
> I like what I've just seen, although I'm behind on this thread I
>think it's the first time it's been demonstrated this way. Maybe it
>wasn't even intentional. It was the "First and Foremost" comment, the
>start of a ten commandments or industry best practices policy/model. I
>wonder if Mark would be willing to host a "Line Item" web site that we
>could use to house an accumulation of best practices, especially items
>that have been tested in a military or civilian court of law. We could
>even include a section with a chart that compares the different toolsets,
>their interoperability, pros and cons. Like in the IDS list, we should
>set the issue of cost aside.
>
> I've suggest and implemented different process improvements in the
>handling of forensics where repudiation is required. These cases included
>corporate HR requirements and AFOSI investigations/inquiries, we've come a
>long way, yet still no "Industry Best Practices". One of the practices
>you listed below was the attention paid to all unused partition space.
>What about known stego signatures? There's much, much more, but we have
>to keep track of these line items in a central store for all of us to
>enjoy the full benefits.
>
>Thanks,
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
