Amateur (IT Department) Investigators


Posted: Mon Mar 20, 2017 11:14 pm

Like most everyone else here, I'm a believer in using the right tools, following good procedures and documenting what I do. I'm also aware that many organizations conduct internal investigations using their own IT staff who are untrained and who will download and run whatever their Google search recommends.

My questions: Have any of you been involved in cases where the local IT department got the first crack at investigating the machines in question? If so, what was the impact on the investigation? What was your role? Did the case make it to court? Did mistakes made by IT cause the case to be resolved in a way that was different from what might have happened if the investigation was handed to an expert from the start? Anything you can share would be insightful.

Thanks.  

tracedf
Senior Member
 
 
  

Re: Amateur (IT Department) Investigators

Posted: Tue Mar 21, 2017 6:57 am

The other question to ask is: which in-house counsel thought it was a good idea to let the IT department do that sort of triage? Another could be similar: which CIO thought that was a good idea?
_________________
------------------------
t: @JasonPickens 

jpickens
Senior Member
 
 
  

Re: Amateur (IT Department) Investigators

Posted: Tue Mar 21, 2017 9:38 am

Do we have to assume that all IT personnel, particularly those tasked with internal investigations, are untrained and will download and run whatever their Google search recommends (and do we also have to assume that all Google search recommendations are invalid)?

Playing the devil's advocate, of course ;), but I have the impression that the OP has already a strong opinion on the matter ...


jaclaz
_________________
- In theory there is no difference between theory and practice, but in practice there is. - 

jaclaz
Senior Member
 
 
  

Re: Amateur (IT Department) Investigators

Posted: Tue Mar 21, 2017 9:46 am

- jaclaz
Do we have to assume that all IT personnel, particularly those tasked with internal investigations, are untrained and will download and run whatever their Google search recommends (and do we also have to assume that all Google search recommendations are invalid)?

Playing the devil's advocate, of course ;), but I have the impression that the OP has already a strong opinion on the matter ...


jaclaz


No; you don't have to assume that. Some organizations do have trained staff within IT or IT Security. I'm specifically interested, however, in cases where untrained IT staff got to investigate first. And Googling to locate a tool is fine, but blindly running things you've never tested without taking any measures to preserve evidence is no bueno.

Strong opinions? Yeah. But, I'm interested in hearing experiences that are good, bad, neutral, strange, whatever.  

tracedf
Senior Member
 
 
  

Re: Amateur (IT Department) Investigators

Posted: Tue Mar 21, 2017 9:51 am

- tracedf

Strong opinions? Yeah. But, I'm interested in hearing experiences that are good, bad, neutral, strange, whatever.

Good :), I posted because it seemed to me like you were only interested in the bad ones.

jaclaz
_________________
- In theory there is no difference between theory and practice, but in practice there is. - 

jaclaz
Senior Member
 
 
  

Re: Amateur (IT Department) Investigators

Posted: Tue Mar 21, 2017 10:11 am

Agreed...

I'll play devil's advocate here also to the OP. What if you are considered an "amateur" because you come from an IT background and not an investigative one?

Also, HTCIA?

- jaclaz
Do we have to assume that all IT personnel, particularly those tasked with internal investigations, are untrained and will download and run whatever their Google search recommends (and do we also have to assume that all Google search recommendations are invalid)?

Playing the devil's advocate, of course ;), but I have the impression that the OP has already a strong opinion on the matter ...


jaclaz

_________________
Why order a taco when you can ask it politely?

Alan B. "A man can live a good life, be honorable, give to charity, but in the end, the number of people who come to his funeral is generally dependent on the weather. " 

armresl
Senior Member
 
 
  

Re: Amateur (IT Department) Investigators

Posted: Tue Mar 21, 2017 10:26 am

Being trained in IT and being trained in investigations are two very separate ideas. On the LE side I have had officers muck up cases because they were good investigators, but had next to zero IT experience. On the other hand, I have had IT personnel muck up cases because they knew what to do with the technology, but had no idea what to look for and how to look for it.

My main point is this: is it necessarily a bad thing to have IT personnel take a stab at it first? Probably not, but you run the risk of evidence being lost. So when those cases come in where in-house IT has looked at it first, I have to sit down with that person (sometimes persons) and go through EXACTLY WHAT they did and HOW they did it. This does a few things: you know going into the investigation whether it's a lost cause, you know if there are going to be any problems with spoliation, you know if there are going to be problems with testimony.

Document, document, document has always been my motto. If something was done outside of my control, I want to know about it and how it can affect my investigation.  

sgreene2991
Senior Member
 
 
