Amateur (IT Department) Investigators

13 Posts
8 Users
0 Likes
1,300 Views
tracedf
(@tracedf)
Posts: 169
Estimable Member
Topic starter
 

Like most everyone else here, I'm a believer in using the right tools, following good procedures and documenting what I do. I'm also aware that many organizations conduct internal investigations using their own IT staff who are untrained and who will download and run whatever their Google search recommends.

My questions: Have any of you been involved in cases where the local IT department got the first crack at investigating the machines in question? If so, what was the impact on the investigation? What was your role? Did the case make it to court? Did mistakes made by IT cause the case to be resolved in a way that was different from what might have happened if the investigation had been handed to an expert from the start? Anything you can share would be insightful.

Thanks.

 
Posted : 21/03/2017 9:14 am
jpickens
(@jpickens)
Posts: 130
Estimable Member
 

The other question to ask is which in-house counsel thought it was a good idea to let the IT department do that sort of triage? Another could be similar, which CIO thought that was a good idea?

 
Posted : 21/03/2017 4:57 pm
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

Do we have to assume that all IT personnel, particularly those tasked with internal investigations, are untrained and will download and run whatever their Google search recommends (and do we also have to assume that all Google search recommendations are invalid)?

Playing the devil's advocate, of course (wink), but I have the impression that the OP already has a strong opinion on the matter …

jaclaz

 
Posted : 21/03/2017 7:38 pm
tracedf
(@tracedf)
Posts: 169
Estimable Member
Topic starter
 

Do we have to assume that all IT personnel, particularly those tasked with internal investigations, are untrained and will download and run whatever their Google search recommends (and do we also have to assume that all Google search recommendations are invalid)?

Playing the devil's advocate, of course (wink), but I have the impression that the OP already has a strong opinion on the matter …

jaclaz

No; you don't have to assume that. Some organizations do have trained staff within IT or IT Security. I'm specifically interested, however, in cases where untrained IT staff got to investigate first. And Googling to locate a tool is fine, but blindly running things you've never tested without taking any measures to preserve evidence is no bueno.

Strong opinions? Yeah. But, I'm interested in hearing experiences that are good, bad, neutral, strange, whatever.

 
Posted : 21/03/2017 7:46 pm
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

Strong opinions? Yeah. But, I'm interested in hearing experiences that are good, bad, neutral, strange, whatever.

Good :), I posted because it seemed to me like you were only interested in the bad ones.

jaclaz

 
Posted : 21/03/2017 7:51 pm
(@armresl)
Posts: 1011
Noble Member
 

Agreed…

I'll play devil's advocate here also to the OP. What if you are considered an "amateur" because you come from an IT background and not an investigative one?

Also, HTCIA?

Do we have to assume that all IT personnel, particularly those tasked with internal investigations, are untrained and will download and run whatever their Google search recommends (and do we also have to assume that all Google search recommendations are invalid)?

Playing the devil's advocate, of course (wink), but I have the impression that the OP already has a strong opinion on the matter …

jaclaz

 
Posted : 21/03/2017 8:11 pm
(@sgreene2991)
Posts: 77
Trusted Member
 

Being trained in IT and being trained in investigations are two very separate ideas. On the LE side I have had officers muck up cases because they were good investigators, but next to zero IT experience. On the other hand, I have had IT personnel muck up cases because they knew what to do with the technology, but no idea what to look for and how to look for it.

My main point is this: is it necessarily a bad thing to have IT personnel take a stab at it first? Probably not, but you run the risk of evidence being lost. So when those cases come in where in-house IT has looked at it first, I have to sit down with that person (sometimes persons) and go through EXACTLY WHAT they did and HOW they did it. This does a few things: you know going into the investigation whether it's a lost cause, you know if there are going to be any problems with spoliation, and you know if there are going to be problems with testimony.

Document, document, document has always been my motto. If something was done outside of my control, I want to know about it and how it can affect my investigation.

 
Posted : 21/03/2017 8:26 pm
tracedf
(@tracedf)
Posts: 169
Estimable Member
Topic starter
 

I come from an IT background. For the purpose of this thread, I'm not concerned with where people started. I'm curious about others' experiences working on investigations that were started by IT staff with no training, education, experience or specialized knowledge related to computer forensics.

Here are a couple that I'm aware of, but not first-hand.

IT staff at a school searched for pornography on a female teacher's computer. They believed her when she said that she didn't know it was there and that a student must have downloaded it. Weeks later, the teacher was arrested for soliciting minors online. Oops. [Edit: I don't know what tipped them off in the first place.]

A colleague in IT security (with forensic training) works at a financial institution. The IT staff investigated something (that my colleague wasn't at liberty to describe to me) before it was turned over to him. They apparently changed quite a bit and he was not able to salvage the investigation.

 
Posted : 21/03/2017 8:33 pm
(@thefuf)
Posts: 262
Reputable Member
 

Most mistakes were correctable (example: creating a disk image with allocated space only using a proprietary format and sharing it with an external examiner) or mitigable (example: creating copies of suspicious files and/or log entries on a suspect system before imaging and without documenting this). Totally ineligible actions of an IT department (like reinstalling an operating system on a suspect computer right after a malware incident) are not counted. Legal issues (admissibility, etc.) are not counted either.

The really exciting "this is what I warned you about" moment was when the only piece of evidence in a malware case was found in the $LogFile, while another drive (from the same case) had the $LogFile wiped, because someone from an IT team used Ubuntu / Ubuntu-based distribution to acquire the image.

 
Posted : 21/03/2017 8:54 pm
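The $LogFile scenario thefuf describes is the classic case of an NTFS source volume being automounted read-write by a Linux desktop before anyone images it. The example below is added here and is not code from the thread or from any of its posters. It assumes a Linux acquisition box with GNU coreutils (dd, sha256sum), awk and blockdev, and a hypothetical source device such as /dev/sdb; a hardware write blocker and a disabled desktop automounter remain the first line of defence, this script is the software-side check on top of them.

```shell
#!/bin/sh
# Added example (not from the thread). Pre-acquisition checks for an NTFS
# source disk on a Linux box. Assumes: GNU dd/sha256sum, awk, blockdev,
# and a hypothetical source device such as /dev/sdb.

# Given /proc/mounts-style text on stdin, print every NTFS volume that is
# mounted read-write. ntfs-3g shows up as "fuseblk" in /proc/mounts, the
# in-kernel driver as "ntfs3"/"ntfs". A rw mount of the source disk is
# exactly what lets the driver replay or reset $LogFile before imaging.
find_rw_ntfs_mounts() {
    awk '$3 ~ /^(ntfs|ntfs3|ntfs-3g|fuseblk)$/ {
        n = split($4, opts, ",")
        for (i = 1; i <= n; i++) if (opts[i] == "rw") { print $1; break }
    }'
}

# SHA-256 of a device or file, digest only.
hash_source() {
    sha256sum "$1" | cut -d' ' -f1
}

# Acquire $1 into $2 with the device forced read-only at the kernel level.
# The source is hashed before and after dd; identical digests show nothing
# wrote to it during acquisition. The image digest must match as well
# (it will differ if dd hit read errors and padded with conv=sync).
acquire_readonly() {
    src="$1"; out="$2"

    # Refuse to proceed if any NTFS volume is still mounted rw.
    if [ -n "$(find_rw_ntfs_mounts < /proc/mounts)" ]; then
        echo "refusing: NTFS volume(s) mounted read-write" >&2
        return 1
    fi

    blockdev --setro "$src" || return 1
    [ "$(blockdev --getro "$src")" = "1" ] || return 1

    before=$(hash_source "$src")
    dd if="$src" of="$out" bs=4M conv=noerror,sync status=progress || return 1
    after=$(hash_source "$src")
    img=$(hash_source "$out")

    [ "$before" = "$after" ] || { echo "source changed during imaging" >&2; return 1; }
    [ "$before" = "$img" ]   || { echo "image does not match source" >&2; return 1; }

    # Record the verified digest next to the image for the chain of custody.
    printf '%s  %s\n' "$img" "$out" > "$out.sha256"
}

# Usage (as root, device name is an assumption):
#   acquire_readonly /dev/sdb /evidence/sdb.raw
```

The mount check reads /proc/mounts rather than trusting the absence of a desktop icon; on a stock Ubuntu desktop the automounter can mount an inserted NTFS disk read-write through ntfs-3g without any user action, which is the failure mode behind the wiped $LogFile above.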
tracedf
(@tracedf)
Posts: 169
Estimable Member
Topic starter
 

Thanks Thefuf.

 
Posted : 21/03/2017 8:56 pm
Page 1 / 2