CF/IR magazine or blog

23 Posts
7 Users
0 Reactions
1,969 Views
keydet89
(@keydet89)
Famed Member
Joined: 21 years ago
Posts: 3568
Topic starter

AWTLPI,

Thanks, but I guess I'm just not sure where the breakdown in communications is…

H


(@Anonymous)
Guest
Joined: 1 second ago
Posts: 0
 

> AWTLPI,
>
> Thanks, but I guess I'm just not sure where the breakdown in communications is…
>
> H

Hmmm… well, let's try to define exactly what you are looking for. I'm guessing you want more than just lists of "what happened."

Are you looking for sites that detail the postmortem process? Attack patterns, viz. 'We are noticing an increase in Slammer worm coming from IP addresses originating in the following countries….'? Prevention/Remediation methodologies?

As you know Incident "Response" can cover a lot of territory. Everything from 'This is what we think happened…' to 'This is how we fixed the problem… and caught the miscreants!'

-AWTLPI


keydet89
(@keydet89)
Famed Member
Joined: 21 years ago
Posts: 3568
Topic starter

> Hmmm… well, let's try to define exactly what you are looking for. I'm guessing you want more than just lists of "what happened."

Does anyone know of a blog or magazine (online or otherwise) dedicated to incident response and computer forensics?

By that, what I mean is this…knowing that some incident occurred to someone is irrelevant.

I'm not interested so much in sites on pen-testing…that's not "incident response and computer forensics".

I also added the following in another post

1. What do folks look for in a blog that deals with incident response and computer forensics? Or maybe a better question is…do you look for such things?

2. Is there any interest in (reading, as well as contributing to) an IR/CF e-zine similar to Security Horizon or Hakin9, or something like 2600?

> Are you looking for sites that detail the postmortem process? Attack patterns, viz. 'We are noticing an increase in Slammer worm coming from IP addresses originating in the following countries….'? Prevention/Remediation methodologies?
>
> As you know Incident "Response" can cover a lot of territory. Everything from 'This is what we think happened…' to 'This is how we fixed the problem… and caught the miscreants!'

Exactly. You're correct. SANS ISC addresses your example of the Slammer worm very well.

What I'm looking for is this…what is out there that has to do with responding to incidents and performing computer forensic analysis that people follow? What sites, blogs, or lists? What are their strengths, and their weaknesses? What good (i.e., useful) things do they provide, and how could they be better? If you followed a site/blog for a while and then stopped, what (besides the lack of time) caused you to do so?

I'm trying to determine a different/better way of promulgating information, hopefully by getting folks to contribute what it is they are looking for, what they feel they need, what they feel is missing, etc. However, this is specific to the topic of incident response and computer forensics.

Thanks,

Harlan


ddow
(@ddow)
Reputable Member
Joined: 21 years ago
Posts: 278
 

Harlan (and others of course), could you share how you view Incident Response vs Computer Forensics? From my view I see them as separate goals and stimuli, but using similar to identical techniques. I'd like to hear how you view them.

Thanks


(@kovar)
Prominent Member
Joined: 18 years ago
Posts: 805
 

Greetings,

Reading over your restated purpose, I thought of some items I've been looking for in various forensics related sites and was unable to find

1) An open discussion on rate structures.
2) Good, real world, examples of terms of engagements, contracts, etc. with comments explaining why various phrases are included.
3) More examples of good report styles.
4) Lab management practices. How do people running labs manage workflow - documentation, policy, procedure, tools, layout …..
5) Real world examples of case management. (The Security Monkey blogs are a good source of this. Additional sources would be welcome.)

There's plenty of technical information available, there's a lot less administrative information. Some people might not want to share the information for competitive or legal reasons, but I think in the long run we're doing the community a disservice by not helping everyone be a better all around practitioner.

I eventually found these through a lot of work with Google, my own creativity, and my lawyer, but a single, well organized source of this type of information would be useful. Where these exist, they're often long discussion threads. Such threads can be useful to read all the way through, but a well written article or blog summarizing the conversation would be helpful as well.

-David


keydet89
(@keydet89)
Famed Member
Joined: 21 years ago
Posts: 3568
Topic starter

David,

> Reading over your restated purpose, I thought of some items I've been looking for in various forensics related sites and was unable to find
>
> ..snip…
>
> Some people might not want to share the information for competitive or legal reasons, but I think in the long run we're doing the community a disservice by not helping everyone be a better all around practitioner.

I'm sure you would find a great deal of disagreement on that point. For example, how does having access to a billing structure make someone a better practitioner? I would suggest that it doesn't…it does, however, make someone a better armed business development manager. Not only do you have issues with markets (what works in NY isn't going to necessarily be applicable in Ohio), but I think you hit the nail on the head with the competitive issues. You're talking about giving away the "secret sauce".

Finally, the information you're talking about is only of interest to someone who is setting up a forensic practice…most techno-nerds (myself included), LEOs, govvies, etc., aren't really interested in that stuff.

One final thought…would you be willing to post any of that stuff, particularly 1, 2, and 3?

Thanks for contributing…

Harlan


keydet89
(@keydet89)
Famed Member
Joined: 21 years ago
Posts: 3568
Topic starter

Dennis,

> Harlan (and others of course), could you share how you view Incident Response vs Computer Forensics? From my view I see them as separate goals and stimuli, but using similar to identical techniques. I'd like to hear how you view them.
>
> Thanks

This is somewhat off-topic for the thread…could you start another thread for this?

Thanks,

H


(@Anonymous)
Guest
Joined: 1 second ago
Posts: 0
 

> An open discussion on rate structures.

Discussing rates in an open forum is always dicey. In the US, this could lead to accusations of price-fixing. Yeah, we all want to know what the other guy charges, but as has been mentioned, prices will vary greatly depending on geographical location. Then when you factor in variations in case complexity, possibility of having to testify, etc. pricing becomes a very thorny topic.

-AWTLPI


(@kovar)
Prominent Member
Joined: 18 years ago
Posts: 805
 

Greetings,

There are many people on this forum, from all walks of life, with many different interests. While many of us share common technical interests, we branch out in a variety of directions. The LE, corporate internal, and government practitioners might not be interested in the business side of things, but

- Someone they work for is interested. There are costs associated with computer forensics no matter where you work. There are, or should be, SOPs, policies, and contracts in any organization, public or private. Any lab, public or private, should be concerned with good management practices.

- The people uninterested in business practices now may find themselves looking for new opportunities in the future, outside of their current environment.

- Computer forensics practitioners in private practice are growing in number, and in ability. They need good business practices to succeed.

- I think of "computer forensics practitioners" as being more than just the person collecting evidence and doing the analysis. Even if I am totally biased, you should allow that some practitioners will be interested in things like billing practices, even if you aren't.

- To me, the "secret sauce" isn't billing practices, SOPs, tools, report formats, or lab management techniques. It is who you are, how you conduct yourself, and how well you take care of your clients. You can invest in a full lab, top notch people, and all the trappings and still fail. You can be a solo practitioner with a single PC, a write blocker, a single forensic analysis application, and succeed in the eyes of everyone who knows you.

- Saying "the information you asked for is only of interest to …." is somewhat dismissive. You asked for our opinions. If you're going to dismiss them, you'll find people unwilling to contribute as freely in the future.

Am I willing to share the information I gathered or developed for questions 1,2, & 3?

"1) An open discussion on rate structures.
2) Good, real world, examples of terms of engagements, contracts, etc. with comments explaining why various phrases are included.
3) More examples of good report styles."

As AWTLPI pointed out, #1 might be dicey. For numbers 2 and 3, yes, if some others are willing to do the same. I'd like to do so not only to educate others, but so others can look at what I've done and suggest improvements.

Maybe I'm being idealistic. Maybe I should be looking for partners around the country with a similar mindset to share the information with rather than seeking it in the public forums. But, you asked, and I answered ….

-David


Jamie
(@jamie)
Moderator
Joined: 5 years ago
Posts: 1288
 

For what it's worth, I'm very interested in the areas David has brought up as potential topics to explore in some depth (and I tend to agree with the points made in his last post).

Without trying to be all things to all people (and failing) I don't see why we can't cater to the interests of those whose focus is primarily technical *and* those whose scope, either now or at some stage in the future, is somewhat wider.

This thread has brought up some useful points but is starting to move away from Harlan's initial question. Interested parties might wish to branch off to a new thread for further discussion of David's topics. Also, if anyone is keen to contribute something along the lines of an article or paper on these topics please contact me directly, I'd certainly be interested in creating a more permanent resource (beyond just forum discussion) for some of these areas.

Cheers,

Jamie


Page 2 / 3