Trusted Adviser
I've blogged before regarding the need for a "trusted adviser", and I recently had an opportunity to respond to a query and recommend, yet again, a trusted adviser.
This time, however, it was a little different, in that the initial question had to do with asking forensic analysts what they would do to educate prosecutors on what is available and what can be achieved from digital forensic analysis. The short story is...a lot. But that doesn't really help answer individual questions as they come up. So, providing an initial brief and then extending that to include something more regular and even on-call would be something that I would recommend.
I did an exam once where our team was asked to look at a bunch of EXE files pulled from a system, in relation to a CP case. While we were delivering our report on the exam, I asked the attorney if she was interested in answering the "Trojan Defense", and she responded that she was...which is why she'd asked us to look at the EXEs. I suggested to her that another approach might be to look to see what files (images, movies, etc.) the various user accounts had been used to view, and provide that list to her, along with dates and times, as applicable. She seemed very appreciative, and provided the necessary data we needed in order to provide the list. Additional information beyond what was requested had been provided, so we were also able to answer other questions specific to remote logins to the systems. The issue ended in a plea agreement. However, that route (Registry analysis) wasn't something that had been considered as a resource previously...so the "trusted adviser" role proved to be very effective.
Having a trusted adviser can be extremely beneficial. You can ask questions about what is available given specific data, and even have someone on hand, whom you trust, to do the actual work. This applies not only to the public sector (LE, gov't, etc.) but also to the private sector. Many times, corporations may purchase an expensive product because they haven't clearly defined their needs in their own minds, and they get that "clarity" from someone in sales. Sometimes, it may simply be beneficial to contact someone to help you define what you're looking at or trying to do.