Re: [Full-disclosure] How we caught an Identity Thief

From: Babak Pasdar (bpasdarigxglobal.com)
Date: Mon Feb 20 2006 - 11:22:35 CST


Valdis,

Thank you for your response.

I would just like to ask you and others not to make presumptions about
our preparedness, the intelligence of our consultancy, our script
writing capabilities or the depth of our team, since I did not emphasize
or define those things in the story. I would certainly like to ask you
not to minimize the time and effort it takes to build a good forensics
case.

I know it is a slow Full Disclosure day, but harping on a writing-style
component of the story is a waste of the list's resources.

What I was hoping the list would appreciate is that something good
happened. A bad guy was caught!

This is my last comment on this issue; I will certainly let you and the
list have the last word.

Again, thank you for your response.

Babak

On Mon, 2006-02-20 at 11:15 -0500, Valdis.Kletnieksvt.edu wrote:
> On Mon, 20 Feb 2006 09:15:12 EST, Babak Pasdar said:
>
> > 1. I had to get back to our office from the client site over an hour
> > away :) Laws of physics to New York City traffic apply no matter what.
>
> Definite lack of resources there. You *really* want to be at least 2 or 3
> deep at the "first responder" position. What if you had 5 minutes before
> gotten on a plane headed for Los Angeles, and thus basically unreachable for
> the next 6 hours?
> > 2. The client or a security company's network are not the best source
> > for scanning and investigation activities. Lest you have someone who
> > looks for these early signs of the investigation. Scans have to be
> > alternately sourced.
>
> Again, a security company that doesn't plan ahead for this and have a few
> AOL or NetZero accounts already set up indicates a security company that
> needs to get ahead of the learning curve.
> > 3. Running a few commands by no means is an indication of a fully
> > packaged and verified set of information. A forensics case has to be
> > started fully documenting all actions and times for possible future
> > reference in legal proceedings. Rushing through something like this and
> > not following procedure is the first step in being caught with your
> > pants down later.
>
> Again, this should not add "hours". If you have procedure in place, it
> shouldn't add much more than 30-45 *seconds* to each command. And if you're
> really smart, you have all the initial queries in a script, and only need
> to document that you ran the script....



_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/