SANS Digital Forensics and Incident Response Blog: Tag - Legal

Cloak Your Incident Investigation with Confidentiality

Summary: When an enterprise investigates a data security incident, it is often wise to involve legal counsel early. Counsel may be able to ensure the details of the investigation are kept confidential by law. Infosec Law and Politics Are Dangerous. The law and politics surrounding data security are highly adversarial. Legal and political adversaries have …

Block Pornography - The Bane of Computer Forensics

By J. Michael Butler

What is more important? Searching for porn on an organization-owned asset, or looking for misuse of organization-owned data? Not even a trick question. Too easy. So why do organizations' computer forensic experts still find themselves searching for porn? Because it is there.

New problem? I think not. In T.H.E. Journal, there is an article written in 1997 addressing this same issue and suggesting a product called "Little Brother" to fix it.[1] Today there is a plethora of software products for home and office use, ranging from free to more than $100 per workstation. Some are more effective than others, but evaluation is outside the scope of this article. Just know that


Lawyers Aren't So Bad, After All

This sentiment may vary depending upon whose side of a case you choose. I have had the good fortune to work with several capable lawyers. It has been my experience that lawyers are good listeners when they need input from me concerning my field - forensics. The important thing is to make sure you have a good relationship with legal. The communication lines have to be open, no matter what you think of the "legal eagles" with whom you are dealing.

Just Push a Button...

I wrote code in a former life for a guy who ran a trucking firm. He didn't even know how to turn the computer on. However, when he wanted some new feature, his comment was, invariably, " should just be able to push a button


Lawyers Can Help You Document

Notebook photo courtesy of adulau at flickr.com

It is widely accepted that technical people don't document their work. That has proven, anecdotally, to be true among the techs with whom I work. If documentation gets done at all by techs, it is the very last thing completed, and usually needs to be reworked a few times before it's usable. However, forensics requires good documentation. Legal expects and needs most the thing we often would like to put off or skip entirely.

Michael R Anderson, of New Technologies, Inc., a forensics services firm, writes that "proper documentation of the steps taken during the evidence