SANS Digital Forensics and Incident Response Blog: Tag - policy

Block Pornography - The Bane of Computer Forensics

By J. Michael Butler

What is more important? Searching for porn on an organization owned asset, or looking for misuse of organization owned data? Not even a trick question. Too easy. So why do organization's computer forensic experts still find themselves searching for porn? Because it is there.

New problem? I think not. In T.h.e. Journal, there is an article written in 1997 addressing this same issue and suggesting a product called "Little Brother" to fix it.[1] Today there are a plethora of software products for home and office use, ranging from free to more than $100 per workstation. Some are more effective than others, but evaluation is outside the scope of this article. Just know that


NCS vs DRN - Educating the Client

As forensic analysis, our product is only as good as our input. And unfortunately, many times our input is not what we would hope for.

If you have worked many unauthorized access cases in the past, you know what I am talking about. These cases are my favorite to work honestly. Seeing the new methods used to compromise systems and the challenge of trying to find every way the system was affected is great. However, much of the evidence from these cases has issues that are common from one case to the next.

First response

For years now users have been taught that on the first sign of problems with their system, the best thing to do is run a full anti-virus check of the entire system. And for good measure, follow that up with an anti-malware scan or two. And for the most part users have got this message.

It is not just users that do this. How many times do you see companies with very informal incident response plans which leaves the process of what to do

... Continue reading NCS vs DRN - Educating the Client