Security Minded - from Kai the Security Guy

Some thoughts on security (and other stuff) from a Microsoft security professional

TechEd Australia and TechEd New Zealand 2007: Mission Complete!!


Well, I'm sitting in the (very nice) Qantas Business Class Lounge here at the Auckland Airport, and I'm happy to report that the two events that were delivered in Australia and New Zealand were a huge success! Both events were sold out, and I can see why. The sessions were really well done and provided loads of information. I always consider it a privilege to be asked to speak at events such as this, and I hope my audiences enjoyed our chats. Thank you for sharing your valuable time with me. As always, I think I learned as much as I taught.

I also want to give a shout out and heartfelt thanks to the fine federal agents who assisted me in my computer investigations sessions. Paul Reedy from the AFP provided some valuable insight into investigations and forensics during the Australia closing keynote (aka "locknote") and Scott, Luke, and Matt (also AFP agents) helped drive a very interesting customer "Ask the Feds" Q&A session in Gold Coast. They showed some amazing pictures of crime scenes and what it is they encounter when they show up onsite. Absolutely nasty. (Piece of advice: If you're committing a cybercrime....please take 2 minutes to wipe the slime off your keyboard.....you're going to get caught eventually....and they may go easier on you.) Unfortunately, I'm not allowed to share the photos....but if you did get to see them....you know what I'm talking about. As these fine agents mentioned during the session, if you're interested in a role with the AFP, please feel free to check the AFP website for more info.

Not to be outdone, Simon and Barry helped me provide a tremendous session in New Zealand. Simon and Barry are both with the New Zealand Police Electronic Crime Lab and get to see a lot of interesting things as well. They also took the opportunity to share with us the role they play not only in cybercrime, but also how they contribute when a computer is used in a narcotics or homicide investigation. I especially liked the story of the homicide suspect who named a file on his computer "HowToCommitThePerfectHomicide.doc". Simply amazing.

The key points that all of these agents stressed were:

  1. Contact law enforcement early in your investigation process. They can assist and get you in touch with the right people.
  2. Turn on auditing now! If you need additional drivespace to store logs....get it. You'll be glad you did.
  3. Law enforcement is going to do everything they can to consider your business needs. They are not going to come and start seizing computers if they don't have to. They will work with you to ensure business continuity. However, if you have a machine in your network that has contraband, such as child pornography, on it...they will seize that asset. That's the law.
  4. These guys need your help. You know (or should know) that network better than anyone. Your cooperation ensures they can get what they need quickly, and return you to normal business operations faster.
  5. Finally, if you start doing the investigation yourself...and you mess something up....be honest with law enforcement when they arrive on the scene. 9 out of 10 times, the case can still go to court, as long as they know what it is you did. Hmmmm....be honest with law enforcement.....probably a Best Practice. Might want to write that one down.

Well, I hope that everyone learned as much during these sessions as I did. It was a valuable opportunity to hear from the guys out there actually fighting eCrime for a living. Thanks to the Australian Federal Police and the New Zealand Police for their assistance!

Thanks everyone who attended and for the hospitality of your two fine nations. Cheers mates!

Comments
  • Sadly, I think that it needs to be stated, restated, and stated again that one of the biggest things to keep in mind for internally executed forensics that later involve legal cases or law enforcement is honesty, particularly if you are at that point because your internal folks could get you to the point of knowing something is seriously wrong but really don't have the expertise to effectively handle the incident further.

    The whole "Honesty as a best practice" bit is very true and one would assume would be something known without having to be said but my experience would point otherwise.

  • Great point Falconic! It can not be stated enough! If you do anything to the data, even if it's something horrible like a "nuke and pave", just let the investigators know about it. I had a chat with some of the fine FBI agents here in Dallas, and they summed it up nicely: "We're not there to make you a victim twice." Just be honest. It'll serve you well.
