
Fwd: comments on evidence draft



Here are some review comments from a friend in the Australian Federal Police.

Barb

>Hi Barb
>
>Sorry about the delay in getting back to you.  I have been flitting around 
>the place and things have been rather hectic.
>
>(snip)

> >I was wondering if you would review a short IETF draft on protecting 
> >evidence. We would like the document to be appropriate world-wide so if 
> >you know others like yourself around the globe, please forward to them as 
> >well.
> >Replies should be sent to the GRIP working group at grip-wg@uu.net
>
>No problem, I have had a look at it now.  One of the first things I noticed 
>missing was any discussion of clock drift.  Did you perchance give these 
>folks a copy of my paper???  If you haven't I will shoot them off a copy.
>
>One thing I noticed is that the guidelines are really for preserving 
>evidence on a compromised system and don't discuss other network evidence 
>sources such as router flow logs (go Cisco...), firewall logs, etc.  I 
>think it would be worthwhile to discuss these sources as well.  Also there 
>are issues with leaving electronic logs around and not just on the 
>compromised system.  I have had a number of cases where the bad guys have 
>found examination logs/emails and played with them as well.  We recommend 
>written logs where possible for key activities as these are readily admissible.
>
> >The draft can be found in the usual IETF archives, or at www.ietf.org, 
> >but for convenience, I've just included it in this message.
>
>I have blasted it to a heap of colleagues and to a law enforcement 
>computer forensic mailing list so that should give the guidelines a heap 
>of commentary.
>
>Glad to hear things are well
>
>Byron
>