Comments on Windows Incident Response: Are You Being Served?
Updated: 2024-03-19T07:46:20.437-05:00

Anonymous (https://www.blogger.com/profile/05561078947653401569), 2013-03-26T15:41:45.149-05:00

Harlan,

The challenge of picking a qualified analyst really transcends DFIR. It could be rephrased to state how do I find a quality attorney, CPA, or anyone who offers a professional service.

It's a very good question you ask, by the way, because in my experience, there is no simple formula.

Let me give you the example of selecting a corporate attorney for a firm I worked for. We did our research and ultimately picked a "big name" AMLAW 100 firm whose client list was a who's who of Silicon Valley hot start-ups. The Partner who represented us did nothing but corporate work for start-ups (which we needed) and went to Stanford Law. So we were very comfortable with our pick. Top firm, the Partner has impeccable credentials...we would be well served, right? Wrong.

We weren't well served. The quality of the work and advice we received was consistently below our expectations, and certainly not to the level that earned them such a lofty reputation.

The problem was, the partner was overextended. He had taken on too many clients and he had more work than he could handle. And since the firm I worked for wasn't the next Facebook, our work got pushed to his Senior Associate...then to the Junior Associate, and then to the Paralegal.

So we thought we were doing the right thing by picking based on the firm's reputation and the attorney's credentials, but none of that matters if he doesn't do the work. Bait and switch. Pay for the Stanford grad but the work gets done by a paralegal flunky.

So we switched firms. We continued to look at the firm's reputation but we also got guarantees on who would do the work and we asked very direct questions about how much work the Partner did vs. the Associates. That made a huge difference.

So my advice to anyone looking for a DFIR analyst/consultant would be the same. Pay attention to credentials and industry involvement, but if you're a small operation, think twice about going to a big firm where you could be lost in the shuffle. A smaller firm that can dedicate time and resources to you could just be the better option.

-Shaz

H. Carvey (https://www.blogger.com/profile/08966595734678290320), 2012-12-23T10:58:01.333-05:00

Cheeky,

Thanks for the comment.

<i>...we will be stuck with a variety of organisations and no singular certifying body.</i>

I don't know...I think that the CDFS may be making some in-roads in this direction.

<i>...if clients can't find a definitive indicator of "expertise", they will probably default to the lowest bidder...</i>

That's really no different than what's happening now.

At a recent conference, I asked a room full of people, who was performing shellbag analysis...two people raised their hands, and one of them stated that they hadn't actually done that type of analysis since they had attended SANS training. I then asked who in the room were interested, during exams, in determining a user's actions...and about 80-90% of the hands went up.

So, my question would be, why isn't everyone doing shellbag analysis, or at least asking about it? Are they not doing it because it was not part of the <i>insert vendor name</i> training they attended? Or, are they not doing it because it's not something that their management comes back and asks them about after they've submitted a report? Or...is it not something they do because someone else didn't put it on the checklist?

Going back to your comment (which I tend to agree with...), how is the consumer of DFIR services going to make a determination as to the quality of services they are rendered? My first thought was to look at the reporting...what does the analyst say that they do or did in the report? However, I'm not sure how much they would be able to discern from that report.

I don't know...it's an interesting question.

Cheeky4n6Monkey (http://cheeky4n6monkey.blogspot.com), 2012-12-23T04:27:19.738-05:00

How can we know we are doing/getting quality work?
As a (naive?) newbie, I would think having a common standard of training would help.

Clients can get a basic indicator of their potential investigator's skillset/ability to learn.
Investigators will have a structured method for improvement.

But in reality ...
- multiple jurisdictions of the world
- different areas of investigation (eg crime vs e-discovery)
- the changing nature of technology
will probably mean we will be stuck with a variety of organisations and no singular certifying body.
And if clients can't find a definitive indicator of "expertise", they will probably default to the lowest bidder aka the computer shop.

Anyway, just my 2 cents ... :)