If CrowdStrike did image the server, any subsequent analysis would simply be confirming that the firm hadn’t screwed up.
Dnc server hack analysis by fbi full#
We don’t know exactly what CrowdStrike handed over (the company declined to comment), but that data can range from full disk images to an edited digest of suspicious files and logged connections. Once incident response has been conducted, the crucial evidence can be handed over directly to officials without politically tricky questions of broader access. Similar awkwardness is common at corporate breaches, and the result has given incident response firms like CrowdStrike a persistent business as intermediaries between companies and law enforcement. That’s particularly true for the DNC, since the FBI was actively investigating Hillary Clinton for mishandling classified information at the time - and it’s clear the agency had no reservations about searching for evidence of those crimes in unrelated cases. Turning over a company’s entire network to a law enforcement agency can be an awkward proposition, particularly before the nature of the compromise is clear. That division of labor saves time, but it also protects companies from what could potentially be seen as an invasion of privacy. It’s part of a long-standing division of labor between private firms and law enforcement, in which incident response firms handle the initial analysis and network cleanup, leaving broader legal questions to law enforcement. “In cases like this, the onus for digital forensics is on the third-party contracted by the company that's calling in the incident response team, in this case CrowdStrike.”
“This is normal practice,” says Matt Tait, founder and CEO of Capital Alpha Security. But that’s not a unanimous opinion, and two experts contacted by The Verge disagreed that it was unusual. BuzzFeed described the FBI’s lack of interest in the DNC’s server as unusual, citing a number of response firms that preferred not to be named. "It’s common for the initial forensic analysis to be conducted by outside firms like CrowdStrike, and once that data has been copied, there’s often little need to copy it again.
0 kommentar(er)
