Danged session timeouts... yet another longer post lost... (Retyped in wordpad, and transferred in)
@Andrew - it's signed off on by the highest level management at the customer, who is responsible for the contract negotiation, and ultimately, the pentest. (Preferably the CEO / CIO, but if it's work being contracted below their level, then the highest level manager in the chain.)
@tturner - I agree with you. If a client explicitly requires I keep a copy of their data, so be it. I'm not in the business of turning down business, over something like this. I just strongly emphasize that my preference is to NOT retain ANY data.
I DO have reasons for being so adamant with my clients about this issue. While I've NEVER had it come to a head over a pentest, or professional client data, of my own, I HAVE personally been involved with law enforcement cases, where the simple possession of digital / printed information, even remotely related to a case, was enough that law enforcement pointed fingers at an innocent party. (Credit card fraud, child pornography case)
When I say possession of, I refer to, very literally, the sheer ownership of a computer, and the fact that it COULD have been used to perpetrate a crime, with NO pre-existing evidence that it had. Because the crime was IT-related, and the innocent party's name was even remotely involved (their credit card had been stolen, and used to open a child pornography site), I witnessed law enforcement confiscate EVERY piece of electronic equipment and media (including those that could NOT hold evidence), from them. The innocent party was left to prove their own innocence, because law enforcement very literally had no clue what they were doing, in said investigation. I watched the involved parties get dragged through the mud. Even when I was brought into the investigation, by the authorities, in order to help them gather information, when I proved the party wasn't involved, they continued to hold the materials until their 'investigation' concluded. Said investigation caused the innocent party's property to be held for almost 3 months, even when I showed, without a shadow of a doubt, that they could have had no involvement, by the end of day 3. (I literally handed law enforcement the IP addresses and names of the real perpetrator, from ISP records, research, etc., and was later told that jurisdiction on the case, from that point on, took any and all visibility away, as to whether they arrested the real offender. From what I have later learned from others in the law enforcement community, this isn't as uncommon as you'd hope.)
The point to my story is this... While not all law enforcement are as anally remiss about how to investigate IT-related crimes, the less responsibility I or my company maintain, and the more that is LEGALLY left in the customer's possession / responsibility, the easier it is to defend, in the event of any issues. That's not to say we STILL won't ever end up having to deal with a similar situation, nor that we absolutely won't hold data from a pentest, but it minimizes the chances of future headache, greatly, when all I's have been dotted and T's crossed, in a legally binding document.
Last edited by hayabusa on Mon Sep 24, 2012 4:12 pm, edited 1 time in total.
~ hayabusa ~
"All men can see these tactics whereby I conquer, but what none can see is the strategy out of which victory is evolved." - Sun Tzu, 'The Art of War'
OSCE, OSCP , GPEN, C|EH