In-Reply-To: <9993DAE9D49BD411AB180008C7B1FF20053B52EEat_private>

> Eoghan Casey's book discusses evidence dynamics,
> and Rob Lee (http://www.incident-response.org) has
> an excellent analogy, that of a murder
> investigation, which I'll paraphrase:
> Assume you walk into a store, and you notice
> someone lying on the floor. Assume you approach
> the person and try to see if they're all right.
> You roll them over and see a pool of blood under
> them. You call 911 and the paramedics arrive.
> They attempt to revive the person and then get
> them into the ambulance and take them to the
> hospital. In the doctor's care, the victim dies.
> However, the police can still investigate the
> crime, and even prosecute the guilty party.

Actually, I contend that this is an invalid analogy. If a body is disturbed, forensic evidence from fluids and fibers remains intact, unless you decide to clean up really quick and pile a few bodies in the corner. On the digital side, if actions are taken, there is a nearly 100% chance that the media will be altered.

I do see and agree with your point, though. If a system is powered up, there are valid reasons to complete a limited live review of the system. (I think I read this in a book somewhere ;) ) You have to know what and why you are doing those things ahead of time, as well as what the consequences are of each action. Having a defined action plan that you have used in the past is quite essential to success during the litigation process.

--
Matt Pepe
---
www.incidentresponsebook.com (to be updated when our ops tempo slows! hehe)

-----------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
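The "defined action plan" and "know the consequences ahead of time" points in the post above, as an added example (my construction, not code from the poster or the book he cites): a live-review runner that executes only pre-approved collection steps, in plan order, where every step declares what its own execution changes on the system, and a hash-chained log records what was collected so that later alteration of the record is detectable. The plan, its step names, collectors and declared side effects are constructed placeholders, not a real response checklist.

```python
import hashlib
import json
import os
import platform
import time
from dataclasses import dataclass, field
from typing import Callable

@dataclass
class Step:
    name: str
    collect: Callable[[], str]  # what the step gathers from the live system
    alters: tuple = ()          # consequences decided before the step is ever run

@dataclass
class RunLog:
    entries: list = field(default_factory=list)
    last_hash: str = "0" * 64   # hash chain: a later edit to any entry breaks it
    def record(self, step_name: str, output: str) -> None:
        entry = {"step": step_name, "at": time.time(), "prev": self.last_hash,
                 "sha256": hashlib.sha256(output.encode()).hexdigest()}
        self.last_hash = hashlib.sha256(json.dumps(entry, sort_keys=True).encode()).hexdigest()
        self.entries.append(entry)

def run_plan(plan: list, requested: list) -> RunLog:
    """Run only steps in the approved plan, in plan order (volatile data first)."""
    unplanned = [n for n in requested if n not in {s.name for s in plan}]
    if unplanned:
        raise ValueError(f"not in the approved plan: {unplanned}")
    log = RunLog()
    for step in plan:
        if step.name in requested:
            log.record(step.name, step.collect())
    return log

def verify_chain(log: RunLog) -> bool:
    """Recompute the chain; an altered, dropped or reordered entry gives False."""
    prev = "0" * 64
    for e in log.entries:
        if e["prev"] != prev:
            return False
        prev = hashlib.sha256(json.dumps(e, sort_keys=True).encode()).hexdigest()
    return prev == log.last_hash
# Constructed plan (not a real checklist): most volatile first; each step declares what it changes.
PLAN = [
    Step("clock", lambda: str(time.time())),
    Step("platform", platform.platform, alters=("adds the collector process",)),
    Step("cwd_listing", lambda: ",".join(sorted(os.listdir("."))),
         alters=("updates the directory's access time",)),
]
```

Requesting steps out of order still runs them in plan order, and a step name that is not in the plan is refused before anything touches the system.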
This archive was generated by hypermail 2b30 : Fri Nov 30 2001 - 17:33:51 PST