Matt,

I think that the analogy applies if you accept that evidence dynamics is not limited to obliteration of evidence. "Evidence dynamics is any influence that changes, relocates, obscures, or obliterates evidence, regardless of intent, between the time evidence is transferred and the time the case is adjudicated". For instance, in a violent crime, the position of the victim or patterns of blood spatter can be important when reconstructing the crime. If the victim is moved or blood is smeared before they are photographed (e.g. when emergency response personnel move the victim) it becomes more difficult to reconstruct the crime. In this situation, interviews with witnesses or the first responders can help gain a better sense of the original state of the scene.

Even if you are never called upon to assist in the investigation of a violent crime and are just responsible for forensic analysis of computer systems in other types of crime, it can be very helpful to have an understanding of more general aspects of forensic science and criminal investigation. For instance, Criminalistics by Saferstein provides a good overview of Forensic Science. Criminal Profiling by Turvey provides a significant amount of practical information about investigation of violent crime, including evidence dynamics and crime reconstruction.

Eoghan

On Fri, 30 Nov 2001, Matt Pepe wrote:

> In-Reply-To:
> <9993DAE9D49BD411AB180008C7B1FF20053B52EEat_private>
>
> >Eoghan Casey's book discusses evidence dynamics,
> >and Rob Lee (http://www.incident-response.org) has
> >an excellent analogy, that of a murder
> >investigation, which I'll paraphrase:
> >Assume you walk into a store, and you notice
> >someone lying on the floor. Assume you approach
> >the person and try to see if they're all right.
> >You roll them over and see a pool of blood under
> >them. You call 911 and the paramedics arrive.
> >They attempt to revive the person and then get
> >them into the ambulance and take them to the
> >hospital. In the doctor's care, the victim dies.
> >However, the police can still investigate the
> >crime, and even prosecute the guilty party.
>
> Actually, I contend that this is an invalid analogy.
> If a body is disturbed, forensic evidence from fluids
> and fibers remains intact, unless you decide to clean
> up really quick and pile a few bodies in the corner..
> On the digital side, if actions are taken, there is
> a nearly 100% chance that the media will be altered.
>
> I do see and agree with your point though. If a
> system is powered up, there are valid reasons to
> complete a limited live review of the system. (I think
> I read this in a book somewhere ;) ) You have to know
> what and why you are doing those things ahead of time,
> as well as what the consequences are of each action.
> Having a defined action plan that you have used in the
> past is quite essential to success during the litigation
> process.
>
> -- Matt Pepe
> --- www.incidentresponsebook.com
> (to be updated when our ops tempo slows! hehe)
>
> -----------------------------------------------------------------
> This list is provided by the SecurityFocus ARIS analyzer service.
> For more information on this free incident handling, management
> and tracking system please see: http://aris.securityfocus.com

This archive was generated by hypermail 2b30 : Mon Dec 03 2001 - 07:51:13 PST