FW: Evidence Dynamics, was => Re: boobytraps

From: Matt Pepe (mtpepe@code-monks.com)
Date: Mon Dec 03 2001 - 20:21:03 PST

Next message: H C: "hiding data on NTFS drives"

Previous message: H C: "IR/Forensics issues, was => Re: Evidence Dynamics"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Wow, we have more tangents here than a 6th grade geometry class.
Now we are dealing with trained peole (EMTs) instead of 
some random joe who finds a body? Yes, that does change everything.

(cut and paste from a private e-mail I sent out to another
person)
I was alluding to the point that
digital evidence in general is more volatile than most 
physical evidence. Simply walking in to a crime scene 
and "viewing the pages in the subject's IE history" may have 
a high possibility of altering or obscuring evidence and 
destroying information of probative value. (Example given 
from a US Marshall on an actual search that I was on recently.)
While information relating to the case may still be recovered
from the media, going through the process of explaining to the
court why elements of the case were altered can be a huge 
headache, and is better avoided altogether. The information
is hardly ever suppressed for issues like these, but in a court
system where every case involving more advanced topics time is 
spent explaining definitions and theory It is better to ensure 
these issues don't come up at all (advanced from the point of view 
of the local cummunity or judge.)

That is what I was driving at in too few words. Other than clearing
that up, our opinions on the subject are quite similar - most likely 
because we worked for the same organization. :)  I was tempted to 
give another analogy.. A woodchuck, a priest and a EMT walk in to a bar..

-- Matt

-----Original Message-----
From: Rob Lee [mailto:robat_private]
Sent: Saturday, December 01, 2001 1:51 AM
To: 'Matt Pepe'; forensicsat_private
Subject: RE: Evidence Dynamics, was => Re: boobytraps


>  Actually, I contend that this is an invalid analogy.
> If a body is disturbed, forensic evidence from fluids
> and fibers remains intact, unless you decide to clean
> up really quick and pile a few bodies in the corner..
>  On the digital side, if actions are taken, there is
> a nearly 100% chance that the media will be altered.

Yes I agree.  Anything you do changes thing... including doing nothing.
<stuff deleted..>


-----------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

Next message: H C: "hiding data on NTFS drives"
Previous message: H C: "IR/Forensics issues, was => Re: Evidence Dynamics"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Tue Dec 04 2001 - 03:23:48 PST