RE: Future trends in computer forensics

From: H C (keydet89at_private)
Date: Mon Oct 21 2002 - 11:50:12 PDT


    Eoghan,
    
    > Here is an example of Locard's exchange principle at
    > work in the digital realm: 
    
    Your example was excellent!  When I've taught my
    course, we haven't really gotten too far into this
    area, b/c there is so much other information that
    needs to be presented to the attendees
    first...however, it's extremely important that this
    sort of thing be understood.
    
    > The Windows application used to connect to the Unix
    > system (e.g., Telnet, 
    > SecureCRT, SSH) may have a record of the target IP
    > address/hostname. 
    
    In the case of the telnet client on NT, you're
    absolutely correct.  This information will be stored
    in the Registry.  This is NOT true, however, for
    Win2K.  Another issue is that if that was the last
    connection made using the telnet client, the LastWrite
    time of the Registry key in question will correspond
    with the time that the connection was made.
    
    > This is only a quick 
    > summary - there are likely to be many other
    > exchanges of digital evidence 
    > caused by an intruder's activities in a given case.
    
    And understanding these things ahead of time is
    extremely important...whether dealing with forensics
    or dealing with first responder/root cause
    analysis/incident response activities.
     
    > Regarding evidence dynamics (a topic near and dear
    > to me), I do not see 
    > this as a developing trend. Evidence dynamics has
    > always been and always  
    > will be a challenge that we must deal with.
    
    This is another area that I think needs to be better
    understood...perhaps the "future trend" could be
    further discussions and education on both of these
    issues.  After all, the way you presented your two
    examples, it's pretty clear that a failure to
    understand the exchange principle can lead to an
    evidence dynamics issue in which valuable
    corroborating evidence is damaged or destroyed.
    
    Carv
    
    
    
    -----------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
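The correlation Carv describes (the NT telnet client's Registry key records the last target host, and the key's LastWrite time lines up with the moment of the connection) can be turned into a small check. The script below is an added example, not code from the thread or from any of its authors; the key path `HKCU\Software\Microsoft\Telnet` with its `LastMachine` value is an assumption about the NT 4 client, and the key snapshot and connection log entries are constructed so the script runs offline on any platform. On a live Windows system the same LastWrite FILETIME is what `winreg.QueryInfoKey(key)[2]` returns.

```python
"""Correlate a Registry key's LastWrite time with connection records from the
target host, illustrating the exchange-principle point in the thread.
Added example with constructed data; the key path is assumed, not taken from
the original post."""
from datetime import datetime, timedelta, timezone

# Windows FILETIME counts 100-nanosecond intervals since 1601-01-01 00:00 UTC.
_EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft: int) -> datetime:
    """Convert a FILETIME (as returned by winreg.QueryInfoKey) to a UTC datetime."""
    return _EPOCH_1601 + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    """Inverse of filetime_to_datetime, using integer arithmetic to stay exact."""
    delta = dt - _EPOCH_1601
    micros = (delta.days * 86400 + delta.seconds) * 10**6 + delta.microseconds
    return micros * 10


# Constructed snapshot of the client-side key.  The path and value name are an
# assumption about the NT 4 telnet client; a real case would read them from the
# imaged hive (or from winreg on a live box).
KEY_SNAPSHOT = {
    "path": r"HKCU\Software\Microsoft\Telnet",      # ASSUMED key path
    "values": {"LastMachine": "192.0.2.10"},         # constructed value
    "last_write": datetime_to_filetime(
        datetime(2002, 10, 18, 13, 5, 33, tzinfo=timezone.utc)),
}

# Constructed login records from the Unix side (e.g. telnetd/sshd syslog lines
# already parsed into source, destination and UTC time).
CONNECTION_EVENTS = [
    {"src": "192.0.2.77", "dst": "192.0.2.10",
     "time": datetime(2002, 10, 18, 13, 5, 30, tzinfo=timezone.utc)},
    {"src": "192.0.2.77", "dst": "192.0.2.10",
     "time": datetime(2002, 10, 18, 9, 0, 0, tzinfo=timezone.utc)},
    {"src": "192.0.2.77", "dst": "198.51.100.5",
     "time": datetime(2002, 10, 18, 13, 5, 31, tzinfo=timezone.utc)},
]


def corroborate(snapshot: dict, events: list, window: timedelta = timedelta(minutes=2)) -> list:
    """Return the connection events that the Registry key corroborates: the
    destination equals the key's LastMachine value and the event time falls
    within `window` of the key's LastWrite time.

    Caveat from the thread: LastWrite only reflects the *last* modification of
    the key, so a later connection (or any other write to the key) overwrites
    the time you are trying to match.  A miss here is not proof that no
    connection happened."""
    last_write = filetime_to_datetime(snapshot["last_write"])
    target = snapshot["values"].get("LastMachine")
    hits = []
    for ev in events:
        if ev["dst"] == target and abs(ev["time"] - last_write) <= window:
            hits.append({**ev,
                         "lastwrite_delta_s": (last_write - ev["time"]).total_seconds()})
    return hits


if __name__ == "__main__":
    for hit in corroborate(KEY_SNAPSHOT, CONNECTION_EVENTS):
        print(f"{KEY_SNAPSHOT['path']} LastWrite corroborates connection "
              f"{hit['src']} -> {hit['dst']} at {hit['time'].isoformat()} "
              f"(key written {hit['lastwrite_delta_s']:+.0f}s after login)")
```

With the constructed data only the 13:05:30 login is corroborated: the second event is hours away from the LastWrite time, and the third went to a different host than the one recorded in the key. The window is deliberately small because the key is written by the client at connection time; widen it only if clock skew between the two systems is known and documented.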
    



    This archive was generated by hypermail 2b30 : Mon Oct 21 2002 - 14:06:40 PDT