Eoghan,

> Here is an example of Locard's exchange principle at
> work in the digital realm:

Your example was excellent! When I've taught my course, we haven't really gotten too far into this area, b/c there is so much other information that needs to be presented to the attendees first...however, it's extremely important that this sort of thing be understood.

> The Windows application used to connect to the Unix
> system (e.g., Telnet, SecureCRT, SSH) may have a record
> of the target IP address/hostname.

In the case of the telnet client on NT, you're absolutely correct. This information will be stored in the Registry. This is NOT true, however, for Win2K. Another issue is that if that was the last connection made using the telnet client, the LastWrite time of the Registry key in question will correspond with the time that the connection was made.

> This is only a quick summary - there are likely to be
> many other exchanges of digital evidence caused by an
> intruder's activities in a given case.

And understanding these things ahead of time is extremely important...whether dealing with forensics or dealing with first responder/root cause analysis/incident response activities.

> Regarding evidence dynamics (a topic near and dear to me),
> I do not see this as a developing trend. Evidence dynamics
> has always been and always will be a challenge that we
> must deal with.

This is another area that I think needs to be better understood...perhaps the "future trend" could be further discussions and education on both of these issues. After all, the way you presented your two examples, it's pretty clear that a failure to understand the exchange principle can lead to an evidence dynamics issue in which valuable corroborating evidence is damaged or destroyed.

Carv

-----------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
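The LastWrite time Carv mentions is a single FILETIME stored in each key's record ("nk" cell) inside the hive, refreshed whenever any value or subkey under that key is written, which is why it only dates the most recent change. The script below is an added example, not code from the original post or from either author: it parses nk cells out of raw hive bytes and converts the timestamp, so an examiner working from a copied hive can read LastWrite without a live Registry API. The key names ("Telnet", "Sessions") and times are constructed test data and are not the key the NT telnet client actually writes; the post does not name that key and this example does not guess it.

```python
"""Read the LastWrite timestamp out of Registry key records ("nk" cells).

Added example, not from the original post. It parses the on-disk nk cell
layout from a byte buffer and converts the FILETIME; the hive fragment it
runs on is constructed below, so no real hive file is needed.
"""
import struct
from datetime import datetime, timedelta, timezone

# FILETIME counts 100-nanosecond ticks since 1601-01-01 00:00:00 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# nk cell layout, offsets from the start of the cell, little-endian, no padding:
#   0 size (negative when allocated)   4 "nk"   6 flags   8 LastWrite FILETIME
#   16..75 fifteen 32-bit fields (access bits, parent, subkey/value counts and
#   list offsets, security/class offsets, size hints, workvar)
#   76 name length   78 class-name length   80 key name
NK_FORMAT = "<i2sHQ" + "I" * 15 + "HH"
NK_HEADER_LEN = struct.calcsize(NK_FORMAT)  # 80 bytes; the key name follows
KEY_COMP_NAME = 0x0020  # flag: name stored as 8-bit characters, not UTF-16


def filetime_to_datetime(ft):
    """64-bit FILETIME -> timezone-aware UTC datetime (microsecond precision)."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    """Inverse of filetime_to_datetime; dt must be timezone-aware."""
    delta = dt - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def parse_nk_cell(buf, offset):
    """Decode the allocated nk cell starting at `offset`; ValueError if it is not one."""
    f = struct.unpack_from(NK_FORMAT, buf, offset)
    size, sig, flags, last_write = f[0], f[1], f[2], f[3]
    subkeys, values, name_len = f[6], f[10], f[19]
    if sig != b"nk":
        raise ValueError("no nk signature at offset %d" % offset)
    if size >= 0:
        raise ValueError("cell at offset %d is unallocated (deleted key)" % offset)
    if -size < NK_HEADER_LEN + name_len:
        raise ValueError("cell at offset %d is too small for its name" % offset)
    raw = buf[offset + NK_HEADER_LEN:offset + NK_HEADER_LEN + name_len]
    name = raw.decode("latin-1") if flags & KEY_COMP_NAME else raw.decode("utf-16-le")
    return {"offset": offset, "name": name, "subkeys": subkeys, "values": values,
            "last_write": filetime_to_datetime(last_write)}


def find_nk_cells(buf):
    """Carve allocated nk cells out of raw hive bytes by signature.

    Cells are 8-byte aligned inside a hive bin, so only offsets where the size
    field would be aligned are tried. Signature carving can still hit false
    positives inside value data; parse_nk_cell's sanity checks drop most of them.
    """
    found = []
    pos = buf.find(b"nk")
    while pos != -1:
        start = pos - 4
        if start >= 0 and start % 8 == 0 and start + NK_HEADER_LEN <= len(buf):
            try:
                found.append(parse_nk_cell(buf, start))
            except ValueError:
                pass
        pos = buf.find(b"nk", pos + 1)
    return found


def build_nk_cell(name, last_write, values=0):
    """Constructed test data: an allocated nk cell with no subkeys (not from a real hive)."""
    name_bytes = name.encode("latin-1")
    body_len = NK_HEADER_LEN + len(name_bytes)
    cell_len = (body_len + 7) & ~7  # hive cells are padded to 8 bytes
    none = 0xFFFFFFFF  # marker used in hives for "no such cell"
    header = struct.pack(NK_FORMAT, -cell_len, b"nk", KEY_COMP_NAME,
                         datetime_to_filetime(last_write),
                         0, none, 0, 0, none, none, values, none, none, none,
                         0, 0, 0, 0, 0,
                         len(name_bytes), 0)
    return header + name_bytes + b"\x00" * (cell_len - body_len)


def demo():
    """Build a small constructed hive fragment and read the keys' LastWrite times back."""
    # Hypothetical key names and times chosen for this example only.
    last_session = datetime(2002, 10, 21, 21, 6, 40, tzinfo=timezone.utc)
    older = datetime(2002, 9, 30, 8, 15, 0, tzinfo=timezone.utc)
    fragment = (b"\x00" * 16  # unrelated bytes ahead of the cells
                + build_nk_cell("Telnet", last_session, values=2)
                + build_nk_cell("Sessions", older))
    return [(k["name"], k["last_write"].isoformat(), k["values"])
            for k in find_nk_cells(fragment)]


if __name__ == "__main__":
    for name, when, nvalues in demo():
        print("%-10s LastWrite=%s values=%d" % (name, when, nvalues))
```

On a live system the same timestamp is what RegQueryInfoKey returns in its lpftLastWriteTime parameter; regedit and reg.exe do not display it, which is one reason it is so often overlooked. Because there is one LastWrite per key and not per value, a later write of any value under the key overwrites the evidence of the earlier connection, which is the qualification in the post above.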
This archive was generated by hypermail 2b30 : Mon Oct 21 2002 - 14:06:40 PDT