At 02:50 PM 10/21/2002, H C wrote:

>Eoghan,
>
> > Here is an example of Locard's exchange principle at
> > work in the digital realm:
>
>Your example was excellent! That was a very good example.
>This is another area that I think needs to be better
>understood...perhaps the "future trend" could be
>further discussions and education on both of these
>issues. After all, the way you presented your two
>examples, it's pretty clear that a failure to
>understand the exchange principle can lead to an
>evidence dynamics issue in which valuable
>corroborating evidence is damaged or destroyed.

Amen to education. Most sysadmins are not focused on preservation of forensic evidence, be it for prosecution purposes or technical investigation, but instead on stopping the attack and recovering. It isn't until later, when someone tries to gather evidence, that it's realized that the sysadmins' well-intentioned actions rendered much evidence useless.

Management needs to be aware of this as well, to understand the competing interests at work (quick return to service vs. preservation of evidence) and be able to make an assessment of the tradeoffs needed to best serve the business/agency/etc. interests.

Doug

-----------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Tue Oct 22 2002 - 16:39:02 PDT