What is Rape

Sexual assault (including rape as sub-category) is a common crime in Australia affecting 0.3-0.7% of the total population per year and affecting close to 20% of 18-24 year old women in the past 12 months(!) Only 15% of sexual assaults are reported to the police.

Let us define rape. This is difficult as can be evidenced by a quick google search for definitions of rape. Let us go with the following for now:

“Rape is defined as forced, manipulated or coerced sexual intercourse (or other sexual act) against the will of the victim. If the act occurs while the victim is unconscious, asleep or otherwise unable to communicate unwillingness, it is still considered rape.”

(As per Massacheusetts law)

What is Stalking

Stalking too is a common phenomenon, affecting some 23% of people throughout their lifetime, and with rates of 32% amongst people aged 18-35.

There are various definitions of stalking in legal and academic literature. The nature of the behaviours and the intent are controversial areas- if the intent is romantic in nature, is it stalking? Similarly, if it is a seemingly innocent gesture but is repeated and done in such a way to cause (reasonable) fear, is it stalking? Consensus however is reached when it comes to the effect on the victim: it is necessary that the conduct causes the victim to fear for his/her safety. Thus I use the following definition:

“Stalking refers to a course of conduct by which one person repeatedly inflicts on another unwanted intrusions to such an extent that the recipient fears for his or her safety.”

(Purcell, Pathé, Mullen 2004)

Who Rapes, Stalks- and Why?

Many models have been proposed for rape, stalking, sexual murder and sexual assault, striving to represent the diversity of motive and execution evident in the crime.

Summary of Convicted Rapists

Not all rapists (I must point out once again) are psychopathic- fully half are non-psychopathic.

>95% of reported rapes have a male perpetrator. However female rapists are likely very underrepresented due to sociocultural factors and attitudes.

It is also to be noted that rapists carry a recidivism rate (for all crimes) of roughly 50%- the highest rate for violent offenders; convicted paedophiles carry a rate of between 10-50% depending on study and subcategorisation, which includes both child rapists as well as those attracted to children.

Summary of Convicted Stalkers

Stalking has only recently entered the popular lexicon despite reports of stalking behaviours since at least the 1800s; it became a common term only some time in the 1980’s, as a response to celebrity stalkers. This became more generalised to harrassment and predatory behaviour towards non-famous victims.

In contrast with rape, the gender split with perpetrators is roughly 50/50. Once again, this difference may represent greater social acceptability for people to report female stalkers than female rapists.

Various studies of stalkers have also shown that concurrent psychiatric problems (whether psychosis, mood disorder or personality related) were almost universal in this group.

The FBI Model of Violent Crime

The FBI have a model which divides rapists (and other violent criminals) into “organised” and “disorganised” subtypes. Organised being those who plan carefully, leave few traces of their crime, do not do random acts of “ultra-violence”. Disorganised being those who display “chaotic” features (such as ultra-violence, lack of planning, messiness, etc.)

The FBI model has very little evidence to back it and unsurprisingly is widely derided as simplistic, artificial, unreaistic and, well, incorrect.

More Modern Typologies of Rape, Stalking and Sexual Murder

The only reason for the multiplicity of categories in the diagram below is because of the overlap present in the typologies of rapists, sexual murderers and stalkers in the studies below. These studies took data from crime scenes, criminals and victims and came up with distinct behavioural and motivational clusters.

(Click for larger version)

However, when you compare the studies it would be more accurate to speak of roughly 6 subtypes as follows:

• 1a: Violent, aggressive types who are motivated by pure revenge against the victim. Thus, entirely violent, paranoid motivations, associated with paranoia as well as Cluster B* (antisocial, narcissistic, borderline, histrionic) personality traits.
• 1b: Violent, angry and power-obsessed types who are motivated because of (perceived) rejection by the victim. Thus, sex/intercourse is also a factor. Associated with Cluster B traits.
• 2a: Socially inept, intimacy seeking, incompetent types who do not know any other sure-fire method of procuring intimacy/intercourse and/or who rape because they feel socially inadequate and insecure. They are purely motivated by the desire for sex/intimacy and only use as much force is necessary to get what they want. Murder is an accidental sequel to this. Usually socially inept/of low IQ.
• 2b: Delusional, intimacy seeking types who believe that their victim is in love with them back. Associated with psychosis and schizophrenia.
• 3: Sadistic, fetishistic, predatory types who plan meticulously and whose motivation is complex violent sexual fetish- an extreme form of the combination of sex and violence. Very dangerous, unrepentant, skilled. Associated with psychopathy and extreme paraphilias.
• 4: “Other”. This more nebulous group includes oppportunistic, inept, short term, unplanned acts of random violence, often associated with the commission of other crimes including robbery.

*Cluster B personality disorders include: antisocial (violence, disregard for others’ rights, egocentrism, low empathy, includes the subgroup of psychopaths), narcissistic (egocentricity, inflated self-esteem, callous disregard for others), histrionic (attention-seeking, shallow but dramatic moods, egocentrism, overdramatic), borderline (unpredictable behaviour, low self-esteem, inner emptiness, clingy behaviour, mood swings, rapid change from idolisation to demonisation). This group of disorders has high overlap and there is a (possibly cultural) propensity for men to be diagnosed (or misdiagnosed) with APD or narcissism vs women and BPD or histrionicity.

So you see, it is not as simple as “organised” vs “disorganised”, “sane” vs “insane”, or “rape as power”. Rape has many many motivations including power, sex, revenge, delusion, opportunity. Similarly it is not just psychopaths who rape. Fully half of all rapes are committed by people who have other psychological problems, or even no identifiable psychological problem at all.

The results of the rape are also varied. Someone who is motivated by an inept desire for intercourse may end up killing the victim. Someone motivated by psychopathic predatory thoughts may only stalk their victim and never proceed to rape or sexual murder.

MTC:R3 – Towards a More Complex Model of Rape

I did lie. There was some significance to the multiplicity of categories.

(Click for larger version)

The Massachusetts Treatment Center Rapist typology, Version 3 (Knight & Prentky, 1990)

This taxonomy (think species) of rapists is more nuanced and based on a larger set of data. Rather than relying on 4-6 unrelated categorisation, it incorporates underlying psychopathology, motive and the level of violent and/or sexual motivation that is behind these rapes.

There is, then, an interesting distinction that comes about which I shall illustrate below:

(Click for larger version)

I have recoloured the diagram so that the level of red represents sexualisation and the level of yellow represents violence.

In non-psychopathic sexual offenders, violence and sexualisation are inversely correlated- they range from red to yellow with only a very muted orange in-between. However, in psychopathic sexual offenders, violence and sexualisation are positively correlated- they are only various shades of orange. Note that this is true only for psychopathic RAPISTS, not for ALL psychopaths. Thus, perhaps in that minority of psychopaths who rape, violence and sex are much of the same emotion. This is in fact reinforced by the finding that while the VRAG (violent risk appraisal guide) which includes the PCL:R (the most common scale for measuring psychopathy) is a reasonable predictor for psychopathic rape and recidivism, an adjusted scale known as the SORAG (sex offending risk appraisal guide) which includes physical measurement of sexual arousal to sexual deviance in fact correlates with this criminal behaviour much better.

And here we reach perhaps the crux of what I used to not understand about this crime. How such a thing could be done.

How could someone do this?

Some people do not know how to have sex, so they force it out of someone to get their way; they do not know much better. Some people are particularly angry and want to hurt and humiliate someone in particular and they know the effect that rape has; it is not about sex, it is about power and violence. Some people are just so horny and angry at the same time, or so turned on by domination and humilation that they plot and plan and find a victim to lash out at and fulfil their fantasies.

And.

Some people do it because there’s someone right there and they just can, very easily- maybe just ignore that they’re saying no or that they passed out or that they’re drunk or drugged or happened to be there, pretend that it was the heat of the moment and they were really asking for it and how could someone stop themselves in that situation. I mean, you understand don’t you? It’s not like [person] would’ve ever been in that position if they didn’t really want it, and you know how [person] is such a tease and they put me in this position where I just couldn’t help myself. What are you gonna do in that situation? Just stop?

I guess my point is that many people are apologists for the opportunity rapist and the date rapist. In fact, there are many who argue that it is not rape or that in that situation maybe they would do the same thing, or that the victim is to blame for the assault. Look at the underlying thought process and see its real meaning though:

“I raped because I could”

It is an abnormal thought process. It is in fact a psychopathic thought process. It is not the product of the usual human mind. The “I could not stop myself” and the “she was asking for it” are merely excuses and justifications for the true reason- “because I could”.

Discussion

I believe that it is facile and simplistic to conclude that distinguishing particular patterns of rape means that some rapes (as defined above) are not rapes or that rape is a lesser crime according to motivation or psychopathology. The effect on the victim of the rape is dependent on many factors including the psychology of the victim- we do not claim that it is not a rape if the victim recovers better from the psychological trauma, so why should we claim that it is not a rape if the motivation for the rape was X, Y or Z?

Sentencing is yet another issue and an altogether unrelated one. Sentencing takes into account societal impact, likelihood of recidivism and other factors- it is not and should not be interpreted purely as a measure of morality. It is a means by which society maintains social control, order, attempts to reduce the likelihood of crime and segregates the potential recidivist from potential future victims.

Some rapists, stalkers, sexual murderers are far more amenable to rehabilitation than others. Some rehabilitation exercises do reduce recidivism and some do not. These factors are very important to find because of the following statistics:

• 50% of rapists re-offend in some way
• 50% do not
• Nearly all stalkers who harrass their victims have an associated psychiatric diagnosis- which may vary from frank schizophrenia/psychosis to an embedded personality disorder.
• Non-psychopathic offenders respond well to rehabilitation and therapy- some reoffend anyway but in significantly lower numbers
• Psychopathy as a personality trait has shown very little promise for treatment and psychotherapies used for non-psychopathic offenders in fact increase or have no effect on recidivism rate- but early research suggests psychopathic offenders may show lower recidivism rates as a result of punishment/behaviour based regimens

Thus, as a heterogenous group of people it is important that society does more research and action into finding appropriate stategies for managing these complex crimes. There is some suggestion that the gradually increasing sentence and taboo against rape has in fact led to a far lower rate of conviction for offenders than previously- someone is far more likely to plead guilty to a 2 year sentence than a 10 year one.

Perhaps we should champion a graded system for rape and sexual assault- the first offence being 2 years and psychiatric evaluation, treatment and rehabilitation. The 2nd offence, 5 years with treatment and close community monitoring, the 3rd 10 years with treatment and very intensive community monitoring. First time offenders would be more likely to admit to their crime and all would undergo measures to attempt to rehabilitate them. However the punishment would increase with each subsequent offence- and remember it is much easier to reconvict someone than to convict someone on a first time offence. Accordingly there should be close surveillance of this vulnerable group to lessen the risk of re-offending.

With stalking, the psychiatric diagnosis is paramount; some stalkers are experiencing a frank psychotic episode and requite psychiatric hospitalisation and treatment. Others may be motivated by a personality disorder such as borderline personality or psychopathy. Depending on what this is, treatment and punishment should proceed accordingly.

Conclusion

Rape and stalking are common crimes affecting a large percentage of the population. They are also under-reported crimes. Thus it is highly likely if not definitely true that we all know someone who has been raped, stalked or both. Even if the number of perpetrators is low – this would imply a high re-offending rate, consistent with the data. Not only are these crimes common, but their incidence far outweighs the likelihood of a false report. False reports no doubt happen and it is very unfortunate and vindictive if they do so; however such events are very rare indeed and far more common is true rape, stalking and sexual assault.

Rapists and stalkers both commit their crimes for a variety of reasons, sexual, violent or both. These reasons include desire for intimacy, revenge/retaliation, sexual fetishism and pure opportunity. Both rapists and stalkers have a high rate of recidivism and co-existing psychiatric diagnosis, whether it be psychotic, mood-related or personality disorder including psychopathy. They are a complex group of criminals with varying motivations and modes of activity but this makes their crimes no less wrong.

Similarly, victims range from young women of reproductive age to babies to old women to old men to young men and anywhere in between. This variability indeed highlights the fact that no victim of rape or stalking is deservent of the crime but is in fact a “convenient object” for the commission of the crime. If it were not them, it would be someone else, so to speak.

It is important that we recognise that these crimes do happen to people we know and are far more common than we realise. It is also very important not to blame the victim and to realise that most of the perpetrators are mentally ill individuals who require psychiatric treatment, rehabilitation and/or even segregation from the greater community.

December 17, 2009

• I had my sixth shot today. No side effects other than occasional itchy skin. I give another blood test on the 30th of December. Hopefully it will show no copies in my blood.

December 19, 2009

• I attended the 21st annual Oppenheimer Park festival. It was really quite good with plenty for everyone. I managed to get a winter vest, gloves and hats, and a sweater.
• Not doing much on the home front. I am just downloading a bunch of music that I got at the library.

December 22, 2009

• I have been waiting to see if my lawyer is going to contact me or not so that I can make plans to appeal the Conditional Discharge that I again received.

Bah Humbug and Season’s Greetings

Play the following for your enjoyment:

Robert Plant’s “Darkness, Darkness“;  Van Halen’s “Mean Street“; Bad Finger’s “No Matter What“; Simon & Garfunkel’s “I Am A Rock” and John  Lennon’s “Imagine“.

Melt Restaurant in Lakewood, Ohio is offering a 25% discount for life for their customers who get a tattoo of their logo, a grilled cheese sandwich, on their bodies. H/T Bob

I’ve seen many interesting tattoos as a forensic pathologist. The guy who shot his wife and then turned the gun on himself, who had tat of a naked woman in chains kneeling in front of a grotesque skull castle. That was when I started really noticing and researching tattoos. The alcoholic who had “your name” tattooed on his penis, and used it to win bar bets (and died of cirrhosis). The man who was shot by police with the word “Outlaw” written across his chest in fractur script.

I’ve seen plenty of Harley Davidson tattoos. I’m not sure that I would be willing to get a brand name upon my body, even if it was a brand I liked. I tend to favour classic tattoo iconography, companies and brands both change too often. I also think that a human analogue of a NASCAR vehicle is…creepy.

Come see the progress!
http://www.therevelationpainting.com
You are the first to see it.

Apologies for the semi-serious post. There’ll be a funny Christmas one along soon.

First there was COFEE. I wrote about COFEE in my first blog on here, but it was mostly as a way of introducing a piss-taking article about the different groups who comment on computer forensics in the online geek press.

In case you don’t know, COFEE is a bundle of freely available, mundane volatile-data collection tools released by Microsoft to LE only. It isn’t exciting, but the fact that it was shrouded in mystery at Microsoft’s behest made for some hugely entertaining speculative column inches on t’internet.

Then a few weeks ago, COFEE was leaked onto said t’internet and merriment ensued. At first the frenziedly self-polluting masses whooped with joy at the release of this pernicious tool – it was Darth Vader’s helmet, the eye of Sauron, Freddy’s claws, Silas’s cilice, the evil Nazi’s monocle – and it was IN THEIR GRASP! This’d really stick it to the man! Yeah! Then they paused for a bit (while other people who actually knew what they were doing had a look at COFEE and reported back), and they realised that it was a bit crap really.

The mob by this time were in a witch-burning mood, and they weren’t going to be thwarted by the fact that their bride of Satan was revealed to be just some unpopular bint with a hook nose. So they created an effigy, and this effigy was given a non-too-subtle  placard reading ‘Law Enforcement Computer Forensics Practitioners’. ‘Look!’, they howled, ‘this thumbdrive of Sysinternals apps is the SUM TOTAL OF POLICE KNOWLEDGE! This is the only forensic tool that the police have ever used, ever, in their lives, ever! Ever! They go swanning into houses, plug in this thing and send people to prison…with this crap!’

And lo, the LE forensics folk said ‘LOL’. And most of the private sector folk had already realised that they’d never actually been called on to look at evidence gathered with COFEE by the police, and they weren’t too bothered either, particularly when they attended a mixed-class live forensics course (such as the excellent ones run by Nick Furneaux) and realised that everyone was using the same tools anyway.

And then there was DECAF. This was released as an antidote to COFEE, a set of tools that would detect when some jackbooted minion of the state plugged COFEE into a computer, and drive a stake through its cold, black heart. The ignorant masses rejoiced again, for they had found a witchfinder general who would stop the evil minions of The Man from erm… using their lawful powers to catch criminals. Whatever. Comments threads in news articles were positively dripping with the froth expelled by these people, as they did their utmost to imitate the taxonomy I’d set out in my first post (don’t believe me?)

In the latest instalment of this saga, the authors of DECAF have revealed that their toolkit was a stunt (along with what surely wins the prize for ‘most incongruously placed proselytizing‘). It’s not a hoax as such – the tools work, if you can be bothered to reactivate them – but they seem to have released their set of mundane, push-button tools to make a point about governments relying on mundane, push-button tools to do their work for them. DECAF, like COFEE, is a bit crap. As this excellent article at Praetorian Prefect points out, the time that paedos spend trying to get it work is time away from their offending – and if it gives them a false sense of security, all the better. I can just imagine them howling with rage as their computers are taken out in black bin bags “You didn’t use COFEE! Go on, plug COFEE in and see what happens! Not fair! Some tape-changer on Slashdot said that you all use COFEE”

DECAF’s purpose is very noble, and it’s hard to argue with the sentiment…except that as far as I can see, we haven’t been “relying on a tool to automate the process of forensics”, not in the way that the DECAF authors meant anyway. I work in the UK, and I’ve never heard of anyone using COFEE in anger. Just because MS released it to LE, doesn’t mean we use it. It’s one of the options out there, but there are toolkits that do more, do it better, and do it with tools that have been widely tested and that don’t rely on secrecy to protect them (from what? I don’t know, MS never said). Automating’s fine, and no one working in LE has the luxury of approaching every job with nothing but a hex editor and DD in their hand any more, but you’ve also got to be able to understand and validate your findings. That’s the message that they should have been trying to get across.

COFEE was never a tool for forensics people, it was a tool for untrained first responders, probation officers, sex offender units etc. The argument about whether these people should be touching a suspect’s computer is one for another day (and probably another blog), but my feeling is that if the circumstances dictate, the powers to search are there and it’s the difference between getting some vital evidence on an offender and not getting it, then the evidence should be got and the technical provenance can be discussed reasonably by the experts before court.

When someone asks me for a read-only USB stick, I recommend to use an SD card with a SD-to-USB adapter, because these are easier to find than USB sticks with write-protection. Most SD cards have a write-protection tab.

But last time I got a surprise: when testing a new SD card reader, I was able to write to the write-protected SD card. Turns out that this particular SD card reader doesn’t support the write-protection tab and always allows the OS to write to the SD card.

I was downloading some things from Microsoft Dreamspark, and I needed to mount an ISO without actually burning a DVD/CD.

I bounced around to several sites, and I found a couple of things.  There is an attractive project on sourceforge (windcdemu) that does not work in Windows 7.  You can find the project at http://wincdemu.sysprogs.org/ if you want to give it a shot. 

I went further and found Virtual Clone Drive: http://www.slysoft.com/en/download.html

This fellow has this in his list of software as the last item.  It is freeware.  I installed the software, and it required a reboot.

I mounted the drive by right clicking on the ISO:

And there I had it.  My ISO of Visual Studio 2010 worked like a champ!

I saw a reference to this in one article.  It appears to be a Microsoft CD ROM emulator. 

The Microsoft product did not work for me, but you can try it to see if the .sys file works for you.  It seems a little old, and it might not be Windows 7 compatible.  You can try it if you want:

For more information, see the Readme.txt file for Virtual CD-ROM Control Panel. This file is included in the Virtual CD-ROM Control Panel download.
The following file is available for download from the Microsoft Download Center:

Download the Microsoft Virtual CD-ROM Control Panel package now. (http://download.microsoft.com/download/7/b/6/7b6abd84-7841-4978-96f5-bd58df02efa2/winxpvirtualcdcontrolpanel_21.exe)

In generale, un ricercatore di computer forensic utilizzerà uno strumento per raccogliere dati da un sistema (ad esempio un computer o una rete di computer) senza alterare i dati su quel sistema. Questo aspetto di un'inchiesta, la cura per evitare di alterare i dati originali, è un principio fondamentale del computer esame medico-legale e di alcuni degli strumenti disponibili includono funzionalità specificamente progettato per sostenere questo principio. In realtà non è sempre facileraccogliere dati senza alterare il sistema in qualche modo (anche l'atto di chiusura di un computer al fine di trasporto, essa cambia causa più probabile che i dati su tale sistema), ma un investigatore esperto sarà sempre possibile per proteggere l'integrità dei dati originali quando possibile. Per fare questo, gli esami di computer forensic implicano la realizzazione di molti dei una copia esatta di tutti i dati su un disco. Questa copia è chiamato l'immagine e il processo di creazione di un'immagine èspesso definito come l'imaging. E 'questa l'immagine che di solito è l'oggetto di un successivo esame.

Un altro concetto chiave è che i dati cancellati, o parti di essi, possono essere recuperabile. In linea generale, quando i dati vengono eliminati, non è fisicamente cancellati dal sistema ma solo un riferimento alla posizione dei dati (su un disco rigido o altro supporto) viene rimosso. Così i dati possono essere ancora presente, ma il sistema operativo del computer non è più "sa" su di esso. Con l'imaginge l'esame di tutti i dati su un disco, piuttosto che solo le parti conosciute del sistema operativo, potrebbe essere possibile recuperare i dati che sono stati eliminati accidentalmente o intenzionalmente.

Sebbene la maggior parte di strumenti del mondo reale sono destinate a svolgere un compito specifico (il martello per piantare chiodi, il cacciavite per girare una vite, ecc), alcuni strumenti sono progettati per essere multi-funzionale. Allo stesso modo alcuni strumenti di computer forensic sono progettati con un solo obiettivo in mente, mentre altri possono offrire unintera gamma di funzionalità. La natura unica di ogni inchiesta dovrà stabilire quale strumento di toolkit per lo sperimentatore è il più adeguato per il compito in mano.

Così come in diverse funzionalità e la complessità, computer forensic strumenti differiscono anche in termini di costi. Alcuni dei leader di mercato commerciale dei prodotti costano migliaia di dollari, mentre altri strumenti sono completamente gratuiti. Ancora una volta, la natura dell'esame forense e l'obiettivo della inchiesta dovrà stabilire lapiù strumenti adeguati per essere utilizzati.

La collezione di strumenti a disposizione del ricercatore continua ad espandersi e molti strumenti vengono regolarmente aggiornati dai loro sviluppatori per consentire loro di lavorare con le ultime tecnologie. Inoltre, alcuni strumenti di fornire funzionalità simili, ma una diversa interfaccia utente, mentre altri sono unici nelle informazioni che forniscono al esaminatore. In questo contesto è compito dell'esaminatore computer forensic a giudicare quali strumenti sono lapiù adeguata per un accertamento, tenuto conto della natura delle prove che devono essere raccolti e il fatto che a un certo punto può essere presentata ad un tribunale. Senza dubbio, il numero crescente di entrambe le cause civili e penali in cui gli strumenti di computer forensic svolgere un ruolo importante fa di questo un campo affascinante per tutti i soggetti coinvolti.

See Also : Dewalt healthy i diet

There is something quintessentially British about the unique blend of gusto and gibberish which makes up a Gilbert and Sullivan operetta.  What is less well known, perhaps, is that Arthur Sullivan also wrote the music to the world-famous hymn ‘Onward Christian Solidiers’. 

It seems he also tried his hand at a lyric to the tune, which was later discarded.  Now, though, the sole surviving copy of that lyric has emerged – yet another extraordinary treasure recently found amongst a cache of forgotten manuscripts.

We are delighted to reproduce the full lyric here.

Tune:  St Gertrude by A. Sullivan

Hymn for the Unsung Heros

Onward First Responders, marching as to war,
With the ACPO Guidelines going on before.
Tableaus at the ready, armed against the foe,
Forward into battle see those White Hats* go!
(*LE singers may substitute “Blue lights” here. – AS.)

Refrain

Onward First Responders, marching as to war,
With the ACPO Guidelines going on before.

Dawn of retribution! Watch the suspects stare;
They and their Redeemer know what you’ll find there!
All their nasty surfing, docs and pix and more;
See, they fear the advent of the long arm of the Law.

Refrain

Image every hard drive, every USB,
Make a very detailed chain of custody,
There will be no tiny evidential fault
Bag and tag and walk the lot then slap it in the vault.

Refrain

Run it up in EnCase, data carve ‘til dawn
Bookmark hot and gmails, all the dodgy porn,
Short and sweet the statement witnessing the crime
Which gets them off the premises or even doing time.

Refrain

Like Olympic medalists going at full steam
Onward First Responders!  Ply that data stream!
Vanquish all the villains, work with all your might
Show the unbelievers just how ev’ry bit can byte

Arthur Sullivan at his other keyboard

All together now…

Onward First Responders, marching as to war,
With the ACPO Guidelines going on before.

Wow! I did not realize how fast time flies when you have so much to catch up on! Research Methods was tough but, I made it through with an A-. There is a lot of information to learn and it doesn’t seem as if there is enough time in the day to learn it all! I just finished midterms for the fall quarter in Criminal Evidence. I’m going to post my final project for Research Methods. =)

CAPITAL LETTERS!

Yep, this is the big one. The FINAL PROJECT for my degree. The largest piece of work on the degree, makimg up roughly 30% of the final classification, or so I’m told. Oh, I did a grade prediction today, by the way, and I’m predicted a First Class Honours, should things continue in the merry way they have been.

Since the degree is modular – as may now are – the project is draped over 3 modules: planning, implementation and evaluation. Meh. What’s important is what it’s subject is – I’ll quote my project aim:

‘investigate and critically evaluate the current effectiveness of methodologies in use by Digital Forensics Analysts with specific regard to digital evidence collection & management, identifying and implementing ways of improving efficiency and effectiveness’

If you see through the pseudo-intellectualist wording that modern education asks for, you see that what I’m going to do is look at evidence triage, common and brand new methods for collecting evidence, chain of custody, storage and pre-investigation prep. The eventual aim is to look at how things are done now – and improve or expand them, and write a new methodology detailing what we believe is safe, efficient and useful practise. I say ‘we’, as I’m doing this in partnership with Richard Heselwood, another student from my university group. The RH theme will bring greatness, I’m sure.

Now, I know some people have been surprised at our choice of subject. Some people expect forensic apps to be developed, or investigations to be carried out. The latter I did like the idea of: a large, complex, multi-source, multi-faceted case to get to grips with, requiring knowledge of different OSs, varied techniques and so on. But getting hold of the evidence that someone has staged for you is very difficult – you’d need to convince an experienced forensic analyst to spend a lot of time setting up multiple disks with multiple OSs, lots of settings, apps installed and then simulate months of usage in a short period of time. It’s difficult and unfair on the victim volunteer. Developing an application was the first thing I ruled out, mainly because I don’t want to overwhelm the forensic mindset with that of the programmer. I realise that to create a forensically sound application requires knowledge of forensics, but spending months programming would drive me to distraction.

So the idea of creating my own methodology for forensics cropped up, seemingly at random. It just so happened that Richard was having similar ideas, and on a year-defining walk to Greggs the Bakers near campus, for an inspirational Cornish Pasty, we revealed our ideas to each other and they went together like pastry and filling.

Post Christmas, we’ll have got the main research regarding how one actually writes a methodology out of the way. We’ll know what areas need attention, and can start giving them some. We’ll also have found virginal territory – things that Acpo haven’t touched on, for example. They will get the full cycle of research, ideas, implementation, testing, and alteration – a kind of bespoke development life cycle that we’ll use. I’ll be uploading a friendlier version of our plan, and I’ll blog to it – so each key point in the plan will have a post related to it – so you can see how we’re running education alongside self-propelled brilliance (ahem). Extras about the Enron work, a tad on the E-commerce site I’m developing and a LOT on the main forensics content (Jan onwards) will also follow in the New Year.

Note: I’m trying to stick to Wednesdays for posting, so it’s regular. Second posts in any given week will be on Saturday

Merry Christmas and a Happy New Year
Ryan

cd tutorial proactive

Komputer forensik adalah sebuah karier yang tumbuh cepat lapangan menawarkan potensi luar biasa untuk pekerjaan dalam penegakan hukum cd tutorial proactive militer badan intelijen perusahaan Cd Tutorial Java dan bisnis. Peluang pekerjaan meroket sepadan dengan lonjakan cepat dalam kejahatan komputer.

Kejahatan komputer pada awalnya hanya punya kejadian sporadis. Sekarang itu telah menjadi kenyataan hidup Cd Tutorial Gratis yang harus ditangani oleh lembaga penegak hukum. Sebagai aplikasi komputer dan Internet Cd Tutorial Flash telah menjadi bagian tak terpisahkan dari kehidupan contoh-contoh perbuatan salah dengan bantuan komputer adalah urutan hari. Cd Tutorial Web Design

Untuk mengatasi kejahatan komputer sendiri harus dipindai Cd Tutorial Php secara menyeluruh untuk menentukan apakah mereka telah digunakan untuk kegiatan ilegal atau tidak sah atau penipuan.

Ini dapat dilakukan hanya oleh ahli forensik Cd Tutorial Autocad komputer yang memperoleh alat melalui on-the-pengalaman kerja program sertifikasi dan kualifikasi lainnya.

Forensik komputer profesional dikenal oleh banyak gelar seperti penyidik forensik komputer analis media digital dan digital detektif forensik. Setiap Cd Tutorial Photoshop satu menggambarkan karier yang sama seperti yang berkaitan dengan penyelidikan media digital.

Komputer spesialis forensik mendapatkan gaji mulai dari . sampai . per tahun tergantung pada satu S keterampilan dan pengalaman dan perusahaan dan organisasi yang bekerja untuk. Perusahaan swasta menawarkan gaji lebih menguntungkan daripada lembaga penegak hukum.

Seorang sarjana dalam forensik komputer dapat membantu memajukan karier membuat satu memenuhi syarat untuk posisi sebagai pemimpin tim forensik atau biro pengawas. Lima puluh persen dari pekerjaan FBI memerlukan Cd Tutorial Joomla aplikasi forensik komputer.

Consulting adalah bidang yang cd tutorial proactive menarik untuk forensik komputer profesional karena mereka independen dan bebas agen. Mereka mengambil tugas di akan dan biaya dalam jumlah besar dan kuat untuk menghabiskan waktu mereka dalam pekerjaan. Mereka tagihan klien per jam. Remunerasi per jam berkisar dari sampai tergantung pada jenis pekerjaan mereka selesai.

Akan ada terus meningkatnya permintaan untuk memenuhi syarat keamanan dan komputer forensik profesional. Keterampilan komputer dan jaringan tidak lagi mencukupi sebagai jaminan sangat penting untuk server stasiun kerja atau router.

Donald Eugene Gates

The conviction of Donald Eugene Gates, 58, was based largely on the testimony of an FBI forensic analyst whose work later came under fire and a hair analysis technique that has been discredited.

“I feel beautiful,” Gates told The Associated Press by telephone after leaving the U.S. penitentiary in Tucson, Ariz.

Just hours before, the same judge who had presided over Gates’ trial years ago in D.C. Superior Court ordered his release.

Prosecutors had agreed Gates should be released. However, at their request, Senior Judge Fred B. Ugast delayed Gates’ formal exoneration until next week to give the government a chance to conduct one more round of DNA testing.

Ben Friedman, a spokesman for the U.S. attorney’s office in Washington, said Gates would be the first D.C. defendant who spent significant time in prison to be exonerated based on DNA evidence.

Gates was convicted of the 1981 rape and murder of Catherine Schilling, a 21-year-old Georgetown University student, in Washington’s Rock Creek Park. He was sentenced to 20 years to life in prison.

But the conviction was based largely on the testimony of FBI hair analyst Michael P. Malone whose work came under fire in 1997. At that time, the FBI’s inspector general found that Malone gave false testimony in proceedings that led to the impeachment and ouster of U.S. District Judge Alcee Hastings in 1989.

Ugast was incredulous that prosecutors had failed to inform him after Malone’s work was called into question. He ordered the U.S. attorney’s office to review all its cases in which Malone testified – something he said should have been done earlier.

Sandra K. Levick, one of Gates’ attorneys from the D.C. Public Defender Service, said she came across the inspector general’s report while doing her own research for the case. She then obtained more information through a Freedom of Information Act request that showed the FBI had issued warnings about the work of Malone and 12 other analysts who were criticized by the inspector general. As part of a review requested by the FBI, prosecutors confirmed they had relied on Malone’s work to obtain Gates’ conviction.

read more:

News Report from:

Fla. man exonerated by DNA after 35 years in jail

BARTOW, Fla. (AP) — A Florida man who spent 35 years in prison has been freed after DNA evidence exonerated him. James Bain was sentenced to life in prison in 1974 for kidnapping and raping a 9-year-old boy. He’s been pushing for DNA testing and he finally got it after the Innocence Project of Florida got involved in his case.

Tests released last week showed he could not have committed the crime. A judge ordered him freed on Thursday and he walked out of a courthouse a free man.

source:

YALSA’s award selection committee has spent the year reviewing nonfiction books for young adults, ages 12–18, published between November 1, 2008 and October 31, 2009. As a result, five nonfiction titles make up the first Award for Excellence in Nonfiction for Young Adults.

Almost Astronauts: 13 Women Who Dared to Dream

by Tanya Lee Stone.

When NASA was launched in 1958, 13 women proved they had as much of the right stuff as men to be astronauts, but their way to space was blocked by prejudice, insecurity, and a scrawled note written by one of Washington’s most powerful men. This is the fascinating, frustratingly true story of the Mercury 13 women. Today, dreams of space exploration are a reality for women who meet the challenge. We’ve come a long way, baby!

Charles and Emma: The Darwins’ Leap of Faith

by Deborah Heiligman

The teaching the Darwin’s evolution theory in schools causes intense controversy today, as it did in Darwin’s time. This debate raged within Charles Darwin himself, and played an important part in his marriage and family life. His deeply religious wife, Emma,  gave Charles a lot to think about as he worked on his theory. This biography is a thought-provoking, humanizing account of the man behind Darwin’s famous theory, and his great love for his faith-filled wife. History, science, religion and romance –there is much here for readers to appreciate.

Claudette Colvin: Twice Toward Justice

by Phillip Hoose

Every young American student learns about Rosa Parks, and the spark that led to desegregaton of city buses in the heart of 1950’s Alabama. How many know the largely untold story of Claudette Colvin?  Nine months before Parks staged her own bus ride protest, 15-year old Colvin was arrested and jailed after refusing to give her up seat on a bus to a white woman. Interviews with Colvin shed light on both the  Montgomery bus boycott and the landmark  Browder v. Gayle case, in which she was a key defendant.

The Great and Only Barnum: The Tremendous, Stupendous Life of Showman P. T. Barnum

by Candace Fleming, illustrated by Ray Fenwick

Part colorful performer, part flimflam man, P.T. Barnum is an undisputed American legend.  Fleming’s book gives a fun historical account of the ultimate showman and his life. To sweeten the deal, photos and illustrations provide a  feast for the eyes that is difficult to resist.

Written in Bone: Buried Lives of Jamestown and Colonial Maryland

by Sally M. Walker

In a fascinating story of forensic archaeology, author Sally M. Walker assists as scientists investigate colonial-era graves near Jamestown, Virginia: a teenage boy, a ship’s captain, an indentured servant, a colonial official and his family, and an enslaved African girl. All are reaching beyond the grave to tell us their stories, which are written in bone.

~DJC

I’ve recently been involved in a couple of discussions for different ways for identifying malware. One of the possibilities that has been brought up a couple of times is fuzzy hashing, intended to locate files based on similarities to known files. I must admit that I don’t fully understand the maths and logic behind creating fuzzy hash signatures or comparing them. If you’re curious Dustin Hurlbut has released a paper on the subject, Hurlbut’s abstract does a better job of explaining the general idea behind fuzzy hashing.

Fuzzy hashing allows the discovery of potentially incriminating documents that may not be located using traditional hashing methods. The use of the fuzzy hash is much like the fuzzy logic search; it is looking for documents that are similar but not exactly the same, called homologous files. Homologous files have identical strings of binary data; however they are not exact duplicates. An example would be two identical word processor documents, with a new paragraph added in the middle of one. To locate homologous files, they must be hashed traditionally in segments to identify the strings of identical data.

I have previously experimented with a tool called ssdeep, which implements the theory behind fuzzy hashing. To use ssdeep to find files similar to known malicious files you can run ssdeep against the known samples to generate a signature hash, then run ssdeep against the files you are searching, comparing with the previously generated sample.

One scenarios I’ve used ssdeep for in the past is to try and group malware samples collected by malware honeypot systems based on functionality. In my attempts I haven’t found this to be a promising line of research, as different malware can typically have the same and similar functionality most of the samples showed a high level of comparison whether actually related or not.

Another scenario that I had developed was running ssdeep against a clean WinXP install with a malicious binary. In the tests I had run I haven’t found this to be a useful process, given the disk capacity available to modern systems running ssdeep against a large HDD can be a time consuming process. It can also generate a good number of false positives when run against the OS.

After recently reading Leon van der Eijk’s post on malware carving I have been mulling a method for combining techniques to improve fuzzy hashing’s ability to identify malicious files, while reducing the number of false positives and workload required for an investigator. The theory was that, while any unexpected files on a system are not desirable, if they aren’t running in memory then they are less threatening than those that are active.

To test the theory I infected an XP SP2 victim with a sample of Blaster that had been harvested by my Dionaea honeypot and dumped the RAM following Leon’s methodology. Once the image was dissected by foremost I ran ssdeep against extracted resources. Ssdeep successfully identified the malicious files with a 100% comparison to the maliciuos sample. So far so good.

With my previous experience with ssdeep I ran a control test, repeating the procedure against the dumped memory of a completely clean install. Unsurprisingly the comparison did not find a similar 100% match, however it did falsely flag several files and artifacts with a 90%+ comparison so there is still a significant risk of false positives.

From the process I have learnt a fair deal (reading and understanding Leon’s methodolgy was no comparison to putting it into practice) but don’t intend to utilise the methods and techniques attempted in real-world scenarios any time soon. Similar, and likely faster, results can be achieved by following Leon’s process completely and running the files carved by Foremost against an anti-virus scan.

Being able to test scenarios similar to this was the main reason for me to build up the my test and development lab which I have described previously. In particular, if I had run the investigation on physical hardware I would likely not have rebuilt the environment for the control test with a clean system, losing the additional data for comparison, virtualisation snap shots made re-running the scenario trivial.

–Andrew Waite

P.S. Big thanks to Leon for writing up the memory capture and carving process used as a foundation for testing this scenario.

http://wikileaks.org/wiki/Microsoft_COFEE_%28Computer_Online_Forensics_Evidence_Extractor%29_tool_and_documentation,_Sep_2009

Years ago I had to write this extensive paper for to earn a GIAC Certified Forensics Analyst title.

Christopher Vera – SANS GCFA Practical v.1.3
Analysis of Unknown Binary, Forensic Tool Validation, and Legal Issues of Incident Handling for GIAC Certified Forensic Analyst Certification, Version 1.3
Abstract: The investigator: analyzes an unknown binary using several Linux and Windows forensic tools revealing an ICMP Backdoor; Tests Dependency Walker as a forensic tool for analyzing unknown Windows binaries; Explores the legal issues of a system administrator of an imaginary ISP sharing possible forensic evidence with a government agent acting under color of law.

November 03, 2009

• I have moved from Grace Mansion to Central Residence on the 1^st of September 2009. It is small but it has it’s own bathroom. It has radiated heat and it is on so hopefully they will keep it on during the winter months. It is run by the City of Vancouver. So far I have no complaints with it other than it is small.
• I received my single bed from Welfare (Wraggs) and the bedding and pillow to go with it. I wasn’t going to bother with a bed until my next address, because then I definitely need somebody with a Van or Truck or I will have to hire someone to move. As it was, it cost me $60 to move into here and I have nothing but two tables, my computer, a chair, clothing, books, and cookware. And now I have a bed to boot! This place is small but it has it’s own bathroom (shower & toilet) which is why I took it in the first place. But, it beats sleeping on the floor, especially since I am going to be starting the Hep “C” treatment shortly.

November 06, 2009:

• I received the regular flu shot and the H1N1 flu shot today at the Pender Street Clinic. No line-up or hurry or fright. I suspect my arm to be sore for a few days at least?
• I started the treatment for Hep “C” on November 06, 2009 and am to get an injection of PEGASYS RBV ® or Peginterferon Alfa – 2A once a week for the next year. In addition to this shot, I am to take Ribavirin or COPEGUS ® twice a day for a year. I am enrolled as a guinea pig in a German study taken through UBC at the Pender Street Clinic to treat Hep “C”. I was not accepted as a “normal” in the Government paid programs, and as such enrolled in this treatment study. I have nothing to lose and my health to, again, have in plenty if I succeed.
• As of yet I have noticed no side effects in regards to this medication. NOTHING. I do realize that I may yet pay for no side effects at the moment later in the program, but for now I am treating these treatments as successful. I have blood work to give on December 04, 2009 and will have the results back roughly two weeks later, where they will be checking my liver enzymes to see how much of the Hep “C” virus is detectable in my blood, or something to that effect?
• If I am undetectable after one month of treatment then I will only have to take the medication for six months instead of a year, but that is highly unlikely but not unheard of. So I am prepared for the full year treatment program.
• Before I began treatment I had a quick eye exam done; 2 E.C.G.’s; a liver biopsy; and 2 Ultrasounds of my liver. I also agreed to go back on some anti-depressants as is recommended in the Study brochure.
• I am taking CITALOPRAM 10 mg. PMS. This is the low dosage and as of yet I haven’t noticed any noticeable difference in my mood. I did not go on the anti-depressant because I was expecting a rough year in terms of my Depression, but rather because it was noticed in prior subjects that they had symptoms of feeling low and had suicides, so to be on the safe side I agreed to go back on this anti-depressant.
• The whole idea of getting treated for Hep “C” is my doing because I want another chance at my health, and yet I have to report to the Pender Street Clinic once a week for my shot and to refill my other medications for this treatment as well as attend their support group once or twice a week. Then I have to report to either Dave Bernier or Dr. Levy or both and repeat again what I had said at the Pender Street Clinic. Bah Humbug!

November 18, 2009

• Dave Bernier did another home visit with me. Well it was actually a meeting at a local coffee shop. He asked the same stupid questions as he does all the time. I would have thought he would have come up with some new questions? He asked about my Hep “C” treatment program and any side effects that I may be having. NO SIDE EFFECTS. Yeah! So far?! Bah Humbug!

December 01, 2009

• I had my Review Board today and wouldn’t you know I received another Conditional Discharge! Bah Humbug! I think I will appeal this decision but will discuss this with my Legal Aid Lawyer.

December 10, 2009

• I got the results back from my previous blood tests and it is looking promising. It has dropped from millions of copies of the virus in my blood to 25 copies of the virus in my blood. Hopefully my next blood tests will show “0″ counts or copies in my blood and if that is the case then I only have to take this medication for 6 months as apposed to a year.
• Overall I am feeling good. No Side Effects to report from the Hep “C” treatment yet. My depression is not present yet this year and hopefully it won’t show up.

In my last post, I touched briefly on performance indicators. For those of you who slept during that bit, they’re the areas in which a police force has to score to win the approval of the Home Office – things like ‘crimes detected’, ‘acquisitive crime rate’, ‘public satisfaction’ etc. A force gets points for doing well in these areas, and these points allow the force to ‘level up’ and unlock new weapons, characters and secret missions. Or something. I fell asleep in that bit and may have dreamt some of my impressions of what PIs are about.

Whether dreams or reality though, most of them were pretty uninspiring. If I were to be moving to a new force, I certainly wouldn’t be looking at the PIs to give me an idea of what it might be like to work there. With this in mind, I thought it was high time that computer forensics labs had some performance indicators of their own. Feel free to rate your own workplace according to these criteria – it should apply to private folk as well as the 5-0. Marks are given out of 10.

HMIC’s Performance Indicators for HTCUS

(‘HMIC’ here stands for ‘Happy Monkey’s Inspectorate of Computerforensicsunits’. No similarity to Her Majesty’s Inspectorate of Constabularies is intended or should be inferred).

1. Craic. On walking into the office, is there a good vibe? Are staff talking to each other or sitting in sullen silence? The latter may indicate that the office is going through a civil war, which happens from time to time. Is there laughter? Don’t be discouraged if one member of staff is chasing another around the room with a knife in hand – this is common practice in some HTCUs and should be taken as a sign of affection. ‘Vibe’ is difficult to measure quantitatively and an expert may be called in to assist. We suggest Bez from the Happy Mondays.
2. Coffee. Do staff have access to drinkable coffee? Although it is not unknown for some public sector employees to dismiss decent coffee as a bourgeois frippery and claim a preference for instant, it is important that good coffee is on hand. Coffee may be filtered, steamed or pressed, but there should be access to a grinder. Facilities for roasting beans will gain a unit an ‘exceptional’ rating for this indicator, but it is not essential. Access to a Starbucks, Neros or similar does not score for this indicator. A range of interesting teas will attract bonus points.
3. Eyecandy. While it is not important for the unit to contain a given proportion of attractive staff (indeed it has proved infeasible to impose a quota on even normal-looking practitioners in this field), an office should have access to a source of totty, whether in a canteen, corridors of admin offices or a snack van shared with other organisations. Inspectors of both sexes should be sent to judge this indicator but should not engage any of the totty in conversation.
4. Equipment. Do staff have at least two decent-sized monitors? Is there enough desk space? Is there adequate Internet provision?
5. Relaxation Venues. The availability of a nearby pub or bar is essential. Preferably one where the landlord won’t bar patrons after overhearing a ‘what’s the weirdest thing you’ve seen this week’ competition.
6. Good music. Always a contentious issue. Commercial radio makes this monkey’s ears bleed, and Radio 4 doesn’t really cut it in a busy, noisy office.  Spotify can save the day, but it’s important to have a regular shout for requests, to make sure everyone’s happy. Their ads are getting increasingly irritating though – almost enough to make one subscribe. Almost.
7. War Stories. Are there people with enough varied experience to be able to supply a steady stream of war stories over the years? Veracity of the stories is not measured in this indicator and repetition of stories is acceptable, if the story is funny enough.
8. Biscuits. Is there a well-stocked biscuit tin? If some disturbed freak keeps putting digestives in there, this will score minus points. What sort of person sees a shelf full of biscuits and chooses digestives, ffs? Even the name’s wrong, it sounds like something old people eat to help them with their bowel movements.

The Office of Monkey scores:

1. 9
2. 8
3. 8
4. 8
5. 0 (Nearest hostelry smells of wee)
6. 5 (varies between elevator music and cock-rock)
7. 8
8. 9 (Although there’s someone who think it’s amusing to buy Netto digestives and pass them off as his tea kitty contribution, the tea kitty administrator generally does sterling work with biscuits.

Giving a grand total of 55 out of a possible 80! This isn’t fantastic, and shows a need for improvement in some areas.

So start totting up your own scores! I want a representative sample of UK computer forensics offices in the comments – it’d be good to see how the figures compare between LE/Private as well, so please say what sort of place you work in. Feel free to post suggestions for other indicators, too.

This post was brought to you with the help of The Damned, The Cult, Sisters of Mercy, Bauhaus and OMD (I was really reliving my youth tonight!) Also some generic plonk from Bargain Booze and a bag of Twiglets. Nom.

The independent Investigative team consisting of Mr. Chris Cobb-Smith and myself was contacted by Atty. Harry Roque of Centerlaw for the purpose of an independent account based on forensic evidence on behalf of the victims. The mission was conducted in partnership with the Commission on Human Rights which has the constitutional mandate to conduct investigations of human rights involving civil and political rights.
The team arrived in Cotabato City on November 29, 2009 and returned to Manila on December 7. We stayed in the area gathering information from direct inspection, talking to relatives, potential witnesses, law enforcement officers and Civil Society activists. This is by no means an exhaustive account of the reconstruction of the facts since for the time being we have not received all documentation collected by different agencies. Our visit however allowed us to have a better understanding of the circumstances in which the crime occurred as well as allow us to piece together some factual information presented in this briefing.

INTERVIEWS
During our time in the area we were able to talk to members of the PNP, victim families, confidential sources and Civil Society organizations.

SITE INSPECTION
The site where 57 bodies were recovered the previous week is located on the top a small hill some three kilometers from the main highway at Barangay San Juan y Ampatuan city.
The site occupies an area of some 500 square meters were three graves of various dimensions were excavated. Upon arrival the site still shown large heaps of dirt extracted during the excavation of the graves and a large number of personal artifacts, car pieces, newspapers and assorted rubbish strewn across the surface. It was cleared that the site had been severely disturbed since discovery and a number of artifacts, primarily recovery by-products such as gloves, empty water bottles and the like, were added.

Upon our arrival to the site it was clear that there still were a number of valuable pieces of evidence that should be collected. We undertook two full examinations using metal detectors in order to locate shell casings and slugs that may assist in determining the minimal number of shooters at the scene. The location of the slugs would facilitate determining whether some of the victims were shot outside the vehicles and then placed back inside likely to be buried in them.
We excavated the three graves to ascertain whether any mortal remains would have been left behind due to the hastiness with which the original exhumation was performed. We also used a cadaver-sniffing dog to verify the empty graves and associated backfill and the surrounding area to exclude the existence of further remains. This way we determined that the scene did not contain any further bodies.
At the site, in our two visits, we recovered over 30 shell casings (5.66 x 45mm). In addition some 4 slugs were also recovered and their position recorded. This is in addition to the over 120 recovered by the police when they processed the scene.
While searching the scene we also came across personal effects, clothes and an intact partial upper denture. The denture was identified by the dentist, family and fiancé of journalist Robert Momay as belonging to Momay.
We examined the available documentation to determine that there were three cadavers still unidentified. The three unidentified bodies had all their teeth or complete upper and lower dentures. This affirms that the mortal remains of Momay were not at the site. However, since his ID and denture were found at the site it was likely that he was originally disposed there.
The vehicles recovered in grave 3 were mangled into a mass of metal. We had access to observe them at the PNP base in General Santos. It was still possible to observe that the back rest of both the passenger’s and rear right seats showed some perforations that could have been caused by a shotgun. One of the vehicles Tamaraw FX was being driven by Mr. Jephon Cadagdagon, a businessman from General Santos we raise the question as to whether he was travelling indeed alone or may have been taking passengers in his way through the area.
Based on the above we have the following preliminary observations and hypotheses, which need further consideration and investigation:
1. The event has been defined by the bodies recovered and not by the number of alleged victims reported.
2. In talking with various persons present at the scene after the killings occur it is clear that the presence of the AFP as a security force while welcome was also a disrupting element in the processing of the scene. Likewise desperate relatives also participated in the recovery process making the situation still more complex.
3. The process of examination of the mortal remains was not centralized; it was spread through a number of funeral homes and undertaken by PNP and NBI teams. A preliminary review of autopsy reports from each of those teams show in some cases considerable differences in detail and description of injuries related to the cause and manner of death.
4. It seems apparent that the identification of the bodies relied heavily on the recognition by their relatives despite the fact that many of them sustained high velocity gunshot wounds in the face and/or were heavily decomposed making them definition unrecognizable. The delay in recovering the bodies made them less recognizable due to the advance decomposition.
5. It is likely that the body of Mr. Robert Momay was handed over to a different family.
6. This would imply that there is at least one more victim, not recovered nor reported and associated to this event.
7. The preliminary observations regarding the seats of the Tamaraw FX carcass found in grave 3 raises the possibility that the driver of the vehicle was not alone.
8. If the latter is true the number of victims could still be higher buried or hidden at another location (since they were not in the 3 graves).

EARLY RECOMMENDATIONS (Based on the observations on the 12 day mission)
In the regrettable scenario that future cases of this kind occur it is recommended that primary responders do not cause irreversible damage to the scene obliterating the recovery of important evidence
1. It is necessary ascertaining whether the versions indicating that upon arrival to the scene and despite the presence of AFP personnel there were other armed men presumably linked to the alleged perpetrators which only allow the recovery of the mortal remains of the immediate family of Buluan vice-mayor, Esmael Mangudadatu.
2. No attempts to define a possible universe of victims and to collect Ante Mortem data for each using common formats such as the Disaster Victim Identification (DVI-Interpol) system were used. By doing that at an early stage some of the problems outlined here could have been avoided. It is clear that the event has been defined by the bodies recovered and not by the number of alleged victims reported.
3. In the future it is more efficient to pool resources together rather than atomize them duplicating efforts or simply by carrying parallel but not necessary complementary investigations. The data collected, the results and the hypothesis of each investigation, such as it has been discussed here are difficult to collate.
4. Any attempt to perform an efficient investigation in a case of this magnitude needs the rapid deployment of experts; while the deployment of international experts in this case was substantially short considering the circumstances it occurred almost a week after the facts.

Biblical scholars have hailed the most recent find amongst a cache of  lost literary works as nothing short of miraculous.  Now read on…

Exifodus, Chapter III

1. And there was, at that time, in the Land of Geek-i-on two nations.

2. And their names were the El-ee-ites and the Pri-vat-ites.

Moses with his netbook

3. Now the nations and the tribes thereof did live in that place as neighbours, yet they would not dwell together.

4. Worshipped they also at the the same temple, sharing the practices and rituals of their creed, Day-Tar-An-al-ysis.  Yet was there no love lost between them.

5. Thus went they about their business, ignoring each other for the most part.

6. But it came to pass that the Pri-vat-ites were fruitful and increased abundantly and multiplied and the land was filled with them.

7. Moreover, they grew rich off the fat of the land.

8. Then said the El-ee-ites to one another, the Pri-vat-ites getteth themselves a stack of shekels whilst we must labour hard and long to make a fraction thereof.

9. And they waxed wroth.

10. And there were those among them who rose up saying: Is not this land ours alone?  Did not the Lord give it to our forefathers forever, even unto the end of time?

11. For we are the peace-keepers in His house and the watchmen at His gate. And none may leave our courts unless we sign off countless reams of paperwork.

12. And there were others who said, this is right-wise galling.  Locketh we not away the evil-doers and the runners of red lights?  Where is our just reward?

13. But the Lord gave them no respite.

14. So it came to pass that many El-ee-ites took up their golden handshake and went out from their own lands and into the lands of the Pri-vat-ites.

15. And in the process of time, their numbers increased manyfold. For they perceived that their bretheren also grew rich in that place.

16. Thus it was that the throng increased until it became a multitude and there was an exodus of epic proportions.

17. Yea, even in every sense of that word.

18. Now many El-ee-ites found work for their hands.  Yet also did many fall by the wayside.

19. For though they set up on their own or with others of their kind, they found the game was in no wise as cushy as it first appearèd.

20. Verily, the days were many when the phone rangeth not at all.

21. For the followers of Day-Tar-An-al-ysis had become so great in number that the market-place was exceeding full.

22. Then was there a wailing and a gnashing of teeth, for a recession came also to the land of Geek-i-on.

23. And many that had jobs before now lost them, and those that were new to the field were left high and dry.

24. Then did the El-ee-ites mourn in their exile for their own lands, saying Was there not an over-abundance of stuff to be looked at every day? Even a Welsh mountain full of dodgy boxes?

25. And was there not also tea, cake, biscuits and canned drinks in abundance at all hours?

26. And they went unto their temples to call upon the Lord for guidance but there was no access day to day for any to come therein.

27. A great wilderness opened out before them and they became as strangers in a strange land.

28. Even the tribes of Re-cru-ter-ites who had once welcomed them now turned them from their doors saying Knowest thou not that For-en-sics is finishèd?  Therefore go we up into the pastures of e-discovery, for there the land runneth with milk and honey.

29. And they went on their way rejoicing.

Recently, I’ve met a lot of first year students, several of which have asked me why I chose to study Computer Forensics.

I prefer not to think of what I’m doing as studying CF. To me, I’m preparing for a career, not studying in isolation from the future. Every schoolchild is groomed for further and higher education, with a view to gaining skills for jobs, and that is precisely what I’m doing. Putting aside the fact that I attribute huge value to the ‘life of the mind’ type of education that is available at Oxbridge, most obviously, I am quite happy with the idea of ‘learn to earn’. It’s realistic, useful.

So, why a CF career? Of all the types of computing career, or the types of law enforcement career – why CF? Well, I’ve known since I was old enough to understand the concept of a career, that I wanted to be involved in fighting crime. This changed from the 7 years old’s James Bond fantasy, to Computer Forensics – via ideas of being a Police Officer, Armed Response or Intelligence. The computing area of forensics – arguably the lion’s share of the field of computer forensics – works for me almost by default. I simply found I was good at using a computer as a child, and that I understood the lower layers of computing as I began programming and networking at secondary school. I picked up programming languages quicky, I ‘got’ the OSI Model – it came naturally.

But Computing does not stimulate me in the way langauge, writing, journalism and crucially, fighting crime do. It amazes me, challenges me and interests me – but I could NEVER work in a career that is purely about computing problems. I don’t mind wrestling with programming or scripting – but I don’t want to release applications, I want to write EnScripts, timelining apps. I don’t want to design networks for big business, but I might want to streamline the office network to get more out of distributed processing. I know the power of knowledge of computing, and how it can make the fight against crime a broader one. It delights me when I apply my knowledge of this File System or that logging method, to carry out the act of forensics successfully – but the file system itself bores me stupid. I will happily study it for hours on end though, because it helps me with forensics. That’s the way I approach the career: knowledge for the end-purpose of forensics and fighting crime. The elephant in the room is defence work of course – I shall deal with that in another post.

CF allows me to ensure my computing mindset isn’t wasted, and that my real interest in forensics and investigating crime is satisfied. If the world was kind to idealists, I would write for a living, but I think one needs a career that is reliable, with a supplementary interest that you can afford to not work. I do believe that you can do a job that you good at, but that is not your number one desire – that’s my situation, but as people have remarked, I am HUGELY passionate about Computer Forensics, and I’m determined & dedicated to succeed in my career.

I had the pleasure of seeing the film “Up in the Air” last night (very good film, by the way) and it got me thinking about how companies need to follow the proper procedures when laying off employees. That’s where I come in…

Earlier this year I was working on a Computer Forensics case for a large corporation who was laying off a big group of employees. Because of the size of the group (over 700) they decided to lay off everyone at once instead of in face-to-face meetings. They herded people into the lunch room to explain the situation and severance packages, and some people immediately got up during the meeting and went back to their cubicles, presumably to pack their belongings. However, many of these “early departers” were also found to be copying lots of company confidential data to CD’s and USB flash drives.  Based on the registry data on the hard drive and the timestamps of the user’s folder, I was able to determine what files were copied at the last minute, and HR was able to pursue the proper actions with the laid-off employees.