Friday, March 2, 2007

Actus Reus and Corpus Delicti

In criminology, terms like Actus Reus and Corpus Delicti are used to determine whether a crime has been committed. Actus Reus is the Latin term for "guilty deed" or "deed of crime", while Corpus Delicti is actual proof that a crime has been committed, i.e., the dead body.

When it comes to incidents, though, we can use these terms as a means to validate that an incident has actually occurred. Have you ever been called in on a false alarm? Someone calls in a panic that their system must have been compromised, but as it turns out it's a simple failure of a key service?

Have you ever stopped to think about how you reach your conclusion about an incident? How do you know that what you say happened actually happened in the way you claim?

One of the things I'm actively working on behind the scenes is a set of techniques to determine not only that an incident occurred but that it happened in the way the investigator thinks. I intend to adapt the scientific method to the incident response and forensics processes many of us use. My hope is that this scientific approach will be a boon to investigations in that it will create a verifiable, repeatable process that provides predictive power in future investigations. Another hope is that it helps the investigator rule out the theories that many of us develop during the investigation, leaving us with the explanation that makes the most sense because the other theories don't.


Anonymous said...

In our organization we are searching for something similar: Criteria to use when deciding whether to activate the IR team and go into full investigation mode. I have been working on this idea... has there been or does there appear to be a threat to confidentiality of data, an intentional threat to the integrity or availability of the data?

Is this the sort of thing you are working on?

hogfly said...

This is indeed what I'm working on, but not just when to spin up the team but actually driving the thought process of the team as the incident progresses so that the right conclusion is reached based on something other than intuition.