I like the reference to EMTs for IR - that is a totally accurate description.
I am of the opinion that IR and CF are two distinct functions. The relationship between these functions should/must be defined early on in the IR protocol. For example, an incident occurred and management has already determined the course of action – identify the incident, verify the incident, analyze the incident data, develop mitigation response and implement mitigation response. In other words, management is not interested in pursuing any legal recourse.
I agree that if IR is not handled properly then there is little chance of any meaningful or worthwhile CF investigation. However, the need or likelihood of a CF investigation should have been defined initially!
More than likely CF will be involved in analyzing the incident data in order to determine a mitigation approach. However, this should not mean that the data collection and analysis should be done haphazardly when the stringent audit and documentation controls required for a legal proceeding are not needed.
CF does not require that the IR protocol be implemented first. A boss finds porn on a computer and wants proof of who, what and when!
I understand the example - the Chief Surgeon arrives and kills the victim. I do not agree with that statement. I have been involved in numerous incidents where the victim remained living. The Chief Surgeon was not allowed to pull the plug. We acquired live snapshots of the running systems - "yes LE wanted - even demanded that the systems were to be shut down and imaged", but they settled for snapshots.
So, I would agree that traditional CF techniques did apply when there was no one arguing for victims' rights! What would be your guess of the percentage of investigations in which the killing of the victim was not acceptable? Of course we are talking mechanical or electronic victims!
I do completely agree that CF needs to develop a dictionary of terms so we all have a common reference point. Maybe we should start with the FRE and DOJ Guidelines.