The company blue hire the company Red make a red team commitment in blue. Here, I will talk only about the physical part of the commitment, not social and cyber.
Red infiltrates successfully blue and provides detailed reports of what was done in the commitment. Example of part of the report:
... In building A: At door A101, we picked the lock. Techniques used in picking: Raking, Bump Key. At door A102, we picked the lock. Techniques used in picking: Raking. ...
The report includes details of the techniques used to explode and infiltrate.
One week after the engagement, blue he is attacked by real criminals and his data was extracted from building A. They had no camera images of each exploded door. It is confirmed that the installation of the doors and locks in building A is correct and has probably been chosen. However, those doors / locks have also been reported by Red during his engagement the previous week.
The locks being tested have been selected and exploited by both Red And the criminals. Forensic evidence would probably show traces of both or only RedThe commitment of Since the red team's commitments are to simulate real criminals as accurately as possible, it is difficult to differentiate between the evidence left by Red and those left by criminals.
blue He is very sure that those locks were chosen by the criminals, and suppose they are right about it. blue You want to investigate how exactly the criminals entered and locate those criminals. Additionally, blue He also wants to claim insurance for those locks that are being collected. (I heard that we can get insurance from the lock manufacturer if the locks are cut and we take damage from that)
How can forensic evidence be used in court locks (for insurance) and investigation? As should blue use such forensic evidence to claim your insurance and locate criminals when it is difficult to distinguish between the marks left by Red and the criminals?