First Responder

First Response Basics

Roles of first responder
identifying the crime scene
protecting the crime scene

preserving temporary and fragile evidence
collecting the complete information about the incident
documenting all the findings
packaging and transporting the electronic evidence

... 

People for first response
system administrators
non-laboratory staff
laboratory forensics staff


First response for laboratory forensics staff
1. Protect the scene: securing and evaluating the electronic crime scene
2. Preliminary interviews: conducting preliminary interviews
3. Scene documentation: documenting the electronic crime scene
4. Evidence collection: collecting and preserving electronic evidence
5. Evidence packaging: packaging electronic evidence
6. Transport back to the lab: transporting electronic evidence

First response for non-laboratory staff
contact a computer forensic examiner as soon as possible.
secure the scene until forensics staff advises.
make notes about the scene.
ps:
don't try searching for anything, because the timestamps of the evidence can be changed.


....

Documenting an electronic crime scene
Document the physical scene
e.g. the position of the mouse, the location of components near the system
Document related electronic components that are difficult to find.
Record the condition of the computer system, storage media, electronic devices and conventional evidence, including power status of the computer.


....................................................................................................................


Collecting and Preserving Electronic Evidence

Principle
Do not turn the computer off or on
Do not run any programs, or attempt to access data on a computer

Dealing with powered on computers
if monitor screen is viewable:
 record the programs running on screen.
 take a photograph.
if monitor shows some picture or screen saver:
 move the mouse slowly without depressing any mouse button.
 take a photograph.
if monitor is powered on and the display is blank:
 move the mouse slowly without depressing any mouse button.
 take a photograph.

Dealing with powered off computers
if computer is switched off
 leave it off

if only monitor is switched off and display is blank:
 turn the monitor on, move the mouse slightly. observe the changes from a blank screen. if nothing changes, do not perform any keystroke
 take a photograph
ps:
if the computer boots up, files are written to the disk and the evidence is changed
...

OS shutdown procedure

windows:
1.note and explain any program that is running
2.unplug the power cord ( don't click poweroff by windows OS)

Mac OS:
1.record the time from the menu bar
2.click special -> shutdown
3.unplug the power cord

UNIX/Linux:
1. in console: sync;sync;halt
2. unplug the power cord
ps: if step 1 doesn't work, unplug the power cord

......................................................................................................................................

Packaging and Transporting Electronic Evidence


Exhibit numbering for evidence
format: aaa/ddmmyy/nnnn/zz
 aaa: ID of forensic analyst or law enforcement officer
 ddmmyy: date
 nnnn: project ID or SN of exhibits seized
 zz: sequence letter for each item, e.g. A for the CPU, B for the monitor
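A small helper for the aaa/ddmmyy/nnnn/zz scheme above, added here as an example and not part of the original notes. It generates consecutive exhibit numbers for the items seized at one scene, and parses and validates a number back into its fields so that tags and the custody record can be cross-checked. The field widths (3-character responder ID, 4-digit project/serial number, 1-2 letter sequence) and the sample responder "JS1" / project "0042" are assumptions made for this example.

```python
import re
from dataclasses import dataclass
from datetime import date, datetime

# Pattern for the aaa/ddmmyy/nnnn/zz layout from the notes. Field widths are an
# assumption made for this example: a 3-character responder ID, a 6-digit date,
# a 4-digit project/serial number and a 1-2 letter sequence label.
EXHIBIT_RE = re.compile(
    r"^(?P<aaa>[A-Z0-9]{3})/(?P<ddmmyy>\d{6})/(?P<nnnn>\d{4})/(?P<zz>[A-Z]{1,2})$"
)


@dataclass(frozen=True)
class ExhibitNumber:
    """One exhibit label broken into its four fields."""
    responder: str   # aaa: forensic analyst / officer ID
    seized_on: date  # ddmmyy: date of seizure
    project: str     # nnnn: project ID or serial of the seized set
    sequence: str    # zz: per-item letter(s): A, B, ... Z, AA, ...

    def __str__(self) -> str:
        return f"{self.responder}/{self.seized_on:%d%m%y}/{self.project}/{self.sequence}"


def sequence_label(index: int) -> str:
    """Map a zero-based item index to the zz field: 0 -> A, 25 -> Z, 26 -> AA."""
    if index < 0:
        raise ValueError("index must be non-negative")
    label = ""
    index += 1
    while index > 0:
        index, rem = divmod(index - 1, 26)
        label = chr(ord("A") + rem) + label
    return label


def parse_exhibit_number(text: str) -> ExhibitNumber:
    """Validate a label and split it into fields; raises ValueError on bad input."""
    match = EXHIBIT_RE.match(text.strip())
    if match is None:
        raise ValueError(f"not a valid exhibit number: {text!r}")
    # %y reads the two-digit year; an impossible day/month also raises ValueError
    seized_on = datetime.strptime(match["ddmmyy"], "%d%m%y").date()
    return ExhibitNumber(match["aaa"], seized_on, match["nnnn"], match["zz"])


def label_exhibits(responder: str, seized_on: date, project: str,
                   items: list[str]) -> list[tuple[str, str]]:
    """Assign consecutive exhibit numbers to the items seized at one scene.

    Returns (exhibit number, description) pairs in the order the items are
    listed, so the custody record and the physical tags agree.
    """
    numbers = []
    for index, description in enumerate(items):
        exhibit = ExhibitNumber(responder, seized_on, project, sequence_label(index))
        # Round-trip check: every label we emit must parse under the same rules.
        parse_exhibit_number(str(exhibit))
        numbers.append((str(exhibit), description))
    return numbers


if __name__ == "__main__":
    # Constructed sample: responder "JS1", project 0042, seized 19 Oct 2015
    seized_items = ["CPU", "Monitor", "External USB drive"]
    for number, description in label_exhibits("JS1", date(2015, 10, 19), "0042", seized_items):
        print(number, description)
```

Because the label is rebuilt and re-parsed before it is recorded, a typo in the responder ID or an impossible date is caught at tagging time rather than when the exhibit is checked back in at the lab.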

...

Common mistakes for first responder
shutting down or rebooting the victim computer
running commands on the victim computer
not documenting the data collection process


Published 2015-10-19 14:39:02, modified 0000-00-00 00:00:00
