First Response Basics
Roles of first responder
identifying the crime scene
protecting the crime scene
preserving temporary and fragile evidence
collecting the complete information about the incident
documenting all the findings
packaging and transporting the electronic evidence
…
People for first response
system administrators
non-laboratory staff
laboratory forensics staff
First response for laboratory forensics staff
1 Protect the scene: securing and evaluating the electronic crime scene
2 Preliminary interviews: conducting preliminary interviews
3 Scene documentation: documenting the electronic crime scene
4 Evidence collection: collecting and preserving electronic evidence
5 Packaging exhibits: packaging electronic evidence
6 Transport back to the lab: transporting electronic evidence
First response for non-laboratory staff
contact a computer forensic examiner as soon as possible.
secure the scene until forensics staff advises.
make notes about the scene.
ps:
don't try to search for anything, because the timestamps of the evidence can be changed.
….
Documenting an electronic crime scene
Document the physical scene
e.g. the position of the mouse, the location of components near the system
Document related electronic components that are difficult to find.
Record the condition of the computer system, storage media, electronic devices and conventional evidence, including power status of the computer
…
Collecting and Preserving Electronic Evidence
Principle
Do not turn the computer off or on
Do not run any programs, or attempt to access data on a computer
Dealing with powered on computers
if monitor screen is viewable:
record the programs running on screen.
take a photograph.
if monitor shows some picture or screen saver:
move the mouse slowly without depressing any mouse button.
take a photograph.
if monitor is powered on and the display is blank:
move the mouse slowly without depressing any mouse button.
take a photograph.
Dealing with powered off computers
if computer is switched off:
leave it off
if only monitor is switched off and display is blank:
turn the monitor on, move the mouse slightly, and observe the changes from the blank screen. If it does not change, do not perform any keystroke.
take a photograph
ps:
if the computer boots up, files are written to the disk and the state of the computer is changed
…
OS shutdown procedure
windows:
1. give an explanation of any program that is running
2. unplug the power cord (don't use the Windows OS power-off/shutdown option)
Mac OS:
1. record the time from the menu bar
2. click Special -> Shut Down
3. unplug the power cord
UNIX/Linux:
1. in console: sync;sync;halt
2. unplug the power cord
ps: if step 1 does not work, unplug the power cord
…
Packaging and Transporting Electronic Evidence
Exhibit numbering for evidence
format: aaa/ddmmyy/nnnn/zz
aaa: ID of forensic analyst or law enforcement officer
ddmmyy: date
nnnn: project ID or SN of exhibits seized
zz: sequence letter(s) for the exhibit, e.g. A could be the CPU, B could be the monitor
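A small helper that builds and validates exhibit numbers in the aaa/ddmmyy/nnnn/zz format from the notes, added here as an example (it is not part of the original notes). Assumptions not stated above: aaa is exactly three letters or digits, nnnn is zero-padded to four digits, and zz is one or two uppercase letters counted A, B, ..., Z, AA, AB, ...; the analyst ID, date and project ID in the usage are constructed sample values.

```python
import re
from datetime import date, datetime

# Exhibit number layout from the notes: aaa/ddmmyy/nnnn/zz
# Field widths below are assumptions (the notes only name the fields).
EXHIBIT_RE = re.compile(
    r"^(?P<aaa>[A-Z0-9]{3})/(?P<ddmmyy>\d{6})/(?P<nnnn>\d{4})/(?P<zz>[A-Z]{1,2})$"
)

# Constructed sample values for the usage below (not from any real case).
SAMPLE_ANALYST_ID = "JSM"
SAMPLE_SEIZURE_DATE = date(2024, 3, 5)
SAMPLE_PROJECT_ID = 42


def sequence_letters(n: int) -> str:
    """Map 1 -> 'A', 26 -> 'Z', 27 -> 'AA' ... 702 -> 'ZZ' (bijective base 26)."""
    if n < 1 or n > 26 + 26 * 26:
        raise ValueError("sequence number does not fit in a two-letter zz field")
    letters = ""
    while n > 0:
        n, rem = divmod(n - 1, 26)
        letters = chr(ord("A") + rem) + letters
    return letters


def make_exhibit_number(analyst_id: str, seized_on: date, project_id: int, sequence: int) -> str:
    """Build aaa/ddmmyy/nnnn/zz, validating each field before it is written on a label."""
    aaa = analyst_id.upper()
    if not re.fullmatch(r"[A-Z0-9]{3}", aaa):
        raise ValueError("analyst/officer ID must be exactly three letters or digits")
    if not 0 <= project_id <= 9999:
        raise ValueError("project ID must fit in four digits")
    return f"{aaa}/{seized_on.strftime('%d%m%y')}/{project_id:04d}/{sequence_letters(sequence)}"


def parse_exhibit_number(text: str) -> dict:
    """Split a label back into its fields; rejects anything that does not match the scheme."""
    m = EXHIBIT_RE.match(text.strip())
    if not m:
        raise ValueError(f"not a valid exhibit number: {text!r}")
    return {
        "analyst_id": m["aaa"],
        "seized_on": datetime.strptime(m["ddmmyy"], "%d%m%y").date(),
        "project_id": int(m["nnnn"]),
        "sequence": m["zz"],
    }


def label_exhibits(analyst_id: str, seized_on: date, project_id: int, items: list) -> list:
    """Assign consecutive zz letters to the seized items, in the order they are listed."""
    return [
        (make_exhibit_number(analyst_id, seized_on, project_id, i), description)
        for i, description in enumerate(items, start=1)
    ]


if __name__ == "__main__":
    seized = ["CPU (tower case)", "Monitor", "USB stick found next to keyboard"]
    for number, description in label_exhibits(
        SAMPLE_ANALYST_ID, SAMPLE_SEIZURE_DATE, SAMPLE_PROJECT_ID, seized
    ):
        print(number, "-", description)
```

Validating on both the way out (make) and the way in (parse) catches the mislabelled or mistyped exhibit number before it breaks the chain of custody; a label that fails the regex should be corrected at the scene, not silently accepted later.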
…
Common mistakes for first responder
shutting down or rebooting the victim computer
accessing the victim computer from the command line
not documenting the data collection process