{"id":365,"date":"2019-10-19T00:11:00","date_gmt":"2019-10-18T16:11:00","guid":{"rendered":"http:\/\/note.systw.net\/note\/?p=365"},"modified":"2023-10-31T00:12:19","modified_gmt":"2023-10-30T16:12:19","slug":"first-responder","status":"publish","type":"post","link":"https:\/\/systw.net\/note\/archives\/365","title":{"rendered":"First Responder"},"content":{"rendered":"\n

First Response Basics<\/strong><\/h2>\n\n\n\n

Roles of first responder<\/strong>
identifying the crime scene
protecting the crime scene
preserving temporary and fragile evidence
collecting the complete information about the incident
documenting all the findings
packaging and transporting the electronic evidence<\/p>\n\n\n\n

… <\/p>\n\n\n\n

People for first response<\/strong>
system administrators
non-laboratory staff
laboratory forensics staff<\/p>\n\n\n\n


First response for laboatory forensics staff<\/strong>
1 \u4fdd\u8b77\u73fe\u5834,securing and evaluating electronic crime scene
2 \u521d\u6b65\u8a2a\u8ac7,conducting preliminary interviews
3 \u73fe\u5834\u8a18\u9304,documenting electronic crime scene
4 \u63a1\u8b49,collecting and preserving electronic evidence
5 \u8b49\u7269\u6253\u5305,packaging electronic evidence
6 \u904b\u56delab,transporting electronic evidence<\/p>\n\n\n\n

First response for non-laboratory staff<\/strong>
contact a computer forensic examiner as soon as possible.
secure the scene until forensics staff advises.
make notes about the scene.
ps:
don’t try searching something, becasue timestamps of evidence can is changed.

….<\/p>\n\n\n\n

Documenting an electronic crime scene<\/strong>
Document the physical scene
ex:the position of the mouse, the location of components near the system
Document related electronic components that are difficult to find.
Record the condition of the computer system, storage media, electronic devices and conventional evidence, including power status of the computer<\/p>\n\n\n\n

………………………………………………………………………………………………………<\/p>\n\n\n\n

Collecting and Preserving Electronic Evidence<\/strong><\/h2>\n\n\n\n

Principle<\/strong>
Do not turn the computer off or on
Do not run any programs, or attempt to access data on a computer<\/p>\n\n\n\n

Dealing with powered on computers<\/strong>
if monitor screen is viewable:
\u3000record the programs running on screen.
\u3000take a photograph.
if monitor shows some picture or screen saver:
\u3000move the mouse slowly without depressing any mouse button.
\u3000take a photograph.
if monitor is powered on and the display is blank
\u3000move the mouse slowly without depressing any mouse button.
\u3000take a photograph.<\/p>\n\n\n\n

Dealing with powered off computers<\/strong>
if computer is switched off
\u3000leave it off
if only monitor is switched off and display is blank:
\u3000turn the monitor on, move the mouse slightly. observe the changes from a blank screen. if it is not change, do not perform any keystroke
\u3000take a photograph
ps:
if the computer boots up, some files are written to the computer and computer is changed
…<\/p>\n\n\n\n

OS shutdown procedure<\/strong><\/p>\n\n\n\n

windows:<\/strong>
1.give a explaination if any program is running
2.unplug the power cord ( don’t click poweroff by windows OS)<\/p>\n\n\n\n

Mac OS:<\/strong>
1.record time from the manu bar
2.click special -> shutdown
3.unplug the power cord<\/p>\n\n\n\n

UNIX\/Linux:<\/strong>
1. in console: sync;sync;halt
2. unplug the power cord
ps: if step1 can’t work, unplug the power cord<\/p>\n\n\n\n

……………………………………………………………………………………………………………………..<\/p>\n\n\n\n

Packaging and Transporting Electronic Evidence<\/strong><\/h2>\n\n\n\n

Exhibit numbering for evidence<\/strong>
format: aaa\/ddmmyy\/nnnn\/zz
\u3000aaa: ID of forensic analyst or law enforcement officer
\u3000ddmmyy: date
\u3000nnnn: project ID or SN of exhibits seized
\u3000zz: sequence number, like A could be CPU, B could be Moniter<\/p>\n\n\n\n

…<\/p>\n\n\n\n

Common mistakes for first responder<\/strong>
shutdown or reboot victim computer
access victim computer by command
not documenting the data collection process<\/p>\n","protected":false},"excerpt":{"rendered":"

First Response Basics Roles of …<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"","fifu_image_alt":"","_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":false,"jetpack_social_options":{"image_generator_settings":{"template":"highway","default_image_id":0,"font":"","enabled":false},"version":2}},"categories":[11],"tags":[],"class_list":["post-365","post","type-post","status-publish","format-standard","hentry","category-forensics"],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/posts\/365","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/comments?post=365"}],"version-history":[{"count":0,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/posts\/365\/revisions"}],"wp:attachment":[{"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/media?parent=365"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/categories?post=365"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/tags?post=365"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}