- The process of collecting, securing, and transporting digital evidence must not change the condition of the evidence.
- Digital evidence should be examined only by people trained specifically for that purpose.
- Everything done during the seizure, transportation, and storage of digital evidence should be fully documented, preserved, and available for review, so that the integrity of the evidence can be verified.
- A search warrant or additional legal documents must be obtained before evidence is seized.
- The first responder (FR) must remember that computer data are usually volatile and fragile, so extra care in handling them is a must.
- Precautions should be taken in the collection, preservation, and transportation of digital evidence.
- Recognize, identify, seize, and secure all digital evidence at the scene.
- Document the entire scene and the specific location of each item of evidence found.
- Collect, label, and preserve the digital evidence.
- Package and transport digital evidence in a secure manner.
- Before collecting evidence at a crime scene, first responders should ensure that:
  - legal authority exists to seize the evidence;
  - the scene has been secured and documented;
  - appropriate personal protective equipment is used.
- The FR should be able to identify sources of evidence.
- Understand the computer system hardware and software:
  - Monitor
  - Case/CPU
  - Keyboard
  - Mouse
  - All connected peripherals
- Computer systems come in many forms:
  - PC
  - Laptop
  - What else?
- Storage devices:
  - Hard drive
  - External hard drive
  - Removable media: CD/DVD/floppy
  - Thumb drive: common and uncommon (unusual shapes that may not look like a storage device)
  - Memory card: SD/MMC/mini SD/Memory Stick
- Handheld devices:
  - Mobile phone
  - PDA
  - Digital camera
  - GPS
  - Pager
  - Digital media player (audio or video)
- Networking devices:
  - Hub
  - Firewall
  - Router
  - Wireless AP
  - Modem
  - Antenna
- Networking devices might contain data such as ...
- Other potential devices:
  - CCTV
  - Video game console
  - Satellite/cable receiver
- Items or devices containing digital evidence can be collected using seizure tools and materials.
- Take care when collecting, packaging, or storing digital devices to avoid altering, damaging, or destroying the digital evidence.
- Request assistance from an expert if the situation at the crime scene is beyond the FR's capabilities.
- Recommended kit to be carried to the crime scene:
  - Cameras (photo and video)
  - Packaging boxes
  - Notepads
  - Gloves
  - Evidence inventory logs
  - Evidence bags
  - Evidence stickers, labels, or tags
  - Antistatic bags
  - Permanent markers
  - etc.
- The FR's selection of tools is mainly for investigation and data acquisition purposes, including packaging and transportation.
- It is beyond the scope of the FR to identify and select tools for analysis, extraction, and interpretation; that is the analyst's scope of work.
- Primary consideration: the safety of the officer and of everyone else at the crime scene.
- After securing the scene, the first responder should visually identify all potential evidence and ensure that the integrity of both the digital and the traditional evidence is preserved.
- First responders should document, photograph, and secure digital evidence as soon as possible at the scene.
- What needs to be done at the crime scene:
  - Follow agency policy for securing crime scenes.
  - Immediately secure all electronic devices, including personal or portable devices.
  - Ensure that no unauthorized person has access to any electronic device at the crime scene.
  - Refuse offers of help or technical assistance from any unauthorized person.
  - Remove all persons from the crime scene or from the immediate area from which evidence is to be collected.
  - Ensure that the condition of any electronic device is not altered.
- Leave a computer or electronic device off if it is already turned off.
- Components such as the keyboard and mouse may hold latent evidence such as fingerprints, DNA, or other physical evidence that should be preserved.
- Appropriate steps should be taken to ensure that physical evidence is not compromised during documentation.
- Look and listen for indications that the computer is powered on.
- Listen for the sound of fans running or drives spinning, and check whether any light-emitting diodes (LEDs) are lit.
- Check the display screen for signs that digital evidence is being destroyed. Act fast.
- Look for indications that the computer is being accessed from a remote computer or device.
- Look for signs of active or ongoing communications with other computers or users, such as instant messaging windows or chat rooms.
- Take note of all cameras or webcams and determine whether they are active.
- Conducting a preliminary interview:
  - In some cases the first responder might need to gather information from people at the scene, including suspects. Information to gather includes the password of a protected machine, login credentials for online accounts, etc.
  - If an interview has to be conducted, always consult with law enforcement officers to obtain people's cooperation.
- The first step is to obtain the search warrant.
1. Photograph the screen and record the information displayed.
2. Capture volatile memory if evidence is visible on the screen.
- Immediate disconnection of power is recommended when:
  - on-screen activity indicates that data is being deleted or overwritten;
  - a destructive process is being performed on the computer's data storage devices.
- Digital evidence is fragile and can easily be damaged by:
  - high temperature
  - magnetic fields
  - physical shock
  - humidity
  - etc.
- Packaging:
  - Pack all digital evidence in antistatic packaging.
  - Use paper bags and envelopes, cardboard boxes, and antistatic containers.
  - Avoid plastic materials: they can produce static electricity and trap humidity and condensation, which may damage or destroy the evidence.
  - Ensure the packaging prevents items from being bent or scratched.
  - Label all containers used to package and store digital evidence clearly and properly.
  - Collect all power supplies and adapters for all electronic devices seized.
  - Leave mobile phones in the power state (on or off) in which they were found.
  - Package mobile phones in signal-blocking material (Faraday isolation bags, radio-frequency-shielding material, aluminium foil) to prevent data or messages from being sent or received by the device. Note that a phone left on inside shielding keeps searching for a network and drains its battery faster, so keeping it powered must be planned for.
- Transporting:
  - Keep digital evidence away from magnetic fields, such as those produced by radio transmitters, speaker magnets, and magnetic-mount emergency lights.
  - Other potential hazards the first responder should be aware of include seat heaters and any device or material that can produce static electricity.
  - Avoid keeping digital evidence in a vehicle for prolonged periods of time. Heat, cold, and humidity can damage or destroy digital evidence.
  - Ensure that computers and electronic devices are packaged and secured during transportation to prevent damage from shock and vibration.
  - Document the transportation of the digital evidence and maintain the chain of custody for all evidence transported.
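The slides ask, at the start, that everything done during seizure, transport, and storage be documented so that integrity can be verified, and here that the chain of custody be maintained during transport. The following is an added example, not material from the original lecture, of what such a record can look like in code: an evidence inventory and chain-of-custody log whose entries are hash-chained (each entry records the hash of the one before it), plus SHA-256 hashing of any acquired image so a later reviewer can detect an altered log entry or a changed image. The item IDs, people, timestamps, and the sample image file are constructed for illustration; the `CustodyLog`, `seize`, `transfer`, and `verify` names are the example's own, not an established tool's API.

```python
# Added example (not part of the original lecture slides): hash-chained
# evidence inventory / chain-of-custody log with SHA-256 image verification.
# All items, people, timestamps and the sample image below are constructed.
import hashlib
import json
import tempfile
from datetime import datetime, timezone
from pathlib import Path
from typing import Dict, List, Optional

GENESIS = "0" * 64  # prev_hash recorded in the very first log entry


def sha256_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """SHA-256 of a file, read in chunks so a large disk image need not fit in RAM."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def entry_hash(record: dict) -> str:
    """Hash of an entry's canonical JSON form, excluding its own entry_hash field."""
    body = {k: v for k, v in record.items() if k != "entry_hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


class CustodyLog:
    """Append-only inventory and chain-of-custody log.

    Each entry stores the hash of the previous entry, so editing, deleting or
    reordering any earlier entry is detectable when the log is reviewed.
    """

    def __init__(self) -> None:
        self.entries: List[dict] = []

    def _append(self, record: dict) -> dict:
        record["prev_hash"] = self.entries[-1]["entry_hash"] if self.entries else GENESIS
        record["entry_hash"] = entry_hash(record)
        self.entries.append(record)
        return record

    def seize(self, item_id: str, description: str, location: str, collector: str,
              image: Optional[Path] = None, when: Optional[str] = None) -> dict:
        """Record collection of an item at the scene; hash its acquired image if there is one."""
        return self._append({
            "event": "seized",
            "item_id": item_id,
            "description": description,
            "location": location,  # where at the scene the item was found
            "actor": collector,
            "image_sha256": sha256_file(image) if image else None,
            "time": when or datetime.now(timezone.utc).isoformat(),
        })

    def transfer(self, item_id: str, from_person: str, to_person: str, purpose: str,
                 when: Optional[str] = None) -> dict:
        """Record a hand-over, e.g. scene -> transport vehicle -> evidence store."""
        return self._append({
            "event": "transferred",
            "item_id": item_id,
            "actor": from_person,
            "recipient": to_person,
            "purpose": purpose,
            "time": when or datetime.now(timezone.utc).isoformat(),
        })

    def verify(self, images: Dict[str, Path]) -> List[str]:
        """Return integrity problems found in the log and the given images (empty list = all good)."""
        problems: List[str] = []
        expected_prev = GENESIS
        for i, e in enumerate(self.entries):
            if e.get("prev_hash") != expected_prev:
                problems.append(f"entry {i}: chain broken (prev_hash mismatch)")
            if entry_hash(e) != e.get("entry_hash"):
                problems.append(f"entry {i}: contents altered after recording")
            expected_prev = e.get("entry_hash", "")
            recorded = e.get("image_sha256")
            if recorded and e["item_id"] in images and sha256_file(images[e["item_id"]]) != recorded:
                problems.append(f"entry {i}: image of {e['item_id']} no longer matches recorded hash")
        return problems


def demo() -> Dict[str, List[str]]:
    """Seize a constructed laptop image, transport it, verify, then show a changed image being caught."""
    with tempfile.TemporaryDirectory() as tmp:
        img = Path(tmp) / "ITEM-01.dd"
        img.write_bytes(b"constructed sample disk image\x00" * 4096)  # stand-in for a real acquisition
        log = CustodyLog()
        log.seize("ITEM-01", "Laptop, found powered off", "desk, bedroom 2", "FR J. Doe",
                  image=img, when="2024-03-01T09:15:00+00:00")
        log.transfer("ITEM-01", "FR J. Doe", "Evidence clerk A. Roe", "transport to lab",
                     when="2024-03-01T11:40:00+00:00")
        clean = log.verify({"ITEM-01": img})
        img.write_bytes(b"modified after seizure")  # simulate damage or tampering in transit
        return {"clean": clean, "after_tamper": log.verify({"ITEM-01": img})}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The hash chain only makes tampering detectable, not impossible: whoever holds the log can rewrite every hash after an edit. In practice the log is therefore exported or signed at each hand-over (for example, a printed copy with signatures, or a copy kept by the receiving party), so that an altered copy can be compared against one that left the first responder's hands earlier.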
- Storing:
  - Follow your own agency's best practice for storing evidence.
  - Ensure that the surrounding environment will not affect evidence preservation: temperature, humidity, magnetic fields, static electricity, etc.
- Once the evidence is in the lab, the preservation, extraction, and interpretation processes can take place following the relevant standards and best practices.
- Reflection, anyone?

- Assignment 2: First Responder activity