BSC First Responder

8/8/2019 BSC First Responder

1/50

First Responder

Shukor Abd Razak


2/50

Understand the roles of first responderUnderstand the roles of first responder

Identify first responder best practicesIdentify first responder best practices

Identify issues related to first responderIdentify issues related to first responder

2


3/50

Process ofProcess of

collecting,collecting,

securing,securing, and transporting digital evidenceand transporting digital evidence

should not change the evidence condition.should not change the evidence condition.

3


4/50

Digital evidence should be examined onlyDigital evidence should be examined onlyby those trained specifically for thatby those trained specifically for that

purpose.purpose. Everything done during the seizure,Everything done during the seizure,

transportation, and storage of digitaltransportation, and storage of digitalevidence should be fully documented,evidence should be fully documented,preserved, and available for review (topreserved, and available for review (toverify the integrity)verify the integrity)

4


5/50

Search warrant or additional legalSearch warrant or additional legaldocuments need to be obtaineddocuments need to be obtained

FR must remember that computer data areFR must remember that computer data areusually volatile and fragile thus extra careusually volatile and fragile thus extra carewhen handling them is a mustwhen handling them is a must

5


6/50

Precautions should be taken in thePrecautions should be taken in the

CollectionCollection

PreservationPreservation and transportation of digital evidence.and transportation of digital evidence.

First responders may follow the followingFirst responders may follow the followingsteps as guidelines for handling of digitalsteps as guidelines for handling of digitalevidence at crime scene:evidence at crime scene:

6


7/50

Recognize, identify, seize, and secure allRecognize, identify, seize, and secure alldigital evidence at the scene.digital evidence at the scene.

Document the entire scene and theDocument the entire scene and thespecific location of the evidence found.specific location of the evidence found.

Collect, label, and preserve the digitalCollect, label, and preserve the digital

evidence.evidence. Package and transport digital evidence in aPackage and transport digital evidence in a

secure mannersecure manner

7


8/50

Before collecting evidence at a crimeBefore collecting evidence at a crimescene, first responders should ensurescene, first responders should ensure

thatthat Legal authority exists to seize evidence.Legal authority exists to seize evidence.

The scene has been secured and documented.The scene has been secured and documented.

Appropriate personal protective equipment isAppropriate personal protective equipment is

used.used.

8


9/50

FR should be able to identify sources ofFR should be able to identify sources ofevidenceevidence

Understand the computer systemUnderstand the computer systemhardware and softwarehardware and software

MonitorMonitor

Case/CPUCase/CPU

KeyboardKeyboard

MouseMouse

All the connected peripheralsAll the connected peripherals

9


10/50

Many forms of computer systemsMany forms of computer systems

PCPC

LaptopLaptop What else?What else?

10


11/50

Storage DevicesStorage Devices

Hard driveHard drive

External hard driveExternal hard drive Removable mediaRemovable media cd/floppy/dvdcd/floppy/dvd

Thumb driveThumb drive common and uncommoncommon and uncommon(weird shape)(weird shape)

Memory cardMemory card sd/mmc/mini sd/sticksd/mmc/mini sd/stick

11


12/50

Handheld DevicesHandheld Devices

Mobile phoneMobile phone

PDAPDA Digital cameraDigital camera

GPSGPS

PagerPager

Digital media audio or videoDigital media audio or video

12


13/50

Networking DevicesNetworking Devices

HubHub

FirewallFirewall RouterRouter

Wireless APWireless AP

ModemModem

AntennaAntenna

Networking devices might contain dataNetworking devices might contain datasuch as ...such as ...

13


14/50

Other Potential DevicesOther Potential Devices

CCTVCCTV

Video games consoleVideo games console Satellite/cable receiverSatellite/cable receiver

What can you say about all these evidenceWhat can you say about all these evidenceresources?resources?

14


15/50

Items or devices containing digitalItems or devices containing digitalevidence can be collected usingevidence can be collected using standardstandard

seizure tools and materials.seizure tools and materials. Caution when collecting, packaging, orCaution when collecting, packaging, or

storing digital devices to avoid altering,storing digital devices to avoid altering,

damaging, or destroying the digitaldamaging, or destroying the digitalevidence.evidence.

Request assistance from expert if situationRequest assistance from expert if situationat the crime scene beyond capabilitiesat the crime scene beyond capabilities

15


16/50

Recommended kits to be carried to theRecommended kits to be carried to thecrime scenecrime scene

Cameras (photo and video).Cameras (photo and video). Packaging boxes.Packaging boxes.

Notepads.Notepads.

Gloves.Gloves. Evidence inventory logsEvidence inventory logs

16


17/50

Recommended kits to be carried to theRecommended kits to be carried to thecrime scenecrime scene

Evidence bags.Evidence bags. Evidence stickers, labels, or tags.Evidence stickers, labels, or tags.

Antistatic bags.Antistatic bags.

Permanent markers.Permanent markers.

etc.etc.

17


18/50

Selection of tools are mainly forSelection of tools are mainly forinvestigation and data acquisitioninvestigation and data acquisition

purposes including packaging andpurposes including packaging andtransportationtransportation

It is beyond the scope of FR to identifyIt is beyond the scope of FR to identify

and select tools for analysis, extraction,and select tools for analysis, extraction,and interpretationand interpretation it is analyst scope ofit is analyst scope ofworkwork

18


19/50

Primary considerationPrimary consideration

officer safety and everyone at the crimeofficer safety and everyone at the crime

scene.scene.

All actions and activities carried outAll actions and activities carried out

should be in compliance withshould be in compliance withdepartmental/agency policy and lawsdepartmental/agency policy and laws

19


20/50

After securing the scene first responderAfter securing the scene first respondershould visually identify all potentialshould visually identify all potential

evidenceevidence and ensure that the integrity of both theand ensure that the integrity of both the

digital and traditional evidence isdigital and traditional evidence is

preserved.preserved.

Integrity of physical evidence also need toIntegrity of physical evidence also need to

be preservedbe preserved 20


21/50


22/50

What need to be done at the crime sceneWhat need to be done at the crime scene

Follow agency policy for securing crimeFollow agency policy for securing crime

scenes.scenes. Immediately secure all electronic devices,Immediately secure all electronic devices,

including personal or portable devices.including personal or portable devices.

Ensure that no unauthorized person hasEnsure that no unauthorized person has

access to any electronic devices at the crimeaccess to any electronic devices at the crimescene.scene.

Refuse offers of help or technical assistanceRefuse offers of help or technical assistancefrom any unauthorized personfrom any unauthorized person

22


23/50

What need to be done at the crime sceneWhat need to be done at the crime scene

Remove all persons from the crime scene orRemove all persons from the crime scene or

the immediate area from which evidence is tothe immediate area from which evidence is tobe collected.be collected.

Ensure that the condition of any electronicEnsure that the condition of any electronicdevice is not altered.device is not altered.

23


24/50

What to do if a computer is switchedWhat to do if a computer is switchedoff when found?off when found?

Leave a computer or electronic device off if itLeave a computer or electronic device off if itis already turned off.is already turned off.

Components such as keyboard, mouse mayComponents such as keyboard, mouse mayhold latent evidence such as fingerprints,hold latent evidence such as fingerprints,

DNA, or other physical evidence that shouldDNA, or other physical evidence that shouldbe preserved.be preserved.

Appropriate steps should be taken to ensureAppropriate steps should be taken to ensurethat physical evidence is not compromisedthat physical evidence is not compromiseddurin documentation.durin documentation. 24


25/50

WhatWhatIf a computer is on or the powerIf a computer is on or the powerstate cannot be determined?state cannot be determined?

Look and listen for indications that theLook and listen for indications that thecomputer is powered on.computer is powered on.

Listen for the sound of fans running, drivesListen for the sound of fans running, drivesspinning, or check to see if light emittingspinning, or check to see if light emitting

diodes (LEDs) are on.diodes (LEDs) are on. Check the display screen for signs that digitalCheck the display screen for signs that digital

evidence is being destroyed. Act fast.evidence is being destroyed. Act fast.

25


26/50

WhatWhatIf a computer is on or the powerIf a computer is on or the powerstate cannot be determined? (cont)state cannot be determined? (cont)

Look for indications that the computer is beingLook for indications that the computer is beingaccessed from a remote computer or device.accessed from a remote computer or device.

Look for signs of active or ongoingLook for signs of active or ongoingcommunications with other computers orcommunications with other computers or

users such as instant messaging windows orusers such as instant messaging windows orchat rooms.chat rooms.

Take note of all cameras or Web camerasTake note of all cameras or Web cameras(Web cams) and determine if they are active.(Web cams) and determine if they are active.

26


27/50

Conducting preliminary interviewConducting preliminary interview

In some cases first responder might need toIn some cases first responder might need to

gather a few information from surroundinggather a few information from surroundingpeople including suspectspeople including suspects

Information to gather includes: password of theInformation to gather includes: password of theprotected machine, login credentials to onlineprotected machine, login credentials to online

accounts, etc.accounts, etc. If we have to conduct interview, alwaysIf we have to conduct interview, always

consult with law enforcers to get peopleconsult with law enforcers to get peoplecooperation.cooperation.

27


28/50

First step is to obtain the search warrantFirst step is to obtain the search warrant

Evidence collection requires FR skills inEvidence collection requires FR skills inidentifying relevant evidencesidentifying relevant evidences

Two possible scenarios:Two possible scenarios: collect the evidence and bring back to lab.collect the evidence and bring back to lab.

evidence cannot be collected and brought toevidence cannot be collected and brought to

lab, thus only can acquire on scenelab, thus only can acquire on scene 28


29/50

To minimize alteration to evidence duringTo minimize alteration to evidence duringcollection, the following steps can becollection, the following steps can be

applied:applied: Document any activity on the computer,Document any activity on the computer,

components, or devices.components, or devices.

Confirm the power state of the computer.Confirm the power state of the computer.

Deal the power on and off computerDeal the power on and off computerdifferently.differently.

29


30/50

Situation 1: The monitor is on.Situation 1: The monitor is on.

It displays a program, application, workIt displays a program, application, work

product, picture, eproduct, picture, e--mail, or Internet sitemail, or Internet siteon the screen.on the screen.

30


31/50

1.1. Photograph the screen and record thePhotograph the screen and record theinformation displayed.information displayed.

2.2. Capture volatile memory if evidence visibleCapture volatile memory if evidence visibleon the screen.on the screen.

If no evidence shown on the screenIf no evidence shown on the screen bestbest

practice is to remove the power supplypractice is to remove the power supplyimmediatelyimmediately

31


32/50

Immediate disconnection of power isImmediate disconnection of power isrecommended when:recommended when:

onscreen activity indicates that data is beingonscreen activity indicates that data is beingdeleted or overwritten.deleted or overwritten.

a destructive process is being performed ona destructive process is being performed onthe computers data storage devices.the computers data storage devices.

Pulling the power from the back of thePulling the power from the back of thecomputer will preserve information aboutcomputer will preserve information about

the last user to login, recent docs, etc.the last user to login, recent docs, etc. 32


33/50

Immediate disconnection of power is NOTImmediate disconnection of power is NOTrecommended when:recommended when:

Evidence related to the crime is on screen andEvidence related to the crime is on screen andon volatile memoryon volatile memory

A lot of suspicious activities or applicationsA lot of suspicious activities or applicationsthat could be used as source of evidence arethat could be used as source of evidence are

found running on the screenfound running on the screen

33


34/50

Situation 5: If the computer is offSituation 5: If the computer is off

1. Document, photograph, and sketch all1. Document, photograph, and sketch allwires, cables, and other devices connectedwires, cables, and other devices connectedto the computer.to the computer.

2. Label the power supply cord and all2. Label the power supply cord and allcables, wires, or USB drives attached tocables, wires, or USB drives attached tothe computer.the computer.

34


35/50


36/50


5. Disconnect and secure all cables, wires,5. Disconnect and secure all cables, wires,and USB drives from the computer andand USB drives from the computer anddocument the device or equipmentdocument the device or equipment

connected at the opposite end.connected at the opposite end.6. Place tape over the floppy disk slot, if6. Place tape over the floppy disk slot, ifpresent.present.

36


37/50


7. Make sure that the CD or DVD drive7. Make sure that the CD or DVD drivetrays are retracted into place; notetrays are retracted into place; notewhether these drive trays are empty,whether these drive trays are empty,

contain disks, or are unchecked; and tapecontain disks, or are unchecked; and tapethe drive slot closed to prevent it fromthe drive slot closed to prevent it fromopening.opening.

8. Place tape over the power switch.8. Place tape over the power switch.37


38/50


9. Record the make, model, serial9. Record the make, model, serialnumbers, and any usernumbers, and any user--applied markingsapplied markingsor identifiers.or identifiers.

10. Package all evidence collected10. Package all evidence collectedfollowing agency procedures to preventfollowing agency procedures to preventdamage or alteration during transportationdamage or alteration during transportationand storage.and storage.

38


39/50

Other forms of evidenceOther forms of evidence

Look also for papers or documents containingLook also for papers or documents containing

passwords, information, serial number, etc.passwords, information, serial number, etc.than can be used to operate software orthan can be used to operate software orapplications on the seized computer systemsapplications on the seized computer systems

39


40/50

Digital evidence is fragile and can easilyDigital evidence is fragile and can easilydamaged due todamaged due to

High temperatureHigh temperature Magnetic fieldMagnetic field

Physical ShockPhysical Shock

HumidityHumidity

etcetc

40


41/50

PackagingPackaging

Pack all digital evidence in antistaticPack all digital evidence in antistatic

packaging.packaging. Use paper bags and envelopes, cardboardUse paper bags and envelopes, cardboard

boxes, and antistatic containersboxes, and antistatic containers

Avoid plastic materialsAvoid plastic materials -- can produce or staticcan produce or static

electricity, humidity and condensation thatelectricity, humidity and condensation thatmay damage or destroy the evidence.may damage or destroy the evidence.

41


42/50

PackagingPackaging

Ensure packaging that prevent from beingEnsure packaging that prevent from being

bent or scratchedbent or scratched Label all containers used to package and storeLabel all containers used to package and store

digital evidence clearly and properly.digital evidence clearly and properly.

Collect all power supplies and adapters for allCollect all power supplies and adapters for all

electronic devices seizedelectronic devices seized

42


43/50

PackagingPackaging

For mobile phones, leave them in the powerFor mobile phones, leave them in the power

state (on or off) in which they were found.state (on or off) in which they were found. Package mobile phone in signalPackage mobile phone in signal--blockingblocking

materialmaterial

faraday isolation bags,faraday isolation bags,

radio frequencyradio frequency--shielding material,shielding material, aluminium foilaluminium foil

to prevent data messages from being sent orto prevent data messages from being sent orreceived by the devices.received by the devices.

43


44/50

TransportingTransporting

Keep digital evidence away from magneticKeep digital evidence away from magnetic

fieldsfields produced by radio transmitters,produced by radio transmitters,

speaker magnets,speaker magnets,

magnetic mount emergency lights.magnetic mount emergency lights.

Other potential hazards that the firstOther potential hazards that the firstresponder should be aware of includeresponder should be aware of include

seats heatersseats heaters

and any device or material that can produce staticand any device or material that can produce static

electricity.electricity. 44


45/50


46/50

TransportingTransporting

Document the transportation of the digitalDocument the transportation of the digitalevidence and maintain the chain of custody onevidence and maintain the chain of custody onall evidence transported.all evidence transported.

46


47/50

StoringStoring

Follow own agency best practice of storingFollow own agency best practice of storingevidenceevidence

Ensure surrounding environments will notEnsure surrounding environments will nothave an impact towards evidencehave an impact towards evidencepreservation.preservation.

TemperatureTemperature

HumidityHumidity

Magnetic fieldsMagnetic fields

Static electricityStatic electricity

etcetc 47


48/50

Once evidence is in the lab, preservation,Once evidence is in the lab, preservation,extraction and interpretation processesextraction and interpretation processescan take place following the standard andcan take place following the standard andbest practices.best practices.

48


49/50

Reflection anyone?Reflection anyone?

49


50/50

Assignment 2Assignment 2 First Responder activityFirst Responder activity

50

BSC First Responder

Documents

Transcript of BSC First Responder