BSC First Responder
First Responder
Shukor Abd Razak
8/8/2019

Objectives
- Understand the roles of the first responder
- Identify first responder best practices
- Identify issues related to the first responder

The process of collecting, securing, and transporting digital evidence should not change the condition of the evidence.

Digital evidence should be examined only by those trained specifically for that purpose. Everything done during the seizure, transportation, and storage of digital evidence should be fully documented, preserved, and available for review, so that the integrity of the evidence can be verified.

A search warrant or additional legal documents need to be obtained before seizure. The first responder (FR) must remember that computer data are usually volatile and fragile, so extra care when handling them is a must.

Precautions should be taken in the collection, preservation, and transportation of digital evidence. First responders may follow the steps below as guidelines for handling digital evidence at a crime scene:
- Recognize, identify, seize, and secure all digital evidence at the scene.
- Document the entire scene and the specific location of the evidence found.
- Collect, label, and preserve the digital evidence.
- Package and transport digital evidence in a secure manner.

Before collecting evidence at a crime scene, first responders should ensure that:
- Legal authority exists to seize the evidence.
- The scene has been secured and documented.
- Appropriate personal protective equipment is used.

The FR should be able to identify sources of evidence and understand the computer system hardware and software:
- Monitor
- Case/CPU
- Keyboard
- Mouse
- All connected peripherals

Computer systems come in many forms:
- PC
- Laptop
- What else?

Storage devices
- Hard drive
- External hard drive
- Removable media: CD/floppy/DVD
- Thumb drive: common and uncommon (unusual shapes)
- Memory card: SD/MMC/mini SD/memory stick

Handheld devices
- Mobile phone
- PDA
- Digital camera
- GPS
- Pager
- Digital audio or video media players

Networking devices
- Hub
- Firewall
- Router
- Wireless AP
- Modem
- Antenna
Networking devices might contain data such as ...

Other potential devices
- CCTV
- Video game console
- Satellite/cable receiver
What can you say about all these sources of evidence?

Items or devices containing digital evidence can be collected using standard seizure tools and materials. Take care when collecting, packaging, or storing digital devices to avoid altering, damaging, or destroying the digital evidence. Request assistance from an expert if the situation at the crime scene is beyond the first responder's capabilities.

Recommended kit to be carried to the crime scene
- Cameras (photo and video)
- Packaging boxes
- Notepads
- Gloves
- Evidence inventory logs
- Evidence bags
- Evidence stickers, labels, or tags
- Antistatic bags
- Permanent markers
- etc.

The selection of tools is mainly for investigation and data acquisition purposes, including packaging and transportation. It is beyond the scope of the FR to identify and select tools for analysis, extraction, and interpretation; that is the analyst's scope of work.

The primary consideration is the safety of the officer and of everyone at the crime scene. All actions and activities carried out should be in compliance with departmental/agency policy and the law.

After securing the scene, the first responder should visually identify all potential evidence and ensure that the integrity of both the digital and the traditional (physical) evidence is preserved.
What need to be done at the crime sceneWhat need to be done at the crime scene
Follow agency policy for securing crimeFollow agency policy for securing crime
scenes.scenes. Immediately secure all electronic devices,Immediately secure all electronic devices,
including personal or portable devices.including personal or portable devices.
Ensure that no unauthorized person hasEnsure that no unauthorized person has
access to any electronic devices at the crimeaccess to any electronic devices at the crimescene.scene.
Refuse offers of help or technical assistanceRefuse offers of help or technical assistancefrom any unauthorized personfrom any unauthorized person
22
8/8/2019 BSC First Responder
23/50
What need to be done at the crime sceneWhat need to be done at the crime scene
Remove all persons from the crime scene orRemove all persons from the crime scene or
the immediate area from which evidence is tothe immediate area from which evidence is tobe collected.be collected.
Ensure that the condition of any electronicEnsure that the condition of any electronicdevice is not altered.device is not altered.
23

What to do if a computer is switched off when found?
- Leave a computer or electronic device off if it is already turned off.
- Components such as the keyboard and mouse may hold latent evidence such as fingerprints, DNA, or other physical evidence that should be preserved.
- Appropriate steps should be taken to ensure that physical evidence is not compromised during documentation.

What if a computer is on or the power state cannot be determined?
- Look and listen for indications that the computer is powered on: listen for the sound of fans running or drives spinning, or check whether light-emitting diodes (LEDs) are on.
- Check the display screen for signs that digital evidence is being destroyed. Act fast.
- Look for indications that the computer is being accessed from a remote computer or device.
- Look for signs of active or ongoing communications with other computers or users, such as instant messaging windows or chat rooms.
- Take note of all cameras or Web cameras (Web cams) and determine whether they are active.

Conducting a preliminary interview
- In some cases the first responder might need to gather some information from surrounding people, including suspects.
- Information to gather includes: the password of the protected machine, login credentials for online accounts, etc.
- If an interview has to be conducted, always consult with law enforcement officers to obtain people's cooperation.

The first step is to obtain the search warrant. Evidence collection requires FR skills in identifying relevant evidence. There are two possible scenarios:
- Collect the evidence and bring it back to the lab.
- The evidence cannot be collected and brought to the lab, so it can only be acquired on scene.

To minimize alteration of evidence during collection, the following steps can be applied:
- Document any activity on the computer, components, or devices.
- Confirm the power state of the computer.
- Handle a powered-on computer differently from a powered-off one.

Situation 1: The monitor is on. It displays a program, application, work product, picture, e-mail, or Internet site on the screen.
1. Photograph the screen and record the information displayed.
2. Capture volatile memory if evidence is visible on the screen.
If no evidence is shown on the screen, best practice is to remove the power supply immediately, subject to the conditions on the following slides.

Immediate disconnection of power is recommended when:
- On-screen activity indicates that data is being deleted or overwritten.
- A destructive process is being performed on the computer's data storage devices.
Pulling the power from the back of the computer will preserve information about the last user to log in, recent documents, etc.

Immediate disconnection of power is NOT recommended when:
- Evidence related to the crime is on screen or in volatile memory.
- Many suspicious activities or applications that could be used as a source of evidence are found running on screen.

Situation 5: If the computer is off
1. Document, photograph, and sketch all wires, cables, and other devices connected to the computer.
2. Label the power supply cord and all cables, wires, or USB drives attached to the computer.
5. Disconnect and secure all cables, wires, and USB drives from the computer and document the device or equipment connected at the opposite end.
6. Place tape over the floppy disk slot, if present.
7. Make sure that the CD or DVD drive trays are retracted into place; note whether these drive trays are empty, contain disks, or are unchecked; and tape the drive slot closed to prevent it from opening.
8. Place tape over the power switch.
9. Record the make, model, serial numbers, and any user-applied markings or identifiers.
10. Package all evidence collected following agency procedures to prevent damage or alteration during transportation and storage.

Other forms of evidence
Look also for papers or documents containing passwords, information, serial numbers, etc. that can be used to operate software or applications on the seized computer systems.

Digital evidence is fragile and can easily be damaged by:
- High temperature
- Magnetic fields
- Physical shock
- Humidity
- etc.

Packaging
- Pack all digital evidence in antistatic packaging.
- Use paper bags and envelopes, cardboard boxes, and antistatic containers.
- Avoid plastic materials: they can produce or retain static electricity, humidity, and condensation that may damage or destroy the evidence.
- Ensure the packaging prevents the evidence from being bent or scratched.
- Label all containers used to package and store digital evidence clearly and properly.
- Collect all power supplies and adapters for all electronic devices seized.

Packaging
- For mobile phones, leave them in the power state (on or off) in which they were found.
- Package mobile phones in signal-blocking material (Faraday isolation bags, radio-frequency shielding material, aluminium foil) to prevent data or messages from being sent to or received by the devices.

Transporting
- Keep digital evidence away from magnetic fields produced by radio transmitters, speaker magnets, and magnetic-mount emergency lights.
- Other potential hazards that the first responder should be aware of include seat heaters and any device or material that can produce static electricity.
- Document the transportation of the digital evidence and maintain the chain of custody on all evidence transported.
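The requirement that everything done to the evidence be documented and reviewable so its integrity can be verified, the record of make, model, serial numbers and user-applied markings taken at seizure, and the chain of custody maintained during transport can all be tied together in one small tool. The following is an added example written for this page, not part of the original slides: it fingerprints an acquired image with SHA-256 at the time of seizure, keeps an append-only custody log in which every entry hashes the previous one, and shows that both a flipped bit in the image and an edited log entry are detected afterwards. The JSON-lines file layout, the field names, the item identifier and the sample data are assumptions made for illustration.

```python
# Added example (not from the slides): SHA-256 fingerprint of an acquired image
# plus a hash-chained, append-only chain-of-custody log. The JSON-lines layout,
# the field names and the sample data are assumptions for illustration.
import hashlib
import json
import tempfile
from datetime import datetime, timezone
from pathlib import Path

GENESIS = "0" * 64  # prev_hash of the first log entry (assumed convention)

def sha256_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """Hash in chunks so a large disk image need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()

def make_evidence_record(item_id, make, model, serial, markings, image_path):
    """Inventory entry: identifiers recorded at seizure plus the image fingerprint."""
    return {"item_id": item_id, "make": make, "model": model, "serial": serial,
            "user_markings": markings, "image_file": image_path.name,
            "image_sha256": sha256_file(image_path)}

def _entry_hash(entry: dict) -> str:
    # Canonical JSON (sorted keys) so the hash is reproducible at verification.
    return hashlib.sha256(json.dumps(entry, sort_keys=True).encode()).hexdigest()

class CustodyLog:
    """Append-only JSON-lines log; every entry commits to the previous one."""

    def __init__(self, log_path: Path):
        self.log_path = log_path

    def entries(self):
        if not self.log_path.exists():
            return []
        text = self.log_path.read_text(encoding="utf-8")
        return [json.loads(line) for line in text.splitlines() if line.strip()]

    def append(self, item_id, action, handler, location, note=""):
        prev = self.entries()
        entry = {"timestamp": datetime.now(timezone.utc).isoformat(),
                 "item_id": item_id, "action": action, "handler": handler,
                 "location": location, "note": note,
                 "prev_hash": prev[-1]["entry_hash"] if prev else GENESIS}
        entry["entry_hash"] = _entry_hash(entry)  # hash covers all fields above
        with open(self.log_path, "a", encoding="utf-8") as f:
            f.write(json.dumps(entry, sort_keys=True) + "\n")
        return entry["entry_hash"]

    def verify(self) -> bool:
        """True only if each entry hashes correctly and the chain is unbroken."""
        prev = GENESIS
        for entry in self.entries():
            stored = entry.pop("entry_hash", None)
            if entry.get("prev_hash") != prev or _entry_hash(entry) != stored:
                return False
            prev = stored
        return True

def verify_image(record: dict, image_path: Path) -> bool:
    """Re-hash the image and compare with the fingerprint taken at seizure."""
    return sha256_file(image_path) == record["image_sha256"]

def demo():
    """Constructed walk-through: seize, transport, receive, then two tamper
    attempts. Returns (all_ok_before, image_ok_after, log_ok_after)."""
    with tempfile.TemporaryDirectory() as tmp:
        image = Path(tmp) / "ITEM-01.dd"
        image.write_bytes(b"constructed sample image\x00" * 4096)  # not a real image
        record = make_evidence_record("ITEM-01", "ExampleCo", "Model-X",
                                      "SN-000123", "label 'office 2'", image)
        log = CustodyLog(Path(tmp) / "custody.jsonl")
        log.append("ITEM-01", "seized", "Officer A", "scene, room 2")
        log.append("ITEM-01", "transported", "Officer A", "vehicle to lab")
        log.append("ITEM-01", "received", "Analyst B", "lab evidence locker")
        all_ok_before = verify_image(record, image) and log.verify()

        # Tamper 1: one bit of the image flips in transit.
        data = bytearray(image.read_bytes())
        data[10] ^= 0x01
        image.write_bytes(bytes(data))
        image_ok_after = verify_image(record, image)

        # Tamper 2: the handler name on an earlier log entry is edited.
        lines = log.log_path.read_text(encoding="utf-8").splitlines()
        edited = json.loads(lines[1])
        edited["handler"] = "Officer Z"
        lines[1] = json.dumps(edited, sort_keys=True)
        log.log_path.write_text("\n".join(lines) + "\n", encoding="utf-8")
        return all_ok_before, image_ok_after, log.verify()

if __name__ == "__main__":
    print(demo())  # expected: (True, False, False)
```

The hash chain only detects alteration; it does not prevent it, so the log file itself still needs the same access control and storage conditions as the evidence it describes, and the hash of the image recorded at seizure should be copied into the paper evidence inventory as well.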

Storing
- Follow your own agency's best practice for storing evidence.
- Ensure the surrounding environment will not affect the preservation of the evidence: temperature, humidity, magnetic fields, static electricity, etc.

Once the evidence is in the lab, the preservation, extraction, and interpretation processes can take place following standards and best practices.

Reflection, anyone?

Assignment 2: First Responder activity