Computer Forensics Incident First Response: First, Do No Harm

Forensics is gaining a popular following, thanks to the multitude of TV shows in which crime scene technicians collect evidence, spend a few minutes in the lab determining the guilt of the culprit, and wrap up the case by the end of the episode. But in real life, forensics, like other complex subjects distilled for TV, is far more time-consuming, process-intensive, and sometimes inconclusive. The art and science of computer forensics is no different. Digital forensics is gaining popularity as the next must-have skill set in the IT job market, but computer forensics technicians and analysts require intensive and usually expensive training.

Since computer-related incidents are sometimes few and far between (the ones that are discovered, anyway), most companies do not see an immediate return on investment in hiring someone devoted exclusively to that task. Only a few more see value in expensive training for the support technicians and system administrators already working for them, since those staff may never need the skills. As a result, when an incident does happen and is actually discovered, the company may find that the "server guy" or another support technician is called upon to carry out the initial response. If you are that person, and you lack forensic training or experience, this article covers a few critical points that can make or break an investigation and help ensure that key evidence is not contaminated or rendered unusable in administrative or legal actions. It will not make you a forensics expert, but you will at least be able to handle the critical first-response tasks.