Computer Forensics Incident First Response: First, Do No Harm

The initial response is the most critical part of any investigation, whether it is a hacking attempt into your systems, prohibited usage of computer assets, or illegal activity.

The reason it is the most critical is that at this stage of the investigation the evidence must be secured, adequately protected and authenticated, and a chain of custody must be started. All available facts of the case and every action taken must be documented, and the investigation timeline must be started as well. These tasks are so critical because you will never get a second chance to redo them; if they are not done properly, you run a serious risk of having your evidence thrown out, or the entire investigation dismissed, due to poor procedures.
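One way to start the chain of custody and the timeline described above, as an added example that is not part of the original article: a small Python log that records the SHA-256 of the evidence at seizure and links every later handling entry to the digest of the previous one, so that a changed evidence image or an edited earlier entry fails verification. The field names, the handler names and the evidence bytes are constructed assumptions.

```python
# Added example, not from the article. Assumed design: the evidence is hashed
# with SHA-256 when seized, and each later entry carries the digest of the
# previous entry, so evidence changes and edits to earlier entries are caught.
import hashlib
import json
from datetime import datetime, timezone

def sha256_hex(data: bytes) -> str:
    """Authentication value recorded for the evidence as collected."""
    return hashlib.sha256(data).hexdigest()

def entry_digest(entry: dict) -> str:
    """Stable digest of one entry: sorted keys, compact separators."""
    blob = json.dumps(entry, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(blob).hexdigest()

def _now() -> str:
    return datetime.now(timezone.utc).isoformat()

def start_chain(evidence_id: str, handler: str, evidence: bytes,
                when=None) -> list:
    """First entry (seizure): who, when, which item, and the evidence hash."""
    return [{
        "evidence_id": evidence_id,
        "action": "seized",
        "handler": handler,
        "timestamp": when or _now(),
        "evidence_sha256": sha256_hex(evidence),
        "prev_entry": None,
    }]

def add_entry(chain: list, action: str, handler: str, note: str,
              when=None) -> list:
    """Append a handling step (transfer, imaging, storage) linked to the last entry."""
    chain.append({
        "evidence_id": chain[0]["evidence_id"],
        "action": action,
        "handler": handler,
        "note": note,
        "timestamp": when or _now(),
        "prev_entry": entry_digest(chain[-1]),
    })
    return chain

def verify_chain(chain: list, evidence: bytes) -> bool:
    """True only if evidence matches its seizure hash and no entry was altered."""
    if chain[0]["evidence_sha256"] != sha256_hex(evidence):
        return False
    return all(cur["prev_entry"] == entry_digest(prev)
               for prev, cur in zip(chain, chain[1:]))
```

Each entry's timestamp and handler are exactly the "who did what, when" a timeline needs; the linked digests only add tamper detection on top of that record.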

The first and most important thing you should do is secure the scene and the evidence. When securing the evidence, your goal is to prevent any loss of, or tampering with, data on the machine that could be of evidentiary value. Even if the analysis portion is done at some other location or by another technician, it is your responsibility to ensure that the evidence is preserved for analysis and use in the case.

Securing the scene may be problematic in a corporate environment for a couple of reasons. First, as an IT technician you may not have the authority to conduct an investigation in the area where the machine is located. Make sure you get written authorization from the relevant management levels before starting your investigation. Another problem is discretion. Usually, the investigation is known only to upper management and other key personnel (legal, human resources, and IT security departments). General staff should not be aware of the investigation, so it may be a good idea to secure the evidence after normal work hours.

Evidence that should be immediately secured from tampering is, at minimum, the computer itself, any removable media, and any equipment connected to the system. Before disconnecting any cables, photograph the system and its connections. This way, if there is later any question as to what was connected to the machine (such as unauthorized modems or prohibited removable media such as portable USB drives), you have a photographic record to back you up instead of relying on memory.