Computer Forensics Incident First Response: First, Do No Harm

Once you have photographed the system and disconnected everything, inventory and chain-of-custody documentation come next. Make a comprehensive inventory of everything you seize: CPU unit, monitor, external devices, and removable media. Document the make, model, serial number and quantity of all equipment. For removable media, list quantities, brands and any titles written on the labels. Once your inventory is complete, have a witness physically verify it and sign the inventory sheet as well. With a witnessed inventory, there will be little doubt later about what was taken, should any questions arise.

Chain of custody establishes a verifiable audit trail as to when the equipment was seized and by whom, and then every action that happened to the evidence with regard to storage, transfer, analysis, and disposition. To begin the chain of custody, you should sign for the evidence from an individual who has responsibility over it and authority to release it to you (a department manager or the assigned equipment custodian). Then document the details of storage and any transfer to any other individual. Anyone transferring or receiving the evidence must sign and date the chain-of-custody form so that a continuous accountability trail exists for the item.

Once you have secured the evidence and inventoried it, and the chain of custody has been established, you should remove it from the scene. It should be stored in a controlled-access storage area restricted to only those individuals who have a legitimate need to access it. This access must be documented, possibly through the use of entry control logs, and any removal from or return of the evidence to storage should be recorded on the chain-of-custody form. The evidence remains in storage unless it is removed for analysis or transferred to another responsible party, such as law enforcement.
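The inventory sheet, the chain-of-custody form and the storage log described in the three steps above can be kept as one append-only record in which every custody event carries the hash of the event before it, so a later edit or deletion of any entry is detectable when the record is verified. The following is an added example written for this article, not a form or tool the article itself provides; the evidence tags, names, serial numbers and timestamps are constructed sample values.

```python
"""Inventory and hash-chained chain-of-custody log for seized equipment.

Added example, not part of the original article. Each custody event
(seizure, storage, removal, transfer) records who released the item, who
signed for it, where it went, and the SHA-256 digest of the previous
event. verify() recomputes the whole chain, so an altered or removed
entry breaks the link and is reported. All sample data is constructed.
"""
import hashlib
import json
from dataclasses import dataclass, asdict


@dataclass
class Item:
    tag: str          # evidence tag assigned at seizure (constructed values below)
    kind: str         # "CPU unit", "monitor", "USB drive", ...
    make: str
    model: str
    serial: str
    quantity: int = 1
    label: str = ""   # any title written on removable media


@dataclass
class CustodyEvent:
    seq: int
    timestamp: str    # ISO-8601; constructed values in the demo
    action: str       # seized / stored / removed for analysis / transferred
    item_tag: str
    from_person: str  # who released the item (signs the form)
    to_person: str    # who received it (signs the form)
    location: str
    prev_digest: str  # digest of the preceding event, links the chain
    digest: str = ""

    def compute_digest(self) -> str:
        body = asdict(self)
        body.pop("digest")                       # digest covers every other field
        canonical = json.dumps(body, sort_keys=True, separators=(",", ":"))
        return hashlib.sha256(canonical.encode()).hexdigest()


class CustodyLog:
    """Append-only log. Entries are never edited; a correction is a new event."""

    GENESIS = "0" * 64   # prev_digest of the first event

    def __init__(self):
        self.inventory = {}   # tag -> Item, the witnessed inventory sheet
        self.events = []      # chronological CustodyEvent list

    def add_item(self, item: Item) -> None:
        if item.tag in self.inventory:
            raise ValueError(f"duplicate evidence tag {item.tag}")
        self.inventory[item.tag] = item

    def record(self, timestamp, action, item_tag, from_person, to_person, location):
        # Every custody event must refer to an item that is on the inventory sheet.
        if item_tag not in self.inventory:
            raise KeyError(f"{item_tag} is not on the inventory sheet")
        prev = self.events[-1].digest if self.events else self.GENESIS
        ev = CustodyEvent(len(self.events), timestamp, action, item_tag,
                          from_person, to_person, location, prev)
        ev.digest = ev.compute_digest()
        self.events.append(ev)
        return ev

    def verify(self) -> bool:
        """Recompute each digest and check that every entry links to the one before it."""
        prev = self.GENESIS
        for i, ev in enumerate(self.events):
            if ev.seq != i or ev.prev_digest != prev or ev.compute_digest() != ev.digest:
                return False
            prev = ev.digest
        return True

    def current_custodian(self, item_tag: str) -> str:
        """The party who most recently signed for the item and is accountable for it now."""
        for ev in reversed(self.events):
            if ev.item_tag == item_tag:
                return ev.to_person
        raise KeyError(f"no custody events for {item_tag}")


def build_demo_log() -> CustodyLog:
    """Seizure of two items, storage of one, and its later removal for analysis."""
    log = CustodyLog()
    log.add_item(Item("EV-001", "CPU unit", "ExampleCo", "Desk-1", "SN-CONSTRUCTED-1"))
    log.add_item(Item("EV-002", "USB drive", "ExampleCo", "Flash-8G", "SN-CONSTRUCTED-2", label="backup"))
    log.record("2024-01-10T09:00:00Z", "seized", "EV-001", "J. Manager (equipment custodian)", "A. Responder", "Office 12")
    log.record("2024-01-10T09:02:00Z", "seized", "EV-002", "J. Manager (equipment custodian)", "A. Responder", "Office 12")
    log.record("2024-01-10T11:30:00Z", "stored", "EV-001", "A. Responder", "C. Clerk (evidence custodian)", "Locker B, shelf 3")
    log.record("2024-01-12T14:00:00Z", "removed for analysis", "EV-001", "C. Clerk (evidence custodian)", "B. Analyst", "Forensic lab")
    return log


if __name__ == "__main__":
    demo = build_demo_log()
    print("chain intact:", demo.verify())
    print("EV-001 is with:", demo.current_custodian("EV-001"))
```

Because each digest covers the previous digest, changing a single name or timestamp in an earlier entry makes `verify()` fail for every entry after it; the log therefore records not only who had the item when, but also that nobody rewrote that history after the fact. A printed copy of the digests beside the signatures on the paper form gives the same assurance for the physical record.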

When securing the evidence, your goal is to prevent any loss of data on the machine that could be of evidentiary value, and to prevent any tampering with it. Even if the analysis is done at some other location or by another technician, it’s your responsibility to ensure that the evidence is preserved for analysis and use in the case. If you have not been trained in analysis, do yourself a favor and do not attempt it. The practice of just “taking a look to see what’s on there” by untrained technicians is one of the worst things that can happen at the start of an investigation. Merely browsing through directories or powering the machine off or on can unintentionally alter or even delete valuable evidence and render it invalid, because it can no longer be verified that the evidence was not altered in any way. Although there are differing opinions on the value of evidence gained or lost by shutting a machine down or powering it up, the general rule of thumb I like to obey is: If it’s off, leave it off. If it’s on, leave it on.

If the first case is true and the computer is powered off, then photograph and secure the evidence as described above. If the computer was left on, and running, then that opens up another set of issues. Valuable evidence can be gained from conducting what is known as a “live response” from a running machine, but only if circumstances warrant it and you have been specially trained to do so. An untrained person will only cause loss of data and evidence and gain nothing from the action. In part 2 of this tutorial, we’ll discuss the basics of a live response and the precautions you must take.