Shukor Abd Razak

- Understand the roles of the first responder
- Identify first responder best practices
- Identify issues related to the first responder

- The process of collecting, securing, and transporting digital evidence should not change the condition of the evidence.

- Digital evidence should be examined only by those trained specifically for that purpose.
- Everything done during the seizure, transportation, and storage of digital evidence should be fully documented, preserved, and available for review (to verify its integrity).

- A search warrant or additional legal documents need to be obtained.
- The FR (first responder) must remember that computer data are usually volatile and fragile, so extra care when handling them is a must.

- Precautions should be taken in the collection, preservation, and transportation of digital evidence.

- First responders may follow the following steps as guidelines for handling digital evidence at a crime scene:
  - Recognize, identify, seize, and secure all digital evidence at the scene.
  - Document the entire scene and the specific location of the evidence found.
  - Collect, label, and preserve the digital evidence.
  - Package and transport digital evidence in a secure manner.

- Before collecting evidence at a crime scene, first responders should ensure that:
  - Legal authority exists to seize evidence.
  - The scene has been secured and documented.
  - Appropriate personal protective equipment is

- The FR should be able to identify sources of digital evidence.
- Understand the computer system hardware and software:
  - Monitor
  - Case/CPU
  - Keyboard
  - Mouse
  - All the connected peripherals
- Many forms of computer systems:
  - PC
  - Laptop
  - What else?

- Storage devices
  - Hard drive
  - External hard drive
  - Removable media: CD/floppy/DVD
  - Thumb drive: common and uncommon (weird shapes)
  - Memory card: SD/MMC/mini SD/memory stick

- Handheld devices
  - Mobile phone
  - PDA
  - Digital camera
  - GPS
  - Pager
  - Digital media (audio or video)

- Networking devices
  - Hub
  - Firewall
  - Router
  - Wireless AP
  - Modem
  - Antenna
- Networking devices might contain data such as ...
- Other potential devices
  - Video game console
  - Satellite/cable receiver

- What can you say about all this evidence?


- Items or devices containing digital evidence can be collected using seizure tools and materials.
- Take caution when collecting, packaging, or storing digital devices to avoid altering, damaging, or destroying the digital evidence.
- Request assistance from an expert if the situation at the crime scene is beyond your capabilities.
- Recommended kit to be carried to the crime scene:
  - Cameras (photo and video)
  - Packaging boxes
  - Notepads
  - Gloves
  - Evidence inventory logs
  - Evidence bags
  - Evidence stickers, labels, or tags
  - Antistatic bags
  - Permanent markers
  - etc.

- Selection of tools is mainly for investigation and data acquisition purposes (including packaging).
- It is beyond the scope of the FR to identify and select tools for analysis, extraction, and interpretation; that is the analyst's scope.

- Primary consideration: the safety of the officer and of everyone at the crime scene.
- All actions and activities carried out should be in compliance with departmental/agency policy and laws.

- After securing the scene, the first responder should visually identify all potential evidence and ensure that the integrity of both the digital and traditional evidence is preserved.
- The integrity of physical evidence also needs to be preserved.
- Digital evidence on computers and other electronic devices can be easily altered, deleted, or destroyed.

- First responders should document, photograph, and secure digital evidence as soon as possible at the scene.

- What needs to be done at the crime scene:
  - Follow agency policy for securing the crime scene.
  - Immediately secure all electronic devices, including personal or portable devices.
  - Ensure that no unauthorized person has access to any electronic devices at the crime scene.
  - Refuse offers of help or technical assistance from any unauthorized person.
  - Remove all persons from the crime scene or the immediate area from which evidence is to be collected.
  - Ensure that the condition of any electronic device is not altered.
  - Leave a computer or electronic device off if it is already turned off.
  - Components such as the keyboard and mouse may hold latent evidence such as fingerprints, DNA, or other physical evidence that should be preserved.
  - Appropriate steps should be taken to ensure that physical evidence is not compromised during documentation.
- Look and listen for indications that the computer is powered on.
- Listen for the sound of fans running or drives spinning, or check whether light-emitting diodes (LEDs) are on.
- Check the display screen for signs that digital evidence is being destroyed. Act fast.
- Look for indications that the computer is being accessed from a remote computer or device.
- Look for signs of active or ongoing communications with other computers or users, such as instant messaging windows or chat rooms.
- Take note of all cameras or Web cameras (Web cams) and determine whether they are active.
- Conducting a preliminary interview
  - In some cases the first responder might need to gather some information from surrounding people, including suspects. Information to gather includes the password of the protected machine, login credentials to online accounts, etc.
  - If an interview has to be conducted, always consult with law enforcement officers to get people
- The first step is to obtain the search warrant.

- Evidence collection requires FR skills in identifying relevant evidence.
- Two possible scenarios:
  - Collect the evidence and bring it back to the lab.
  - The evidence cannot be collected and brought to the lab, so it can only be acquired on scene.
- To minimize alteration to evidence during collection, the following steps can be taken:
  - Document any activity on the computer, components, or devices.
  - Confirm the power state of the computer.
  - Deal with powered-on and powered-off computers appropriately.
- For a computer that is powered on:
  1. Photograph the screen and record the information displayed.
  2. Capture volatile memory if evidence is visible on the screen.
  If no evidence is shown on the screen, best practice is to remove the power supply.

- Immediate disconnection of power is recommended when:
  - Onscreen activity indicates that data is being deleted or overwritten.
  - A destructive process is being performed on the computer's data storage devices.
- Pulling the power from the back of the computer will preserve information about the last user to log in, recent documents, etc.
- Immediate disconnection of power is NOT recommended when:
  - Evidence related to the crime is on screen and in volatile memory.
  - Many suspicious activities or applications that could be used as a source of evidence are found running on the screen.

- Steps for disconnecting and securing the computer:
  1. Document, photograph, and sketch all wires, cables, and other devices connected to the computer.
  2. Label the power supply cord and all cables, wires, or USB drives attached to the computer.
  3. Photograph the labelled cords, cables, wires, and USB drives and the corresponding labelled connections.
  4. Remove and secure the power supply cord from the back of the computer and from the wall outlet, power strip, or battery backup device.
  5. Disconnect and secure all cables, wires, and USB drives from the computer and document the device or equipment connected at the opposite end.
  6. Place tape over the floppy disk slot, if present.
  7. Make sure that the CD or DVD drive trays are retracted into place; note whether these drive trays are empty, contain disks, or are unchecked; and tape the drive slot closed to prevent it from opening.
  8. Place tape over the power switch.
  9. Record the make, model, serial numbers, and any user-applied markings or identifiers.
  10. Package all evidence collected following agency procedures to prevent damage or alteration during transportation and storage.
- Other forms of evidence
  - Look also for papers or documents containing passwords, information, serial numbers, etc. that can be used to operate software or applications on the seized computer systems.

- Digital evidence is fragile and can easily be damaged due to:
  - High temperature
  - Magnetic fields
  - Physical shock
  - Humidity
  - etc.

- Packaging
  - Pack all digital evidence in antistatic packaging.
  - Use paper bags and envelopes, cardboard boxes, and antistatic containers.
  - Avoid plastic materials: they can produce static electricity, humidity and condensation that may damage or destroy the evidence.
  - Ensure the packaging prevents the evidence from being bent or scratched.
  - Label all containers used to package and store digital evidence clearly and properly.
  - Collect all power supplies and adapters for all electronic devices seized.
  - For mobile phones, leave them in the power state (on or off) in which they were found.
  - Package mobile phones in signal-blocking material (faraday isolation bags, radio frequency-shielding material, aluminium foil) to prevent data or messages from being sent or received by the devices.
- Transporting
  - Keep digital evidence away from magnetic fields produced by radio transmitters, speaker magnets, and magnetic mount emergency lights.
  - Other potential hazards that the first responder should be aware of include seat heaters and any device or material that can produce static electricity.
  - Avoid keeping digital evidence in a vehicle for prolonged periods of time; heat, cold, and humidity can damage or destroy digital evidence.
  - Ensure that computers and electronic devices are packaged and secured during transportation to prevent damage from shock and vibration.
  - Document the transportation of the digital evidence and maintain the chain of custody on all evidence transported.
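The documentation, chain-of-custody and integrity-verification points above, as an added worked example in Python that is not part of the original slides: an evidence item records the identifiers noted at the scene (make, model, serial, power state as found), a SHA-256 reference hash of the acquired image is sealed at seizure, every hand-over is logged, and the hash is recomputed on receipt at the lab so any alteration in transit is detected. The device identifiers, handler names and the sample image bytes are constructed placeholders.

```python
import hashlib
import tempfile
from datetime import datetime, timezone

def sha256_file(path, chunk_size=1 << 20):
    # Hash in chunks so a multi-GB disk image never has to fit in memory.
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()

class EvidenceItem:
    """One seized device: identifiers recorded at the scene plus its custody trail."""
    def __init__(self, label, make, model, serial, power_state):
        self.label, self.make, self.model, self.serial = label, make, model, serial
        self.power_state = power_state   # "on"/"off" exactly as found; the FR does not change it
        self.seizure_hash = None         # reference hash, set once the acquired image is sealed
        self.custody = []                # every handler and hand-over, in order

    def log(self, action, handler, location, note=""):
        self.custody.append({"time": datetime.now(timezone.utc).isoformat(), "action": action,
                             "handler": handler, "location": location, "note": note})

    def seal(self, image_path, handler, location):
        # Record the reference hash at the scene; later checks compare against it.
        self.seizure_hash = sha256_file(image_path)
        self.log("sealed", handler, location, "sha256=" + self.seizure_hash)

    def verify(self, image_path, handler, location):
        # Re-hash on receipt; a mismatch means the evidence was altered in transit or storage.
        ok = sha256_file(image_path) == self.seizure_hash
        self.log("verified" if ok else "INTEGRITY FAILURE", handler, location)
        return ok

def demo():
    """Constructed walk-through: seal at the scene, transport, verify at the lab, detect tampering."""
    with tempfile.NamedTemporaryFile(delete=False, suffix=".dd") as img:
        img.write(b"constructed sample disk image bytes")   # stands in for a real acquired image
    item = EvidenceItem("EV-001", "ExampleCorp", "Model-X", "SN-PLACEHOLDER", "off")
    item.seal(img.name, "FR Officer A", "crime scene")
    item.log("transported", "FR Officer A", "vehicle to lab", "antistatic bag, sealed")
    intact = item.verify(img.name, "Analyst B", "forensic lab")    # True: unchanged
    with open(img.name, "ab") as fh:
        fh.write(b"!")                                              # simulate an alteration
    tampered = item.verify(img.name, "Analyst B", "forensic lab")  # False: hash differs
    return intact, tampered, item.custody
```

The custody list is the reviewable record the slides call for: who handled the item, where, when, and whether the hash still matched at each check.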

- Storing
  - Follow your own agency's best practice for storing evidence.
  - Ensure the surrounding environment will not have an impact on the evidence: magnetic fields, static electricity, etc.
- Once the evidence is in the lab, the preservation, extraction and interpretation processes can take place following standards and best practices.

- Reflection, anyone?

- Assignment 2: First Responder activity