Module V - First Responder Procedures

Upload: desmond-devendran

Post on 19-May-2015


Page 1

Module V - First Responder Procedures

Page 2

EC-Council Copyright © by EC-Council

All Rights Reserved. Reproduction is Strictly Prohibited

Scenario

Sam, a system administrator, was surprised to see critical files missing from his office server. He suspected that the server was compromised. He did not want to take a chance by investigating the system himself.

Sam reported the incident to Bob, an Information Security Officer employed with the same firm. Bob took note of the request from Sam. Being a CHFI, seizing Sam’s system and following the basic procedures in investigating the case was easy for Bob.

He investigated an image of the server’s hard disk. His investigation revealed the presence of a rootkit in one of the directories of the server.

During the investigation process, Sam recalled downloading a patch management tool from a third-party source on the Internet. He realized that the rootkit could have been bundled with the patch management tool.

Page 3

News: Mobile Handsets Becoming A 'Smoking Gun'

Source: http://www.darkreading.com/

Rise in mobile devices in the enterprise adds new challenges to incident response. Dec 01, 2008 | 02:42 PM | By Kelly Jackson Higgins, DarkReading

You have to be fast when seizing a mobile handheld device in the wake of a security breach -- a dead battery or still-live signal could wipe out or taint the evidence stored on it. As handheld devices gain more data features and storage, they also are increasingly becoming a smoking gun in an enterprise data breach, especially when it comes to the insider threat, security experts say. But getting hold of these devices and freezing the evidence on them isn't so easy.

"The biggest data breach [with handhelds] today is probably lost or stolen handhelds," says Randy Abrams, director of technical education at Eset. "The fact that many of these devices support MicroSD card of at least 2 gigabytes of capacity makes them extremely agile for transporting data. Insiders have no problem copying large amounts of data from a PC to their smartphone. Even if the possession of the data is legitimate, a lost device with unencrypted data can be a gold mine for the finder."

But the evidence on the devices can be easily lost or tainted. Amber Schroader, president and founder of Paraben, says the key is to maintain power on the device and protect it from any changes that could contaminate the evidence on it. "You can put aluminum foil around it to make sure the signal is blocked" or put a Faraday cage around it to protect the evidence, she said during a presentation at the recent CSI 2008 conference.

The first responder to a handheld device could have less than a minute to properly seize and contain one of these "volatile" devices, she says. If the battery dies, so does the forensics data that was on a Windows Mobile device, for instance, Schroader said. "Every three days a new digital device goes into the consumer market," she said, and there aren't enough forensic examiners to keep up with them.

Page 4

Module Objective

This module will familiarize you with:

• Electronic Evidence
• First Responder
• Role of the First Responder
• Electronic Devices: Types and Collecting Potential Evidence
• First Responder Toolkit
• Evidence Collecting Tools and Equipment
• First Responder Procedures
• Securing and Evaluating Electronic Crime Scene
• Conducting Preliminary Interviews
• Documenting Electronic Crime Scene
• Collecting and Preserving Electronic Evidence
• Packaging Electronic Evidence
• Transporting Electronic Evidence
• Reporting the Crime Scene
• First Responder Common Mistakes

Page 5

Module Flow

• Electronic Evidence
• First Responder
• Role of First Responder
• Electronic Devices: Types and Collecting Potential Evidence
• First Responder Toolkit
• Evidence Collecting Tools and Equipment
• First Responder Procedures
• Securing and Evaluating Electronic Crime Scene
• Conducting Preliminary Interviews
• Documenting Electronic Crime Scene
• Collecting and Preserving Electronic Evidence
• Packaging Electronic Evidence
• Transporting Electronic Evidence
• Reporting the Crime Scene
• First Responder Common Mistakes

Page 6

Electronic Evidence

“Electronic evidence is information and data of investigative value that is stored on or transmitted by an electronic device”

Properties of the electronic evidence:

• It is latent, like fingerprint or DNA evidence: it cannot be seen or interpreted without the right tools and expertise
• It can be broken, altered, damaged, or destroyed by improper handling
• It is time-sensitive: volatile data is lost when power is removed, and logs are overwritten or rotated after a set period

Page 7

First Responder

The first responder is the person who arrives first at the crime scene and accesses the victim’s computer system after the incident

The first responder may be a network administrator, a law enforcement officer, or an investigation officer

The first responder is responsible for protecting, collecting, and preserving the evidence obtained from the crime scene

Page 8

Roles of First Responder

Identifying the crime scene

Protecting the crime scene

Preserving temporary and fragile evidence

Collecting the complete information about the incident

Documenting all the findings

Packaging and transporting the electronic evidence

Page 9

Electronic Devices: Types and Collecting Potential Evidence

Computer systems:

• Evidence is found in files that are stored on servers, memory cards, hard drives, removable storage devices and media such as floppy disks, CDs, DVDs, cartridges, and tape

Hard drive:

• To collect the evidence, check text, picture, video, multimedia, database, and computer program files

Thumb drive:

• To collect the evidence, check text, graphics, image, and picture files

Memory card:

• To collect the evidence, check event logs, chat logs, text files, image files, picture files, and Internet browsing history

Page 10

Electronic Devices: Types and Collecting Potential Evidence (cont’d)

Smart card, dongle, and biometric scanner:

• Evidence is found by recognizing or verifying the information on the card against the user, level of access, configurations, and permissions, and in the device itself

Answering machine:

• Evidence is found in voice recordings such as deleted messages, last number called, memos, phone numbers, and tapes

Digital camera:

• Evidence is found in images, removable cartridges, video, sound, and time and date stamps

Pager:

• To collect the evidence, check address information, text messages, e-mail, voice messages, and phone numbers

Page 11

Electronic Devices: Types and Collecting Potential Evidence (cont’d)

Personal digital assistants:

• Evidence is found in the address book, appointment calendars or information, documents, and e-mail

Printer:

• Evidence is found through usage logs, time and date information, and network identity information

Removable storage devices (tape, CD, DVD, floppy):

• Evidence is found in the devices themselves

Telephones:

• Evidence is found through names, phone numbers, caller identification information, and appointment information

Modem:

• Evidence is found on the device itself

Page 12

Electronic Devices: Types and Collecting Potential Evidence (cont’d)

Scanner:

• Evidence is found through names, phone numbers, caller identification information, and appointment information

Copiers:

• Evidence is found in documents, user usage logs, and time and date stamps

Credit card skimmers:

• Evidence is found through the card’s expiration date, the user’s address, credit card numbers, and the user’s name

Digital watches:

• Evidence is found through the address book, notes, appointment calendars, phone numbers, and e-mails

Facsimile (fax) machines:

• Evidence is found through documents, phone numbers, film cartridges, and send or receive logs

Page 13

First Responder Toolkit

Page 14

First Responder Toolkit

First responder toolkit is a set of tested tools which helps first responder in collecting genuine and presentable evidence

It helps first responder to understand the limitations and capabilities of electronic evidence at the time of collection

Page 15

Creating a First Responder Toolkit

Create a trusted forensic computer or testbed by:

• Choose the related operating system
• Completely sanitize the forensics computer
• Install the operating system and required software
• Update and patch the forensics computer
• Install a file integrity monitor to test the integrity of the file system

Document the details of the forensics computer with:

• Version name and type of the operating system
• Name and type of each installed software package
• Name and type of the installed hardware
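The file integrity monitor called for above can be as simple as a signed SHA-256 baseline of the forensic workstation taken right after it is built, re-checked before every deployment. The following is an added example written for this page; it is not EC-Council material or any vendor's product, and the file and directory names in its usage line are assumptions. The baseline file itself should be kept on read-only media off the workstation, otherwise an attacker who alters a tool can alter the baseline to match.

```python
"""Added example: SHA-256 file integrity baseline for the forensic workstation.
Hypothetical helper, not part of the EC-Council material or any named product."""
import hashlib
import json
import os
from pathlib import Path

CHUNK = 1 << 20  # read 1 MiB at a time so large tool binaries are not loaded whole into RAM


def sha256_file(path):
    """Return the hex SHA-256 digest of a file, read in chunks."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(CHUNK), b""):
            digest.update(block)
    return digest.hexdigest()


def build_baseline(root):
    """Walk root and map every regular file (path relative to root, POSIX separators)
    to its SHA-256 digest and size. Symlinks, devices and sockets are skipped."""
    root = Path(root)
    baseline = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()            # deterministic traversal order
        for name in sorted(filenames):
            full = Path(dirpath) / name
            if full.is_symlink() or not full.is_file():
                continue
            rel = full.relative_to(root).as_posix()
            baseline[rel] = {"sha256": sha256_file(full), "size": full.stat().st_size}
    return baseline


def save_baseline(baseline, out_file):
    """Write the baseline as sorted JSON; keep this file on read-only media off the workstation."""
    with open(out_file, "w") as fh:
        json.dump(baseline, fh, indent=1, sort_keys=True)


def load_baseline(in_file):
    with open(in_file) as fh:
        return json.load(fh)


def compare(baseline, current):
    """Diff two baselines: files that appeared, disappeared, or whose content hash changed."""
    known, seen = set(baseline), set(current)
    return {
        "added": sorted(seen - known),
        "removed": sorted(known - seen),
        "modified": sorted(p for p in known & seen
                           if baseline[p]["sha256"] != current[p]["sha256"]),
    }


def verify(root, baseline_file):
    """Re-hash root and report every deviation from the stored baseline."""
    return compare(load_baseline(baseline_file), build_baseline(root))


if __name__ == "__main__":
    import sys
    # assumed usage: python fim.py baseline /opt/kit /media/readonly/kit-baseline.json
    #                python fim.py verify   /opt/kit /media/readonly/kit-baseline.json
    mode, root, store = sys.argv[1:4]
    if mode == "baseline":
        save_baseline(build_baseline(root), store)
    else:
        print(json.dumps(verify(root, store), indent=1))
```

Run `verify` before the kit leaves the laboratory and again when it returns; an empty `added`, `removed` and `modified` is what the tool documentation should record for that deployment.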

Page 16

Creating a First Responder Toolkit (cont’d)

Document the summary of the collected tools:

• It helps the first responder to understand how a tool works
• The summary comprises:
  • Acquisition of the tool
  • Detailed description of the tool
  • Working of the tool
  • Tool dependencies and the effects on the system

Test the tools:

• Test the collected tools on the forensics computer and examine the performance and output
• Examine the effects of the tool on the forensics computer

Page 17

Evidence Collecting Tools and Equipment

Documentation Tools:

• Cable tags
• Indelible felt tip markers
• Stick-on labels

Disassembly and Removal Tools:

• Flat-blade and Phillips-type screwdrivers
• Hex-nut drivers
• Needle-nose pliers
• Secure-bit drivers
• Small tweezers
• Specialized screwdrivers
• Standard pliers
• Star-type nut drivers
• Wire cutters

Departments should have general crime scene processing tools (e.g., cameras, notepads, sketchpads, evidence forms, crime scene tape, and markers)

Page 18

Evidence Collecting Tools and Equipment (cont’d)

Package and Transport Supplies:

• Antistatic bags
• Antistatic bubble wrap
• Cable ties
• Evidence bags
• Evidence tape
• Label tags
• Tape
• Packing materials
• Sturdy boxes of various sizes

Other Tools:

• Gloves
• Hand truck
• Magnifying glass
• Printer paper
• Seizure disk
• Unused floppy diskettes

Page 19

Evidence Collecting Tools and Equipment (cont’d)

Notebook Computers:

• Licensed software
• Bootable CD
• External hard drives
• Network cables

Software Tools:

• DIBS® Mobile Forensic Workstation
• AccessData's Ultimate Toolkit
• TEEL Technologies SIM tools

Hardware Tools:

• Paraben Forensics Hardware
• Digital Intelligence Forensic Hardware
• Tableau Hardware Accelerator
• Wiebetech forensics hardware tools
• Logicube forensics hardware tools

Page 20

First Response Basics

Page 21

First Response Rule

Under no circumstances should anyone, with the exception of qualified computer forensics personnel, make any attempts to restore or recover information from a computer system or device that holds electronic information

Any attempts to retrieve data by unqualified individuals should be avoided as these attempts could either compromise the integrity of the files or result in files being inadmissible in legal or administrative proceedings

Page 22

Incident Response: Different Situations

First response to an incident may involve three different groups of people, and each will have differing skills and need to carry out differing tasks based on the incident

The three groups are:

• System administrators
• Local managers or other non-forensic staff
• Laboratory forensic staff

Page 23

First Response for System Administrators

The actions taken by the system administrator after discovery of a potential computer violation will play a vital role in the investigation

Once an incident has been discovered by a system administrator, they must report it according to the current organisational incident reporting procedures

The systems administrator should then not touch the system unless directed to by either the incident or duty manager or one of the forensic analysts assigned to the case

Page 24

First Response by Non-Laboratory Staff

To secure the scene and ensure that it is maintained in a secure state until the Forensic Team advises

Make notes about the scene that will eventually be handed over to the Forensic Team

The whole area surrounding a suspect computer and not just the computer itself is the incident scene

Page 25

First Response by Laboratory Forensic Staff

First response by laboratory forensic staff involves six stages:

1: Securing and evaluating the electronic crime scene

• Search warrant for search and seizure
• Plan for search and seizure
• Conduct the initial search of the scene
• Health and safety issues

2: Conducting preliminary interviews

• Ask questions
• Check the consent issues
• Witness signatures
• Initial interviews

Page 26

First Response by Laboratory Forensic Staff (cont’d)

3: Documenting the electronic crime scene

• Photographing the scene
• Sketching the scene

4: Collecting and preserving electronic evidence

• Evidence collection
• Exhibit numbering
• Dealing with powered OFF/ON computers at the seizure time
• Seizing portable computers

5: Packaging electronic evidence

6: Transporting electronic evidence

• Handling and transportation to the Forensic Laboratory
• Ensure the ‘chain of custody’ is strictly followed
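Exhibit numbering (stage 4) and the chain of custody (stage 6) are the two records a court will ask for, and both are only as good as their resistance to later alteration. The following is an added example, not part of the EC-Council material: a small exhibit register in which every custody entry commits to the hash of the entry before it, so that editing, inserting or deleting an earlier entry is detectable. The case and exhibit ID format (`CASE-E001`) and the field names are assumptions.

```python
"""Added example: exhibit register with a hash-chained chain-of-custody log.
Hypothetical helper; case and exhibit ID formats are assumptions."""
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # previous-hash value used for the first entry


def _entry_hash(prev_hash, entry):
    """Hash the previous entry's hash together with the canonical JSON of this entry."""
    payload = json.dumps(entry, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(prev_hash.encode() + payload).hexdigest()


class CustodyLog:
    """Append-only record of who held each exhibit and when. Each entry commits to the
    previous entry's hash, so editing or deleting an earlier entry breaks verify()."""

    def __init__(self, case_id):
        self.case_id = case_id
        self.entries = []
        self._count = 0

    def _append(self, exhibit, event, custodian, details, when):
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        stamp = (when or datetime.now(timezone.utc)).isoformat()
        entry = {"seq": len(self.entries) + 1, "exhibit": exhibit, "event": event,
                 "custodian": custodian, "time": stamp, "details": details, "prev": prev}
        entry["hash"] = _entry_hash(prev, entry)   # hashed before the hash field exists
        self.entries.append(entry)
        return entry

    def seize(self, description, custodian, location, media_sha256=None, when=None):
        """Number a new exhibit (CASE-E001, E002, ...) and record its seizure.
        media_sha256 is the hash of the acquired image, if one was taken on site."""
        self._count += 1
        exhibit = f"{self.case_id}-E{self._count:03d}"
        self._append(exhibit, "seized", custodian,
                     {"description": description, "location": location, "sha256": media_sha256}, when)
        return exhibit

    def current_custodian(self, exhibit):
        for entry in reversed(self.entries):
            if entry["exhibit"] == exhibit:
                return entry["custodian"]
        raise KeyError(f"unknown exhibit {exhibit}")

    def transfer(self, exhibit, from_custodian, to_custodian, note="", when=None):
        """Hand an exhibit over; refuse if the releasing party is not the recorded holder."""
        holder = self.current_custodian(exhibit)
        if holder != from_custodian:
            raise ValueError(f"{exhibit} is held by {holder}, not {from_custodian}")
        return self._append(exhibit, "transferred", to_custodian,
                            {"from": from_custodian, "note": note}, when)

    def verify(self):
        """Recompute the chain. Returns (True, None) or (False, seq of the first bad entry)."""
        prev = GENESIS
        for entry in self.entries:
            body = {k: v for k, v in entry.items() if k != "hash"}
            if entry["prev"] != prev or _entry_hash(prev, body) != entry["hash"]:
                return False, entry["seq"]
            prev = entry["hash"]
        return True, None
```

The hash chain makes tampering detectable, not impossible: whoever controls the whole file can rewrite every entry. Printing the latest hash on the signed paper custody form at each handover, or having the receiving party record it, is what anchors the chain outside the file.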

Page 27

Securing and Evaluating Electronic Crime Scene

Page 28

Securing and Evaluating Electronic Crime Scene: A Check-list

Follow the policies of the legal authority for securing the crime scene

Verify the type of the incident

Make sure that the scene is safe for you and for other responders

Isolate other persons who are present at the scene

Locate and help the victim

Verify the information available about the offenders

Transmit additional flash messages to other responding units

Request additional help at the scene if needed

Establish a security perimeter and determine whether the offenders are still present in the crime scene area

Page 29

Securing and Evaluating Electronic Crime Scene: A Check-list (cont’d)

Protect evidence that is at risk of being lost or altered

Protect perishable data (e.g. pagers and Caller ID boxes) physically and electronically

Make sure that the devices that contain perishable data are secured, documented, and/or photographed

Recognize the telephone lines that are connected to devices such as modems and Caller ID boxes

Document, disconnect, and label telephone lines or network cables

Observe the situation at the scene and record those observations

Protect physical evidence or latent fingerprints found on keyboards, mice, diskettes, and CDs

Page 30

Securing the Crime Scene

Page 31

Warrant for Search and Seizure

A search warrant allows the first responder to perform the search and seizure of the electronic evidence that is specified in the search warrant

Search warrants for electronic devices basically focus on the following:

Electronic storage device search warrant

• An electronic storage device search warrant allows the first responder to search and seize the victim’s computer components (such as hardware, software, storage devices, and documentation)

Service provider search warrant

• A service provider search warrant allows the first responder to obtain the victim’s computer information (such as service records, billing records, and subscriber information) from the service provider

Page 32

Planning the Search and Seizure

A search and seizure plan contains the following details:

• Description of the incident
• Incident manager running the incident
• Case name/title for the incident
• Location of the incident
• Applicable jurisdiction and relevant legislation
• Location of the equipment to be seized:
  • Structure’s type and size
  • Where are the computer(s) located (all in one place, spread across the building or floors)?
  • Who will be present at the incident?
  • Is there a friendly atmosphere at the location?

Page 33

Planning the Search and Seizure (cont’d)

Details of what is to be seized (make, model, location, ID etc.):

• Type of the devices and number to be seized
• Will the computers be running at seizure or will they be shut down?
• Are they networked?
  • If so, what type of network, where is data stored on the network, where are the backups held, is the system administrator a ‘friendly’ person, will it be necessary to take the server down, and what is the business impact of this action?

Search and seizure type (overt / covert)

Local management involvement

Page 34

Initial Search of the Scene

Isolate the computer system (workstation, stand-alone, or network server) and other media devices that can contain digital evidence

Keep a search and seizure evidence log which contains brief descriptions of all computers, devices, or media located during the search for evidence

Make a note of the locations on the crime scene sketch as well

Photograph and sketch the crime scene, along with a detailed accounting of all computer evidence

Page 35

Health and Safety Issues

It is important to consider the health and safety factors in the work carried out at all stages of the forensic process conducted by the forensic analysts

All forensic teams should wear protective latex gloves for searching and seizing operations on site

This is to protect both the staff and preserve any fingerprints that may be required to be recovered at a later date

Page 36

Conducting Preliminary Interviews

Page 37

Questions to ask When Client Calls the Forensic Investigator

Description of the incident

Incident manager running the incident

Case name / title for the incident

Location of the incident

What jurisdiction the case and/or seizure is to be performed under

Details of what is to be seized (make, model, location, ID etc.)

Other work to be performed at the scene (e.g. full search, evidence required, etc.)

Whether the search and seizure is to be overt or covert and whether local management should know

Page 38

Consent

There are times when the user is present, consent from the user of the hardware is required, and that consent is given

In cases such as this, appropriate forms for the jurisdiction should be used and carried in the grab bag

Page 39

Sample of Consent Search Form

Page 40

Witness Signatures

Depending on the legislation of the jurisdiction, a signature (or two) may or may not be required to certify collection of evidence

Typically, where one signature is required, the Forensic Analyst or Law Enforcement Officer performs the seizure

Where two signatures are required, guidance should be sought to determine who should provide the second signature

Whoever signs as witness, needs clear understanding of their role and may be required to provide a witness statement or attend court

Page 41

Conducting Preliminary Interviews

Interview separately and identify all persons (witnesses and others) available at the scene and record their location at the time of entry

Be consistent with the departmental policies and applicable laws, and collect information from individuals like:

• Owners and/or users of electronic devices found at the scene
• User names and Internet service provider
• Passwords required to access the system, software, or data
• Purpose of using the system
• Unique security schemes or destructive devices
• Any offsite data storage
• Documents explaining the hardware or software installed on the system

Page 42

Conducting Initial Interviews

If the suspect is present at the search and seizure time, the Incident Manager or the Laboratory Manager may consider asking some questions to the suspect, but these must comply with the relevant Human Resources or legislative guidelines for the jurisdiction

At initial interviews, the suspect has often had little time to concoct alibis, and when asked questions they often answer truthfully, even to questions such as ‘what are the passwords for the account?’

Page 43

Conducting Initial Interviews (cont’d)

An individual who has physical possession of a piece of evidence is responsible for its security

Evidence should be secured in such a manner that only the individual who has signed for it can gain access to it, though it is noted that this is not always possible

Typical questions could include:

• Are there any keys? Some computer cases have physical key locks
• What are the user IDs and passwords for the computer?
• What email addresses are used, and what are the user IDs and passwords for them?

Page 44

Witness Statement Checklist

Page 45

Witness Statement Checklist (cont’d)

Page 46

Documenting the Electronic Crime Scene

Page 47

Documenting Electronic Crime Scene

Documentation of the scene creates an unchanging historical record of the scene

Document the physical scene, such as the position of the mouse and the location of components near the system

Document related electronic components that are difficult to find

Record the condition of the computer system, storage media, electronic devices and conventional evidence, including power status of the computer

Take a photograph of the computer’s screen and write notes on what you have seen on the screen

Page 48

Photographing the Scene

Photographing a scene should be the first step taken by the Forensic Team on arrival

Photographing of the crime scene should be done in a manner not to alter or damage the scene

The ideal situation is to first take several photographs that will establish the location of the scene, followed by an entry photograph, followed by a series of ‘360 degree’ photographs

‘360 degree’ photographs are simply overlapping photographs depicting the entire crime scene

The key to remember in crime scene photography is to go from the overall scene down to the smallest piece of evidence

Page 49

Photographing the Scene (cont’d)

Photographs should also be taken of the immediate work area to include computer disks, handwritten notes, and other computer equipment (printers and external drives)

Photographs should also be taken of the rear of the computer to accurately display how the leads are connected

If this cannot be done, then all cables must be labelled and the PC reconnected back at the Forensic Laboratory should be photographed

Page 50

Sketching the Scene

A crime scene sketch should be prepared which details the overall scene

This should include the locations of items within the office area

Again, the rule of thumb for crime scene sketching is to go from the overall scene to the smallest piece of evidence

This may require several sketches to accurately depict the scene

Page 51

Video Shooting the Crime Scene

Page 52

Collecting and Preserving Electronic Evidence

Page 53

Collecting and Preserving Electronic Evidence

When an incident is reported where a computer is assumed to be a part of the incident, it is often the case that this is the first and only item seized. This is wrong.

The scene should be searched in a circular motion with the concept of the computer being at the centre of the circle

Items of evidence, as located, should be photographed, identified within notes, and then collected

Evidence should be identified, recorded, seized, bagged, and tagged on site with no attempts to determine contents or status

Page 54

Order of Volatility

When collecting evidence, the collection should proceed from the most volatile to the least volatile. The list below is the order of volatility for a typical system:

• Registers, cache
• Routing table, process table, kernel statistics, and memory
• Temporary file systems
• Disk or other storage media
• Remote logging and monitoring data that is relevant to the system in question
• Physical configuration, network topology
• Archival media
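On a powered-on machine the order above translates into a fixed sequence of acquisition commands that a qualified responder runs from the trusted toolkit, writing everything to the responder's own media and never to the suspect disk. The following is an added example for this page, not an EC-Council tool: a collector that runs a list of commands in the order given, saves the raw output, and produces a manifest with a SHA-256 per artifact for the evidence log. The `LINUX_ORDER` commands are illustrative choices, not a mandated checklist, and in a real kit each `argv` should point at a known-good binary on the toolkit media rather than whatever `ps` the suspect host (and its rootkit) provides.

```python
"""Added example: live-response collector that runs acquisition commands in order of
volatility and writes the output, with hashes, to the responder's own media.
Hypothetical tool; the Linux commands listed are illustrative, not an EC-Council checklist."""
import hashlib
import json
import platform
import subprocess
from datetime import datetime, timezone
from pathlib import Path

# Most volatile first. Assumption: in a real kit each argv points at a statically linked
# binary on the toolkit media (e.g. /mnt/kit/bin/ps), not the suspect host's PATH.
LINUX_ORDER = [
    ("system_time",     ["date", "-u", "+%Y-%m-%dT%H:%M:%SZ"]),
    ("uptime",          ["cat", "/proc/uptime"]),
    ("loaded_modules",  ["cat", "/proc/modules"]),       # kernel state
    ("routing_table",   ["cat", "/proc/net/route"]),
    ("tcp_sockets",     ["cat", "/proc/net/tcp"]),
    ("process_table",   ["ps", "-eo", "pid,ppid,user,lstart,args"]),
    ("mounts",          ["cat", "/proc/mounts"]),         # tmpfs listed before disk
    ("temp_listing",    ["ls", "-la", "--time-style=full-iso", "/tmp"]),
    ("disk_usage",      ["df", "-h"]),                    # disk comes last
]


def utc_now():
    return datetime.now(timezone.utc).isoformat()


def collect(commands, outdir, collector, timeout=30):
    """Run commands in the given order. Each raw output is saved as <label>.txt under outdir
    and summarised in a manifest (command, start time, exit status, size, SHA-256) that is
    returned and also written as manifest.json. A failing or missing command is recorded
    with exit_status -1 and collection continues, so one absent tool does not abort the run."""
    outdir = Path(outdir)
    outdir.mkdir(parents=True, exist_ok=True)
    manifest = {"collector": collector, "host": platform.node(), "started": utc_now(), "items": []}
    for label, argv in commands:
        started = utc_now()
        try:
            proc = subprocess.run(argv, capture_output=True, timeout=timeout)
            data, status = proc.stdout, proc.returncode
        except (OSError, subprocess.TimeoutExpired) as exc:
            data, status = repr(exc).encode(), -1
        (outdir / f"{label}.txt").write_bytes(data)
        manifest["items"].append({
            "label": label, "command": argv, "started": started, "exit_status": status,
            "bytes": len(data), "sha256": hashlib.sha256(data).hexdigest(),
        })
    manifest["finished"] = utc_now()
    (outdir / "manifest.json").write_text(json.dumps(manifest, indent=1))
    return manifest


if __name__ == "__main__":
    import sys
    # assumed usage: python collect.py /media/kit/case42/host01 "Bob (Information Security Officer)"
    summary = collect(LINUX_ORDER, sys.argv[1], sys.argv[2])
    for item in summary["items"]:
        print(f'{item["label"]:16} exit={item["exit_status"]:>3} sha256={item["sha256"][:16]}')
```

Every command run on the live host changes its state (new process, new file handles, updated access times), which is why the manifest records the start time of each step: the examiner can later separate the responder's footprint from the attacker's. The manifest hashes belong in the exhibit log alongside the media hash.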

Page 55

Dealing with Powered OFF Computers at Seizure Time

If equipment is switched OFF – leave it OFF

Page 56

Dealing with Powered ON Computers

The first step to take when approaching an active, powered on, and running computer is:

• STOP and THINK
• The contents of RAM in an active computer system undoubtedly hold some information, and occasionally this can be important to a case
• For example, data which is likely to be found encrypted on a disk might be found in an unencrypted state in memory, or a running process might need to be identified and examined before power is removed
• Any such information in memory will be lost when the power supply to the device is removed

Page 57

Dealing with a Powered ON Computers (cont’d)

If a computer is switched on and the screen is viewable, then the following must be done:

• Record the programs running on screen• Photograph the screen

Page 58

Dealing with Networked Computer

Unplug the network cable from the router and modem

If computer is off, leave it off

If the computer is ON, photograph the screen

If the computer is ON and the screen is blank, move the mouse slowly and take a photograph of the screen

Label all the connected devices and cords for later identification

Unplug all the cords and devices connected to the computer

Page 59

Dealing with Open Files and Startup Files

Malware attacks on the computer system create files in the startup folder to run the malware program

Follow the listed procedures to find the evidence:

• Open the recently created documents in the Startup or system32 folder for Windows and the rc.local file for Linux
• Note down the date and time of the files
• Examine the open files for sensitive data such as passwords, images, etc.
• Search for unusual MAC (modified, accessed, changed) times on vital folders and startup files
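"Unusual MAC times" is easier to act on with a definition. Two things are worth flagging on startup locations: a file whose modified or changed time falls inside the incident window, and a file whose modified time is much older than its changed time, because on Unix `utime()` can set mtime and atime but not ctime, so a backdated mtime leaves the ctime behind. The following is an added example written for this page, not EC-Council code; the startup locations listed are illustrative assumptions and the seven-day backdating threshold is a tunable guess.

```python
"""Added example: triage of startup locations by MAC times. Flags files whose modified
or changed time falls inside the incident window, and files whose mtime is older than
their ctime by more than a threshold (a backdated mtime). Hypothetical helper; the
default locations are illustrative assumptions."""
import os
from datetime import datetime, timedelta, timezone
from pathlib import Path

# Illustrative autostart locations (assumption; tailor to the build being examined).
LINUX_STARTUP = ["/etc/rc.local", "/etc/init.d", "/etc/cron.d", "/etc/systemd/system"]
WINDOWS_STARTUP = [r"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp",
                   r"C:\Windows\System32"]


def mac_times(path):
    """Modified, accessed and changed times as UTC datetimes (lstat: symlinks not followed).
    On Windows st_ctime is the creation time rather than the inode change time."""
    st = os.lstat(path)
    to_dt = lambda ts: datetime.fromtimestamp(ts, timezone.utc)
    return {"mtime": to_dt(st.st_mtime), "atime": to_dt(st.st_atime), "ctime": to_dt(st.st_ctime)}


def iter_files(locations):
    """Yield every file under each location; single files and directories both accepted."""
    for loc in locations:
        p = Path(loc)
        if p.is_file():
            yield p
        elif p.is_dir():
            for dirpath, _, names in os.walk(p):
                for n in names:
                    yield Path(dirpath) / n


def scan(locations, window_start, window_end=None, stomp_threshold=timedelta(days=7)):
    """Return one record per flagged file, newest ctime first. A file is flagged when its
    mtime or ctime lies in [window_start, window_end], or when ctime - mtime exceeds
    stomp_threshold (content timestamp set back long after the file last changed)."""
    window_end = window_end or datetime.now(timezone.utc)
    hits = []
    for path in iter_files(locations):
        try:
            t = mac_times(path)
        except OSError:
            continue   # vanished or unreadable; record it in the notes rather than abort
        in_window = {k for k in ("mtime", "ctime") if window_start <= t[k] <= window_end}
        stomped = (t["ctime"] - t["mtime"]) > stomp_threshold
        if in_window or stomped:
            hits.append({"path": str(path), "in_window": sorted(in_window),
                         "suspect_backdated_mtime": stomped,
                         **{k: v.isoformat() for k, v in t.items()}})
    hits.sort(key=lambda h: h["ctime"], reverse=True)
    return hits


if __name__ == "__main__":
    # assumed usage: incident window of the last 48 hours on a Linux host
    end = datetime.now(timezone.utc)
    for hit in scan(LINUX_STARTUP, end - timedelta(hours=48), end):
        print(hit["ctime"], hit["in_window"], hit["suspect_backdated_mtime"], hit["path"])
```

Run this only from an image or a read-only mount where possible; listing a live directory updates access times, which is one of the three timestamps being examined. A large ctime/mtime gap is a lead, not proof: a legitimate `chmod` or package upgrade produces the same pattern.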

Page 60

Operating System Shutdown Procedure

It is important to shut down the operating system in a proper manner so that it will not damage the integrity of the files

Different operating systems have different shut down procedures

MS DOS/Windows 3.X/NT 3.51/95/98/NT 4.0 operating systems:

• Take a photograph of the screen
• If any program is running, give a brief explanation
• Unplug the power cord from the wall socket

Page 61

Operating System Shutdown Procedure (cont’d)

UNIX/Linux Operating Systems

• Right click Menu -> click Console
• If the root user’s prompt is set to # sign mode:
  • Enter the password if available and type sync;sync;halt to shut down the system
  • If the password is not available, unplug the power cord from the wall socket
• If it is set to console # sign mode:
  • Enter the user’s ID and press Enter
  • If the user’s ID is root, type sync;sync;halt to shut down the system
  • If the user’s ID is not root, unplug the power cord from the wall socket

MacOS Operating System

• Record the time from the menu bar
• Click Special -> Shutdown
• Unplug the power cord from the wall socket

Page 62: File000118


Computers and Servers

Photograph the computer and ancillary (connected) equipment

Photograph the connectors behind the computer and individually label them

Record the cables and the respective ports to which they are connected

Seal the power socket with tape to prevent inadvertent use

Disconnect the monitor, keyboard, mouse, and CPU

Page 63: File000118


Preserving Electronic Evidence

Document the actions and changes that you observe in the monitor, computer, printer, or in other peripherals

Take a photo of the monitor screen if the computer is in the “on” state

Photograph the connections of the computer and the corresponding cables and label them individually

If any electronic devices such as a PDA or cell phone are present, take a photograph, label the device, collect all the cables, and transport them along with the device

Page 64: File000118


Seizing Portable Computers

Photograph the portable and ancillary (connected) equipment

Photograph the connectors on the back of the portable and individually label them

Record which cables are connected to which ports on the portable

Remove the battery

Page 65: File000118


Switched ON Portables

Portables with their power on should be handled in the same way as a powered on PC

The date and time when the portable "wakes up" must be recorded

Prior to pulling the power on a portable, the battery must be removed

If it is not possible to remove the battery, pressing down on the power on/off switch for 30 seconds or so will force a hard power off

Page 66: File000118


Collecting and Preserving Electronic Evidence


Page 70: File000118


Packaging and Transporting Electronic Evidence

Page 71: File000118


Evidence Bag Contents List

The panel on the front of evidence bags must be filled in with at least the following details:

Date and time of seizure

Seized by whom

Exhibit number

Seized from which place

Details of the contents of the evidence bag

Page 72: File000118


Packaging Electronic Evidence

Make sure that the collected electronic evidence is properly documented, labeled, and listed before packaging

Focus on hidden or trace evidence and take necessary actions to preserve it

Pack the magnetic media in antistatic packaging

Avoid folding and scratching storage devices such as diskettes, CD-ROMs, and tape drives

Make sure that all the containers that hold the evidence are labeled in an appropriate way

Page 73: File000118


Packaging Electronic Evidence

Page 74: File000118


Exhibit Numbering

All evidence collected should be marked as exhibits using this format:

• aaa/ddmmyy/nnnn/zz
• Where,
• aaa are the initials of the Forensic Analyst or Law Enforcement Officer seizing the equipment
• ddmmyy is the date of the seizure
• nnnn is the sequential number of the exhibits seized by aaa, starting with 001 and going to nnnn
• zz is the sequence number for parts of the same exhibit (e.g. ‘A’ could be the CPU, ‘B’ the monitor, ‘C’ the keyboard, etc.)
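A small register that issues and validates numbers in the aaa/ddmmyy/nnnn/zz format, as an added example that is not part of the module. The choices it makes beyond the slide are assumptions: aaa is two or three letters, nnnn is zero-padded to four digits (the slide writes the first exhibit as 001), zz is one or two letters as in the slide’s A/B/C example, and the nnnn counter restarts for each analyst and seizure date.

```python
import re
from datetime import datetime

# Added example, not part of the module: a small register that issues and
# validates exhibit numbers in the aaa/ddmmyy/nnnn/zz format above.
# Assumptions made here: aaa is two or three letters, nnnn is zero-padded to
# four digits (the slide writes the first as 001), zz is one or two letters
# as in the slide's A/B/C example, and nnnn restarts per analyst and date.

EXHIBIT_RE = re.compile(
    r"^(?P<aaa>[A-Z]{2,3})/(?P<ddmmyy>\d{6})/(?P<nnnn>\d{4})/(?P<zz>[A-Z]{1,2})$")


def part_letter(index):
    """0 -> 'A', 25 -> 'Z', 26 -> 'AA', 27 -> 'AB' ... for the zz field."""
    if index < 26:
        return chr(ord("A") + index)
    return chr(ord("A") + index // 26 - 1) + chr(ord("A") + index % 26)


def format_exhibit(initials, seized_on, sequence, part_index):
    """Build aaa/ddmmyy/nnnn/zz from its parts (seized_on is a date)."""
    return "%s/%s/%04d/%s" % (initials.upper(), seized_on.strftime("%d%m%y"),
                              sequence, part_letter(part_index))


def parse_exhibit(number):
    """Split an exhibit number into fields; raise ValueError if malformed."""
    m = EXHIBIT_RE.match(number)
    if not m:
        raise ValueError("not in aaa/ddmmyy/nnnn/zz form: %r" % number)
    fields = m.groupdict()
    # strptime also rejects impossible dates such as 31/02
    fields["seized_on"] = datetime.strptime(fields["ddmmyy"], "%d%m%y").date()
    fields["nnnn"] = int(fields["nnnn"])
    return fields


class ExhibitRegister:
    """Issues sequential exhibit numbers and records what each one denotes."""

    def __init__(self):
        self._next_seq = {}   # (initials, seized_on) -> next nnnn to issue
        self.entries = []     # (exhibit number, description) in issue order

    def register(self, initials, seized_on, parts):
        """Register one exhibit made of `parts` (e.g. ["CPU", "Monitor"])
        and return the exhibit number assigned to each part."""
        key = (initials.upper(), seized_on)
        seq = self._next_seq.get(key, 1)
        self._next_seq[key] = seq + 1
        numbers = []
        for i, description in enumerate(parts):
            number = format_exhibit(initials, seized_on, seq, i)
            parse_exhibit(number)  # the number we issue must itself validate
            self.entries.append((number, description))
            numbers.append(number)
        return numbers
```

Validating on issue as well as on parse catches mistakes at the point they are cheapest to fix, such as initials with four letters or a hand-typed date in the wrong order, before the number is written on an evidence bag.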

Page 75: File000118


Transporting Electronic Evidence

Keep electronic evidence away from magnetic sources while transporting

Store the evidence in a secure area that is away from high temperature and humidity

Avoid storing electronic evidence in vehicles for a long period

Make sure that computers and other electronic components are not packed in containers

Maintain the chain of custody on the evidence that is to be transported

Page 76: File000118


Handling and Transportation to the Forensics Laboratory

Avoid turning the computer upside down or laying it on its side during transport

When transporting a computer or other computer devices, they should not be placed in a car trunk or any other area where there is the possibility of dramatic temperature and humidity changes

In a vehicle, the ideal place for transport would be on the rear seat, placed in a manner where the computer will not fall if the brakes are applied suddenly or a quick maneuver is made

All evidence must avoid any sources of magnetism or similar sources of power that could affect the integrity of the electronic evidence

Page 77: File000118


Storing Electronic Evidence

Ensure that the electronic evidence is listed in accordance with the departmental policies

Store the electronic evidence in a secure area with a climate-controlled environment

Protect the electronic evidence from magnetic fields, dust, vibration, and other factors that may damage the integrity of the electronic evidence

Page 78: File000118


Chain of Custody

‘Chain of Custody’ refers to a written account of individuals who had the sole physical custody of a piece of evidence from the time it was seized until the end of the case

By becoming a ‘link’ in the ‘Chain of Custody’ and taking possession of a piece of evidence, an individual has the responsibility to secure it in a manner which can later stand legal scrutiny in case there is a claim of evidence tampering

Page 79: File000118


Chain of Custody (cont’d)

The chain of custody document contains the complete information about the obtained evidence

It contains the following information:

• Case number
• Name and title of the person from whom it was received
• Address and telephone number
• Location from where the evidence was obtained
• Date/time of evidence
• Item number/quantity/description of items
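A chain-of-custody record carrying the fields listed above, as an added example that is not part of the module. Two things go beyond the slide and are assumptions made here: the record stores a SHA-256 of the evidence taken at seizure, and a hand-over is only accepted from the person the record shows as the current holder, so each link re-verifies both integrity and continuity. The sample values used with it are constructed.

```python
import hashlib
import json
from dataclasses import dataclass, field, asdict
from datetime import datetime, timezone

# Added example, not part of the module: a chain-of-custody record carrying
# the fields listed on the slide. The SHA-256 of the evidence and the rule
# that only the current holder may release an item are additions assumed
# here so that each hand-over re-verifies integrity and continuity.
# All sample values used with it are constructed.


def sha256_bytes(data):
    """Hash of the evidence image (bytes) as recorded at seizure."""
    return hashlib.sha256(data).hexdigest()


@dataclass
class CustodyLink:
    released_by: str
    received_by: str
    received_title: str        # title of the receiver (name is received_by)
    address: str
    telephone: str
    at: str                    # ISO-8601 UTC time of the hand-over
    purpose: str
    hash_at_handover: str      # hash re-computed when the item changed hands


@dataclass
class ChainOfCustody:
    case_number: str
    item_number: str
    quantity: int
    description: str
    location_obtained: str
    seized_at: str             # date/time of evidence, ISO-8601 UTC
    seized_by: str
    evidence_hash: str
    links: list = field(default_factory=list)

    @property
    def current_holder(self):
        return self.links[-1].received_by if self.links else self.seized_by

    def transfer(self, released_by, received_by, received_title, address,
                 telephone, purpose, current_hash, at=None):
        """Append a link. Refuse a hand-over that would break the chain or
        that presents an item whose hash no longer matches."""
        if released_by != self.current_holder:
            raise ValueError("chain break: %s is not the current holder (%s)"
                             % (released_by, self.current_holder))
        if current_hash != self.evidence_hash:
            raise ValueError("integrity failure: hash differs from the seizure hash")
        link = CustodyLink(released_by, received_by, received_title, address,
                           telephone,
                           at or datetime.now(timezone.utc).isoformat(timespec="seconds"),
                           purpose, current_hash)
        self.links.append(link)
        return link

    def to_json(self):
        return json.dumps(asdict(self), indent=2)

    @classmethod
    def from_json(cls, text):
        data = json.loads(text)
        links = [CustodyLink(**link) for link in data.pop("links")]
        return cls(links=links, **data)


def audit(record):
    """Re-check a stored record: every link must be released by the previous
    holder and carry the seizure hash. Returns a list of problems (empty = ok)."""
    problems = []
    holder = record.seized_by
    for i, link in enumerate(record.links, 1):
        if link.released_by != holder:
            problems.append("link %d: released by %s, expected %s"
                            % (i, link.released_by, holder))
        if link.hash_at_handover != record.evidence_hash:
            problems.append("link %d: hash mismatch" % i)
        holder = link.received_by
    return problems
```

Rejecting a transfer at the point of hand-over, rather than discovering the gap later, is what forces an undocumented custody change to be written down before the evidence moves again; `audit` exists for records that were stored and reloaded, where the same two checks are repeated over the whole chain.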

Page 80: File000118


Simple Format of the Chain of Custody Document

Page 81: File000118


Chain of Custody Form

Page 82: File000118


Chain of Custody Form (cont’d)

(Form table on this slide: ten blank rows with the columns "Media Model" and "Serial No")

Page 83: File000118


Chain of Custody Form (cont’d)

Page 84: File000118


Chain of Custody on Property Evidence Envelope or Bag

Page 85: File000118


Chain of Custody Property Sign-out Sheet

Page 86: File000118


Reporting the Crime Scene

The first responder creates a final report after completing the forensics process that contains complete information about the forensics process

The report should include:

• Date and time of the crime
• Model, size, and partitions of the hard disk, to find hidden or missing data
• Name and version of the operating system running on the victim’s computer
• Result of a program such as DOS ScanDisk or DOS ChkDsk, to find the accuracy of any data found
• Result of the virus scanning process
• Software present on the victim’s computer
• List of files stored on the victim’s computer with creation and update times
• Name and version of the software used in the processing of computer evidence
• Name of the interviewed person and his views

Page 87: File000118


Note Taking Checklist

Crime Scene Checklist

Page 88: File000118


Note Taking Checklist (cont’d)

Crime Scene Checklist

Page 89: File000118


First Responder Common Mistakes

Most of the time, the system or network administrator works as the first responder at the crime scene

They cannot handle security incidents in a proper way because they do not know the first responder procedure

Common mistakes committed by the first responder are as follows:

• Shutting down or rebooting the victim’s computer
• Assuming that some components of the victim’s computer may be reliable and usable
• Not having access to baseline documentation about the victim computer
• Not documenting the data collection process

Page 90: File000118


Summary

Electronic evidence is information and data of investigative value that is stored on or transmitted by an electronic device

There are times when the user is present, consent from the user of the hardware is required, and consent is given

Documentation of the scene creates an unchanging historical record of the scene

The ‘Chain of Custody’ refers to a written account of individuals who had sole physical custody of a piece of evidence from the time it was seized until the end of the case
