© Nihad A. Hassan 2019
Nihad A. HassanDigital Forensics Basicshttps://doi.org/10.1007/978-1-4842-3838-7_4

4. Initial Response and First Responder Tasks

Nihad A. Hassan1 
(1)
New York, New York, USA
 

What you should do upon arriving to the crime scene

When an incident that involves digital evidence is reported, the entity (public agency or private laboratory) responsible for conducting the investigation will send one or more individuals to investigate the case; this person is called the “first responder,” and he/she is responsible for conducting the initial investigation of the incident to determine its root cause.

The first responder can come from different backgrounds: he/she might be a network administrator, system administrator, law enforcement officer, or investigating officer. First responders have usually followed some form of official training in the digital forensic field.

The main role of the first responder is to identify, collect, preserve, and transport digital evidence to the forensic lab in addition to identifying the root cause of an incident. To do this correctly and legally, the first responder must be fully aware of the relevant legislation within the jurisdiction where he is going to investigate the incident.

From a technical perspective, the first responder must have a thorough understanding of digital forensics procedures; he/she should know how to acquire digital evidence in a forensically sound manner, so acquired evidence can be used in a court of law. A first responder needs to have appropriate IT knowledge covering different computing domains, and s/he should also understand how to deal with different IT equipment, so s/he can know where to look for digital evidence.

Before the first responder arrives at the crime scene, he/she needs to identify their work scope clearly to avoid missing any detail related to the subject case. The first responder’s toolkit should be ready to be taken with him/her upon request: this toolkit—as we are going to see later—should contain the appropriate software and hardware tools to manage different scenarios that the first responder will face. For instance, the digital crime scene can be very complicated because it can contain different types of computing devices with different OS, servers, and network devices, and it can also span different geographical areas, even to cloud storage servers located in other jurisdictions.

The first thing a first responder needs to consider is how to understand exactly what is required from him/her in relation to the reported incident. The first responder needs to ask the reporting person/company some questions to determine the scope of work. The main questions include the following: Does the reporting body need to investigate the case officially so they can move it to court later? Or do they just want to confirm that an attack was made against their computerized systems and ensure that no further damage can happen? In many cases, the required task from the first responder is to investigate the root cause and type of attack and then work to return the systems to work as quickly as possible to avoid any business interruption.

Note!

The volume of digital data found at crime scene can become enormous these days, so the scope of investigation should be defined very well to avoid getting lost in the overload of data.

Before we begin talking about first responder tasks and challenges, we need to cover a key point in digital forensics investigations, which is the legal issue. Obtaining a search warrant or a consent to seize and investigate digital devices is a must for any type of investigation, as without such legal paper, the investigation can be considered unlawful and evidence acquired will not be admissible in a court of law.

Search and Seizure

Law enforcement officers need a search warrant to search and seize digital devices. In the United States, the Fourth Amendment limits the ability of government agents to search for and seize evidence without a warrant. Any evidence obtained in violation of the Fourth Amendment is inadmissible in a court of law.

The Fourth Amendment states:

The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.

The Fourth Amendment was created to limit US law enforcement’s ability to search private premises without a proper search warrant. The search warrant should be very specific in terms of what areas can be searched and what items or persons can be seized from the crime scene.

This principle applies to digital crimes also; hence, any computing device which is capable of storing user data is considered private property that needs a search warrant in order to be searched and seized by law enforcement officials.

We will not delve deeply into the legal area; however, keep in mind that before collecting any digital evidence you need a form of legal consent to search or seize the evidence in question. In this section, we will list choices available for digital forensic examiners to search and seize digital evidence.

Consent to Search

In this type, the owner of the computing device cooperates with investigators and allows them to search and acquire digital evidence without an official search warrant. This usually happens when the owner of the device is not the suspect or when an employee has previously signed a search and seizure form as a condition for employment. In this case, you can acquire digital evidence without asking for any consent from him/her.

See Figure 4-1 for a sample “consent to search” digital device form created by Regional Computer Forensics laboratory ( www.rcfl.gov/san-diego/documents-forms/consent-to-search/view ).
../images/465906_1_En_4_Chapter/465906_1_En_4_Fig1_HTML.jpg
Figure 4-1

Consent to search form created by RCFL ( www.rcfl.gov/san-diego/documents-forms/consent-to-search/view )

Subpoena

When you do not have a permit from the device owner to search and seize digital equipment related to the case at hand, you can ask to have a court order or a permit. Special care should be taken when asking for such permission, as the suspect will have enough time to destroy digital evidence because s/he will know in advance your request for a court permit to search/seize the digital devices of interest.

Subpoena is usually used when it is unlikely that informing the device owner will result in destroying digital evidence. For example, many organizations (e.g., banks) require permission from the court before handling any information to investigators. This does not mean that these organizations are refusing to cooperate with investigators; rather, their applied policies and internal regulations prevent them from handing over such information without a proper court order.

Search Warrant

This is the most powerful search and seizure procedure; investigators use this when there is a high probability that informing the subject person (e.g., when he is the owner of the digital device or is involved with the suspect) will result in destroying digital evidence. A search warrant will be executed without prior notice to the suspect, so he cannot do anything to destroy or hide digital evidence.

Bear in mind that search warrants are only available to law enforcement officers; if you are an independent digital forensic investigator, you cannot request this permission from courts.

Courts usually do not give search warrants easily; investigators should have reasonable clues that a specific person and specific computing devices related to him in some way are a part of a criminal activity in order to be issued such a warrant.

We can differentiate between two types of search warrants:
  1. 1.

    Electronic storage device search warrant: This allows seizing digital storage devices like computers, flash drives, external hard drives, CD/DVD from suspect premises, and so on.

     
  2. 2.

    Service provider search warrant: If the suspect has committed his crime through the Internet, digital forensic investigators need to investigate this through external providers like the suspect ISP, cloud storage providers, and online merchants.

     

First Responder Toolkit

After obtaining the consent/search warrant paper, the first responder will head into the crime scene; it is advisable for the first responder to know as much about the incident and the crime scene as possible beforehand; this will allow him/her to prepare needed equipment and software before arriving at the crime scene.

In general, the following items must be present in a first responder’s bag before investigating any crime scene that involves electronic evidence:
  1. 1.

    Crime scene tape.

     
  2. 2.

    Stick-on labels and ties.

     
  3. 3.

    Color marker pens.

     
  4. 4.

    Notepad.

     
  5. 5.

    Gloves.

     
  6. 6.

    Magnifying glass.

     
  7. 7.

    Flashlight.

     
  8. 8.

    Sealable bags of mixed size; should be antistatic bags to preserve evidence integrity.

     
  9. 9.

    Camera (can capture both video and images and must be configured to show the date/time when the capture happens).

     
  10. 10.

    Radio frequency-shielding material to prevent some types of seized devices (e.g., smartphones and tablets with SIM cards) from receiving calls or messages (also known as a Faraday shielding bag). This bag will also protect evidence against lightning strikes and electrostatic discharges.

     
  11. 11.

    Chain of custody forms.

     
  12. 12.

    Secure sanitized external hard drive to store image of any digital exhibits.

     
  13. 13.

    USB thumb drives (at least two).

     
  14. 14.

    USB hub.

     
  15. 15.

    Bootable CDs.

     
  16. 16.

    Network cables.

     
  17. 17.

    Different cables/connectors for computer.

     
  18. 18.

    Hardware write blocker.

     
  19. 19.

    RAM capturing tool.

     
  20. 20.

    Hard drive capture tool.

     
  21. 21.

    Forensics software to perform elementary analysis on the captured data if needed.

     
  22. 22.

    Power adapters of different sizes.

     
  23. 23.

    Multi protected power strip.

     
  24. 24.

    Specialized screwdrivers.

     
  25. 25.

    Standard pliers.

     
  26. 26.

    Wire cutters.

     
  27. 27.

    One laptop, in addition to portable forensic workstation.

     
  28. 28.

    VPN solution to protect the communications of the first responder.

     
  29. 29.

    Access to secure online repositories where more forensic tools are stored if needed at the crime scene.

     
  30. 30.

    Packing material.

     

It is also advisable for the first responder to carry a list of contacts for expert professionals with relevant experience in other computing domains like database, mobile, and networking, so s/he can seek their help in case s/he needs assistance during the initial investigation.

First Responder Tasks

After securing the crime scene and preventing unauthorized access, the first responder must follow general principles for the correct acquisition of digital devices holding the digital evidence. The following steps should be implemented in the correct order, considering the circumstances at the crime scene:

Remember!

  • As we already mentioned, an official search warrant or consent from the owner of the digital device must be available before the search/seizure of the suspect computing device.

  • It is advisable to have a trained computer forensics examiner to acquire digital evidence from the suspect device to avoid leaving—or even destroying—any traces without investigation.

  • Photograph the entire crime scene before searching and seizing any digital device.

  • Safety is a key consideration when investigating a crime scene: the safety of the first responder’s team and law enforcement officers and all people at the crime scene should be a top priority.

  1. 1.

    Upon arriving, if there was a surveillance camera, make sure to disconnect it before doing anything; you can also cover it if you cannot stop it instantly.

     
  2. 2.

    Sometimes, the computer might be destroying evidence (e.g., executing a specialized software to wipe clean hard drive and consequently destroy digital evidence). If you suspect something like that is happening (e.g., if the hard drive LED light is lighting continually and the fan is moving fast, then there is a high probability that read/write operations are being conducted on the drive), shut down the computer immediately. Do this by pulling the power cord (if the suspect computer is a laptop with nonremovable battery, press down and hold the power button till laptop is powered OFF. If the laptop has a removable battery, remove the battery first, then unplug the power cord) .

     
  3. 3.

    If the computer is OFF, do not turn it ON. Just seize it in antistatic bag and transport it securely to the forensic lab.

     
  4. 4.
    If the computer is ON and there are no clues that a destruction program is working, do the following:
    1. a.

      If the computer screen shows a login window (password prompt), power off the device by removing the power cord from the wall (perform hard shutdown); you can also try to crack the device’s password if necessary to obtain the volatile memory (more on this in the next chapter).

       
    2. b.

      If the computer screen is dark or showing a screen saver, move the mouse slowly, without pressing any buttons or rotating the mouse wheel, to show the screen.

       
    3. c.

      Photograph the computer screen to show running programs and opened files/folders, and to record system date/time.

       
    4. d.

      Acquire its volatile memory (RAM) using specialized tools, as we are going to see in the next chapter (acquiring RAM memory is also known as live memory dump). Capturing RAM memory is a key step before powering OFF the machine as it can contain a wealth of information like cryptographic keys, IM chat logs, unencrypted contents, clipboard contents, and process information, among other things.

       
    5. e.

      If the computer was attached to a networking device (router or switch), try to acquire its networking information first (IP address, open sessions, open ports, routing table, LAN addresses, broadcast address, and network interface card number). Some digital forensics experts argue that you should unplug the network cable to prevent any remote connection to the suspect device; however, this may destroy important evidence especially if the case was to investigate a network intrusion. Acquiring network information from the suspect computer (e.g., listing the active connections) can reveal other computers on the network which may possess evidence. Furthermore, the disconnecting target computer from the network may seriously impact business operations; for instance, disconnecting an e-mail server may bring great losses to the victim company. Handling a network computer should be done on a case-by-case basis; for instance, to stay safe, it is better to acquire networking information quickly. Then, if you see suspicious traffic through the network, you can disconnect the network cable to prevent unauthorized remote access. For servers that cannot get disconnected easily (e.g., Web and e-mail servers), you should conduct a risk assessment and seek expert knowledge.

       
    6. f.

      Perform a hard shutdown (unplug the power cord from the wall socket). If the device is a laptop, remove the battery first and then unplug the power cord. If you cannot remove the laptop battery, press down and hold the power button for 20 seconds to power it OFF.

       
    7. g.

      Finally, document all steps taken to seize the suspected computer device so it is available if someone asks for it later.

       
     
  5. 5.

    When seizing a portable device with wireless communication capabilities, make sure to put it in an impermeable bag that can block wireless communications to the device.

     

How to turn-off suspect computing device when it is ON

When the suspect computing device is ON, you need to power it OFF before moving it to the forensic laboratory. From a digital forensic perspective, there are two methods to power off devices with varying consequences and effects on the target computing device. Select the one that best fits your needs, taking into account the following considerations.
  1. 1.

    Hard shutdown (remove battery/power cord): This will preserve system files, prevent wiping programs from activating upon shutdown, and prevent changes to files’ time stamps and other attributes. However, this method will remove unsaved open files and may corrupt system files and the user’s open documents.

     
  2. 2.

    Graceful shutdown (powering off the computer using the ordinary preferred way): The advantages of this method include discovering open files and programs upon shutting down and preventing any corruption to system files in addition to allowing running applications to write any artifacts to hard drive so we can recover them later. The disadvantages include: launching destructive programs configured to run at shutdown, overwriting data on the hard drive, activating user-created scripts that can perform different tasks like removing system logs, clearing system pagefile (if the computer is configured to do so upon normal shutdown), and changing some attributes of files.

     

Note!

If the subject computer was running and you suspect there is an FDE implemented, make sure to acquire an HDD image before shutting down the computer.

Other important notes to consider when investigating the crime scene:
  1. 1.

    Identify any clues that can reflect suspect knowledge of computing technology; for example, if a suspect has a book about “digital steganography” on his/her bookshelf, you should suspect that this suspect may employ such techniques to hide incriminating data.

     
  2. 2.

    Photograph the area surrounding the suspect computer to show all devices that were connected to it (e.g., USB thumb drives, printer, scanner, USB camera, and microphone). You should also search for any handwritten notes around the computer or pasted on its screen; some people store their passwords on such notes, and finding a password in this way can save you a lot of effort if the suspect was using encryption to protect his data. Bear in mind that handwritten notes relative to the investigation should be documented in a similar way to any other digital evidence.

     
  3. 3.

    Physical evidence should not be compromised during crime scene documentation (e.g., use gloves when touching the suspect computing device to avoid destroying any existing fingerprints). The first responder should image the storage device (acquire digital forensic image) before sending it to the crime lab for DNA and fingerprint investigation.

     
  4. 4.

    If the crime scene contains advanced IT equipment that exceeds the first responder’s expertise, s/he should seek advice/help from an investigator with greater expertise.

     
  5. 5.

    Do not move an electronic device while it is ON; this may damage/corrupt digital evidence within it.

     

Note!

Some digital media devices (like USB thumb drives) are designed to look like toys, pen, keys, jewelry, and so forth to conceal their true purpose. First responders performing digital media seizure must take note of this to avoid leaving important clues behind.

Order of Volatility

It is the job of the first responder to determine the order in which the digital evidence will be collected. They should begin with the most volatile and go to the least volatile. The following order is suggested by many digital forensic processes, beginning with the most volatile:
  1. 1.

    CPU, registers, and system cache.

     
  2. 2.

    Routing table, ARP cache, process table, kernel statistics.

     
  3. 3.

    RAM memory.

     
  4. 4.

    Temporary file systems.

     
  5. 5.

    Swap space or virtual memory (named “pagefile” in Windows OS). This is a file on the hard drive that extends the amount of RAM available to a computer.

     
  6. 6.

    Hard drive and/or other removable media storage.

     
  7. 7.

    Remote logging and monitoring data.

     
  8. 8.

    Physical configuration, network topology.

     
  9. 9.

    Backup data and printouts.

     

Remote data existing on networking devices (like proxy servers, routers, intrusion detection systems, and firewalls) will also have a volatility order. For instance, it is worth mentioning that network caches and remote logs can be volatile and should be acquired by the first responder if it is accessible and related to the case in hand.

Documenting the Digital Crime Scene

As a digital forensics investigator, you should keep in mind that approaching a crime scene with digital evidence is similar to a traditional crime scene; hence, you need to document the crime scene in detail using photos and notes. This will effectively help you avoid leaving any evidence behind and will aid you in preparing your final report and in remembering the crime scene when testifying in court later. The following key points should be documented clearly:
  1. 1.

    When you entered the crime scene, how long you stayed there, and with whom.

     
  2. 2.

    Name all people who accessed the crime scene and list each one’s role. For example, who took photos of the crime scene? Who seized the computing device? At what time was the evidence obtained? Did you capture volatile memory (if the computing device was ON), and if so, by what method/tool?

     
  3. 3.

    The first responder must also document all items related to the case in hand that have been discovered at and acquired from the crime scene; each acquired item must be fully documented in a chain of custody form as we already described in Chapter 1.

     
  4. 4.

    Create a sketch of the crime scene showing where the digital devices were located in addition to any attached peripherals; the sketch can also include other details like computing device type and model number.

     
  5. 5.

    Photograph all areas of the crime scene; you can also use video for this purpose. Photography should be conducted twice, once upon entering the scene and the second before leaving (after seizing the digital device[s]).

     
  6. 6.

    Write notes describing everything related to the case at hand in detail; these notes will help you remember what you have seen at the crime scene when testifying in court later.

     
  7. 7.

    If the laws prohibit the first responder from searching and seizing some digital devices, he should mention this in the documentation of the crime scene.

     

As a final note, everything you see at the crime scene is worth documenting; an investigator should not leave the crime scene without documenting everything.

Packaging and Transporting Electronic Devices

After you have finished documenting the crime scene and you shut down the digital device (if it was ON), you are ready to package and transport it to the lab.

Start by unplugging the cables, but before doing this make sure to put a tag that contains a number on each cable and on the corresponding port on the computer. Finally, photograph the cables before unplugging them so you know later where each cable was attached. This will help investigators to reconstruct the system again in the lab if needed.

Begin the packaging process by putting a tape over the power switch, so the device will not power on accidentally while in transit, and then put the digital device in antistatic bags. Finally, put the acquired device(s) in a suitable evidence bag, seal it using tape, and record your name and date/time on it. The evidence bag must contain a panel that holds the following details about its contents:
  1. 1.

    Contents of the bag.

     
  2. 2.
    Names of investigators who:
    1. a.

      Seized the evidence.

       
    2. b.

      Photographed evidence and crime scene.

       
    3. c.

      Created the crime scene sketch diagram.

       
    4. d.

      Packaged the evidence in the bag.

       
     
  3. 3.

    Location where evidence was found and seized.

     
  4. 4.

    Suspect information and criminal record if applicable.

     
  5. 5.

    Date and time of seizure.

     
  6. 6.

    Passwords of seized devices (if available).

     
  7. 7.

    Any additional notes.

     

Note!

For digital devices that can receive network signals (like smartphones and other mobile communication devices), use a Faraday bag to prevent this.

Do not forget to seize the power adapters and cables of the acquired digital devices.

While transporting the electronic evidence bags, make sure to put them securely in the back seat of the car and tie them down to avoid exposing the bags to physical shock and vibration. The climate in the transportation vehicle should be dry, cool, and away from magnetic sources (e.g., speaker magnets, radio transmitters, and heated seats in cars) and dust. Do not leave the evidence bag exposed to high temperature or humidity because you may damage digital evidence within it. Finally, document the transportation of digital evidence in the chain of custody forms and make sure that these forms remain in a safe location while in transit, so all movement of digital evidence can be tracked back to maintain its integrity in a court of law.

Conducting Interview

Upon receiving a call from the reporting person/company about the subject incident, a first responder will have to ask questions to clarify the case s/he is going to investigate. In this section, we will put the most common questions that should be asked by the first responder before arriving at the crime scene and after arriving and talking with witnesses (e.g., site custodians and administrators) and possible suspects.

First Responder Questions When Contacted by a Client

When a client contacts the first responder to investigate an incident, the client should be asked the following initial questions by the first responder:
  1. 1.

    What is the problem?

     
  2. 2.

    If the client is a company, who is responsible for handling digital crime incidents in the target company?

     
  3. 3.

    What is the location of the incident?

     
  4. 4.

    Under which jurisdiction (authority) will the evidence be searched and seized?

     
  5. 5.

    What types of computing devices are going to be seized at the crime scene?

     
  6. 6.

    What tasks are expected to be performed at the scene? For example, do we need to perform live memory capture/analysis? Have there been any networking devices involved in the incident that need to be searched and/or seized?

     
  7. 7.

    What type of Internet access does the target organization have?

     
  8. 8.

    What is the ISP name?

     
  9. 9.

    Has there been any offsite storage?

     

Witness Interview Questions

Different digital crimes require different interview questions; for instance, questioning witnesses and possible suspects about a child pornography incident is different from the questions asked when the incident is related to fraud or hacking.

Upon arriving at the crime scene, the first responder should take as much information as he can from the people who were available at the time when the incident took place. People who were at the crime scene should be questioned about the following:
  1. 1.

    What they saw, and also where and how.

     
  2. 2.

    The names of all people who were at the crime scene, in addition to their phone numbers, e-mail addresses, and roles/jobs in the target organization.

     
  3. 3.

    Their work account usernames and passwords (jurisdiction rules apply here).

     
  4. 4.

    Social profiles and IM chat screen names for all employee of interest.

     
  5. 5.

    Identity of any administrator/site manager who can identify devices and custodians at the crime scene.

     
  6. 6.

    The number, types, and models of devices involved in incident.

     
  7. 7.

    The type of digital data (e.g., e-mail, databases, images, documents, etc.) expected to be involved in the incident.

     
  8. 8.

    The type of operating system involved in the incident.

     
  9. 9.

    Whether any of the digital data owned by target organization is stored outside its premises (e.g., cloud storage, remote locations, etc.).

     
  10. 10.

    Identity of any contractors who have remote access ability to target the organization’s network.

     
  11. 11.

    Whether data access restriction is in place.

     
  12. 12.

    Any suspicious about who may have conducted the attack (e.g., a disgruntled ex-employee).

     

After returning to the lab and analyzing the primary information collected, more questions can be prepared to ask the possible suspects/witnesses.

Witness Signature

Sometimes a witness signature is required to verify the information collected from the crime scene; this procedure is not applied in all jurisdictions, especially if the person collecting the digital evidence is a law enforcement officer. However, take this point into consideration where applicable.

Chapter Summary

The purpose of this chapter is to present the mission and services provided by the first responder for any investigation that involves digital evidence.

A first responder is the first person who appears at the crime scene: his main duty is to identify, collect, preserve, and transport digital evidence to the forensic lab following a predefined digital forensic methodology, so that acquired evidence is admissible in a court of law.

Before a first responder can search or seize any digital device from the crime scene, he needs to have a legal permit from the court or from the owner of the digital device; this permit is named a “consent to search” when it is voluntary or a “search warrant” when it is forced by the law. Without this legal paper, any acquired evidence is considered inadmissible in a court of law.

First responders can come from different work backgrounds: the majority are network or system administrators. However, they all must be trained in proper procedure in the digital forensics field and understand relevant enforced criminal law before searching or seizing any evidence.

The complexity of today’s digital crime scene and the different types of computing and networking devices can make this work very challenging, and the first responder may need assistance from different professionals with more expertise.

Now that we understand the role of the first responder in digital investigation, it’s time to begin learning how to collect digital evidence from computing devices, and this is what we are going to cover in the next chapter.

..................Content has been hidden....................

You can't read the all page of ebook, please click here login for view all page.
Reset
18.221.165.246