Federal Guidelines

If you are setting up a forensic lab, or if you are new to forensics, a good place to start is the federal guidelines. Two agencies, the FBI and the Secret Service, are particularly important.

The FBI

If an incident occurs, the FBI recommends that the first responder preserve the state of the computer at the time of the incident by making a backup copy of any logs, any damaged or altered files, and any other files modified, viewed, or left by the intruder. This last part is critical. Hackers frequently use various tools and may leave traces of their presence. Furthermore, the FBI advises that if the incident is in progress, you should activate any auditing or recording software you might have available. Collect as much data about the incident as you can. In other words, this might be a case where you do not take the machine offline, but rather analyze the attack in progress.

The FBI computer forensics guidelines stress the importance of securing any evidence. They further stress that computer evidence can come in many forms. Here are a few common forms:

  • Hard drives

  • System logs

  • Portable storage, such as USB drives and external drives

  • Router logs

  • Emails

  • Chat room logs

  • Smartphones and tablets

  • SIM cards for cell phones and smartphones

  • Logs from security devices, such as firewalls and intrusion detection systems

  • Databases and database logs

What you secure depends on the nature of the cybercrime. For example, in the case of child predators, online stalkers, or online fraud, email may be very important, but router logs may be irrelevant. The FBI also stresses that you should work with a copy of the hard drive, not the original.

The FBI has a cybercrimes webpage, which is a very useful resource for learning more about trends in cybercrime and in computer forensics.

The Secret Service

The U.S. Secret Service is the premier federal agency tasked with combating cybercrime. It has a website devoted to computer forensics that includes forensic courses. These courses are usually for law enforcement personnel.

The Secret Service also has released a guide for first responders to computer crime. The agency has listed its “golden rules” to begin the investigation. They are as follows:

  • Officer safety: Secure the scene and make it safe.

  • If you reasonably believe that the computer is involved in the crime you are investigating, take immediate steps to preserve the evidence.

  • Determine whether you have a legal basis to seize the computer, such as plain view, search warrant, or consent.

  • Do not access any computer files. If the computer is off, leave it off.

  • If it is on, do not start searching through the computer. Instead, properly shut down the computer and prepare it for transport as evidence.

  • If you reasonably believe that the computer is destroying evidence, immediately shut down the computer by pulling the power cord from the back of the computer.

  • If a camera is available, and the computer is on, take pictures of the computer screen. If the computer is off, take pictures of the computer, the location of the computer, and any electronic media attached.

  • Determine whether special legal or privacy considerations apply, such as those for doctors, attorneys, clergy, psychiatrists, newspapers, or publishers.

These are all important first steps to both preserving the chain of custody and ensuring the integrity of the investigation from the very first step.
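The FBI advice above (make a backup copy of logs and intruder-left files, then work with a copy rather than the original) and the chain-of-custody concern in the Secret Service rules both come down to one practical control: hash every item at collection, record who collected it and when, and re-verify the working copy before and after analysis. The following Python script is an added example written for this chapter, not code from the FBI, the Secret Service, or any forensic tool; the evidence files, examiner name, and log line it uses are constructed.

```python
import hashlib
import os
import shutil
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20  # read files in 1 MiB pieces so large images don't exhaust memory


def sha256_file(path):
    """Return the SHA-256 hex digest of a file, streamed in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(evidence_dir, examiner):
    """Hash every collected file and record the chain-of-custody facts:
    what was collected, its digest and size, who collected it, and when."""
    entries = []
    for root, _, files in os.walk(evidence_dir):
        for name in sorted(files):
            path = os.path.join(root, name)
            entries.append({
                "path": os.path.relpath(path, evidence_dir),
                "sha256": sha256_file(path),
                "size": os.path.getsize(path),
                "collected_at": datetime.now(timezone.utc).isoformat(),
                "collected_by": examiner,
            })
    return entries


def make_working_copy(evidence_dir, copy_dir):
    """Analysts work on this copy; the original is never opened again."""
    shutil.copytree(evidence_dir, copy_dir)


def verify_copy(manifest, copy_dir):
    """Return the paths whose working copy no longer matches the recorded hash.
    An empty list means the copy is still byte-identical to what was seized."""
    mismatches = []
    for entry in manifest:
        p = os.path.join(copy_dir, entry["path"])
        if not os.path.exists(p) or sha256_file(p) != entry["sha256"]:
            mismatches.append(entry["path"])
    return mismatches


def demo():
    """Collect constructed evidence, copy it, verify, then show that an
    accidental edit to the working copy is caught by re-verification."""
    work = tempfile.mkdtemp()
    evidence = os.path.join(work, "original")
    os.makedirs(evidence)
    # Constructed sample evidence (not from any real incident); the IP is
    # from the RFC 5737 documentation range.
    with open(os.path.join(evidence, "auth.log"), "w") as f:
        f.write("Jan 10 03:14:07 host sshd[412]: Accepted password for admin from 203.0.113.5\n")
    with open(os.path.join(evidence, "notes.txt"), "w") as f:
        f.write("constructed file left behind by the intruder\n")

    manifest = build_manifest(evidence, "examiner-01")  # constructed examiner id
    copy = os.path.join(work, "working_copy")
    make_working_copy(evidence, copy)
    clean = verify_copy(manifest, copy)  # expected: []

    # Simulate an analyst touching a file in the working copy.
    with open(os.path.join(copy, "notes.txt"), "a") as f:
        f.write("accidental edit\n")
    tampered = verify_copy(manifest, copy)  # expected: ["notes.txt"]

    shutil.rmtree(work)
    return manifest, clean, tampered


if __name__ == "__main__":
    manifest, clean, tampered = demo()
    for e in manifest:
        print(f'{e["sha256"]}  {e["path"]}  ({e["collected_by"]} @ {e["collected_at"]})')
    print("copy verified clean:", clean == [])
    print("changed after edit:", tampered)
```

In practice the manifest would be written to a signed or write-once log alongside the evidence, and the original media would be hashed again at hand-off so each custodian can show the digests never changed while the item was in their possession.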

The Regional Computer Forensics Laboratory Program

The Regional Computer Forensics Laboratory (RCFL) program is a national network of forensic laboratories and training centers. The FBI provides startup and operational funding, training, staff, and equipment to the program. State, local, and other federal law enforcement agencies assign personnel to staff RCFL facilities.

Each of the 16 RCFLs examines digital evidence in support of criminal and national security investigations. The RCFL program provides law enforcement at all levels with digital forensics expertise. It works with a wide variety of investigations, including terrorism, child pornography, fraud, and homicide.

The RCFL program conducts digital forensics training. In 2008, for example, the program trained nearly 5000 law enforcement personnel in system forensics tools and techniques. For more information, see http://www.rcfl.gov.
