File000118
Desmond Devendran
1.
Module V - First Responder Procedures
2.
EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Scenario
Sam, a system administrator, was surprised to see critical files missing from his office server. He suspected that the server was compromised. He did not want to take a chance by investigating the system himself. Sam reported the incident to Bob, an Information Security Officer employed with the same firm. Bob took note of the request from Sam. Being a CHFI, seizing Sam’s system and following the basic procedures in investigating the case was easy for Bob. He investigated the image file of the hard disk of the server. His investigation revealed the presence of a rootkit in one of the directories of the server. During the investigation process, Sam recalled downloading a patch management tool from the Internet from a third-party source. He realized that the rootkit could have been bundled with the patch management tool.
3.
News: Mobile Handsets Becoming A 'Smoking Gun'
Source: http://www.darkreading.com/
Rise in mobile devices in the enterprise adds new challenges to incident response
Dec 01, 2008 | 02:42 PM
By Kelly Jackson Higgins, DarkReading
You have to be fast when seizing a mobile handheld device in the wake of a security breach -- a dead battery or still-live signal could wipe out or taint the evidence stored on it.
As handheld devices gain more data features and storage, they also are increasingly becoming a smoking gun in an enterprise data breach, especially when it comes to the insider threat, security experts say. But getting hold of these devices and freezing the evidence on them isn't so easy.
"The biggest data breach [with handhelds] today is probably lost or stolen handhelds," says Randy Abrams, director of technical education at Eset. "The fact that many of these devices support MicroSD card of at least 2 gigabytes of capacity makes them extremely agile for transporting data. Insiders have no problem copying large amounts of data from a PC to their smartphone. Even if the possession of the data is legitimate, a lost device with unencrypted data can be a gold mine for the finder."
But the evidence on the devices can be easily lost or tainted. Amber Schroader, president and founder of Paraben, says the key is to maintain power on the device and protect it from any changes that could contaminate the evidence on it. "You can put aluminum foil around it to make sure the signal is blocked" or put a Faraday cage around it to protect the evidence, she said during a presentation at the recent CSI 2008 conference.
The first responder to a handheld device could have less than a minute to properly seize and contain one of these "volatile" devices, she says. If the battery dies, so does the forensics data that was on a Windows Mobile device, for instance, Schroader said.
"Every three days a new digital device goes into the consumer market," she said, and there aren't enough forensic examiners to keep up with them.
4.
Module Objective
This module will familiarize you with:
• Electronic Evidence
• First Responder
• Role of the First Responder
• Electronic Devices: Types and Collecting Potential Evidence
• First Responder Toolkit
• Evidence Collecting Tools and Equipment
• First Responder Procedures
• Securing and Evaluating Electronic Crime Scene
• Conducting Preliminary Interviews
• Documenting Electronic Crime Scene
• Collecting and Preserving Electronic Evidence
• Packaging Electronic Evidence
• Transporting Electronic Evidence
• Reporting the Crime Scene
• First Responder Common Mistakes
5.
Module Flow
• Electronic Evidence
• First Responder
• Role of First Responder
• Electronic Devices: Types and Collecting Potential Evidence
• First Responder Toolkit
• Evidence Collecting Tools and Equipment
• First Responder Procedures
• Securing and Evaluating Electronic Crime Scene
• Conducting Preliminary Interviews
• Documenting Electronic Crime Scene
• Collecting and Preserving Electronic Evidence
• Packaging Electronic Evidence
• Transporting Electronic Evidence
• Reporting the Crime Scene
• First Responder Common Mistakes
6.
Electronic Evidence
“Electronic evidence is information and data of investigative value that is stored on or transmitted by an electronic device”
Properties of the electronic evidence:
• It is hidden, similar to fingerprint evidence or DNA evidence
• It can be broken, altered, damaged, or destroyed by improper handling
• It expires within a pre-set time
7.
First Responder
A first responder is the person who arrives first at the crime scene and accesses the victim’s computer system after the incident
He may be a network administrator, law enforcement officer, or investigation officer
He is responsible for protecting, integrating, and preserving the evidence obtained from the crime scene
8.
Roles of First Responder
• Identifying the crime scene
• Protecting the crime scene
• Preserving temporary and fragile evidence
• Collecting the complete information about the incident
• Documenting all the findings
• Packaging and transporting the electronic evidence
9.
Electronic Devices: Types and Collecting Potential Evidence
Computer systems:
• Evidence is found in files that are stored on servers, memory cards, hard drives, removable storage devices and media such as floppy disks, CDs, DVDs, cartridges, and tape
Hard drive:
• To collect the evidence, check text, picture, video, multimedia, database, and computer program files
Thumb drive:
• To collect the evidence, check text, graphics, image, and picture files
Memory card:
• To collect the evidence, check event logs, chat logs, text files, image files, picture files, and Internet browsing history
10.
Electronic Devices: Types and Collecting Potential Evidence (cont’d)
Smart card, dongle, and biometric scanner:
• Evidence is found by recognizing or verifying the information of the card with the user, level of access, configurations, permissions, and in the device itself
Answering machine:
• Evidence is found in voice recordings such as deleted messages, last number called, memo, phone numbers, and tapes
Digital camera:
• Evidence is found in images, removable cartridges, video, sound, time, and date stamp
Pager:
• To collect the evidence, check address information, text messages, e-mail, voice messages, and phone numbers
11.
Electronic Devices: Types and Collecting Potential Evidence (cont’d)
Personal digital assistants:
• Evidence is found in address book, appointment calendars or information, documents, and e-mail
Printer:
• Evidence is found through usage logs, time and date information, and network identity information
Removable storage devices (tape, CD, DVD, floppy):
• Evidence is found in the devices themselves
Telephones:
• Evidence is found through names, phone numbers, caller identification, information, and appointment information
Modem:
• Evidence is found on the device itself
12.
Electronic Devices: Types and Collecting Potential Evidence (cont’d)
Scanner:
• Evidence is found through names, phone numbers, caller identification, information, and appointment information
Copiers:
• Evidence is found in documents, user usage logs, and time and date stamps
Credit Card Skimmers:
• Evidence is found through card’s expiration date, user’s address, credit card numbers, and user’s name
Digital Watches:
• Evidence is found through address book, notes, appointment calendars, phone numbers, and emails
Facsimile (Fax) Machines:
• Evidence is found through documents, phone numbers, film cartridge, and send or receive logs
13.
First Responder Toolkit
14.
First Responder Toolkit
A first responder toolkit is a set of tested tools which helps the first responder in collecting genuine and presentable evidence
It helps the first responder to understand the limitations and capabilities of electronic evidence at the time of collection
15.
Creating a First Responder Toolkit
Create a trusted forensic computer or testbed by:
• Choose the related operating system
• Completely sanitize the forensics computer
• Install the operating system and required software
• Update and patch the forensics computer
• Install a file integrity monitor to test the integrity of the file system
Document the details of the forensics computer with:
• Version name and type of the operating system
• Name and types of different software
• Name and types of the installed hardware
16.
Creating a First Responder Toolkit (cont’d)
Document the summary of the collected tools:
• It helps the first responder to understand how a tool works
• The summary comprises:
  • Acquisition of the tool
  • Detailed description of the tool
  • Working of the tool
  • Tool dependencies and the effects on the system
Test the tools:
• Test the collected tools on the forensics computer and examine the performance and output
• Examine the effects of the tool on the forensics computer
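The file integrity monitor, the workstation documentation and the tool testing described in the two toolkit slides can be combined in one script: it records the forensic workstation's platform details together with a hash of every tool file as the tested baseline, and before the kit goes to a scene it reports anything modified, missing or added. This is an added example, not EC-Council's or any vendor's code; the toolkit directory and its files are constructed in a temporary directory.

```python
import hashlib
import json
import platform
import tempfile
from pathlib import Path


def sha256_file(path):
    """SHA-256 of a file, read in chunks so large tool images are not loaded whole."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(tool_dir):
    """Record platform details of the forensic workstation and a hash of every tool file.

    The 'system' section documents the OS version and hardware type the kit was
    tested on; the 'tools' section is the integrity baseline for the kit itself.
    """
    root = Path(tool_dir)
    tools = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            tools[path.relative_to(root).as_posix()] = sha256_file(path)
    return {
        "system": {
            "os": platform.system(),
            "os_version": platform.version(),
            "machine": platform.machine(),
        },
        "tools": tools,
    }


def verify_baseline(tool_dir, baseline):
    """Compare the kit on disk with the recorded baseline.

    Returns sorted lists of modified, missing and unexpected files; all three
    empty means the kit is exactly the one that was tested.
    """
    current = build_baseline(tool_dir)["tools"]
    expected = baseline["tools"]
    return {
        "modified": sorted(k for k in expected if k in current and current[k] != expected[k]),
        "missing": sorted(k for k in expected if k not in current),
        "unexpected": sorted(k for k in current if k not in expected),
    }


def demo():
    """Constructed toolkit: baseline it, then tamper with it and verify again.

    Returns (clean_report, tampered_report) so the result can be checked.
    """
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        # Constructed stand-ins for tool binaries (a real kit holds imaging/hashing tools).
        (root / "bin" / "imager").write_bytes(b"#!/bin/sh\necho imaging\n")
        (root / "bin" / "hasher").write_bytes(b"#!/bin/sh\necho hashing\n")
        (root / "README.txt").write_text("Trusted first responder toolkit, build 1\n")

        baseline = build_baseline(root)
        clean = verify_baseline(root, baseline)

        # What the integrity check is meant to catch: one tool altered,
        # one file removed, one stray file added to the kit.
        (root / "bin" / "hasher").write_bytes(b"#!/bin/sh\necho tampered\n")
        (root / "README.txt").unlink()
        (root / "stray.dll").write_bytes(b"\x00")
        tampered = verify_baseline(root, baseline)
        return clean, tampered


if __name__ == "__main__":
    clean_report, tampered_report = demo()
    print("after build:", json.dumps(clean_report))
    print("after tampering:", json.dumps(tampered_report))
```

Saving the baseline dictionary as JSON alongside the kit gives the "details of the forensics computer" record the slides ask for, in a form that can be re-verified on every deployment.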
17.
Evidence Collecting Tools and Equipment
Departments should have general crime scene processing tools (e.g., cameras, notepads, sketchpads, evidence forms, crime scene tape, and markers)
Documentation Tools:
• Cable tags
• Indelible felt tip markers
• Stick-on labels
Disassembly and Removal Tools:
• Flat-blade and Phillips-type screwdrivers
• Hex-nut drivers
• Needle-nose pliers
• Secure-bit drivers
• Small tweezers
• Specialized screwdrivers
• Standard pliers
• Star-type nut drivers
• Wire cutter
18.
Evidence Collecting Tools and Equipment (cont’d)
Package and Transport Supplies:
• Antistatic bags
• Antistatic bubble wrap
• Cable ties
• Evidence bags
• Evidence tape
• Label tag
• Tape
• Packing materials
• Sturdy boxes of various sizes
Other Tools:
• Gloves
• Hand truck
• Magnifying glass
• Printer paper
• Seizure disk
• Unused floppy diskettes
19.
Evidence Collecting Tools and Equipment (cont’d)
Notebook Computers:
• Licensed software
• Bootable CD
• External hard drives
• Network cables
Software Tools:
• DIBS® Mobile Forensic Workstation
• AccessData's Ultimate Toolkit
• TEEL Technologies SIM tools
Hardware Tools:
• Paraben Forensics Hardware
• Digital Intelligence Forensic Hardware
• Tableau Hardware Accelerator
• Wiebetech forensics hardware tools
• Logicube forensics hardware tools
20.
First Response Basics
21.
First Response Rule
Under no circumstances should anyone, with the exception of qualified computer forensics personnel, make any attempts to restore or recover information from a computer system or device that holds electronic information
Any attempts to retrieve data by unqualified individuals should be avoided as these attempts could either compromise the integrity of the files or result in files being inadmissible in legal or administrative proceedings
22.
Incident Response: Different Situations
First response to an incident may involve three different groups of people, and each will have differing skills and need to carry out differing tasks based on the incident
The three groups are:
• System administrators
• Local managers or other non-forensic staff
• Laboratory forensic staff
23.
First Response for System Administrators
The actions taken by the system administrator after discovery of a potential computer violation will play a vital role in the investigation
Once an incident has been discovered by a system administrator, they must report it according to the current organisational incident reporting procedures
The systems administrator should then not touch the system unless directed to by either the incident or duty manager or one of the forensic analysts assigned to the case
24.
First Response by Non-Laboratory Staff
• Secure the scene and ensure that it is maintained in a secure state until the Forensic Team advises
• Make notes about the scene that will eventually be handed over to the Forensic Team
• The whole area surrounding a suspect computer, and not just the computer itself, is the incident scene
25.
First Response by Laboratory Forensic Staff
First response by laboratory forensic staff involves six stages:
1: Securing and evaluating electronic crime scene
• Search warrant for search and seizure
• Plan for search and seizure
• Conduct the initial search of the scene
• Health and safety issues
2: Conducting preliminary interviews
• Ask questions
• Check the consent issues
• Witness signatures
• Initial interviews
26.
First Response by Laboratory Forensic Staff (cont’d)
3: Documenting electronic crime scene
• Photographing the scene
• Sketching the scene
4: Collecting and preserving electronic evidence
• Evidence collection
• Exhibit numbering
• Dealing with powered OFF/ON computers at the seizure time
• Seizing portable computers
5: Packaging electronic evidence
6: Transporting electronic evidence
• Handling and transportation to the Forensic Laboratory
• Ensure the ‘Chain of custody’ is strictly followed
27.
Securing and Evaluating Electronic Crime Scene
28.
Securing and Evaluating Electronic Crime Scene: A Check-list
• Follow the policies of legal authority for securing the crime scene
• Verify the type of the incident
• Make sure that the scene is safe for you and for other responders
• Isolate other persons who are present at the scene
• Locate and help the victim
• Verify the data related to offenders
• Transmit additional flash messages to other responding units
• Request additional help at the scene if needed
• Establish a security perimeter and check whether the offenders are still in the crime scene area
29.
Securing and Evaluating Electronic Crime Scene: A Check-list (cont’d)
• Protect the evidence that is at risk of being lost or signed as agreement
• Protect perishable data (e.g. pagers and Caller ID boxes) physically and electronically
• Make sure that the devices that contain perishable data are secured, documented, and/or photographed
• Recognize the telephone lines that are connected to devices such as modems and caller ID boxes
• Document, disconnect, and label telephone lines or network cables
• Observe the situation at the scene and record those observations
• Protect physical evidence or hidden fingerprints that are found on keyboards, mouse, diskettes, and CDs
30.
Securing the Crime Scene
31.
Warrant for Search and Seizure
A search warrant allows the first responder to perform the search and seizure of the electronic evidence that is mentioned in the search warrant
Search warrants for electronic devices basically focus on the following:
Electronic storage device search warrant
• Allows the first responder to search and seize the victim’s computer components (such as hardware, software, storage devices, and documentation)
Service provider search warrant
• Allows the first responder to get the victim’s computer information (such as service records, billing records, subscriber information) from the service provider
32. Planning the Search and Seizure
A search and seizure plan contains the following details:
• Description of the incident
• Incident manager running the incident
• Case name/title for the incident
• Location of the incident
• Applicable jurisdiction and relevant legislation
• Location of the equipment to be seized:
  • Structure's type and size
  • Where the computer(s) are located (all in one place, or spread across the building or floors)
  • Who will be present at the incident?
  • Is there a friendly atmosphere at the location?
33. Planning the Search and Seizure (cont'd)
Details of what is to be seized (make, model, location, ID, etc.):
• Type of device and number to be seized
• Will the computers be running at seizure, or will they be shut down?
• Are they networked?
• If so: what type of network, where is data stored on the network, where are the backups held, is the system administrator a 'friendly' person, will it be necessary to take the server down, and what is the business impact of this action?
Search and seizure type (overt/covert)
Local management involvement
34. Initial Search of the Scene
• Isolate the computer system (workstation, stand-alone, or network server) and other media devices that may contain digital evidence
• Keep a search and seizure evidence log containing brief descriptions of all computers, devices, or media located during the search for evidence
• Make a note of the locations on the crime scene sketch as well
• Photograph and sketch the crime scene, along with a detailed accounting of all computer evidence
35. Health and Safety Issues
• It is important to consider health and safety factors in the work carried out at all stages of the forensic process conducted by the forensic analysts
• All forensic teams should wear protective latex gloves for on-site searching and seizing operations
• This both protects the staff and preserves any fingerprints that may need to be recovered at a later date
36. Conducting Preliminary Interviews
37. Questions to Ask When a Client Calls the Forensic Investigator
• Description of the incident
• Incident manager running the incident
• Case name/title for the incident
• Location of the incident
• The jurisdiction under which the case and/or seizure is to be performed
• Details of what is to be seized (make, model, location, ID, etc.)
• Other work to be performed at the scene (e.g. full search, evidence required, etc.)
• Whether the search and seizure is to be overt or covert, and whether local management should know
38. Consent
• There are times when the user is present, consent from the user of the hardware is required, and consent is given
• In such cases, the appropriate forms for the jurisdiction should be used and carried in the grab bag
39. Sample of Consent Search Form
40. Witness Signatures
• Depending on the legislation of the jurisdiction, a signature (or two) may or may not be required to certify collection of evidence
• Typically, where one signature is required, it is that of the Forensic Analyst or Law Enforcement Officer performing the seizure
• Where two signatures are required, guidance should be sought to determine whose second signature should be taken
• Whoever signs as witness needs a clear understanding of their role and may be required to provide a witness statement or attend court
41. Conducting Preliminary Interviews
• Interview separately and identify all persons (witnesses and others) present at the scene, and record their location at the time of entry
• Consistent with departmental policies and applicable laws, collect information from individuals such as:
  • Owners and/or users of electronic devices found at the scene
  • User names and Internet service provider
  • Passwords required to access the system, software, or data
  • Purpose of using the system
  • Unique security schemes or destructive devices
  • Any offsite data storage
  • Documents explaining the hardware or software installed on the system
42. Conducting Initial Interviews
• If the suspect is present at the time of search and seizure, the Incident Manager or the Laboratory Manager may consider asking the suspect some questions, but these must comply with the relevant Human Resources or legislative guidelines for the jurisdiction
• At initial interviews the suspect has often had little time to concoct alibis etc., and when asked questions they often answer truthfully, even to questions such as 'what are the passwords for the account'
43. Conducting Initial Interviews (cont'd)
• An individual who has physical possession of a piece of evidence is responsible for its security
• Evidence should be secured in such a manner that only the individual who has signed for it can gain access to it, though it is noted that this is not always possible
• Typical questions could include:
  • Are there any keys? Some computer cases have physical key locks
  • What are the user IDs and passwords for the computer?
  • What email addresses are used, and what are the user IDs and passwords for them?
44. Witness Statement Checklist
45. Witness Statement Checklist (cont'd)
46. Documenting the Electronic Crime Scene
47. Documenting the Electronic Crime Scene
• Documentation of the scene creates an unchanging historical record of the scene
• Document the physical scene, such as the position of the mouse and the location of components near the system
• Document related electronic components that are difficult to find
• Record the condition of the computer system, storage media, electronic devices, and conventional evidence, including the power status of the computer
• Take a photograph of the computer's screen and write notes on what you have seen on the screen
48. Photographing the Scene
• Photographing the scene should be the first step taken by the Forensic Team on arrival
• Photographing the crime scene should be done in a manner that does not alter or damage the scene
• The ideal approach is to first take several photographs that establish the location of the scene, followed by an entry photograph, followed by a series of '360 degree' photographs
• '360 degree' photographs are simply overlapping photographs depicting the entire crime scene
• The key to remember in crime scene photography is to go from the overall scene down to the smallest piece of evidence
49. Photographing the Scene (cont'd)
• Photographs should also be taken of the immediate work area, including computer disks, handwritten notes, and other computer equipment (printers and external drives)
• Photographs should also be taken of the rear of the computer to accurately record how the leads are connected
• If this cannot be done, then all cables must be labelled, and the PC, reconnected back at the Forensic Laboratory, should be photographed
50. Sketching the Scene
• A crime scene sketch should be prepared detailing the overall scene
• This should include the locations of items within the office area
• Again, the rule of thumb for crime scene sketching is to go from the overall scene to the smallest piece of evidence
• This may require several sketches to accurately depict the scene
51. Video Shooting the Crime Scene
52. Collecting and Preserving Electronic Evidence
53. Collecting and Preserving Electronic Evidence
• When an incident is reported in which a computer is assumed to be part of the incident, it is often the case that the computer is the first and only item seized. This is wrong.
• The scene should be searched in a circular motion, with the computer at the centre of the circle
• Items of evidence, as located, should be photographed, identified in notes, and then collected
• Evidence should be identified, recorded, seized, bagged, and tagged on site with no attempt to determine its contents or status
54. Order of Volatility
When collecting evidence, the collection should proceed from the most volatile to the least volatile. The list below is the order of volatility for a typical system:
• Registers, cache
• Routing table, process table, kernel statistics, and memory
• Temporary file systems
• Disk or other storage media
• Remote logging and monitoring data that is relevant to the system in question
• Physical configuration, network topology
• Archival media
55. Dealing with Powered OFF Computers at Seizure Time
If equipment is switched OFF, leave it OFF
56. Dealing with Powered ON Computers
The first step to take when approaching an active, powered on, and running computer is:
• STOP and THINK
• The contents of RAM in an active computer system undoubtedly hold some information, and occasionally this can be important to a case
• For example, data that is likely to be found encrypted on disk might be found in an unencrypted state in memory, or a running process might need to be identified and examined before power is removed
• Any such information in memory will be lost when the power supply to the device is removed
57. Dealing with Powered ON Computers (cont'd)
If a computer is switched on and the screen is viewable, then the following must be done:
• Record the programs running on screen
• Photograph the screen
58. Dealing with Networked Computers
• Unplug the network cable from the router and modem
• If the computer is off, leave it off
• If the computer is ON, photograph the screen
• If the computer is ON and the screen is blank, move the mouse slowly and take a photograph of the screen
• Label all the connected devices and cords for later identification
• Unplug all the cords and devices connected to the computer
59. Dealing with Open Files and Startup Files
Malware attacks on a computer system create files in the startup folder to run the malware program. Follow the listed procedures to find the evidence:
• Open the recently created documents in the startup or system32 folder for Windows and the rc.local file for Linux
• Note down the date and time of the files
• Examine the open files for sensitive data such as passwords, images, etc.
• Search for unusual MAC times on vital folders and startup files
60. Operating System Shutdown Procedure
It is important to shut down the operating system in a proper manner so that the integrity of the files is not damaged. Different operating systems have different shutdown procedures.
MS-DOS/Windows 3.x/NT 3.51/95/98/NT 4.0 operating systems:
• Take a photograph of the screen
• If any program is running, give a brief explanation
• Unplug the power cord from the wall socket
61. Operating System Shutdown Procedure (cont'd)
UNIX/Linux operating systems:
• Right click Menu -> click Console
• If the root user's prompt is set to # sign mode:
  • Enter the password if available and type sync;sync;halt to shut down the system
  • If the password is not available, unplug the power cord from the wall socket
• If it is set to console # sign mode:
  • Enter the user's ID and press Enter
  • If the user's ID is root, type sync;sync;halt to shut down the system
  • If the user's ID is not root, unplug the power cord from the wall socket
MacOS operating system:
• Record the time from the menu bar
• Click Special -> Shutdown
• Unplug the power cord from the wall socket
62. Computers and Servers
• Photograph the computer and ancillary (connected) equipment
• Photograph the connectors behind the computer and individually label them
• Record the cables and the respective ports to which they are connected
• Seal the power socket with tape to prevent inadvertent use
• Disconnect the monitor, keyboard, mouse, and CPU
63. Preserving Electronic Evidence
• Document the actions and changes that you observe on the monitor, computer, printer, or other peripherals
• Take a photo of the monitor screen if the computer is in the "on" state
• Photograph the connections of the computer and the corresponding cables, and label them individually
• If any electronic devices such as PDAs or cell phones are present, take a photograph, label the device, collect all the cables, and transport them along with the device
64. Seizing Portable Computers
• Photograph the portable and ancillary (connected) equipment
• Photograph the connectors in the back of the portable and individually label them
• Record which cables are connected to which ports on the portable
• Remove the battery
65. Switched ON Portables
• Portables with their power on should be handled in the same way as a powered-on PC
• The date and time when the portable "wakes up" must be recorded
• Prior to pulling the power on a portable, the battery must be removed
• If it is not possible to remove the battery, pressing down on the power on/off switch for 30 seconds or so will force a hard power off
66. Collecting and Preserving Electronic Evidence
67. Collecting and Preserving Electronic Evidence
68. Collecting and Preserving Electronic Evidence
69. Collecting and Preserving Electronic Evidence
70. Packaging and Transporting Electronic Evidence
71. Evidence Bag Contents List
The panel on the front of evidence bags must be filled in with at least the following details:
• Date and time of seizure
• Seized by whom
• Exhibit number
• Seized from which place
• Details of the contents of the evidence bag
72. Packaging Electronic Evidence
• Make sure that the collected electronic evidence is properly documented, labeled, and listed before packaging
• Focus on hidden or trace evidence and take the necessary actions to preserve it
• Pack magnetic media in antistatic packaging
• Avoid folding and scratching storage devices such as diskettes, CD-ROMs, and tape drives
• Make sure that all the containers holding evidence are labeled appropriately
73. Packaging Electronic Evidence
74. Exhibit Numbering
All evidence collected should be marked as exhibits using this format:
• aaa/ddmmyy/nnnn/zz
Where:
• aaa are the initials of the Forensic Analyst or Law Enforcement Officer seizing the equipment
• ddmmyy is the date of the seizure
• nnnn is the sequential number of the exhibits seized by aaa, starting with 001 and going to nnnn
• zz is the sequence number for parts of the same exhibit (e.g. 'A' could be the CPU, 'B' the monitor, 'C' the keyboard, etc.)
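Added example (not from the EC-Council slides): a small register that issues exhibit numbers in the aaa/ddmmyy/nnnn/zz format above and a parser that validates them. It assumes details the slide leaves open: aaa is exactly three letters, nnnn is zero-padded to four digits (the slide counts from 001), and zz is a letter sequence A, B, ... Z, AA, AB.

```python
import re
from datetime import date, datetime
from typing import Dict, List, Tuple

# Added example, not EC-Council's code. Assumptions not stated on the slide:
# aaa is three letters, nnnn is zero-padded to four digits, zz is A..Z, AA, ...
EXHIBIT_RE = re.compile(
    r"^(?P<aaa>[A-Z]{3})/(?P<ddmmyy>\d{6})/(?P<nnnn>\d{4})/(?P<zz>[A-Z]{1,2})$"
)


def part_suffix(index: int) -> str:
    """1 -> 'A', 26 -> 'Z', 27 -> 'AA' (bijective base-26, like spreadsheet columns)."""
    if index < 1:
        raise ValueError("part index starts at 1")
    letters = ""
    while index > 0:
        index, rem = divmod(index - 1, 26)
        letters = chr(ord("A") + rem) + letters
    return letters


class ExhibitRegister:
    """Hands out sequential exhibit numbers per seizing officer per seizure date."""

    def __init__(self) -> None:
        self._last_seq: Dict[Tuple[str, str], int] = {}

    def new_exhibit(self, initials: str, seized_on: date, parts: int = 1) -> List[str]:
        """Return one label per part of a newly seized exhibit."""
        aaa = initials.upper()
        if not re.fullmatch(r"[A-Z]{3}", aaa):
            raise ValueError("initials must be three letters")
        if parts < 1:
            raise ValueError("an exhibit has at least one part")
        ddmmyy = seized_on.strftime("%d%m%y")
        key = (aaa, ddmmyy)
        seq = self._last_seq.get(key, 0) + 1
        if seq > 9999:
            raise ValueError("sequence exhausted for this officer and date")
        self._last_seq[key] = seq
        return [f"{aaa}/{ddmmyy}/{seq:04d}/{part_suffix(i)}" for i in range(1, parts + 1)]


def parse_exhibit(number: str) -> dict:
    """Split a label into its fields, rejecting malformed strings and impossible dates."""
    m = EXHIBIT_RE.match(number)
    if not m:
        raise ValueError(f"not a valid exhibit number: {number!r}")
    # strptime raises ValueError for a date such as 32/03/09
    seized_on = datetime.strptime(m.group("ddmmyy"), "%d%m%y").date()
    return {
        "officer": m.group("aaa"),
        "seized_on": seized_on,
        "sequence": int(m.group("nnnn")),
        "part": m.group("zz"),
    }


def same_exhibit(a: str, b: str) -> bool:
    """True when two labels are parts of one seized exhibit (same officer, date, sequence)."""
    pa, pb = parse_exhibit(a), parse_exhibit(b)
    key = ("officer", "seized_on", "sequence")
    return tuple(pa[k] for k in key) == tuple(pb[k] for k in key)


if __name__ == "__main__":
    reg = ExhibitRegister()
    # Constructed sample: officer "JDS" seizes a three-part desktop on 14 March 2009
    print(reg.new_exhibit("jds", date(2009, 3, 14), parts=3))
```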
75. Transporting Electronic Evidence
• Keep electronic evidence away from magnetic sources while transporting
• Store the evidence in a secure area away from high temperature and humidity
• Avoid storing electronic evidence in vehicles for a long period
• Make sure that computers and other electronic components are not packed in containers
• Maintain the chain of custody on the evidence that is to be transported
76. Handling and Transportation to the Forensics Laboratory
• Avoid turning the computer upside down or laying it on its side during transport
• When transporting a computer or other computer devices, they should not be placed in a car trunk or any other area where dramatic temperature and humidity changes are possible
• In a vehicle, the ideal place for transport is the rear seat, positioned so that the computer will not fall if the brakes are applied suddenly or a quick manoeuvre is made
• All evidence must be kept away from any sources of magnetism or similar sources of power that could affect the integrity of the electronic evidence
77. Storing Electronic Evidence
• Ensure that the electronic evidence is listed in accordance with departmental policies
• Store the electronic evidence in a secure area and climate-controlled environment
• Protect the electronic evidence from magnetic fields, dust, vibration, and other factors that may damage its integrity
78. Chain of Custody
• 'Chain of Custody' refers to a written account of the individuals who had sole physical custody of a piece of evidence from the time it was seized until the end of the case
• By becoming a 'link' in the 'Chain of Custody' and taking possession of a piece of evidence, an individual takes on the responsibility to secure it in a manner that can later stand legal scrutiny should there be a claim of evidence tampering
79. Chain of Custody (cont'd)
The chain of custody document contains complete information about the obtained evidence. It contains the following information:
• Case number
• Name and title of the person from whom received
• Address and telephone number
• Location from where the evidence was obtained
• Date/time of evidence
• Item number/quantity/description of items
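Added example (not part of the EC-Council material): a chain-of-custody log built from the fields listed above, with a continuity check that flags the kind of gap a tampering claim would exploit, such as a hand-over the previous custodian never signed off, a changed quantity, or an out-of-order timestamp. All names, addresses, times and the case and item numbers are constructed sample data.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional

# Added example, not EC-Council's code. Each CustodyLink is one row of the
# chain-of-custody document; the fields mirror the slide's list.


@dataclass(frozen=True)
class CustodyLink:
    case_number: str
    item_number: str
    quantity: int
    description: str
    received_from: str     # name and title of the person handing the item over
    received_by: str       # name and title of the new custodian
    address_phone: str     # contact details of the new custodian
    location: str          # where the evidence was obtained or handed over
    when: datetime         # date/time of the transfer


def check_chain(links: List[CustodyLink]) -> List[str]:
    """Return the continuity problems found; an empty list means an unbroken chain."""
    if not links:
        return ["no custody links recorded"]
    problems: List[str] = []
    first = links[0]
    for i, link in enumerate(links, start=1):
        tag = f"link {i}"
        if (link.case_number, link.item_number) != (first.case_number, first.item_number):
            problems.append(f"{tag}: case/item number differs from link 1")
        if link.quantity != first.quantity:
            problems.append(f"{tag}: quantity changed from {first.quantity} to {link.quantity}")
        if not all((link.received_from, link.received_by, link.address_phone, link.location)):
            problems.append(f"{tag}: a required field is blank")
        if i > 1:
            prev = links[i - 2]
            # Every hand-over must come from whoever signed for the item last
            if link.received_from != prev.received_by:
                problems.append(
                    f"{tag}: received from {link.received_from!r}, "
                    f"but the previous custodian was {prev.received_by!r}"
                )
            if link.when < prev.when:
                problems.append(f"{tag}: dated before link {i - 1}")
    return problems


def current_custodian(links: List[CustodyLink]) -> Optional[str]:
    """Whoever signed for the item last is responsible for its security now."""
    return links[-1].received_by if links else None


def sample_chain(break_link: bool = False) -> List[CustodyLink]:
    """Constructed three-link chain; break_link=True inserts an unrecorded hand-over."""
    item = dict(case_number="CASE-2009-017", item_number="JDS/140309/0001/A",
                quantity=1, description="Desktop CPU, beige tower, office 2B")
    analyst = "J. D. Smith, Forensic Analyst"
    custodian = "M. Lee, Evidence Custodian"
    examiner = "A. Gomez, Lab Examiner"
    return [
        CustodyLink(**item, received_from="Seized at scene, office 2B", received_by=analyst,
                    address_phone="Forensic Unit, 1 Sample Rd, 555-0100",
                    location="Acme Ltd, 12 Example St", when=datetime(2009, 3, 14, 10, 5)),
        CustodyLink(**item, received_from=analyst, received_by=custodian,
                    address_phone="Evidence Store, 1 Sample Rd, 555-0101",
                    location="Forensic Laboratory evidence store",
                    when=datetime(2009, 3, 14, 15, 40)),
        CustodyLink(**item, received_from="R. Patel, Examiner" if break_link else custodian,
                    received_by=examiner, address_phone="Lab Room 4, 1 Sample Rd, 555-0102",
                    location="Forensic Laboratory, Room 4", when=datetime(2009, 3, 16, 9, 0)),
    ]


if __name__ == "__main__":
    print(check_chain(sample_chain()))                  # []
    print(check_chain(sample_chain(break_link=True)))   # one unrecorded hand-over
```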
80. Simple Format of the Chain of Custody Document
81. Chain of Custody Form
82. Chain of Custody Form (cont'd)
(form columns: Media Model, Serial No)
83. Chain of Custody Form (cont'd)
84. Chain of Custody on Property Evidence Envelope or Bag
85. Chain of Custody Property Sign-out Sheet
86. Reporting the Crime Scene
The first responder creates a final report after completing the forensics process that contains complete information about the forensics process. The report should include:
• Date and time of the crime
• Model, size, and partitions of the hard disk, to find hidden or missing data
• Name and version of the operating system running on the victim's computer
• Results of programs such as DOS ScanDisk or DOS CHKDSK used to check the accuracy of any data found
• Result of the virus scanning process
• Software present on the victim's computer
• List of files stored on the victim's computer with creation and update times
• Name and version of the software used in the processing of computer evidence
• Name of the interviewed person and his views
87. Note Taking Checklist (Crime Scene Checklist)
88. Note Taking Checklist (cont'd) (Crime Scene Checklist)
89. First Responder Common Mistakes
• Most of the time, the system or network administrator acts as the first responder at the crime scene
• They cannot handle security incidents properly because they do not know the first responder procedure
Common mistakes committed by the first responder are as follows:
• Shutting down or rebooting the victim's computer
• Assuming that some components of the victim's computer may be reliable and usable
• Not having access to baseline documentation about the victim computer
• Not documenting the data collection process
90. Summary
• Electronic evidence is information and data of investigative value that is stored on or transmitted by an electronic device
• There are times when the user is present, consent from the user of the hardware is required, and consent is given
• Documentation of the scene creates an unchanging historical record of the scene
• The 'Chain of Custody' refers to a written account of the individuals who had sole physical custody of a piece of evidence from the time it was seized until the end of the case