Flashcards in Book One-Chapter Four Deck (9)
What is the chain of custody?
A method of documenting the history and possession of a sample from the time of it's collection to its final disposition. it is the responsibility of the person who recovers the evidence to ensure that nothing damages the evidence and no one tampers with it.
A written description created by individuals who are responsible for the evidnec from the begining until the end of the case. Contains the following information about the obtained evidence:
*Name, title address, and telephone number of the person from whom the evidence was received
*Location where obtained
*Reason for evidence being obtained
*Date/time evidence was obtained
*Name of the evidence
*Manufacturing company name
Describe the responsibilities of the first responder:
1. Identifying the crime scene: The first responder identifies the scope of the crime scene and establishes a perimeter. The perimater will include a particular area, room, several rooms, or even an entire building, depending on whether the computers are networked. The first responder should list the compter systems involved in the incident.
2. Protecting the crime scene: a search warrant is required for the search and seizure of digital and electronic evidence. The first responder should protect all computers and electronic devices while waiting for the officer in charge.
3. Preserving temporary and fragile evidence- The first responder takes photographs this evidence (does not wait for the officer in charge). In the case of temporary and fragile evidence that could change or disappear, such as screen info and running programs.
4. Collecting all information about the incident: First responder conducts preliminary interviews of all persons present at the crime scene and asks questions about the incident.
5. Documenting all findings- The first responder starts documenting all information about the collected evidence in the chain-of-custody document.
Describe the procedures for creating a first responder toolkit:
1. Create a trusted forensic computer or test bed: will be used to test the functionality of the collected tools. Prior to testing, the investigator should make sure that this is a trusted resource.
To create a trusted forensic computer:
a. Choose the operating system type. Create 2 different test bed machines: one for Windows and one for Linux.
b. Completely sanitize the forensic computer. This includes formatting the hard sik completely to remove any data, using software such as BCWipe for Windows or Wipe for Linux.
c. Install the OS and required software from trusted resources. If the OS is downloaded, verify the hashes prior to installation.
d. Update and patch the forensic computer
e. Install a file integrity monitor to test the integrity of the file system
2. Document the details of the forensic computer: This helps the forensic expert easily understand the situation and the tools used, and will help to reproduce results if they come into question for any reason.
The forensic computer or test bed documentation should include the following:
a. Version name and type of the operating system
b. Names and types of the different software
c. Names and types o the installed hardware
3. Document the summary of collected tools: This allows the first responder to become more familiar with and understand the working of each tool.
Information about the foloowing should be included while documenting the summary of tools:
a. Acquisition of the tool
b. Detailed description of the tool
c. Working of the tool
d. Tool dependencies and system effects
4. Test the tools: In order to examine the performance and output. Examiner should examine the effects of each tool on the forensic computer and monitor any changes in the forensic computer caused by the tools.
What information should be on the front of an evidence bag?
The panel on the front of evidence bags must contain the following details:
*Date/time of seizure
*Investigator who seized the evidence
*Names of the officers who took photographs or prepared a sketch
*Where the evidence was seized from
*Sites where individual items were found
*Names of the suspected persons
*A short summary of the details of the seizure
*Details of the contents of the evidence bag
What are the different groups of people that might be involved in a first response?
Maybe a network administrator, law enforcement officer, or investigating officer. The first responder is a person who comes from the forensic laboratory or from a particular agency for intial investigation.
Describe the order of volatility of electronic evidence:
Volatility is the measure of how perishable electronically stored data are. When collecting evidence, the order of collection should proceed from the most volatile to the least volatile:
1. Registers and cache
2. Routing table, process table, kernel statistics, and memory
3. Temporary file systems
4. Disks or other storage media
5. Remote logging and monitoring data that is related or significant to the system in question
6. Physical configuration and network topology
7. Archival media
Describe the format for exhibit numbering:
aaa are the initials of the forensic analyst or law enforement officer seizing the equipment
ddmmyy is the date of the seizure
nnnn is the sequential number of the exhibits seized by the analyst, starting with 001
zz is the sequence number for parts of the same exhibit (A would be the computer, B would be the monitor, C would be the keyboard, etc)
What information should be included in documentation concerning seized equipment?
*Photograph the computer and connected equipment
*Record which cables are connected to which ports
*Photograph the connectors at the back of the computer and individually label them
*Remove the battery