Electronic Crime Scene Investigation Handbook
Electronic Crime Scene Investigation: A Guide for First Responders, Second Edition, National Institute of Justice, U.S. Department of Justice, April 2008.
Mostly basic stuff.
Andy Dingley • May 30, 2008 11:42 AM
“Photos used in this document are taken from public Web sites”
So, copyright’s OK so long as it’s a “public Web site” then. That’s a nice useful simplification 😎
Davi Ottenheimer • May 30, 2008 11:53 AM
“Types of computers” on page 2 is good for a laugh.
The intent is good, but it reminds me of how far from real “recognition models” we have come.
Those were the good old days:
http://www.commercemarketplace.com/home/CollectAir/Museum.html#brit
Good thing they included a visual differentiation of “SCSI HD 68-pin” and “SCSI IDC 50-pin” hard drives.
I know if I were a first responder, I’d wonder if a “SCSI IDC 50-pin” hard drive was of interest, or if only the 68-pin drives mattered for forensic evidence.
Spyware • May 30, 2008 12:26 PM
The thing phones home to http://www.ojp.usdoj.gov/nij every time it is opened. I guess they want to make sure no shady characters download it.
After all, this was made for the real criminals, the ones that feel they have the right to any computer they can get their hands on, regardless of who the owner is.
I’ve amassed a considerable amount of anti-forensics knowledge over the years. When I get the time, I’m going to tear these guys apart with my own publications on how to make any forensic investigation grind to a halt.
Just something to look forward to.
Jason • May 30, 2008 12:34 PM
It’s about time something like this was formalized.
The question now is: how many will actually follow it?
Davi Ottenheimer • May 30, 2008 12:52 PM
@ Jason
This is the second edition. First one came out in July 2001. NCJ 187736
http://www.ncjrs.gov/pdffiles1/nij/187736.pdf
There even was a txt version, although (sadly) it lacks ASCII art
http://www.ncjrs.gov/txtfiles1/nij/187736.txt
I’m sure it has been used extensively.
Spyware • May 30, 2008 1:04 PM
I just wanted to add a correction. It doesn’t phone home. My butterfingers probably accidentally clicked the link on the first page.
Spyware • May 30, 2008 1:22 PM
@ Davi
I like the little table (with the checkmarks) in the old version. It’s a nice basic list on how to cover your bases. I should include something like that in my publications.
moz • May 30, 2008 3:31 PM
@Spyware.
Wrong wrong wrong: “It seems that the phone home feature was time limited and it doesn’t do that any more. Whether this means that the DOJ has backdoors in all common operating systems or just a way of adding secret scripts to PDF documents is unknown at this time.” Enough of this admitting to honest mistakes.
Brandioch Conner • May 30, 2008 9:38 PM
Their “Network storage device” looks IDENTICAL to the external SCSI enclosure I have next to my desk at work.
DarkStar • May 30, 2008 10:32 PM
Quote:
“In the following situations, immediate disconnection of power is recommended:
■ Information or activity onscreen indicates that data is being deleted or overwritten.”
So all I need is a fake data shredder window running constantly. When they rush to turn the computer off, all the encrypted drives are closed. I can’t see how that helps…
Reader X • May 31, 2008 5:57 AM
Darkstar, you are correct. If there is a risk that open encrypted volumes of interest would close on power loss, it is preferable to employ a live forensic tool and not to cut the power. Yes, that’s a very tough call for a first responder to make. Then again, LE also has the option of arresting the perp and requesting/coercing the password.
Lewis Donofrio • May 31, 2008 10:35 PM
So let's see, hack from your iPhone or your Xbox 360 and they will not know it's a hacking device… hmm. (-:
mbridge • June 5, 2008 11:28 AM
One question – why would they want communications devices (cell phones) found at the scene to stop receiving calls and text messages? Seems that may actually help the investigation. In fact during one of our investigations we were able to track an outgoing call (into a VPN device) as evidence against the perpetrator.
Overall a first-responder hand-book probably would be more useful if it included clips of CSI and 24. Visual lessons may be more easily recalled during an actual incident.
Brad • June 25, 2008 1:05 AM
@mbridge
You want to put any mobile communications device in a Faraday bag immediately. The possibility for remote deletion of data is there, and is of definite concern (this is a standard feature of enterprise iPhone deployment afaik). If access to future text messages is really useful, one would assume the appropriate warrant presented to the cellphone carrier would precipitate the needed access.
dude • May 30, 2008 11:16 AM
Makes you wonder how smart they think “first responders” are.
On another note: What do you do when all your computers are taken away? Do you get replacements?