dude May 30, 2008 11:16 AM

Makes you wonder how smart they think “first responders” are.

On another note: What do you do when all your computers are taken away? Do you get replacements?

Andy Dingley May 30, 2008 11:42 AM

“Photos used in this document are taken from public Web sites”

So, copyright’s OK so long as it’s a “public Web site” then. That’s a nice useful simplification 😎

Nyhm May 30, 2008 12:24 PM

Good thing they included a visual differentiation of “SCSI HD 68-pin” and “SCSI IDC 50-pin” hard drives.

I know if I were a first responder, I’d wonder if a “SCSI IDC 50-pin” hard drive was of interest, or if only the 68-pin drives mattered for forensic evidence.

Spyware May 30, 2008 12:26 PM

The thing phones home to every time it is opened. I guess they want to make sure no shady characters download it.

After all, this was made for the real criminals, the ones that feel they have the right to any computer they can get their hands on, regardless of who the owner is.

I’ve amassed a considerable amount of anti-forensics knowledge over the years. When I get the time, I’m going to tear these guys apart with my own publications on how to make any forensic investigation grind to a halt.

Just something to look forward to.

Jason May 30, 2008 12:34 PM

It’s about time something like this was formalized.

The question now is: how many will actually follow it?

Spyware May 30, 2008 1:04 PM

I just wanted to add a correction. It doesn’t phone home. My butterfingers probably accidentally clicked the link on the first page.

Spyware May 30, 2008 1:22 PM

@ Davi

I like the little table (with the checkmarks) in the old version. It’s a nice basic list on how to cover your bases. I should include something like that in my publications.

moz May 30, 2008 3:31 PM


Wrong wrong wrong: “It seems that the phone home feature was time limited and it doesn’t do that any more. Whether this means that the DOJ has backdoors in all common operating systems or just a way of adding secret scripts to PDF documents is unknown at this time.” Enough of this admitting to honest mistakes.

Brandioch Conner May 30, 2008 9:38 PM

Their “Network storage device” looks IDENTICAL to the external SCSI enclosure I have next to my desk at work.

DarkStar May 30, 2008 10:32 PM

“In the following situations, immediate disconnection of power is recommended:

■ Information or activity onscreen indicates that data is being deleted or overwritten.”

So all I need is a fake data shredder window running constantly. When they rush to turn the computer off, all the encrypted drives are closed. I can’t see how that helps…

Reader X May 31, 2008 5:57 AM

Darkstar, you are correct. If there is a risk that open encrypted volumes of interest would close on power loss, it is preferable to employ a live forensic tool and not to cut the power. Yes, that’s a very tough call for a first responder to make. Then again, LE also has the option of arresting the perp and requesting/coercing the password.

Lewis Donofrio May 31, 2008 10:35 PM

Som lets see hack from your iPhone or your Xbox360 and they will not know its a hacking device….humm. (-:

mbridge June 5, 2008 11:28 AM

One question – why would they want communications devices (cell phones) found at the scene to stop receiving calls and text messages? Seems that may actually help the investigation. In fact during one of our investigations we were able to track an outgoing call (into a VPN device) as evidence against the perpetrator.

Overall a first-responder hand-book probably would be more useful if it included clips of CSI and 24. Visual lessons may be more easily recalled during an actual incident.

Brad June 25, 2008 1:05 AM


You want to put any mobile communications device in a Faraday bag immediately. The possibility for remote deletion of data is there, and is of definite concern (this is a standard feature of enterprise iphone deployment afaik). If access to future text messages is really useful, one would assume the appropriate warrant presented to the cellphone carrier would precipitate the needed access.

Leave a comment


Allowed HTML <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre> Markdown Extra syntax via

Sidebar photo of Bruce Schneier by Joe MacInnis.