Electronic Crime Scene Investigation Handbook

Electronic Crime Scene Investigation: A Guide for First Responders, Second Edition, National Institute of Justice, U.S. Department of Justice, April 2008.

Mostly basic stuff.

Posted on May 30, 2008 at 11:01 AM • 17 Comments

Comments

dude • May 30, 2008 11:16 AM

Makes you wonder how smart they think "first responders" are.

On another note: What do you do when all your computers are taken away? Do you get replacements?

Andy Dingley • May 30, 2008 11:42 AM

"Photos used in this document are taken from public Web sites"

So, copyright's OK so long as it's a "public Web site" then. That's a nice useful simplification 8-)

Nyhm • May 30, 2008 12:24 PM

Good thing they included a visual differentiation of "SCSI HD 68-pin" and "SCSI IDC 50-pin" hard drives.

I know if I were a first responder, I'd wonder if a "SCSI IDC 50-pin" hard drive was of interest, or if only the 68-pin drives mattered for forensic evidence.

Spyware • May 30, 2008 12:26 PM

The thing phones home to http://www.ojp.usdoj.gov/nij every time it is opened. I guess they want to make sure no shady characters download it.

After all, this was made for the real criminals, the ones that feel they have the right to any computer they can get their hands on, regardless of who the owner is.

I've amassed a considerable amount of anti-forensics knowledge over the years. When I get the time, I'm going to tear these guys apart with my own publications on how to make any forensic investigation grind to a halt.

Just something to look forward to.

Jason • May 30, 2008 12:34 PM

It's about time something like this was formalized.

The question now is: how many will actually follow it?

Spyware • May 30, 2008 1:04 PM

I just wanted to add a correction. It doesn't phone home. My butterfingers probably accidentally clicked the link on the first page.

Spyware • May 30, 2008 1:22 PM

@ Davi

I like the little table (with the checkmarks) in the old version. It's a nice basic list on how to cover your bases. I should include something like that in my publications.

moz • May 30, 2008 3:31 PM

@Spyware.

Wrong wrong wrong: "It seems that the phone home feature was time limited and it doesn't do that any more. Whether this means that the DOJ has backdoors in all common operating systems or just a way of adding secret scripts to PDF documents is unknown at this time." Enough of this admitting to honest mistakes.

Brandioch Conner • May 30, 2008 9:38 PM

Their "Network storage device" looks IDENTICAL to the external SCSI enclosure I have next to my desk at work.

DarkStar • May 30, 2008 10:32 PM

Quote:
"In the following situations, immediate disconnection of power is recommended:

■ Information or activity onscreen indicates that data is being deleted or overwritten."

So all I need is a fake data shredder window running constantly. When they rush to turn the computer off, all the encrypted drives are closed. I can't see how that helps...

Reader X • May 31, 2008 5:57 AM

Darkstar, you are correct. If there is a risk that open encrypted volumes of interest would close on power loss, it is preferable to employ a live forensic tool and not to cut the power. Yes, that's a very tough call for a first responder to make. Then again, LE also has the option of arresting the perp and requesting/coercing the password.

Lewis Donofrio • May 31, 2008 10:35 PM

So let's see, hack from your iPhone or your Xbox 360 and they will not know it's a hacking device....hmm. (-:

mbridge • June 5, 2008 11:28 AM

One question - why would they want communications devices (cell phones) found at the scene to stop receiving calls and text messages? Seems that may actually help the investigation. In fact during one of our investigations we were able to track an outgoing call (into a VPN device) as evidence against the perpetrator.

Overall a first-responder handbook probably would be more useful if it included clips of CSI and 24. Visual lessons may be more easily recalled during an actual incident.

www.MBridge.com

Brad • June 25, 2008 1:05 AM

@mbridge

You want to put any mobile communications device in a Faraday bag immediately. The possibility for remote deletion of data is there, and is of definite concern (this is a standard feature of enterprise iPhone deployment afaik). If access to future text messages is really useful, one would assume the appropriate warrant presented to the cellphone carrier would precipitate the needed access.


Schneier on Security is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc..