As a computing investigator for your local sheriff's department, you have been asked to go with a detective to a local school that received a bomb threat in an anonymous email. The detective already has information from a subpoena sent to the last known ISP where the anonymous email originated, and the message was sent from a residence in the school neighborhood. The detective tells you that the school principal also stated that the school's web server had been defaced by an unknown computer attacker. The detective has just obtained a warrant for the search and seizure of a computer at the residence that the ISP identified. Prepare a list of items that should be included in an initial response field kit to ensure that the preservation of computer evidence is maintained when the warrant is executed.

Google "Electronic Crime Scene"; it will be in PDF format, published by the U.S. Department of Justice, Office of Justice Programs, National Institute of Justice, and contains what you need to know to help you answer this question.

To ensure the preservation of computer evidence when executing the warrant, here is a list of items that should be included in the initial response field kit:

1. Cameras: High-resolution digital cameras to capture images of the crime scene, including the computer system, physical setup, and any relevant surroundings.

2. External hard drives or USB storage devices: These can be used to create forensic images of the suspect's computer(s) without altering the original evidence.

3. Write-blockers: Hardware devices that prevent any write operations to the suspect's computer storage media, ensuring that the evidence remains intact and unaltered during the investigation.

4. Forensic software: Specialized tools like EnCase, FTK Imager, or Sleuth Kit, which facilitate the acquisition and analysis of digital evidence. These tools assist in imaging, hashing, and keyword searching.

5. Evidence bags: These are used to store and transport any physical evidence collected during the search, such as storage media, peripherals, or written materials.

6. Labels and markers: To properly label and document each evidence item collected, including its source, location, and time of collection.

7. Forensic bootable USB: A specially created bootable USB drive with a forensic operating system (e.g., DEFT, Kali Linux) installed to conduct live analysis or examination of suspect systems without modifying the original hard drives.

8. Forensic write-once CDs/DVDs: Blank media for creating forensic copies or images of data, if needed.

9. Anti-static gloves and bags: To prevent static electricity from damaging the electronic equipment and to safeguard against accidental data alteration or destruction.

10. Documentation materials: Notebooks, pens, evidence logs, and chain of custody forms to ensure proper documentation of all actions taken during the investigation.

Remember to follow proper chain of custody protocols and consult with legal experts or forensic examiners to ensure that the evidence collection process meets legal requirements and is admissible in court.

When preparing an initial response field kit for the execution of a search warrant to preserve computer evidence, it is essential to have the following items:

1. External Hard Drive: This will be used to create a bit-for-bit forensic image of the computer's hard drive while ensuring the integrity of the original evidence.

2. Write-Blocker: It is crucial to prevent any accidental modification of data on the suspect's computer during the data acquisition process. A write-blocker ensures that the computer's hard drive is read-only, preventing any changes or writes.

3. Digital Camera: A digital camera should be included to document the physical setup and condition of the computer and its surroundings before any search or seizure takes place. These photographs can be valuable in court proceedings.

4. Forensic Software Tools: Tools like forensic imaging software (e.g., FTK Imager, EnCase) and data recovery software (e.g., Recuva, TestDisk) should be included in the field kit. These tools assist in creating disk images, recovering deleted files, and analyzing the acquired evidence.

5. Evidence Bags and Labels: Properly labeled evidence bags are required to store any seized storage media or peripherals securely. Each bag should have, at the very least, the case number, date, and description of the item.

6. USB Thumb Drives: These can be used to copy and store smaller amounts of data discovered during the search. It is necessary to label the thumb drives with appropriate information for future reference.

7. Surge Protector: A surge protector should be used to ensure the safety of the suspect's computer and connected equipment during the seizure process. This protects against electrical surges or fluctuations.

8. Disposable Gloves: Wearing disposable gloves minimizes the risk of transferring any potential physical evidence from the investigators to the seized computer.

9. Incident Log and Evidence Custody Forms: It is important to maintain a detailed log of all actions taken during the search and seizure, including dates, times, locations, and the individuals involved. Evidence custody forms should accompany each item seized, documenting chain of custody.

10. Tools and Screwdrivers: Basic tools and screwdrivers might be necessary to disconnect cables, open the computer case, or perform any other required tasks during the investigation.

Remember, it is crucial for investigators to follow proper protocols and legal procedures when conducting searches and seizures to ensure the admissibility and integrity of the collected evidence in court.
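The imaging, hashing and chain-of-custody steps that both answers above describe, as an added Python example (not part of either answer): it copies a constructed sample "drive" file bit-for-bit, hashes the source and the image, and produces a custody record whose verified flag turns false if the image is altered afterwards. The case id, item name and examiner are placeholders.

```python
"""Acquire a bit-for-bit image, verify it by hash, and record chain of custody."""
import hashlib
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20  # read in 1 MiB chunks so a full drive never has to fit in memory


def sha256_file(path):
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def acquire_image(source, dest):
    """Bit-for-bit copy of source to dest; returns (source_hash, image_hash)."""
    with open(source, "rb") as src, open(dest, "wb") as dst:
        for chunk in iter(lambda: src.read(CHUNK), b""):
            dst.write(chunk)
    return sha256_file(source), sha256_file(dest)


def custody_entry(case_id, item, examiner, source_hash, image_hash):
    """One chain-of-custody record; 'verified' is False when the hashes differ."""
    return {
        "case": case_id,
        "item": item,
        "examiner": examiner,
        "acquired_utc": datetime.now(timezone.utc).isoformat(),
        "sha256_source": source_hash,
        "sha256_image": image_hash,
        "verified": source_hash == image_hash,
    }


def demo(tamper=False):
    """Constructed sample drive (not real disk data) so this runs offline."""
    with tempfile.TemporaryDirectory() as d:
        src = os.path.join(d, "suspect_disk.bin")
        img = os.path.join(d, "suspect_disk.dd")
        with open(src, "wb") as f:
            f.write(b"MBR" + bytes(range(256)) * 64)
        s_hash, i_hash = acquire_image(src, img)
        if tamper:  # simulate a stray write to the image after acquisition
            with open(img, "r+b") as f:
                f.seek(3)
                f.write(b"\xff")
            i_hash = sha256_file(img)
        return custody_entry("CASE-PLACEHOLDER", "suspect_disk", "EXAMINER", s_hash, i_hash)
```

In the field the same hash comparison is what the evidence log records next to each imaged item, so the court can later confirm the copy matches the original.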