First Responder Procedures Akbar Raspati Iskandar
Introduction to First Responder Procedures
A first responder is the first person to arrive at the crime scene and who is able to access the victim's system.
If the crime targets a company server, the investigator should be contacted immediately; they will send someone to preserve the evidence at the crime scene. A first responder must have basic knowledge of computer forensic investigation. They must also know the law so that the evidence presented at trial is stronger.
Role of the First Responder
Identifying the crime scene
Protecting the crime scene
Preserving temporary and fragile evidence
Collecting all information about the incident
Documenting all findings
Packaging and transporting the electronic evidence
First Response Basics
Under no circumstances should anyone except qualified forensic analysts make any attempts to collect or recover data from any computer system or device that holds electronic information.
Any information present inside the collected electronic devices is potential evidence and should be
Any attempts to recover data by untrained persons could either compromise the integrity of the files or result in the files being inadmissible in administrative or legal proceedings.
The workplace or office must be secured and protected to maintain the integrity of the crime scene and the electronic storage media.
Questions to Ask When a Client Calls the Forensic Investigator
What happened?
Who is the incident manager?
What is the case name or title for the incident?
What is the location of the incident?
Under what jurisdiction are the case and seizure to be performed?
What is to be seized (make, model, location, and ID)?
What other work will need to be performed at the scene (e.g., full search and evidence required)?
Is the search and seizure to be overt or covert, and will local management be informed?
Packaging and Transporting Electronic Evidence
Evidence Bag Contents List
Date and time of seizure
Investigator who seized the evidence
Names of the officers who took photographs or prepared a sketch
Where the evidence was seized from
Sites where individual items were found
Names of the suspected persons
A short summary of the details of the seizure
Details of the contents of the evidence bag
Packaging Electronic Evidence
Make sure the gathered electronic evidence is correctly documented, labeled, and listed before packaging.
Pay special attention to hidden or trace evidence, and take the necessary actions to safeguard it.
Pack magnetic media in antistatic packaging. Do not use materials such as plastic bags for packaging because they may produce static electricity.
Avoid folding and scratching storage devices such as diskettes, CD-ROMs, and tapes.
Make sure that all containers that contain evidence are labeled in the appropriate way.
Chain of Custody
Chain of Custody Documentation
A chain of custody document contains the following information about the obtained evidence:
Name, title, address, and telephone number of the person from whom the evidence was received
Location where obtained
Reason for evidence being obtained
Date/time evidence was obtained
Name of the evidence
Manufacturing company name
Packaging information
Simple Format of the Chain of Custody Document
First Responder Common Mistakes
Shutting down or rebooting the victim’s computer. In this case, all volatile data is lost. The processes that are running on the victim’s computer are also lost.
Assuming that some components of the victim’s computer may be reliable and usable. In this case, using some commands on the victim’s computer may activate Trojans, malware, and time bombs that delete vital data.
Not having access to baseline documentation about the victim’s computer.
Not documenting the data collection process.
Electronic evidence is material of investigative value that is transferred by or stored on electronic devices.
Health and safety issues are important in all of the work carried out in all phases of forensic procedures.
Sometimes the user is present, and consent from the user is required.
Documentation of an electronic crime scene is a continuous process during an investigation.
The chain of custody is a written description created by individuals who are responsible for evidence from the beginning until the end of the case.