Operational and Organizational Security: Incident Response • Chapter 11 637
As shown in the paragraphs that follow and in Figure 11.5, each of these roles
has specific duties associated with it, which are vital to a successful
investigation. In certain situations, such as those involving an internal
investigation within a company, a person may perform more than one of these roles.
Figure 11.5 Primary Roles in an Investigation Involving Computer Forensics
The First Responder
The first responder is the first person to arrive at a crime scene. This does not mean
the janitor who notices a server is making funny noises and calls someone else to
check it. While someone like this is still important, a first responder is someone
who has the knowledge and skill to deal with the incident. The first responder may
be an officer, security personnel, a member of the IT staff or Incident Response
Team, or any number of other individuals. The first responder is responsible for
identifying the scope of the crime scene, securing it, and preserving volatile
evidence. Securing a scene is important to both criminal investigations and internal
incidents; both use computer forensics to obtain evidence. The procedures for
investigating internal policy violations and criminal law violations are basically the
same, except that internal investigations may not require the involvement of law
enforcement. However, for the remainder of this discussion, the incident will be
addressed as a crime that has been committed.
Once the crime scene has been identified, the first responder must then establish
a perimeter and protect it. Protecting the crime scene requires cordoning off
the area where evidence resides. Until it is established what equipment may be
www.syngress.com