
638    Chapter 11 • Operational and Organizational Security: Incident Response

excluded, everything in an area should be considered a possible source of evidence. This includes functioning and nonfunctioning workstations, laptops, servers, handheld PDAs, manuals, and anything else in the area of the crime. Until the scene has been processed, no one should be allowed to enter the area, and the people who were in the area at the time of the crime should be documented.

The first responder should not touch anything that is within the crime scene. Depending on how the crime was committed, traditional forensics may also be used to determine the identity of the person behind the crime. In the course of the investigation, police may collect DNA, fingerprints, hair, fibers, or other physical evidence. In terms of digital evidence, it is important for the first responder not to touch anything or attempt to do anything on the computer(s), as doing so may alter, damage, or destroy data or other identifying factors.

Preserving volatile evidence is another important duty of the first responder. If a source of evidence is on the monitor screen, the first responder should take steps to preserve and document it so it is not lost. For example, a computer that may contain evidence should be left on, with any open programs left as they are on the screen. If a power outage occurred, the computer would shut down and any unsaved information that was in memory would be lost. Photographing the screen or documenting what appeared on it provides a record of what was displayed, which could be used later as evidence.

The Investigator
When the investigator arrives on the scene, it is important that the first responder provide as much information to them as possible. If the first responder touched anything, it is important that the investigator be notified so that it can be added to the report. Any observations should be mentioned, as they may provide insight into resolving the incident.

The investigator may be a member of law enforcement or the Incident Response Team. If a member of the Incident Response Team arrives first and collects some evidence, and the police arrive later, it is important that the person in charge of the team give all evidence and information dealing with the incident to the police. If more than one member of the team was involved in the collection of evidence, documentation needs to be provided to the investigator describing what each person saw and did.
www.syngress.com