In your capacity as a computer investigator for the local sheriff's office, you have been asked to accompany a detective to a nearby school that received a bomb threat in an anonymous email. From a subpoena already served on the ISP from which the message originated, the detective knows that the email was sent from a home near the school.
The detective also reveals that the school's principal has reported that an unidentified attacker vandalized the school's Web server. The detective has just obtained a warrant to search the home identified by the ISP and to seize a PC found there. Make a list of the items that should be in an incident response field kit so that computer evidence at the scene can be protected.
Overview
Examiners have to travel to different locations to respond to incidents or to collect evidence, and occasionally the examiner must conduct all or part of the examination on-site. These locations, which may include the homes or businesses of suspects, are frequently hostile in character. For this reason an examiner needs a portable computer forensics toolkit. As technology changes, the best practices for this kind of field response are continuously re-evaluated.
For instance, there was a period when examiners would simply pull the power on most equipment in order to preserve the evidence in the condition in which it was discovered. The original evidence on the hard disk was kept, but everything in memory was destroyed. At the time, that meant sacrificing 128, 256, or at most 512 megabytes of data. Today computers routinely contain one or more gigabytes of RAM, which is a very large quantity of potential evidence: running processes, open network connections, logged-in users, unencrypted keys and the like. Examiners have had to adapt and devise methods to capture this volatile evidence before it is lost when the power to the computer is disconnected.
The examiner needs to be nearly as technically capable on-site as in a lab setting. Because it is frequently impossible to know what is going to be behind the suspect's door, many examiners carry a standard response kit. A short list of what may be in an incident response kit is shown below. Oh, and don't forget the business credit card, since you will always forget something!
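To make the point about volatile evidence concrete, here is an added example of a minimal live-response collector of the kind an examiner might carry on the forensic laptop's tool media. It is not from the original page or from any particular forensic product: it records volatile system state from a running machine in roughly the order of volatility (clock, users, processes, network state, then identity and mounts), tolerates utilities that are missing on the suspect system, and writes a SHA-256 manifest so the captures can be entered on the evidence log. The output directory, file names and the choice of commands are this example's assumptions; capturing the memory image itself requires a dedicated imaging tool and is not shown.

```shell
#!/bin/sh
# Added example (not from the original page): a minimal live-response collector.
# It records volatile system state in roughly the order of volatility before
# power is pulled, and writes a SHA-256 manifest so the captures can be verified
# later. Tool names and the file layout are this example's assumptions.

# Pick a SHA-256 tool; assumption: one of these exists on the field laptop.
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1"
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 256 "$1"
    else
        echo "no-sha256-tool  $1"
    fi
}

# Run one command and save its output with a UTC timestamp. A missing utility
# on the suspect machine is noted in the capture file instead of aborting the
# whole collection.
capture() {
    outdir=$1; name=$2; shift 2
    {
        echo "# command: $*"
        echo "# started: $(date -u +%Y-%m-%dT%H:%M:%SZ)"
        "$@" 2>&1 || echo "# command failed or unavailable (exit $?)"
    } > "$outdir/$name.txt"
}

# Collect into $1 and print the number of manifest entries written.
collect_volatile() {
    outdir=$1
    mkdir -p "$outdir"
    # Order of volatility: clock and uptime, logged-in users, processes,
    # network state, then comparatively stable identity and mount information.
    capture "$outdir" 01_clock      date -u
    capture "$outdir" 02_uptime     uptime
    capture "$outdir" 03_users      who
    capture "$outdir" 04_processes  ps -ef
    capture "$outdir" 05_network    netstat -an
    capture "$outdir" 06_identity   uname -a
    capture "$outdir" 07_mounts     df -h
    # Hash every capture so the evidence log can reference the values.
    : > "$outdir/MANIFEST.sha256"
    for f in "$outdir"/*.txt; do
        hash_file "$f" >> "$outdir/MANIFEST.sha256"
    done
    wc -l < "$outdir/MANIFEST.sha256" | tr -d ' '
}

# Usage (hypothetical path): sh live_collect.sh /media/evidence/case-0001/volatile
if [ $# -ge 1 ]; then
    collect_volatile "$1"
fi
```

Run it from a clean copy on the examiner's own media, not from the suspect machine's binaries where that can be avoided, and record the start time and the manifest values on the chain-of-custody form before the system is powered down.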
Contents of an Incident Response Kit
Forensic laptops and power supplies
Tool kit (screwdrivers, anti-static wrist strap, flashlight)
Digital camera
Case folder
Blank forms (chain-of-custody forms, evidence tags and labels)
Evidence collection and packaging materials (evidence bags, tape, seals)
Software (forensic imaging and live-response tools on clean media)
Wireless Internet access card
Data transfer cables (network, crossover, USB, etc.)
Blank media such as empty hard disks for storing images
Write-blocking hardware