Incident Response and Digital Forensics — Comprehensive Study Notes (Markdown)

Initial Response and First Responder Tasks

  • The first responder is the first trained person to arrive at the digital crime scene. Main duties: identification, collection, preservation, documentation and transportation of digital evidence to the forensic lab.
  • Purpose of the material: Present the mission and services provided by the first responder for any investigation involving digital evidence.
  • Context: Part of the course material on Incident Response and Digital Forensics by Anas Aliyu Usman (dated 27/08/2025).

Search and Seizure

  • Law enforcement officers generally need a search warrant to search and seize digital devices; consent and court orders (covered below) are the main alternatives.
  • In the United States, the Fourth Amendment limits the ability of government agents to search for and seize evidence without a warrant.
  • Evidence obtained in violation of the Fourth Amendment is generally inadmissible in court (the exclusionary rule).

Contd… (Fourth Amendment details)

  • The Fourth Amendment was created to limit US law enforcement’s ability to search private premises without a proper search warrant.
  • A search warrant should be specific about which areas may be searched and which items or persons may be seized from the scene; anything outside that scope is at risk of being excluded.
  • The same principle applies to digital crimes: a computing device capable of storing user data is treated as private property, so law enforcement needs a warrant (or one of the alternatives below, such as consent) before searching and seizing it.

Consent to Search

  • Here the owner of the computing device cooperates with investigators and allows them to search and acquire digital evidence without a search warrant.
  • This usually happens when the device owner is not the suspect, or when an employee has signed a search and seizure consent form as a condition of employment.
  • In the employment case the consent was given in advance, so investigators can acquire evidence from the work device without asking the employee again at the time of the search; the signed form should still be kept with the case file and its scope respected.

Consent to Search (Explicit Form)

  • The document, typically titled “Consent to Search Mobile Device / Computer Equipment / Electronic Data”, reads along the lines of: I, ________, hereby authorize [authority] to remove, take possession of, copy (image) and/or conduct a complete search of the following systems and data storage devices, including but not limited to:
    • Computer systems, electronic data storage devices, computer data storage diskettes or CD-ROMs, or any other electronic equipment capable of storing, retrieving and/or accessing data pertinent to the investigation.
    • The search may include the recovery of deleted files and the bypassing or cracking of passwords or encryption.
    • The officer may copy and keep any documents, images, or data found deemed pertinent to the investigation.
  • Specific consent terms may include:
    • A period for possession of equipment for a set number of business days or an unlimited period to make a forensic copy (image).
    • A period for forensic analysis of the image, again for a number of business days or an unlimited period.
    • A voluntary waiver of rights and acknowledgement that withdrawal of consent is possible at any time during seizure/search.
  • The form emphasizes voluntary consent, absence of coercion, and documentation of withdrawal rights.

Subpoena

  • When you do not have consent from the device owner or data custodian, you can seek a court order or subpoena compelling production of the data or equipment.
  • A subpoena is served on its recipient, so it gives notice: if the recipient is the suspect, they gain time to destroy or hide evidence before complying.
  • A subpoena is therefore suited to custodians who are unlikely to destroy evidence, typically third parties; where notice would put the evidence at risk, a search warrant (below) is the appropriate instrument.
  • Example: banks and some organizations require a court order or subpoena before handing information to investigators; this does not indicate non-cooperation but their internal policies and regulations.

Search Warrant

  • This is the most powerful search and seizure procedure.
  • Used when informing the subject could lead to destruction of evidence.
  • A search warrant is typically executed without prior notice to the suspect, to prevent the destruction or hiding of evidence.
  • Warrants are available only to law enforcement officers; independent digital forensic investigators generally cannot request this permission from courts.

Contd… (Note on warrants)

  • Courts usually do not grant search warrants easily; investigators should have reasonable clues tying a specific person and computing devices to criminal activity.

Search Warrant Types

  • Electronic storage device search warrant: Allows seizing digital storage devices (computers, flash drives, external hard drives, CD/DVDs) from the suspect’s premises.
  • Service provider search warrant: If the crime involved the Internet, investigators may need to search through external providers (ISP, cloud storage providers, online merchants).

First Responder Toolkit

  • After obtaining consent/search warrant, the first responder proceeds to the scene and prepares.
  • It is advisable to know as much about the incident and scene beforehand to prepare needed equipment and software.
  • The following items should be present in a first responder’s bag:
    1. Crime scene tape
    2. Stick-on labels and cable ties
    3. Colour marker pens
    4. Notepad
    5. Gloves
    6. Magnifying glass
    7. Flashlight
    8. Sealable bags of mixed sizes (antistatic, to preserve evidence integrity)
    9. Camera (video and still capture, configured to stamp date/time)
    10. Radio-frequency shielding material (Faraday bag) so that seized phones and other wireless devices cannot receive calls, messages or remote commands; the bags used are typically also antistatic, which protects against electrostatic discharge (ESD)
    11. Chain of custody forms
    12. Secure, sanitized external hard drive to store image data
    13. USB thumb drives (at least two)
    14. USB hub
    15. Bootable CDs
  • The list is not exhaustive; when unsure what a specific scene will need, seek advice from professionals with relevant computing experience.

Contd… (Toolkit continued)

  • Additional notes: Faraday shielding bags protect evidence with wireless-capable devices and help prevent remote access or tampering.

First Responder Tasks

  • Follow general principles for correct acquisition of digital devices holding digital evidence.
  • Implement steps in proper order, considering crime scene circumstances:
    • Official search warrant or owner consent must be available.
    • It is advisable to have a trained computer forensics examiner to acquire digital evidence.
    • Photograph the entire crime scene before searching/seizing any digital device.
    • Safety is a key consideration during investigation.

Contd… (Arrival and Immediate Actions)

  • If a surveillance camera is present, disconnect it before acting, or cover it if immediate disconnection is not possible.
  • If the computer appears to be destroying evidence (e.g., wiping software running, indicated by continuous hard drive LED activity, a fan at full speed or a visible progress bar), cut power immediately. This sacrifices the contents of RAM, so it is justified only when destruction is genuinely suspected.
    • How to cut power: pull the power cord from the back of the machine rather than from the wall socket (a UPS could otherwise keep it running); for laptops, remove the battery first if it is removable and then pull the cord; if the battery is not removable, hold the power button until the machine is off (about 20 seconds).
    • If the computer is OFF, do not power it ON. Seize it in an antistatic bag and transport it to the forensic lab.
  • If the computer is ON and there are no signs of a destruction program, follow the procedures below.

Contd… (More on power and login screens)

  • If the screen shows a login window (password prompt) and no credentials are available, a live acquisition is not possible: photograph the screen, then power off with a hard shutdown (pull the power cord). Be aware that if the disk is fully encrypted, the keys held in RAM are lost at this point.
  • If the screen is dark or showing a screensaver, move the mouse slightly to wake it without pressing any key (a keypress could be taken as input by an open program); photograph the screen to record running programs and open files/folders; note the system date/time and compare it with the actual time.
  • Acquire volatile memory (RAM) with a live memory-imaging tool before powering off whenever possible: RAM can contain encryption keys, chat logs, decrypted file contents, clipboard contents, network connections and running process information. The imaging tool itself alters some memory, so record the tool, its version and the exact time it was run.

Contd… (Networking considerations)

  • If the device is connected to a network (router/switch), first try to acquire the network state: IP configuration, open sessions/connections, listening ports, routing table, ARP cache (LAN addresses), broadcast address and the NIC hardware (MAC) address.
  • Some experts argue for unplugging the network cable immediately to cut off remote access, but this destroys the live connection state, which is itself evidence in network intrusion cases.
  • The network state can reveal other computers on the network that may hold evidence; disconnecting a device can also disrupt business operations, so the decision is made case by case.
  • If you see suspicious traffic (e.g., an active remote session or an ongoing outbound transfer), you can disconnect the network cable to prevent further unauthorized access, but record what you observed first and weigh the operational impact.

Contd… (Servers and networked devices)

  • For servers that cannot easily be taken offline (e.g., web and email servers), perform a risk assessment and seek expert advice before acting; a live acquisition may be the only realistic option.
  • Otherwise, once volatile data has been collected, perform a hard shutdown (pull the power cord). For laptops, remove the battery first; if it cannot be removed, press and hold the power button for about 20 seconds.
  • Document every seizure step so the setup can be reconstructed later in the lab.
  • When seizing portable devices with wireless capabilities, place them in Faraday (RF-shielding) bags to block wireless communications, and seize their chargers as well: a device searching for a signal inside the bag drains its battery quickly.

Contd… (Note about disguised digital devices)

  • Some digital media devices (like USB thumb drives) may be designed to look like toys, pens, keys, jewelry to conceal their purpose.
  • First responders should be aware to avoid missing such devices and ensure they are seized.

Order of Volatility

  • It is the first responder’s job to decide the order of evidence collection, most volatile data first:
    1. CPU registers and cache
    2. Routing table, ARP cache, process table, kernel statistics
    3. RAM contents
    4. Temporary file systems
    5. Swap space / virtual memory (the page file on Windows), a file or partition on the hard drive that extends RAM
    6. Hard drive and/or other removable storage media
    7. Remote logging and monitoring data
    8. Physical configuration, network topology
    9. Backup data and printouts
  • Note: data held on networking devices (proxy servers, routers, IDS/IPS, firewalls) also follows a volatility order and is collected on the same principle.
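The network-state acquisition described under Networking considerations and the order of volatility above can be driven from one script. The following Python collector is an added example for these notes (it is not part of the course material or of any particular forensic tool); it assumes a Linux host with the standard iproute2/procps utilities and that legal authority to search has already been obtained. The tier numbers, artifact names and commands are this example's own choices:

```python
"""Live-response collection that follows the order of volatility.

Added example for these notes, not part of the course material. It assumes a
Linux host with the usual iproute2/procps tools and that the responder already
holds consent or a warrant. Artifacts are collected most-volatile-first and
each one is timestamped and hashed so the manifest can be attached to the
chain of custody form. Tier numbers follow the list in the notes; tier 1 (CPU
registers/cache) cannot be read from user space and tier 3 (a full RAM image)
needs a dedicated memory imager, so this script only records a memory summary
at that step.
"""
import hashlib
import json
import shutil
import subprocess
import sys
from datetime import datetime, timezone

# (tier, artifact name, read-only command). The ordering is the point, not the tools.
COLLECTION_PLAN = [
    (2, "routing_table", ["ip", "route"]),
    (2, "arp_cache", ["ip", "neigh"]),
    (2, "interfaces_and_ip", ["ip", "addr"]),
    (2, "open_sockets", ["ss", "-tunap"]),
    (2, "process_table", ["ps", "-eo", "pid,ppid,user,lstart,cmd"]),
    (2, "kernel_statistics", ["cat", "/proc/stat"]),
    (3, "memory_summary", ["cat", "/proc/meminfo"]),
    (4, "temporary_filesystems", ["ls", "-la", "/tmp", "/dev/shm"]),
    (5, "swap_configuration", ["cat", "/proc/swaps"]),
]


def run_command(argv, timeout=30):
    """Run one read-only command and never raise, so a missing tool does not
    abort the rest of the collection. Returns (status, combined output)."""
    if shutil.which(argv[0]) is None:
        return "tool_missing", ""
    try:
        proc = subprocess.run(argv, capture_output=True, text=True, timeout=timeout)
    except subprocess.TimeoutExpired:
        return "timeout", ""
    status = "ok" if proc.returncode == 0 else f"exit_{proc.returncode}"
    return status, proc.stdout + proc.stderr


def collect(plan=COLLECTION_PLAN, run=run_command):
    """Execute the plan in volatility order and return a manifest (list of dicts).

    `run` is injectable so the ordering logic can be exercised without touching
    a live system. A plan that is not ordered most-volatile-first is rejected."""
    tiers = [tier for tier, _, _ in plan]
    if tiers != sorted(tiers):
        raise ValueError("collection plan is not ordered most-volatile-first")
    manifest = []
    for tier, name, argv in plan:
        collected_at = datetime.now(timezone.utc).isoformat()
        status, output = run(argv)
        data = output.encode("utf-8", "replace")
        manifest.append({
            "tier": tier,
            "artifact": name,
            "command": " ".join(argv),
            "collected_at_utc": collected_at,
            "status": status,
            "bytes": len(data),
            "sha256": hashlib.sha256(data).hexdigest(),
            "output": output,
        })
    return manifest


def collected_artifacts(manifest):
    """Names of the artifacts that were actually captured, in collection order."""
    return [entry["artifact"] for entry in manifest if entry["status"] == "ok"]


def main():
    # In the field the manifest goes to the responder's sanitized drive, never to
    # the suspect disk; stdout is used here only to keep the example self-contained.
    json.dump(collect(), sys.stdout, indent=2)


if __name__ == "__main__":
    main()
```

Run it from a trusted copy on the responder's own media and redirect the manifest there. Everything the script does changes the system slightly (a new process, page-cache activity), which is why each step carries a timestamp and the tool itself belongs in the scene notes; the injectable `run` parameter lets the ordering logic be checked offline without executing anything on a live machine.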

Documenting the Digital Crime Scene

  • Documenting a digital crime scene is analogous to documenting a traditional one: detailed photographs and notes are essential so that no clue is overlooked, and they feed directly into the final report and court testimony.
  • Key points to document clearly:
    1) When you entered, how long you stayed, and with whom
    2) Names and roles of all people who accessed the scene
    3) All items related to the case acquired at the scene, documented in a chain of custody form
    4) Create a sketch showing where digital devices and peripherals were located, including device type, model, and other details
    5) Photograph all areas; use video if needed; perform two photography sessions: on entry and before leaving after seizure
    6) Write detailed notes about everything seen; these notes aid testimony
    7) If laws prohibit searching/seizing certain devices, note this in the crime scene documentation

Contd… (Additional documentation guidance)

  • Maintain a clear, organized narrative linking evidence to scene actions for courtroom clarity.

Packaging and Transporting Electronic Devices

  • After documenting the scene and shutting down devices (if ON), begin packaging:
    • Unplug cables, tag each cable and the corresponding port with a unique number
    • Photograph cables before unplugging to aid later system reconstruction in the lab
    • Tape over the power switch to prevent accidental power-on during transit
    • Place the device in antistatic bags
    • Put devices in appropriate evidence bags, seal with tape, and record your name and date/time on the seal
  • The evidence bag should include a panel with: contents, names of investigators who seized, photographed, sketched, and packaged; location of seizure; suspect information and criminal record if applicable; date/time of seizure; passwords (if available); and any additional notes
  • For devices capable of receiving network signals (e.g., smartphones), use a Faraday bag; seize power adapters and cables.

Contd… (Transport and handling)

  • While transporting evidence bags, place them on the back seat and secure them so they are not exposed to shocks and vibrations.
  • Keep them dry and cool, away from magnets, static sources and dust; avoid high temperature or humidity to preserve evidence integrity.
  • Document all transportation steps in the chain of custody forms and keep forms in a safe location to ensure traceability in court.
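The chain of custody form referred to throughout the packaging and transport steps can be kept in a form that shows nobody edited it after the fact. The following Python record keeper is an added example for these notes (not part of the course material or of any forensic product); the evidence identifier EV-001, the handler names, times and the stand-in image hash are constructed for the illustration:

```python
"""Tamper-evident chain of custody record for seized digital evidence.

Added example for these notes, not part of the course material. It models the
chain of custody form as an append-only list of JSON records; every record
carries the SHA-256 of the previous record, so a later edit to an earlier
entry (a changed time, handler or image hash) becomes detectable. The evidence
identifier, names, times and image hash in build_sample_chain() are constructed.
"""
import hashlib
import json

GENESIS = "0" * 64  # prev_hash of the first record in a chain


def canonical(record):
    """Deterministic serialization, so the same record always hashes the same."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def sha256_bytes(data):
    return hashlib.sha256(data).hexdigest()


def sha256_file(path, chunk_size=1 << 20):
    """Hash a forensic image (or any file) in chunks, without loading it into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def append_entry(chain, evidence_id, action, handler, timestamp_utc, location,
                 image_sha256=None, notes=""):
    """Append one custody event; its hash covers every field including prev_hash."""
    body = {
        "evidence_id": evidence_id,
        "action": action,  # seized, packaged, transported, received, ...
        "handler": handler,
        "timestamp_utc": timestamp_utc,
        "location": location,
        "image_sha256": image_sha256,
        "notes": notes,
        "prev_hash": chain[-1]["entry_hash"] if chain else GENESIS,
    }
    entry = dict(body, entry_hash=sha256_bytes(canonical(body)))
    chain.append(entry)
    return entry


def verify_chain(chain):
    """Return (True, None) if every link holds, else (False, index of first bad entry)."""
    expected_prev = GENESIS
    for index, entry in enumerate(chain):
        body = {k: v for k, v in entry.items() if k != "entry_hash"}
        if body.get("prev_hash") != expected_prev:
            return False, index
        if sha256_bytes(canonical(body)) != entry.get("entry_hash"):
            return False, index
        expected_prev = entry["entry_hash"]
    return True, None


def tamper_copy(chain, index, field, value, rehash=False):
    """Return an edited copy for demonstration: change one field and, if rehash is
    set, recompute that entry's own hash the way a more careful forger would."""
    copy = json.loads(json.dumps(chain))
    copy[index][field] = value
    if rehash:
        body = {k: v for k, v in copy[index].items() if k != "entry_hash"}
        copy[index]["entry_hash"] = sha256_bytes(canonical(body))
    return copy


def build_sample_chain():
    """Constructed example: one workstation moving from the scene to the lab."""
    image_hash = sha256_bytes(b"constructed stand-in for the disk image")
    chain = []
    append_entry(chain, "EV-001", "seized", "A. Responder", "2025-08-27T09:14:00Z",
                 "Office 3, desk workstation", notes="Tower PC found powered off; not powered on")
    append_entry(chain, "EV-001", "packaged", "A. Responder", "2025-08-27T09:40:00Z",
                 "Office 3", notes="Antistatic bag, evidence bag sealed, power switch taped")
    append_entry(chain, "EV-001", "transported", "A. Responder", "2025-08-27T10:05:00Z",
                 "Vehicle, rear seat", notes="Secured against shock; kept cool and dry")
    append_entry(chain, "EV-001", "received", "Lab intake officer", "2025-08-27T11:30:00Z",
                 "Forensic lab intake", image_sha256=image_hash,
                 notes="Seal intact; image acquired and hashed on intake")
    return chain
```

Each seize/package/transport/receive event is appended as a record whose hash covers the previous record's hash, so editing an earlier entry breaks verification either at the edited entry or, if the forger recomputes that entry's hash, at the next link; `tamper_copy()` shows both cases. The chain alone cannot detect a rewrite of the most recent entry, which is why the latest entry hash (and the image hash from `sha256_file()`) should also be written on the paper form and signed, or lodged with the lab, each time the evidence changes hands.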

Conducting Interview

  • Upon receiving a call about the incident, the first responder should ask clarifying questions to understand the case.

First Responder Questions When Contacted by a Client

  • The client should be asked the following initial questions:
    1. What is the problem?
    2. If a company is involved, who is responsible for handling digital crime incidents?
    3. What is the location of the incident?
    4. Under which jurisdiction will the evidence be searched and seized?
    5. What types of computing devices are going to be seized?
    6. What tasks are expected at the scene (e.g., live memory capture/analysis)? Are networking devices involved?
    7. What type of Internet access does the target organization have?
    8. What is the ISP name?
    9. Has there been any offsite storage?

Witness Interview Questions

  • Questions for witnesses at the scene include:
    1) What they saw, and where/how
    2) Names and contact details of all people present, plus roles/job titles
    3) Work account usernames and passwords (jurisdiction rules apply)
    4) Social profiles and instant messaging screen names for employees of interest
    5) Identity of any administrator/site manager who can identify devices and custodians

Witness Signature

  • In some jurisdictions, a witness signature may be required to verify information collected from the crime scene; not always applicable, especially if the interviewer is a law enforcement officer; assess applicability per jurisdiction.

Closing

  • End of the notes set; material compiled from the Incident Response and Digital Forensics course by Anas Aliyu Usman (dated 27/08/2025).