Checklist for first responders

alien
(@alien)
Posts: 32
Eminent Member
Topic starter
 

Hello,

I recently had a conversation with a tutor of mine, who stated that, in his opinion, the use of a checklist at the scene of an e-crime may be misleading.
We were discussing whether the first responders to an e-crime scene may be helped or misled by the assistance of a checklist. The first responders may have limited digital forensic knowledge (depending on their computing background), therefore a checklist could help to point out basic potential e-evidence.
My tutor's opinion was more against the use of a checklist, though to me it sounds more logical to have a basis from which to start e-evidence collection and then identify any further locations or areas of residence.

It would be really interesting to see the general opinion of active professionals, and for this reason I started this poll.

Please feel free to offer any comment on this matter.

 
Posted : 05/07/2006 3:37 am
psu89
(@psu89)
Posts: 118
Estimable Member
 

I would think a flow chart of if/then statements would be more helpful and could cover a broader range of situations.

 
Posted : 05/07/2006 3:40 am
alien
(@alien)
Posts: 32
Eminent Member
Topic starter
 

psu89,

Actually, the whole discussion with the tutor took place based on my dissertation, in which I have created a framework for seizing e-evidence.

The framework consists of a flowchart of actions depending on the type of crime (live or dead) and the forensic knowledge of the first responder. Along with the flowchart I use a checklist, as a reminder of the basic areas of e-evidence collection.

Our difference of opinion (with my tutor) was on the usage of this checklist. So, I wanted to see the reaction of professionals who work in the 'real world' of e-crimes.

 
Posted : 05/07/2006 3:53 am
(@berogersjr)
Posts: 28
Eminent Member
 

I use a checklist for my cases, which are mostly private and corporate investigations, and I think it helps a lot. Granted, every case is a bit different, so you have to be flexible enough and have the training and experience to know just when to deviate from the checklist or change it to suit the circumstances. Most investigations don't go strictly by the checklist, although I still wouldn't leave home without it. Just being able to look at it and have it remind me of something I may otherwise forget or do out of sequence is worth it.

Remember that even if you are the best investigator in the world, when you take the case to court, processes and documentation are more important than just about anything else. Checklists can help establish to the court that you have a formal methodology and process rather than just going off the top of your head. For that reason alone, you should always try to use one. Just my humble opinion, of course…

bobby

 
Posted : 05/07/2006 7:08 am
(@mindsmith)
Posts: 174
Estimable Member
 

I agree with Bobby & Alien.

I use checklists quite extensively for a number of reasons:

1. To ensure that one does not become overconfident & miss a key step or item.
2. I work in the Middle East & often need others to act as 1st responders for me before I get on site (which may be in a different country) - so it is vital that my case is not compromised or jeopardised by an IT helpdesk person not following chain of evidence and other related rules, including documenting the machine correctly, etc.
3. Checklists also allow for peer review when I review cases handled by others.

The key thing is that they are there to act as a record of activities, to ensure that best practice/legal requirements are met and followed, and they are also a valuable aid, not the key method of delivery.

I also use step-by-steps with checklists so that in some cases - where I need Security Guards to assist with a machine seizure - they can do it for me in 'covert investigations' after hours, in buildings I may not have access to, even though the buildings & everything contained within belong to my client.

Over dependence on checklists could be a liability. They form an important part of the QA, Review, and documentation process. They can also be a great learning tool for those assisting us in cases.

Just a thought.

 
Posted : 05/07/2006 1:33 pm
keydet89
(@keydet89)
Posts: 3568
Famed Member
 

alien,

The problem may be that the checklist is seen as the be-all-and-end-all for first responders, and a replacement for real knowledge and training. In many cases, first response is not the primary function of the first responder, and is instead a secondary/collateral duty that doesn't get a lot of focus with regards to training. First responders, in many cases, are grossly unprepared…I can't tell you the number of sites I've been to where even the IT management staff (let alone the first responders) have no idea where systems are physically located or where applications "live". This makes response of any kind difficult and problematic, at best.

In many cases I've responded to, when interviewing the on-scene first responder, simply asking what they did and why leads to defensiveness on the part of the interviewee. Again, a lack of knowledge and understanding…"why did you use this tool that modifies last access times instead of another tool that doesn't?" That sort of thing. Many first responders simply have no idea that there are tools that can associate open ports to the processes using those ports…it's not their fault, necessarily, it's simply a short-coming in their training.

In such cases, checklists can be beneficial…if you're responding at 2am after working a 15 hr day, checklists can be a good thing. When I analyze a system, I use a checklist myself…it requires me to document and justify why I skipped something on the list (port scan/netstat not run b/c the system is stand-alone, etc.).

Checklists are very practical tools that can be used to someone's advantage, particularly if you're trying to ensure that a specific process is followed. However, having a checklist and not using it can be as bad or worse than following only the steps on the checklist.

Harlan

 
Posted : 05/07/2006 4:36 pm
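The thread above describes two things a first-responder checklist should do: branch on whether the system is live or dead (alien's flowchart) and force the responder to record every step as done or skipped, with a written justification for any skip, so the record can be reviewed later (Harlan's and mindsmith's points). The following is an added example, not code from any poster or from alien's dissertation framework, showing one way to implement such a checklist as an auditable run. The step names, the case identifier and the hash-chained log format are assumptions made for illustration; a real checklist would follow the organisation's own seizure procedure.

```python
"""Auditable first-responder checklist runner (added example, not from the thread)."""
import hashlib
import json
from datetime import datetime, timezone

# Constructed checklist contents: the step names are illustrative assumptions,
# not the framework discussed in the thread.
CHECKLISTS = {
    "live": [  # system is powered on: volatile data is collected first
        "photograph screen, cabling and surroundings",
        "record system clock against a reference clock",
        "capture volatile memory",
        "record network connections with owning process",
        "record running processes and logged-on users",
        "power down per policy (shutdown vs. pull plug)",
        "bag, tag and log the system",
    ],
    "dead": [  # system is powered off: it must not be powered on at the scene
        "photograph system, cabling and surroundings",
        "document make, model and serial numbers",
        "remove storage and attach a write blocker",
        "bag, tag and log the system",
    ],
}


def select_checklist(system_state):
    """Flowchart branch: return the step list for a 'live' or 'dead' system."""
    if system_state not in CHECKLISTS:
        raise ValueError("system_state must be 'live' or 'dead'")
    return list(CHECKLISTS[system_state])


def _entry_hash(prev_hash, entry):
    """SHA-256 of this entry chained to the previous entry's hash (tamper evidence)."""
    body = json.dumps(entry, sort_keys=True).encode()
    return hashlib.sha256(prev_hash.encode() + body).hexdigest()


class ChecklistRun:
    """Records each step as done or skipped; a skip requires a justification."""

    def __init__(self, case_id, responder, system_state, clock=None):
        self.case_id = case_id
        self.responder = responder
        self.pending = select_checklist(system_state)
        self.entries = []
        self.closed = False
        # The clock is injectable so a run can be replayed deterministically.
        self._clock = clock or (lambda: datetime.now(timezone.utc).isoformat())

    def _record(self, step, status, note):
        if self.closed:
            raise RuntimeError("run already closed")
        if step not in self.pending:
            raise ValueError("unknown or already recorded step: " + step)
        self.pending.remove(step)
        entry = {
            "case": self.case_id,
            "responder": self.responder,
            "step": step,
            "status": status,
            "note": note,
            "time": self._clock(),
        }
        prev = self.entries[-1]["hash"] if self.entries else "0" * 64
        entry["hash"] = _entry_hash(prev, entry)  # hash covers every field above
        self.entries.append(entry)
        return entry

    def done(self, step, note=""):
        return self._record(step, "done", note)

    def skip(self, step, justification):
        if not justification or not justification.strip():
            raise ValueError("a skipped step requires a written justification")
        return self._record(step, "skipped", justification)

    def close(self):
        """Refuse to close while any step is neither done nor justified as skipped."""
        if self.pending:
            raise RuntimeError("unaccounted steps: " + "; ".join(self.pending))
        self.closed = True
        return self.entries


def verify_log(entries):
    """Recompute the hash chain; False if any entry was altered, removed or reordered."""
    prev = "0" * 64
    for e in entries:
        body = {k: v for k, v in e.items() if k != "hash"}
        if _entry_hash(prev, body) != e["hash"]:
            return False
        prev = e["hash"]
    return True


if __name__ == "__main__":
    run = ChecklistRun("CASE-0001", "helpdesk on-call", "live")  # constructed case id
    steps = select_checklist("live")
    for step in steps[:3]:
        run.done(step)
    run.skip(steps[3], "stand-alone system, no network interface connected")
    for step in steps[4:]:
        run.done(step)
    log = run.close()
    print(json.dumps(log, indent=2))
    print("chain intact:", verify_log(log))
```

The run can be completed in any order, which matches the point that real cases deviate from the list, but it cannot be closed until every step is accounted for, and a skip with an empty justification is rejected rather than silently recorded. The hash chain makes later edits to the log detectable by a reviewer who re-runs `verify_log` over the stored entries.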
alien
(@alien)
Posts: 32
Eminent Member
Topic starter
 

Thank you all for sharing your opinions.

As I gather, there is a common ground of beliefs that 'checklists can be a useful tool in the collection process (such as a reference or reminder), as long as they are not treated as a unique solution, replacing the knowledge of the first responders'.

Along with that, as mentioned, they can be used to support the documentation.

Finally, the point made by Harlan that first responders may be unprepared and have limited forensic knowledge is an existing issue in the digital forensic community. My opinion is that the only solution is more and continuing seminars and more people with a computing background working as first responders.

Magioula

 
Posted : 06/07/2006 3:59 pm
keydet89
(@keydet89)
Posts: 3568
Famed Member
 

> more and continuing seminars

I would agree wholeheartedly with that. I would also add to that that the training needs to be functional and up-to-date. I've heard no end of complaints from folks in Windows shops who go off for first responder training, and due to the instructor's own preferences, everything is centered around Linux. This isn't functional for the customer.

Training can be progressive, with a basic, intermediate, advanced approach. It can also be given on-site, rather than having to send a portion of your staff away.

I also believe that it should be incumbent upon the first responders, or their managers, to seek out training, through books, locating instructors, etc.

Harlan

 
Posted : 08/07/2006 7:29 pm
 Andy
(@andy)
Posts: 357
Reputable Member
 

I've never really advocated live imaging or volatile memory capture, preferring to perform post mortem examinations. However, I have recently listened to a presentation from Microsoft regarding Vista. Also, there is a lot of data in RAM we are missing. With the advent of full disk encryption built into Windows Vista (BitLocker), I foresee the future being a lot more complex for evidence recovery. We might have to change the way we perform FC in general and initial evidence discovery/recovery. First responders are going to need to perform some kind of 'live' examination, if not imaging/recovery, if a computer at a scene is switched on.

I am already putting together some 'live' side tools & books (Harlan's) and researching possible future training for myself and colleagues.

First responders are either going to have to get trained an awful lot more than they are at present, or we employ 'specialist' first responders who work out of the existing high tech crime units.

It might be that the problem needs addressing at a national level (UK), starting with recruitment, with a requirement that those applying for law enforcement jobs can evidence an amount of computer literacy (European Computer Driving Licence or US equivalent).

Andy

P.S. I still use a checklist for every job.

 
Posted : 08/07/2006 10:13 pm
alien
(@alien)
Posts: 32
Eminent Member
Topic starter
 

Harlan & Andy,

I agree that the first responders will need to enhance their training in the future as the demands on the field grow.

I am still in the digital forensics field as a student (finishing a master's), but the need for constant self-study and practice is clear to me. Especially if you really 'care' for this profession and its input to the community.

Thank you again for sharing your ideas, especially being experienced professionals in the domain.

Magioula.

 
Posted : 10/07/2006 2:52 am