At a physical crime scene, say a home that has been burned down by an arsonist or a home that has been burglarized, the role of first responders is very important. These skilled individuals must avoid contaminating the crime scene or destroying evidence, all the while securing the scene and documenting every detail, down to the most minute. First responders take note of the victims and the lighting, talk to witnesses and potential suspects, and try to gather any other information that could be integral to solving the case. Those who arrive on the scene after the first responders wear special clothes, foot coverings and latex gloves to preserve the crime scene while they gather any additional evidence. Roles are clearly defined and everyone knows their tasks.

These same ideas apply when cybercrimes occur. Individuals skilled in the field of digital forensics arrive on the scene to collect crucial evidence. Care needs to be taken to preserve important evidence. However, since first responders to digital crimes tend to be members of a company’s cyber security team or network administrators, they tend to prioritize stopping the attack over preserving evidence, and this can lead to crucial evidence being tampered with or even destroyed. This rush to end an attack could destroy the very information that would help investigators discover how the hackers or malware got into the system and so solve the crime. Often, the focus is so much on getting the system back up and running that evidence is destroyed.

To keep this from occurring, companies need to have a clearly defined plan of action in case of a cyberattack. The plan needs to answer the following questions and be ready to implement in case of an attack:
- Who is on the response team?
- Who has the authority to take down systems and networks?
- Who will collect evidence?
In addition to having a plan in place that everyone is aware of, it’s also a good idea to staff the response team with experts in computer forensics to lessen the risk of any data loss. Moreover, if cyber incident responders find an attack before forensic investigators arrive, they need to take very detailed notes about when the attack occurred and any actions that have been taken. Preserving evidence needs to be the first priority, and as this can take a long time, it is recommended that a company have a replacement set of hard drives so that business operations can get back up and running as quickly as possible while incident responders gather their evidence.

Since cybercrime is so prevalent today, it is crucial for today’s professionals to learn about the latest techniques in the field, such as knowing NTFS and CHKDSK. So, this is yet another reason to spend more time taking free cyber security training.
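The detailed notes that responders are asked to keep (when the attack occurred and every action taken since) are more useful to investigators if later edits to them can be detected. The following is an added example, not part of the original article: a small responder log in which each note carries a UTC timestamp and the hash of the previous note. The function names, field names and sample entries are assumptions made for illustration.

```python
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # chain anchor for the first note


def _digest(entry: dict) -> str:
    # Hash a canonical JSON form so the same fields always give the same digest.
    body = json.dumps(entry, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(body.encode("utf-8")).hexdigest()


def add_note(log: list, responder: str, action: str, system: str, when=None) -> dict:
    """Append one responder note, chained to the previous note's hash."""
    when = when or datetime.now(timezone.utc)
    entry = {
        "seq": len(log),
        "utc": when.astimezone(timezone.utc).isoformat(),
        "responder": responder,
        "system": system,
        "action": action,
        "prev": log[-1]["hash"] if log else GENESIS,
    }
    entry["hash"] = _digest(entry)
    log.append(entry)
    return entry


def verify(log: list) -> int:
    """Return -1 if the chain is intact, else the index of the first bad note."""
    prev = GENESIS
    for i, entry in enumerate(log):
        body = {k: v for k, v in entry.items() if k != "hash"}
        if entry["seq"] != i or entry["prev"] != prev or _digest(body) != entry["hash"]:
            return i
        prev = entry["hash"]
    return -1


def demo_log() -> list:
    # Constructed sample notes; responders, host name and times are made up.
    t = lambda h, m: datetime(2024, 1, 15, h, m, tzinfo=timezone.utc)
    log = []
    add_note(log, "j.doe", "Attack first noticed: unusual outbound traffic", "FILESRV01", t(9, 2))
    add_note(log, "j.doe", "Took host off the network; left powered on", "FILESRV01", t(9, 10))
    add_note(log, "a.lee", "Swapped in replacement drive; original sealed and labelled", "FILESRV01", t(11, 45))
    return log
```

The chain only shows tampering if the most recent hash is also recorded somewhere the log's editor cannot change, for example read out to a second responder or written on the evidence label.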