Computer Incident Response Guidelines
The popularity of desktop and notebook computers has been a mixed blessing. These tools increase productivity and make worldwide communication and file transfer over the Internet routine. However, they also create opportunities for abuse of corporate policy and for computer-related crime. Viewing of Internet pornography has become a serious problem for corporations and government agencies, and embezzlement carried out with computers has become commonplace in small and medium-sized businesses.
Computer forensic tools and techniques can help to identify such abuses, and they can be used to find and document evidence for a civil or criminal case. That evidence is only useful if it is preserved and protected, so what is done in the first minutes after a computer incident is identified matters. By following the guidelines listed below, you stand a good chance of preserving the evidence. If you have questions, don't hesitate to call NTI. Computer evidence is fragile, and it is easily altered or destroyed if the wrong things are done.
1. Don't turn on or operate the subject computer.
The computer's storage should first be copied with bit-stream backup (imaging) software, which duplicates every sector of the drive rather than only the files the operating system can see. Merely running the computer writes to the disk: the Windows swap file, which holds fragments of Internet activity and of Windows work sessions, is rewritten on every boot and session, and those fragments can be valuable from an evidence standpoint. On a DOS-based system, running the computer can overwrite 'deleted' files whose sectors are still intact on the disk; the same is true of a Windows system. To save grief, don't run the computer.
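The imaging step in guideline 1, as an added example; this is not NTI's code and does not describe any NTI product. It copies the subject's storage sector by sector without ever opening the source for writing, hashes the bytes as they are read so the copy can be verified later, zero-fills and logs any sector that cannot be read (what dd's conv=noerror,sync does) so every surviving byte keeps its offset, and then carves URL fragments out of the image the way they would be recovered from a Windows swap file. The sample 'swap file' contents, the file names, and the simulated unreadable sector are all constructed for the demonstration; a real acquisition reads the physical device through a hardware write-blocker, not a file.

```python
import hashlib
import os
import re
import tempfile
from dataclasses import dataclass, field

BLOCK_SIZE = 512  # one sector, so any zero-filled gap stays sector-aligned


@dataclass
class AcquisitionRecord:  # the facts that go into the acquisition log
    source: str
    image: str
    size: int
    sha256: str          # hash of the bytes as read, zero-filled gaps included
    bad_blocks: list = field(default_factory=list)  # offsets that failed to read


def acquire_image(src_path, dst_path, block_size=BLOCK_SIZE, read_block=None):
    """Bit-stream copy of src_path into dst_path, hashing as it goes.

    The source is opened read-only.  A block that raises OSError is written as
    zeros and its offset recorded (what dd conv=noerror,sync does), so every
    surviving byte keeps its original offset.  read_block(fd, offset, n) is a
    hook for simulating unreadable sectors; the default is os.pread (POSIX).
    """
    if read_block is None:
        read_block = lambda fd, offset, n: os.pread(fd, n, offset)
    size = os.path.getsize(src_path)
    digest = hashlib.sha256()
    bad = []
    fd = os.open(src_path, os.O_RDONLY)
    try:
        with open(dst_path, "wb") as dst:
            offset = 0
            while offset < size:
                n = min(block_size, size - offset)
                try:
                    chunk = read_block(fd, offset, n)
                except OSError:
                    chunk = b"\x00" * n   # keep the gap, keep the offsets
                    bad.append(offset)
                digest.update(chunk)
                dst.write(chunk)
                offset += n
    finally:
        os.close(fd)
    return AcquisitionRecord(src_path, dst_path, size, digest.hexdigest(), bad)


def verify_image(record):
    """Re-hash the image; False means it changed after acquisition."""
    digest = hashlib.sha256()
    with open(record.image, "rb") as img:
        for chunk in iter(lambda: img.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest() == record.sha256


# URL fragments sit in swap/unallocated space as plain ASCII and, since Windows
# keeps many strings as UTF-16LE, as ASCII characters each followed by a NUL.
URL_CHARS = rb"A-Za-z0-9._~:/?#@!$&'()*+,;=%-"
ASCII_URL = re.compile(rb"https?://[" + URL_CHARS + rb"]+")
UTF16_URL = re.compile(
    rb"h\x00t\x00t\x00p\x00(?:s\x00)?:\x00/\x00/\x00(?:[" + URL_CHARS + rb"]\x00)+")


def carve_urls(image_path):
    """Pull both encodings of URL strings straight out of the raw image."""
    with open(image_path, "rb") as img:
        data = img.read()
    found = {m.group().decode("ascii") for m in ASCII_URL.finditer(data)}
    found |= {m.group().decode("utf-16-le") for m in UTF16_URL.finditer(data)}
    return sorted(found)


def build_sample_swap():
    """Constructed stand-in for a swap file: noise with two URL fragments."""
    filler = bytes(range(256)) * 4  # 1024 bytes containing no URL-like text
    return (filler + b"http://example.com/report " + filler
            + "https://example.org/evidence?id=42".encode("utf-16-le")
            + b"\x00\x00" + filler)


def unreadable_at(bad_offset):
    """Reader that fails on one block, to exercise the zero-fill path."""
    def read_block(fd, offset, n):
        if offset == bad_offset:
            raise OSError("simulated unreadable sector")
        return os.pread(fd, n, offset)
    return read_block


def run_demo(read_block=None):
    """Write the sample, image it, verify, carve; return what would be logged."""
    with tempfile.TemporaryDirectory() as workdir:
        src = os.path.join(workdir, "subject_pagefile.bin")  # constructed source
        img = os.path.join(workdir, "subject_pagefile.dd")
        with open(src, "wb") as f:
            f.write(build_sample_swap())
        record = acquire_image(src, img, read_block=read_block)
        with open(img, "rb") as f:
            image = f.read()
        return {"hash_ok": verify_image(record), "size_ok": len(image) == record.size,
                "bad_blocks": record.bad_blocks, "urls": carve_urls(img),
                "image": image}


if __name__ == "__main__":
    print("clean:", run_demo()["urls"])
    print("sector 1024 unreadable:", run_demo(unreadable_at(1024))["urls"])
```

Record the hash, the image file name and any bad-block offsets at the time of imaging; re-running verify_image against that record later is how you show the copy has not changed. When sectors were unreadable, the recorded hash is of the image as acquired, not of the original media, which is why the bad-block list belongs in the log next to it. The second run, with the sector holding the ASCII fragment made unreadable, shows the failure mode: the image is still the right size and still verifies, but that fragment is gone, exactly what happens when a swap file is overwritten before it is imaged.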
2. Don't solicit the assistance of the resident 'computer expert'.
Processing computer evidence is tricky, to say the least. Without proper training, even a world-class computer scientist can do the wrong things; like any other science, computer science has its areas of specialty. We typically get calls 'after the fact' and are told that a computer-knowledgeable internal auditor or systems administrator has already attempted to process a computer for evidence. In some cases valuable evidence is lost, or the evidence is so tainted that it loses its evidentiary value. For these reasons, seek the assistance of a computer specialist who has been trained in computer evidence processing procedures, and do so before you turn on the computer!
3. Don't evaluate employee E-mail unless corporate policy allows it.
New electronic privacy laws protect the privacy of electronic communications. If your corporate policy specifically states that all computers, and the data stored on them, belong to the corporation, then you are probably on safe ground. However, be sure that you actually have such a policy and that the employee(s) involved have read it. Furthermore, it is always a good idea to check with corporate counsel. NTI's NTA Stealth program can evaluate and report Internet usage abuses as identified in the Windows swap file, and it does so in just a few minutes. That speed creates a temptation to use the tool before checking corporate policy and consulting corporate counsel. Don't be in a hurry; do things by the book. To do otherwise could subject you and your corporation to a lawsuit.
Note: A comprehensive article, targeted specifically at classified U.S. Government agencies, is available to NTI's U.S. Government clients and can be downloaded from this site. A password is required to access the restricted article; U.S. Government computer security specialists can obtain the password from NTI once their identity has been verified.
Please direct E-Mail to info@forensics-intl.com
Copyright © 2004 by New Technologies Armor, Inc. June 9, 2004