Jesse Kornblum (Facebook)

Abstract

Computer-based evidence is inherently fragile. Data can be erased or changed without a trace, impeding an investigator’s effort to find the truth. The efforts of first responders are critical to ensuring that the evidence is gathered and preserved in a simple, secure, and forensically sound manner. This paper describes the challenges first responders face and some strategies for dealing with them. As an example, the paper also details a sample tool for first responders to incidents on Windows-based computers.