Incident Response in Forensic Informatics

Hello dear KernelBlog followers. In this article, I will talk about the importance of the rules to be followed during Incident Response in Forensic Informatics.

First of all, if we divide Forensic Informatics under three main headings, the first step is to identify, collect and preserve evidence. Special forces, law enforcement agencies, crime scene investigation experts make this stage in today’s conditions. In this article, we will focus on what people working at this stage should do. After the evidence is found, the stage of uncovering and analyzing the evidence comes. At this stage, forensic experts and forensic engineers come into play, and in the second and third stages, these people take more duties. The third stage is the reporting of the analyzed evidence.

In forensic informatics, the mistakes made in the process of the crime scene interrupt the whole process as they will compromise the authenticity and reliability of the evidence. Therefore, the people working in the first stage must perform the search, copy and seizure operations in accordance with the regulation without error and under control.

Speaking of the regulations, there are regulations in countries that have made progress by people fighting against cyber crimes that make binding on how the team working on the scene will act on forensic matters, and that the wrong transactions will be considered as a violation and this will have sanctions. But in our country, there is no comprehensive regulation on this subject yet.

Let’s take a look at Article 134 of the Criminal Procedure Code and Article 17 of the Regulation on Judicial and Prevention Searches.


The articles are in this way, but as you have noticed, the items are quite incomplete. Article 17 only mentions the stage of the investigation and there is no clear conclusion about what the suspect computer in the prosecution phase will be. The use of the phrase “if there is no possibility of obtaining evidence in any other way” in the law and regulation is perceived as putting the evidence obtained from electronic devices, which are a direct crime instrument or used as a means during the commitment of the crime, and it is not meaningful. Because in cyber crimes committed using information systems, there is no other way to obtain evidence.

We can list the main issues that the intervention group at the scene should pay attention to.

  • The security of the scene should be ensured to prevent alteration or deterioration of evidence. At this stage, the entrance to the scene should be controlled, the records of the people entering and leaving should be kept and they should not be allowed to be at the scene without purpose.
  • Whenever possible, a forensic expert should also be present at the scene and the collection of digital evidence should be carried out by law enforcement, special forces or a forensic IT specialist. Before starting the procedures, checklists, hardware and software to be used should be prepared. (Checklists help to make a healthy and complete study without skipping any step while at the scene. should be reviewed and updated depending on new situations.)
  • As many photos as possible should be taken from different angles before any action is taken on the scene. It is used to detect missed points later or to remove any doubts that may be heard later. During the study, all the materials used at the scene, the information seen on the computer screen and all connection cables should be photographed, showing their location in the room.
  • All materials found at the scene and likely to be used as evidence should be labeled with evidence tags. There should be sufficient explanations on the labels. It is useful to label the cable connections on the back of the computer cases showing the port, if possible. Portable devices should be labeled separately after packaging is made or placed in a protected container.
  • By establishing an inventory, all objects seized at the scene should be recorded on the list with their serial numbers. A different inventory list should be created for each type of object and the created lists should also be checked by different people in the group. It should not be neglected to copy inventories and have each copy signed.
  • Every process from the beginning of the process to the last moment must be recorded in the documents. It can be used as a defense against later objections. The presence of date / time information and signatures of the suspect and his attorney at the scene of the crime are also important issues.
  • Devices and connections that allow access to computers for remote access must first be identified and labeled without disassembly. If the computer is turned on and remote access is available when the scene is reached, then the connection should be canceled and it should be noted. Similarly, all connections used for computers to communicate with other computers or computer networks should be labeled.
  •  Chemicals should not be used at the scene to obtain hidden traces without collecting digital evidence, as they could damage digital evidence. Fingerprints on CD / DVD, keyboard, mouse and other computer hardware units are important in terms of establishing the link between the evidence obtained after the examination and the persons and care should be taken to protect them. After taking environmental precautions, examinations should be made on working systems. In the meantime, attention should be paid to the presence of webcams and trapped running programs.
  • It should be ensured that there are no programs or operating system definitions to clean some data due to the computer shutdown process. BIOS information of computer systems at the scene should be recorded. Especially if the BIOS date / time information is different from the real time information, this must be stated in the review form.
  • During the image taking process, different computers should be used and care should be taken in naming and labeling processes in order not to confuse the images. All data storage units must be imaged in accordance with forensic information standards. Original discs should be stored in safe environments so that they will not be damaged during transportation.
  • Any electronic device with a data storage unit at the scene should be taken into consideration and carefully examined. During the collection of digital evidence in institutions and organizations, care should be taken to ensure that the systems are operational. A thorough understanding of the connections between the workstation and the host computer and other network hardware units is essential at this stage.
  •  Notes around the computer or desk should be recorded and photographed at the same time. Such notes can contain the password and user registration information that may be needed during the analysis phase.

These conditions may cause instant solutions to be produced and the addition of new substances, depending on the incident, the location of the crime or the existence of living systems. Let’s not forget that in every system with human beings, there is always a deficit. Although it appears as an examining program, it depends on the expert’s forensic computing ability. It is necessary to know how to extract the required evidence from the program. Hope to see you in my next article. Good reading.

Leave a Reply

Your email address will not be published. Required fields are marked *