First Response to a Computer Incident

The purpose of this exercise is to prepare you for the second part of your EnCE examination, which is the practical. After passing your written examination, you$$ll be given a CD with a case to work. Part of that process will be to document your first$-$response procedures for your report. To prepare for the phase, assume the following:

$1.$ You are responding with others to the scene of a computer incident. You are the one responsible for the computers at the scene. The target system $($only one$)$ is in a business. The screen is locked, with the operating system logo displayed as Windows $2008$ Server. The prompt explains that the computer is locked and that only the administrator can unlock it$.$ The system administrator is available and is not the target of the investigation, and she is considered a person with high integrity who is willing to assist.

$2.$ Describe in detail how you would take down this machine and take it to the lab for imaging if the Enterprise, FIM $6,$ Portable, or EnCase $7$ version is not an option and if your directive is to seize it and take it to the lab.

$3.$ Write your narrative as though it were going to be included in your report. Be sure to describe your shutdown methodology and reasoning. Include details sufficient to establish the complete chain of custody from the scene to the lab.