Preserving evidence does not begin only at the acquisition of data, but as early on as the physical viewing of the suspect device. There should be some kind of structured response to the suspected crime or breach in the same way as with a crime reported to the police. In the same way, a person makes a call to the emergency services who then dispatch the police, fire services, and ambulance personnel and other first responders who may then escalate the issue to the FBI or other agencies. There should also be a similar chain of command when dealing with reports that require digital investigation.

When a breach or crime is discovered or suspected, there should be a dedicated first responder who is alerted and called to the scene. This person usually has some knowledge or understanding of the workings of devices, networks, and even of the IT infrastructure in the organization if applicable.

First responder personnel can include:

• Systems administrators
• Network administrators
• Security administrators
• IT managers

While the people in the preceding roles may not be skilled in digital forensics or digital investigations, they will be responsible for securing the scene and ensuring that the data, peripherals, equipment, and storage are not used, tampered with, removed, or compromised by unauthorized individuals.

Duties of first responders include:

• Being the first to respond to the scene (as the name suggests) and making an initial assessment
• Documenting the scene and room fully in a circular fashion using the center of the room as a focal point
• Securing the scene by not allowing unauthorized users or suspects, access to the devices or area, and especially to volatile data and storage media
• Preserving and packaging evidence for transportation, ensuring the use of the Chain of Custody (CoC) forms