Lesson 6.3: Incident Reporting & Forensics

1. Learning Objectives

By the end of this lesson, you will be able to:

  • Construct a legally defensible Incident Report using the “5 Ws.”
  • Distinguish between Objective Facts and Subjective Opinions in writing.
  • Maintain the Chain of Custody for physical and digital evidence.
  • Conduct a “Post-Mortem” or After-Action Review (AAR) to improve future responses.

2. The Incident Report (The PIR)

The Post-Incident Report (PIR) is the official record of truth. It may be read by the CEO, the Insurance Adjuster, or a Judge.

A. The Golden Rule: Facts, Not Opinions

  • Bad (Subjective): “The guard was lazy and didn’t check the door properly.”
    • Why it’s bad: “Lazy” is an opinion. The defense lawyer will destroy this.
  • Good (Objective): “Video log 14:00:23 shows Guard Smith walking past Door 4 without physically testing the handle.”
    • Why it’s good: This is an indisputable fact based on evidence.

B. The Structure: The 5 Ws

  1. Who: Who caused it? Who responded? Who was the victim?
  2. What: What happened? (Theft, Fire, Slip & Fall).
  3. When: Exact timeline (down to the second).
  4. Where: Specific location (e.g., “Aisle 4, Rack 12”).
  5. Why: The root cause (e.g., “Door lock battery failure”).

3. Evidence & Forensics

If you catch a thief but mishandle the video file, the thief walks free.

A. Chain of Custody

The Chain of Custody is a paper trail that proves nobody tampered with the evidence.

  • The Log: Every time evidence changes hands, it must be signed for.
    • Entry: “Jan 20, 14:00 – Hard Drive removed by Manager A.”
    • Entry: “Jan 20, 14:15 – Hard Drive handed to Police Officer B.”
  • The Gap: If there is an hour unaccounted for, the defense will argue someone planted fake evidence during that hour.

B. Digital Forensics (Video)

  • Never analyze the original: Always make a copy of the video file and analyze the copy. Keep the master file locked (Read-Only).
  • Watermarking: Professional VMS exports include a digital watermark. If someone tries to edit the video (e.g., cutting out 5 seconds), the watermark breaks, showing that the file has been altered.
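
The "never analyze the original" rule and the custody log from this section, as an added example that is not part of the original lesson. It uses SHA-256 hashes (an assumption; the lesson itself mentions only VMS watermarks) to show that the working copy matches the master, and the function names, file names and JSON log format are hypothetical.

```python
import hashlib, json, os, shutil, stat, tempfile
from datetime import datetime, timezone

def sha256_file(path):
    """Hash a file in chunks so large video exports do not fill memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()

def log_custody(log_path, handler, action, item, sha256):
    """Append one custody entry (who, what, when) as a JSON line."""
    entry = {"time_utc": datetime.now(timezone.utc).isoformat(timespec="seconds"),
             "handler": handler, "action": action, "item": item, "sha256": sha256}
    with open(log_path, "a", encoding="utf-8") as fh:
        fh.write(json.dumps(entry) + "\n")
    return entry

def make_working_copy(master, work_dir, handler, log_path):
    """Lock the master read-only, copy it, and prove the copy is identical."""
    master_hash = sha256_file(master)
    os.chmod(master, stat.S_IRUSR | stat.S_IRGRP | stat.S_IROTH)  # master: read-only
    log_custody(log_path, handler, "master hashed and set read-only", master, master_hash)
    copy_path = os.path.join(work_dir, "WORKING_" + os.path.basename(master))
    shutil.copyfile(master, copy_path)  # copies contents only; the copy stays writable
    if sha256_file(copy_path) != master_hash:
        raise RuntimeError("working copy does not match master")
    log_custody(log_path, handler, "working copy created", copy_path, master_hash)
    return copy_path, master_hash

def is_unaltered(path, recorded_hash):
    """True if the file still matches the hash recorded in the custody log."""
    return sha256_file(path) == recorded_hash

if __name__ == "__main__":
    # Constructed sample bytes standing in for a VMS video export.
    with tempfile.TemporaryDirectory() as tmp:
        master = os.path.join(tmp, "cam4_export.bin")
        with open(master, "wb") as fh:
            fh.write(b"constructed sample video bytes " * 1000)
        work = os.path.join(tmp, "analysis")
        os.mkdir(work)
        log = os.path.join(tmp, "custody.jsonl")
        copy_path, h = make_working_copy(master, work, "Manager A", log)
        print(copy_path, h, is_unaltered(master, h))
```

Re-running `is_unaltered` on the master before each handover gives every custody log entry a hash that can be compared with the first one.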

4. The Post-Mortem (After-Action Review)

A crisis is a terrible thing to waste. After the dust settles, the team must gather for a “No-Blame” analysis.

The Three Questions:

  1. What was supposed to happen? (What does the SOP say?)
  2. What actually happened? (Did we follow the SOP? Did the equipment fail?)
  3. How do we fix the gap? (Do we need better training? Better radios? A new SOP?)

Example:

  • Issue: The guards couldn’t find the keys to the server room during the fire alarm.
  • Fix: Install a “Knox Box” (Key Safe) next to the door for emergency access.

5. Practical Application: Report Writing Exercise

Scenario: You found a door propped open with a brick at 2:00 AM.

  • Draft 1 (Poor): “I found the back door open again. Probably the cleaners. They are always careless. I closed it.”
  • Draft 2 (Professional):
    • Time: 02:00 AM.
    • Observation: During routine patrol, Officer X observed Emergency Exit 3 propped open by a red brick.
    • Action: Officer X removed the obstruction and secured the door. Verified door was locked.
    • Investigation: Review of CCTV camera 4 shows Cleaner Y placing the brick at 01:45 AM to take a smoke break.
    • Resolution: Incident reported to Facilities Manager. Snapshot of video attached.