The Digital First Aid Kit – Intro

The Digital First Aid Kit aims to provide preliminary support for people facing the most common types of digital threats. The Kit offers a set of self-diagnostic tools for human rights defenders, bloggers, activists and journalists facing attacks themselves, as well as providing guidelines for digital first responders to assist a person under threat.

The Kit begins with ways to establish secure communication when you or a contact are facing a digital threat and want to reach out for support. The Kit then moves on to sections on account hijacking, seizure of devices, malware infections and DDoS attacks. Each section begins with a series of questions about you, your devices and your situation. These questions will guide you through a self-assessment or help a first responder better understand the challenges you are facing. It then lays out initial steps to understand and potentially fix the problems. The steps should also help you or a first responder to recognize when to request help from a specialist.

The Digital First Aid Kit is not meant to serve as the ultimate solution to all your digital emergencies. It strives to give you tools that can help you make a first assessment of what is happening and determine if you can mitigate the problem on your own. If at any moment you feel uncomfortable or unsure about implementing any of the solutions outlined here, ask for help from trained professionals.

The Digital First Aid Kit came about when a number of organizations working in the digital emergency field observed that once a person is targeted digitally, he or she often does not know what to do or where to turn for assistance. It was inspired by the belief that everyone has the ability to take preventative measures to avoid emergencies and responsive steps when they are in trouble. Further, everyone has the ability to help out a colleague facing trouble. The self-diagnostic quality of the Kit should also enable journalists, bloggers, activists and human rights defenders to understand what is happening to their digital assets, to determine more rapidly when they should reach out for help and what kind of help they need, and to improve individual digital safety. In addition, the Kit serves as a first responder checklist for the individuals whom a person under possible digital attack reaches out to first.

The Digital First Aid Kit is a collaborative effort of EFF, Global Voices, Hivos & the Digital Defenders Partnership, Front Line Defenders, Internews, Freedom House, Access, Qurium, CIRCL, IWPR, Open Technology Fund and individual security experts who are working in the field of digital security and rapid response. It is a work in progress; if there are things that need to be added, or if you have comments or questions regarding any of the sections, please go to GitHub.

Find a printable version of the Digital First Aid Kit here.




For questions, please get in touch with the Digital Defenders Partnership:
E: ddp[at]
Twitter: @DigiDefenders

Secure Communication

This section will provide you with guidance on ways to establish secure communication when reaching out for help when confronted with a potential digital attack. As a general rule, it is important to understand that most ‘normal’ communications tools are not very secure against eavesdropping. Mobile and landline phone communication is not encrypted and can be listened to by governments, law enforcement agencies, or other parties with the necessary technical equipment. Sending unencrypted communication is like sending a postcard: anyone who has access to the postcard can read the message. Sending encrypted communication is like placing the postcard inside a safe and then sending the safe. Only you and those you trust know the combination, so only you and they can open the safe and read the message.

Secure communication is always a trade-off between security and convenience. Choosing the most appropriate form of secure communication will depend on your unique situation, your threat model and the activities in which you are involved. The Digital First Aid Kit is specifically meant for those who are under digital attack; therefore, this section on secure communication assumes you are at high risk.

Finally, when communicating there are different levels of security. How and what kind of encryption a tool makes use of will increase or decrease your communication security. A communication tool that provides end-to-end encryption (such as PGP-encrypted email, or chat with OTR or Textsecure on your phone) is better than using a tool with transport-layer encryption (such as Gmail, Facebook, or Twitter). This, in turn, is better than using unencrypted communications (such as a postcard, your phone or text messages). Do the best that you can with the resources and skills available. Start with the most secure form of communication you can manage and the person you reach out to may be able to help you establish a line of communications that is more secure, if necessary. In many cases, it is better to reach out for help insecurely than not to reach out for help at all.

Where to start?
If you believe that your computer has been compromised by malware and the device you are using cannot be trusted, please go directly to the Safer Computing section below. If you think that your communication might be targeted and/or you have just changed to a safer computer, the Safer Communication section and the Safer Communication on a smartphone section below provide steps to establish secure communications.

Seeking and providing remote help

When you are seeking remote help from a third party please keep the following in mind:

1. If you think there is something wrong with one of your devices or accounts and you are uncomfortable or unsure about what to do next, ask for help from a trained technical professional or (inter)national organizations whom you feel you can trust. The guides referenced in the Resources section can also help. If possible, do not rely on unknown people you find online. The organizations you may reach out to include:

2. When seeking help, also remember that the device you are using might be the subject of the attack. In order to establish a secure line of communication with a person who can help you, it may be necessary to contact them from an alternate, trustworthy device.

Account Hijacking

Are you having a problem accessing an email, social media or web account? Does an account show activity that you do not recognize? There are many things you can do to mitigate this problem.

Start by answering some simple questions:

  • Which service are you having trouble with?
  • Are you the only person who uses the account? Sometimes, multiple people have access to Facebook group pages, WordPress blogs or email accounts. If multiple people have access to this account, first check that your friends or colleagues haven’t changed permissions.
  • What is the username and the URL of the account?
  • Are you unable to access your account?
  • Can you see someone else using your account?
  • Did you get an alert or have friends/contacts received strange messages from you?
  • What other evidence have you seen of the problem?

After answering these questions, please scroll down to take the first steps to mitigate the problem:

First steps to mitigate the problem:

If you still have access to the account

Move to a different computer – one that you consider to be safe or uncompromised. Log in and change the password on your account. Then move to the following steps:

  • Step 1: Stop using this account for the exchange of sensitive information until you better understand the situation.
  • Step 2: If possible, review the connection history/account activity (an available feature for Facebook, Gmail and other email platforms). Check to see if your account was used at a time when you were not online or if your account was accessed from an unfamiliar location or IP address.
  • Step 3: Take a look at the account settings. Have they been changed? For email accounts, check for auto-forwards in email, possible changes to the backup/reset email address or phone numbers, synchronization to different devices (including phones, computers or tablets), and permissions granted to applications or other account permissions.
  • Step 4: Change the passwords for all your other online accounts that are linked to this one. For example, if you are looking at an email account and it is the recovery address for another account, change the password for that account.
  • Step 5: Don’t stop here! Follow the important next steps below.
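For first responders working through Steps 2 and 3 with an exported activity list, the following added example (not part of the Digital First Aid Kit) flags entries from unfamiliar IP addresses, activity outside the times the account owner was online, and settings changes such as new auto-forwards. The CSV layout, the event names and all sample values are assumptions constructed for illustration; real providers export their own formats.

```python
import csv
import io
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed sample export (documentation IP ranges, invented events).
SAMPLE_ACTIVITY = """\
timestamp,ip,event,detail
2024-03-01T08:15:00,198.51.100.23,login,Firefox on Linux
2024-03-01T23:40:00,203.0.113.77,login,Unknown browser
2024-03-02T03:05:00,203.0.113.77,forwarding_added,forward to other@example.net
2024-03-02T09:00:00,198.51.100.23,login,Firefox on Linux
2024-03-02T14:30:00,198.51.100.40,login,Firefox on Linux
2024-03-02T14:35:00,198.51.100.40,recovery_changed,new recovery phone
"""

# Networks the account owner normally connects from (assumed: home/office).
KNOWN_NETWORKS = [ip_network("198.51.100.0/24")]

# Periods during which the owner says they were actually using the account.
ONLINE_WINDOWS = [
    (datetime(2024, 3, 1, 8, 0), datetime(2024, 3, 1, 18, 0)),
    (datetime(2024, 3, 2, 8, 30), datetime(2024, 3, 2, 12, 0)),
]

# Hypothetical event names for the settings listed in Step 3.
SETTINGS_EVENTS = {
    "forwarding_added", "recovery_changed", "app_authorized", "device_synced",
}


def review_activity(csv_text, known_networks, online_windows):
    """Return (timestamp, ip, event, reasons) for every suspicious row."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        when = datetime.fromisoformat(row["timestamp"])
        addr = ip_address(row["ip"])
        reasons = []
        # Step 2: access from an unfamiliar location or IP address.
        if not any(addr in net for net in known_networks):
            reasons.append("unfamiliar IP address")
        # Step 2: account used at a time when the owner was not online.
        if not any(start <= when <= end for start, end in online_windows):
            reasons.append("activity outside the times you were online")
        # Step 3: forwarding, recovery details, synced devices, app permissions.
        if row["event"] in SETTINGS_EVENTS:
            reasons.append("account setting changed: " + row["event"])
        if reasons:
            findings.append((row["timestamp"], row["ip"], row["event"], reasons))
    return findings


if __name__ == "__main__":
    for ts, ip, event, reasons in review_activity(
        SAMPLE_ACTIVITY, KNOWN_NETWORKS, ONLINE_WINDOWS
    ):
        print(f"{ts}  {ip:<15}  {event:<17}  {'; '.join(reasons)}")
```

A familiar IP address does not clear an entry on its own: the last two sample rows come from the known network but fall outside the owner's online windows, which is what you would see if another device on the same network were used.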

If you no longer have access to the account:

Follow the recovery procedures of the different providers. Note that different services have different ways to reset the password on your account. Some will send you a link to change your password using your recovery email address, while others reset it to your last password. In the reset case it is important to change your password immediately after regaining access to your account. If these steps do not work and your account is being abused, contact one of the organizations listed above for possible support in shutting the account down.

Devices Seized

Is your device lost? Has it been stolen or seized by a third party? In any of these cases it is very important to get a clear picture of what happened, what kinds of data and accounts may be vulnerable as a result and what steps must be taken to prevent the leaking and misuse of your information, contacts and accounts.

Start by answering some simple questions:

  • What happened?
  • What sort of device are you missing? A computer, mobile phone, tablet or an external hard drive?
  • When and where did you lose the device?
  • How did you lose the device? Was it stolen by another person, taken by a state authority or did you simply lose track of it?
  • Is the device still missing?

What kinds of security protections did the device have?

  • Was the device protected by a password or other security measures?
  • Which operating system was running on the device? Was this a legal version, or was it an illegal, jailbroken or rooted version?
  • Does the device have full disk encryption turned on?
  • What state was your device in when it was lost? Were you logged in? Was the device on but password-locked? Was it sleeping or hibernating? Completely turned off?
  • Do you have remote access to the device?

What was on the device?

  • Make an inventory of the different types of sensitive information that was on your device. Examples include email, chat history, social media, contacts (email, Skype, chat, etc.), files, location data, credit card data and more.
  • What sort of base software was it using, i.e. Windows, OS X, Android, iPhone?
  • Did you use encryption tools for email or chat (such as PGP and OTR)?
  • What accounts does this device have access to? This can be email, social media, chat, IM and banking accounts that the device can access, browsers that have saved passwords to accounts, cookies that show your internet browsing history, authentication tokens such as fingerprint on iPhone 5 and accounts that use the device for secondary authentication.
  • Do your accounts have saved passwords and/or automatically log in? This is common for email, Skype and other chat programs, or if you save your passwords in your web browser instead of a password manager like KeePass.

After answering these questions, please scroll down to take the first steps to mitigate the problem:

First steps to mitigate the problem:

If your device is still missing

If your device is lost or seized by a third party and you did not get it back, the first steps to take are the following:

  • Step 1: When your device has access to accounts (email, social media or web account) remove the authorization for this device for all accounts. This can be done by going to your accounts online and changing the account permissions.
  • Step 2: Change the passwords for all accounts that are accessible by this device.
  • Step 3: Turn on 2-factor authentication for all accounts that were accessible by this device. Please note that not all accounts support 2-factor authentication [See 2-factor notes from ‘Account Hijack’ section].
  • Step 4: If you have a tool installed on your lost devices that allows you to erase the data and the history of your device, use it.

If you get your device back

If your device was lost, taken by a third party or had to be handed over at a border crossing but you have it back, be careful as you do not know who has had access to it. Depending on the level of risk you’re facing, you may want to treat the device as if it is now untrusted or compromised. Ask yourself the following questions and assess the risk that your device has been compromised:

  • How long was the device out of your sight?
  • Who potentially could have had access to it?
  • Why would they want access to it?
  • Are there signs that the device has been physically tampered with?

For more extensive threat modeling assistance see the Surveillance Self Defense Guide.

If you have lost contact with your device for an extended period of time and you feel there is a chance that something has been installed on it, please consider the following:

  • Computer: reinstall the OS from scratch and recover all documents from the last backup and scan all your documents and files with antivirus software. For more guidance on this, see cleaning up your device in the malware section.
  • Phones and tablets: Depending on your level of risk and the circumstances under which your mobile phone or tablet was taken, it may be advisable to not use it again. If possible, migrate all of the data off of your phone or tablet and purchase a new one. If you cannot change devices but you suspect it might be compromised, take precautions and do not use your phone or tablet for sensitive communication or opening sensitive files. Do not take it with you when going to sensitive meetings or have it with you when discussing sensitive topics.


Malware

‘Malware’ is malicious software that facilitates an unauthorized takeover of your device by another user, government or third party to perform surveillance functions such as recording keystrokes, stealing passwords, taking screenshots, recording audio, video and more. While most malware is designed for and utilized by criminals, state-sponsored actors have increasingly adopted malware as a tool for surveillance, espionage and sabotage. Malware is used to gain control of devices. It exploits access to the device to send out spam, seize banking, email or social media credentials, shut down websites and collect vital information from journalists, human rights defenders, NGOs, activists and bloggers. If you suspect a malware infection on your device, here are some things you can do:

Start by answering some simple questions:

  • Are you sure this is not account hijacking or a compromised password? See Account Hijacking.
  • What are your indicators of compromise?

What is an ‘indicator of compromise’ anyway?

There are many reasons why you may think your device has been infected with malware; these are called ‘indicators of compromise.’ They may include the following:

  • You opened an attachment or link that you think may have been malicious
  • Your webcam LED turns on when you are not using the webcam
  • Your accounts have been compromised multiple times, even after you have changed the password

You may also have reason to suspect your device is infected with malware if:

  • Your device was seized and then returned
  • Someone broke into your home and may have tampered with your device
  • Some of your personal data has been made public and it could only come from your personal computer
  • Your group is being targeted by a government, law enforcement, or an actor with equivalent capabilities

After answering these questions, please scroll down to take the first steps to mitigate the problem:

First steps to mitigate the problem:

After confirming that it is not an account hijacking and that there are clear indicators of compromise, there are two avenues of approach: getting your devices clean, or understanding the attack and then cleaning your devices. Your first priority may be to get your computer ‘clean’ and usable again. Finding out what has happened to you and who has targeted you may be less important to you. However, it can be very valuable to gain understanding of your adversary, their technical capabilities and whether or not the potential attacker (a government entity or other third party) is known to use internet surveillance technology. If understanding the attacker and the attack is relevant to you, it is essential that collecting and analyzing information on a potential malware infection happens before you engage in ‘cleaning’ your computer. For collecting and analyzing information on malware, continue to the section on recommended steps for a first level analyst; otherwise, proceed to the section below.

‘Cleaning’ your device

When you have chosen to clean your device without understanding the malware and attack first please keep the following in mind:

  1. There is no quick fix to clean up malware from your computer. Even after completing the following steps a very sophisticated malware infection may still be present. These steps are sufficient to remove most of the malware you are likely to encounter unless you are being targeted by a very advanced attacker.
  2. If you believe that you are being targeted by a state actor and indicators of compromise persist after cleaning up the virus detected through the steps below, disconnect the device from the internet, turn it off, unplug it, if possible remove its battery and seek the help of a security professional.


Anti-virus software can be an effective first response to protecting a device from a significant percentage of malware. However, anti-virus software is generally considered ineffective against targeted attacks, especially by state-sponsored actors. Nevertheless, it remains a valuable defensive tool against non-targeted, but still dangerous, malware. Below is a non-exhaustive list of options:

When you run anti-virus software, ensure that it is up to date. If a virus is detected the following steps are recommended.

  • Step 1: Ensure that your anti-virus software is up to date
  • Step 2: Take a screenshot of the message
  • Step 3: Continue with the recommended steps to remove the virus
  • Step 4: Following the guidelines in the Safer Communication section above, send the screenshot to a person with security expertise

DDoS mitigation

A threat faced by many independent journalists, news sites and bloggers is having their voices muted because their website is down or defaced. In many cases, this may be an innocent and frustrating problem, but on occasion, it may be due to a ‘denial of service’ attack or a website takeover. This section of the Digital First Aid Kit will walk you through some basic steps to diagnose potential problems. If your site is under a denial of service attack, some immediate options for next steps are suggested.

In general, it is important to know that there are many reasons why your website can be down. Most often this is due to programming errors or technical problems at the company that hosts the site. Sometimes, other things like legal challenges can cause a host to turn a site off as well. Finding the problem and possible solutions to your website’s problem can be cumbersome if you do not have hosting expertise. Therefore, when possible, the best first step is to contact a trusted person who can help with your website (your webmaster, the people who helped you set up your site, your internal staff if you have them and the company that hosts your site).

It is good practice to contact your webmaster and the site host after investigating these common challenges below! The problem you face may not have been reported on their status page, may be a temporary problem, or the site host may not yet be aware of the problem. A good relationship with your service providers goes a long way – be clear and polite and share the results of your investigation using these questions to help them quickly troubleshoot the problem.

Start by answering some simple questions:

Basic information

  • Who built your website? Are they available to help?
  • Who is your web hosting provider? This is the company that provides the server where your website lives. If you do not know, you can use a tool like this to help.
  • Do you have your account log in details for this hosting provider?
  • Where did you purchase your domain name? In some cases this is also your website host, but it could also be another company.
  • Do you have the log in details for the domain name service? If not, finding these is your first step to recovering your site.
  • Who else knows or may have access to these account details?

After answering these questions, please scroll down to take the first steps to mitigate the problem:

Diagnostic information

There can be different reasons why your website is down. This can range from network to policy, hosting, blocking, software, defacement and performance problems. The section below explains what each of these problems is and how to diagnose which problem you are facing.

  • Is your web host working, but your website is unavailable? Check – your site might be up, but you can’t see it. This is a network problem. Your own internet connection could be having problems or be blocking your access to your site. This could also indicate that your account has been disabled: Are you seeing a message from your web hosting provider? You could have been taken offline for billing, legal, copyright or other reasons. This is a policy problem. First, make sure your billing information is up to date and that there is no outstanding balance on your hosting services or your domain name. If the message is due to a legal issue, the resources provided by EFF, while focused on US copyright laws, are a good place to learn more.
  • Is your site not loading at all? Your hosting company may be having problems, in which case you may be facing a hosting problem. Can you visit the website of your hosting company? Note that this is not the admin section of your own site, but that of the company or organization that hosts your site. Look or search for a ‘status’ blog (e.g.; also search on for other users discussing downtime at the host – a simple search like ‘(company name) down’ can often reveal whether others are having the same problem.
  • Can you visit other sites with similar content to your site? Try visiting websites related to yours or covering similar issues. Also try using Tor or Psiphon to access your site. If this helps, you have a blocking problem – you are still online for other parts of the world, but are being censored in your own country.
  • Are you seeing error messages? This could be a software problem. You should reflect on any recent changes you or your team may have made and contact your webmaster. Sending your webmaster a screenshot, the link of the page you are having problems with and any error messages you see will help them figure out what might be causing the problem. You might also copy the error messages into a search to see if they are easily fixed.
  • Are you seeing a website that is not yours? Are you receiving a warning from your browser about malware on your own site? This could be a defacement problem. See below for next steps; you will need to work with your web hosting provider and review the Account Hijacking section.
  • Is your site loading intermittently or unusually slowly? Your site may be overwhelmed by the number and speed of requests for pages it is receiving – this is a performance problem. This could be ‘good’ insofar as your site has become more popular and it simply needs some improvements to respond to more readers – check your site analytics for a long-term pattern in growth. Contact your webmaster or hosting provider for guidance. Many popular blogging and CMS platforms (Joomla, WordPress, Drupal and others) have plugins to help cache your website locally and integrate CDNs, which can dramatically improve site performance and resilience. Many of the solutions below can also help performance problems.

Establishing Trust

Above, we mention some basic ways to begin to establish trust between someone seeking help and someone helping out. This section addresses how to add a technical layer of trust onto that, and understand the tools that help you maintain a secure conversation with only the person you think you’re conversing with. It’s important to note that while this section is rather technical, do the best you can – it is better to use encryption tools than to not use them!

Encryption tools like OTR (“Off The Record”) and PGP (“Pretty Good Privacy”) provide many benefits. Encrypted messages or files with OTR or PGP are protected from anyone peeking at them or tampering with them from when they leave your computer until they reach their destination. The problem, though, is knowing for certain if their destination is the ‘right’ one.

To use encryption tools like these, you must know the right address to send the encrypted message to – this is not just an email account or IM nickname, but requires more specific information – the encryption ‘key’ that goes with that account. Most of this is managed by your computer, but it is important for you to provide the final sign-off! Theoretically, if you were trying to establish secure communications with someone, an attacker could replace the specific encryption information with their own and read your communication. To defend against this, there are a few tricks.

Website Trust

Secure websites (those starting with HTTPS) have a system where browsers rely on a limited number of trustworthy companies to manage this. This makes it relatively easy for users, but if any of these companies are compromised (which has happened!) or are willing to cooperate with a government that may be a threat to you, the entire trust network becomes a problem (this same model is also used for a specific type of email security which is called S/MIME).