Identification

One principle that is often discussed in forensic science is Locard's exchange principle. This principle postulates that, when two objects come into contact, they leave a trace on each other. For example, if you walk into a house with carpeting, dirt from your shoes is left on the carpet, and the carpet leaves fibers on the soles of your shoes.

These exchanged traces form the basis of what is termed trace evidence in the physical forensics world. In the digital world, very similar trace evidence is often left when two systems come into contact with each other. For example, if an individual browses a website, the web server or web application firewall may record the individual's IP address in its access log. The website may also deposit a cookie on the individual's laptop. Just as in the physical world, evidence exchanged in this manner may be temporary, and our ability to observe it is limited by the tools and knowledge we currently have.

This principle can guide the identification of potential sources of evidence during an incident. For example, if a CSIRT is attempting to determine the root cause of a malware infection on a system, it will start by analyzing the infected system. Because much malware communicates with a command-and-control (C2) server, analysts can search firewall connection or proxy logs for outbound traffic from the infected system to external IP addresses. A review of those destination IP addresses may reveal the C2 server and, potentially, more details about the particular malware variant that has infected the system.
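The log search described above, as an added example that is not from the original text: it parses constructed firewall connection log lines, keeps only connections whose source is the suspected-infected host and whose destination lies outside the internal address space, and ranks the external destinations by connection count with first- and last-seen timestamps. The whitespace-separated field layout, the use of RFC 1918, loopback and link-local ranges as "internal", and the sample lines themselves are assumptions; the documentation ranges 198.51.100.0/24 and 203.0.113.0/24 stand in for public addresses.

```python
"""Find outbound connections from a suspected-infected host in firewall
connection logs and rank the external destinations they reach.
Added example; log format and address plan are assumptions."""
import ipaddress
from collections import defaultdict

# Assumed internal ranges: RFC 1918, loopback, link-local. A real deployment
# would substitute the organization's own address plan here.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16",
)]

# Constructed sample log. Assumed field layout:
#   timestamp src_ip src_port dst_ip dst_port proto action
# 198.51.100.0/24 and 203.0.113.0/24 are documentation ranges used as
# stand-ins for public (external) addresses.
SAMPLE_LOG = """\
2024-03-01T10:00:01Z 10.0.5.23 51234 10.0.0.5 445 tcp allow
2024-03-01T10:00:07Z 10.0.5.23 51240 198.51.100.17 443 tcp allow
2024-03-01T10:05:07Z 10.0.5.23 51311 198.51.100.17 443 tcp allow
2024-03-01T10:10:08Z 10.0.5.23 51402 198.51.100.17 443 tcp allow
2024-03-01T10:10:09Z 10.0.5.23 51403 203.0.113.9 80 tcp allow
2024-03-01T10:11:00Z 10.0.7.8 40011 198.51.100.17 443 tcp allow
2024-03-01T10:12:00Z 10.0.5.23 51410 8.8.8.8 53 udp allow
this line is malformed and must be skipped
"""


def parse_line(line):
    """Parse one log line into a dict; return None if it does not fit the layout."""
    fields = line.split()
    if len(fields) != 7:
        return None
    ts, src, sport, dst, dport, proto, action = fields
    try:
        src_ip = ipaddress.ip_address(src)
        dst_ip = ipaddress.ip_address(dst)
        sport, dport = int(sport), int(dport)
    except ValueError:
        return None
    return {"ts": ts, "src": src_ip, "sport": sport, "dst": dst_ip,
            "dport": dport, "proto": proto, "action": action}


def is_external(addr):
    """True if the address is outside every assumed internal range."""
    return not any(addr in net for net in INTERNAL_NETS)


def outbound_external(log_text, infected_host):
    """Return records where src is the infected host and dst is external."""
    host = ipaddress.ip_address(infected_host)
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # malformed line: skip rather than abort the hunt
        if rec["src"] == host and is_external(rec["dst"]):
            hits.append(rec)
    return hits


def rank_destinations(records):
    """Group by (dst, dport, proto); sort by connection count, most frequent first.

    ISO 8601 timestamps sort lexically, so min/max give first/last seen."""
    groups = defaultdict(list)
    for r in records:
        groups[(str(r["dst"]), r["dport"], r["proto"])].append(r["ts"])
    ranked = [
        {"dst": dst, "dport": dport, "proto": proto, "count": len(stamps),
         "first_seen": min(stamps), "last_seen": max(stamps)}
        for (dst, dport, proto), stamps in groups.items()
    ]
    ranked.sort(key=lambda d: (-d["count"], d["dst"]))
    return ranked


if __name__ == "__main__":
    for d in rank_destinations(outbound_external(SAMPLE_LOG, "10.0.5.23")):
        print(f'{d["dst"]}:{d["dport"]}/{d["proto"]}  count={d["count"]}  '
              f'first={d["first_seen"]}  last={d["last_seen"]}')
```

The destinations at the top of the ranking are candidates, not conclusions: the next step is to check each against threat intelligence and the host's own process and network artifacts before calling any of them the C2 server.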

It should be noted, though, that threat actors can manipulate digital evidence with relative ease, so reliance on a single piece of digital evidence without other corroborating evidence should always be treated with caution; it should be verified before it is trusted.
