Incident response spans a wide range of disciplines, from legal to scientific. CSIRT members responsible for conducting digital forensics examinations should be very familiar with the legal and technical aspects of digital forensics. In addition, they should be familiar with the wide variety of tools and equipment necessary to acquire, examine, and present data discovered during an examination. The proper application of forensic techniques is critical to provide insight into the chain of events that led to the deployment of the CSIRT to investigate an incident. This chapter initially delved into the various legal aspects of digital forensics, such as the rules of evidence and laws pertaining to cybercrime. Next, the science of digital forensics was discussed, providing an understanding of how techniques should be applied to investigations. To enhance this knowledge, we looked at how these techniques fit into a framework of digital investigations. This led to an overview of the various tools available for digital forensics examiners.

In the next chapter, the focus will be on jumping onto the wire, with a discussion of network forensics.