Law Investigation, Forensics, and Ethics ◾ 383
© 2011 by Taylor & Francis Group, LLC
respond to an incident? This is a question that management needs to address. In
doing this, consideration should be placed on how a team will be put together to
deal with an incident. This needs to not only include information technology and
corporate counsel, but should incorporate other aspects of the organization such as
public affairs, public relations, and human resources.
Most importantly, teams need to be trained to stay calm. To do this, they need
to prepare before the incident. They also need somewhere to work. One of the key
aspects of creating an incident response team is preparing a war room in advance.
This is a secure room that can facilitate discussion and the display of evidence in
a meaningful manner. It is important that this room has a lockable door.
In preparing the team, ensure that regular drills occur. Just like fire drills, it is essential
to have people work through different scenarios in advance of an incident so that they
know how to respond during a crisis. Unannounced drills are particularly effective.
Evidence Preservation
Document everything! Maintain copious notes of everything you do. In digital
investigations, the most critical thing to remember is documentation, or maintain-
ing the chain of custody. Documentation must be maintained from the beginning
to end of the engagement. Having an improper chain of evidence is worse than
having no evidence at all!
Document the system's hardware configuration. After you have moved the sys-
tem to a secure location where an appropriate chain of custody can be maintained,
it is crucial to photograph it from all sides. Take pictures as
documentation of the system hardware components and how the connections and
cables are arranged.
Document the system date and time. Documenting the system date and time is
extremely important. An incorrect date and time stamp can allow the refuting of evi-
dence and call into question the integrity of the findings. Even if everything else occurs
perfectly, the mere fact that it got to this point will impact the entire investigation.
Document file names, dates, and times on the system and create a timeline. The
file name, creation date, and last modified date and time are of vital importance
from an evidentiary standpoint when admitting digital evidence. The file name,
size, content, and creation and modified dates have to be documented.
Document all of the findings. It is essential to document the results and evi-
dence sequentially as the issues are recognized and evidence is discovered. A proper
record of all the software employed in evaluation of the evidence should be pre-
pared. Include the software license and the screen prints to show how software was
used in the evidence collection process.
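The file documentation and timeline steps above, as an added example that is not part of the original text: it records each file's name, size, SHA-256 hash and last-modified time together with the examiner's own UTC clock reading, orders the entries into a timeline, and later re-hashes the files so any change after collection shows up. The sample directory and its three files are constructed inside the code.

```python
"""Constructed evidence inventory and timeline builder (added example).
Records name, size, SHA-256 and mtime of each file, orders a timeline,
and re-verifies hashes so changes after collection are detectable."""
import hashlib
import os
import tempfile
from datetime import datetime, timezone
from pathlib import Path

def sha256_of(path: Path) -> str:
    """Hash in chunks so large files do not exhaust memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def inventory(root: Path) -> dict:
    """Record every file under root plus the examiner's own UTC clock
    reading, so a skewed system clock can be reconciled later."""
    entries = []
    for p in sorted(root.rglob("*")):
        if p.is_file():
            st = p.stat()
            entries.append({"path": str(p.relative_to(root)), "size": st.st_size,
                            "sha256": sha256_of(p),
                            "modified": datetime.fromtimestamp(st.st_mtime, tz=timezone.utc)})
    return {"recorded_at": datetime.now(timezone.utc), "entries": entries}

def timeline(record: dict) -> list:
    """Order the inventory by modification time, oldest first."""
    return sorted(record["entries"], key=lambda e: (e["modified"], e["path"]))

def verify(record: dict, root: Path) -> list:
    """Re-hash the files; return paths whose contents no longer match."""
    return [e["path"] for e in record["entries"]
            if sha256_of(root / e["path"]) != e["sha256"]]

def demo() -> dict:
    """Constructed sample: three files with chosen mtimes, one altered later."""
    root = Path(tempfile.mkdtemp())
    for name, mtime in (("log.txt", 1700000100), ("note.txt", 1700000000),
                        ("cfg.ini", 1700000200)):
        (root / name).write_text(f"sample {name}\n")
        os.utime(root / name, (mtime, mtime))  # fix mtime so the timeline is known
    record = inventory(root)
    (root / "log.txt").write_text("altered after collection\n")
    return {"order": [e["path"] for e in timeline(record)],
            "tampered": verify(record, root)}
```

Running `demo()` yields the timeline order `note.txt, log.txt, cfg.ini` and reports `log.txt` as changed since collection; in a real engagement the inventory record itself would be stored with the case notes and its own hash logged.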
The admissibility of evidence in a court is determined by the relevance, reliabil-
ity, and legal permissibility of the evidence.