

Computer Science Jan 14, 2022

Evidence Collection Policy

Scenario

After the recent security breach, Always Fresh decided to form a computer security incident response team (CSIRT). As a security administrator, you have been assigned the responsibility of developing a CSIRT policy that addresses incident evidence collection and handling. The goal is to ensure all evidence collected during investigations is valid and admissible in court.

Consider the following questions for collecting and handling evidence:

1. What are the main concerns when collecting evidence?

2. What precautions are necessary to preserve evidence state?

3. How do you ensure evidence remains in its initial state?

4. What information and procedures are necessary to ensure evidence is admissible in court?

Tasks

Create a policy that ensures all evidence is collected and handled in a secure and efficient manner. Remember, you are writing a policy, not procedures. Focus on the high-level tasks, not the individual steps.

Address the following in your policy:

  • Description of information required for items of evidence
  • Documentation required in addition to item details (personnel, description of circumstances, and so on)
  • Description of measures required to preserve initial evidence integrity
  • Description of measures required to preserve ongoing evidence integrity
  • Controls necessary to maintain evidence integrity in storage
  • Documentation required to demonstrate evidence integrity

Expert Solution

Evidence Collection Policy


Introduction

This paper discusses the guidelines a computer security incident response team should follow to ensure that evidence is obtained by the best means possible and is authenticated and legitimate when presented as proof in a court of law. Always Fresh, the organization I work for, recently encountered a security breach, and as the security administrator I have been obligated to develop a computer security incident response team (CSIRT). A computer security incident is an observed event in a network, system, or electronic component that causes, or risks causing, adverse effects; examples include execution of malicious code that deletes or copies data, theft of computer media or parts, website defacement, system crashes, and network packet floods.

Computer Incident Evidence Collection Policy

When securing evidence, it is crucial to understand the policy for tracing the attacker, where to find the necessary proof, and the methods required to collect it. This segment discusses protecting proof; assembling evidence, whether physical or digital; handling powered-on machines; shutting down machines; navigating networked computers; managing operating systems and system files; and obtaining proof from social networks. Any individual acting as first responder should document the scene, protect the area of the crime, and possess the skills and authority required.

The type of evidence determines which collection method is used, whether the source is physical evidence or social networks. For physical evidence, the following qualities are considered:

  • Model
  • Power standing
  • Network standing and type of network
  • Back up intervals
  • Approval of authorities and native management

Physical evidence collection

Collect all electronic devices and other media found at the scene of the crime for forensic investigation. Capture storage media such as hard drives, memory cards, and universal serial bus peripherals. Portable devices such as phones, personal digital assistants, and multimedia devices are also necessary during collection (Leighton J, 2013). Global positioning system receivers provide information such as chat logs, browsing history sessions, pictures, contacts, emails, the money trail, and files. Reports produced by peripheral devices such as printers and scanners, and telephone logs, contain valuable proof. Physical evidence should include:

  • Removable media
  • Cables
  • Publications
  • All personal computer equipment
  • Trash items
  • Miscellaneous things

For powered-on machines, the first responder should take care not to destroy evidence such as the contents of random-access memory and cache files. Careful movement and transportation are essential to preservation, as any improper handling results in data loss. A summary of these events should be detailed in an EC-Council Certified Incident Handler document to show the progress of the forensic investigation conducted by the computer incident response team. The data collected should be categorized in a systematic order for analysis.

Social Network Evidence Collection

The number of individuals on social networking sites is massive. The use of social networks for illegal purposes has created an opportunity for evidence collection, especially within the social forensics work of computer incident response teams. Social media forensics depends on a limited set of information and on the service provider's cooperation in releasing it. When collecting data from social media, the following factors are considered:

  • Social footprint 
  • Activity period
  • Footage and videos
  • Pattern of communication
  • Usage of applications
  • Pattern of interaction
  • Timestamps of activity
  • Location of user

Evidence collection and analysis obtain proof and support the follow-up investigation of the criminal evidence obtained from a computer incident. For threat intelligence, evidence is obtained in various ways. Proper documentation should be kept at each stage of the process to support the evidence and the analysis. Interpretation should be precise and consistently maintained so that the evidence is admissible within a court of law (Johansen G, 2017). No action by the authorities or the chain of command should alter evidence in any way. If a person must obtain such data, he or she should be highly competent, meeting standards equivalent to those of an EC-Council Certified Incident Handler.
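The integrity requirements described above (documentation at each stage, evidence that is never altered, and proof of that when the evidence reaches court) are usually met with a hash-based chain of custody. The following Python is an added illustration written for this page, not part of the original solution or of any Always Fresh procedure: it records each handling event together with a SHA-256 digest of the item and links the entries in a hash chain, so that both a modified evidence file and a back-dated custody record are detected. The evidence IDs, names, timestamps and the byte string standing in for a disk image are constructed sample values.

```python
"""Added example (not part of the original policy): a minimal chain-of-custody
ledger that records each handling event for an item of evidence together with a
SHA-256 digest of the item, and links entries with a hash chain so that both the
evidence and the record of its handling can be checked for tampering.
All evidence bytes, names and timestamps below are constructed sample values.
"""
import hashlib
import json
from dataclasses import dataclass, asdict
from typing import List


def sha256_hex(data: bytes) -> str:
    """Digest of an evidence item (disk image, memory capture, export file)."""
    return hashlib.sha256(data).hexdigest()


@dataclass(frozen=True)
class CustodyEntry:
    evidence_id: str      # label assigned when the item was seized
    description: str      # what the item is (model, media type, source)
    action: str           # collected / transferred / stored / analysed ...
    handler: str          # person responsible at this step
    timestamp: str        # ISO-8601 time recorded by the handler
    evidence_sha256: str  # digest of the item at this step
    prev_entry_hash: str  # entry_hash of the previous entry ("" for the first)
    entry_hash: str       # digest of this entry's other fields


def _entry_digest(fields: dict) -> str:
    # Canonical JSON so the digest does not depend on key ordering.
    return sha256_hex(json.dumps(fields, sort_keys=True).encode())


class CustodyLog:
    def __init__(self) -> None:
        self.entries: List[CustodyEntry] = []

    def record(self, evidence_id: str, description: str, action: str,
               handler: str, timestamp: str, evidence: bytes) -> CustodyEntry:
        """Append one handling event, hashing the item and chaining to the last entry."""
        fields = {
            "evidence_id": evidence_id,
            "description": description,
            "action": action,
            "handler": handler,
            "timestamp": timestamp,
            "evidence_sha256": sha256_hex(evidence),
            "prev_entry_hash": self.entries[-1].entry_hash if self.entries else "",
        }
        entry = CustodyEntry(**fields, entry_hash=_entry_digest(fields))
        self.entries.append(entry)
        return entry

    def verify_chain(self) -> bool:
        """True when every entry is unmodified and correctly linked to its predecessor."""
        prev = ""
        for e in self.entries:
            fields = asdict(e)
            fields.pop("entry_hash")
            if e.prev_entry_hash != prev or _entry_digest(fields) != e.entry_hash:
                return False
            prev = e.entry_hash
        return True

    def verify_evidence(self, evidence: bytes) -> bool:
        """True when the item in hand still matches the digest taken at collection."""
        return bool(self.entries) and sha256_hex(evidence) == self.entries[0].evidence_sha256

    def digests_consistent(self) -> bool:
        """True when no handling step recorded a different digest (ongoing integrity)."""
        return len({e.evidence_sha256 for e in self.entries}) <= 1


def demo() -> dict:
    # Constructed stand-in for an acquired disk image; a real log would hash the image file.
    image = b"ALWAYS-FRESH-WS07 disk image (constructed sample bytes)"
    item, desc = "AF-2022-001", "Workstation WS07, 500 GB SATA drive, forensic image"
    log = CustodyLog()
    log.record(item, desc, "collected", "J. Doe (first responder)", "2022-01-14T09:12:00Z", image)
    log.record(item, desc, "transferred", "A. Smith (evidence custodian)", "2022-01-14T10:05:00Z", image)
    log.record(item, desc, "stored", "A. Smith (evidence custodian)", "2022-01-14T10:20:00Z", image)

    # Scenario 1: a single byte appended to the image after collection.
    tampered_image = image + b"\x00"

    # Scenario 2: someone back-dates the transfer entry without recomputing the chain.
    altered = CustodyLog()
    altered.entries = list(log.entries)
    e = altered.entries[1]
    altered.entries[1] = CustodyEntry(**{**asdict(e), "timestamp": "2022-01-14T09:30:00Z"})

    return {
        "chain_ok": log.verify_chain(),
        "digests_consistent": log.digests_consistent(),
        "evidence_ok": log.verify_evidence(image),
        "tampered_evidence_detected": not log.verify_evidence(tampered_image),
        "altered_record_detected": not altered.verify_chain(),
    }


if __name__ == "__main__":
    print(demo())
```

In practice the ledger entries would be written to append-only storage (or signed by the custodian) so that the chain itself cannot be silently rebuilt; the hash chain here shows what the documentation must prove, which is that neither the item nor the record of its handling changed between collection and presentation.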

Conclusion

Preservation of evidence is vital in computer incident response. Evidence is only meaningful if it is reliable, current, and controlled. A high-quality evidence collection policy consists of properly trained individuals, software, recommended instrumentation, and step-by-step procedures to guarantee suitable output for the investigation.
