Guideline Data Acquisition for Investigation Purposes
IT security incidents are sometimes of such a nature that the organisation affected by the incident wants to pursue prosecution. However, the facts are often not immediately communicated to the police, for a variety of reasons, including the fact that their scope and nature are not clear from the beginning. For prosecution to be successful, the chain of custody needs to be preserved in a legally accepted manner, which requires the evidence to be preserved immediately after the detection of the incident.
It should be noted that communication to law enforcement authorities must be made as soon as possible after discovery of the facts, given the volatility of traces and the actions that could otherwise be taken (Internet identification, etc.). The purpose of the guidelines in this white paper is to help IT services preserve evidence in an IT security incident in such a way that the investigation by IT security experts or law enforcement authorities can be carried out in an optimal manner.