Section 5

Incident Evidence

There are many types of computer-based and network-based incidents that produce documentable evidence available for investigation. One of the major requirements for handling incident evidence is known as the chain of custody. In any incident response activity, evidence handling has four primary areas.


Keywords: data collection; evidence; chain of custody; image copy
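To make the chain-of-custody and image-copy ideas above concrete, here is an added example (not code from the book or its authors) showing how a responder can verify that a working copy of a forensic image matches the original, and keep a tamper-evident custody log in which each entry commits to the previous one. The evidence identifier, handler names, timestamps and the sample image bytes are all constructed for illustration.

```python
"""Evidence integrity and chain-of-custody helpers (added example, not book code).

Assumptions (not from the page): the evidence identifier, handler names,
timestamps and the sample image bytes below are constructed for illustration.
"""
import hashlib
import hmac
import json
from typing import Dict, List

# Constructed stand-in for a forensic image; a real one is a disk or memory dump.
SAMPLE_IMAGE = b"CONSTRUCTED-SAMPLE-IMAGE: not a real disk image\n" * 64
GENESIS = "0" * 64  # previous-hash value for the first log entry


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 digest of evidence bytes."""
    return hashlib.sha256(data).hexdigest()


def verify_image_copy(original: bytes, copy: bytes) -> bool:
    """A working copy is only usable if its hash matches the original's."""
    return hmac.compare_digest(sha256_hex(original), sha256_hex(copy))


def _entry_hash(entry: Dict[str, str]) -> str:
    """Hash every field of a log entry except its own hash, in a canonical order."""
    body = {k: v for k, v in entry.items() if k != "entry_hash"}
    return sha256_hex(json.dumps(body, sort_keys=True).encode())


def record_custody(log: List[Dict[str, str]], evidence_id: str, action: str,
                   handler: str, digest: str, timestamp: str) -> Dict[str, str]:
    """Append a custody event; each entry chains to the previous entry's hash."""
    entry = {
        "evidence_id": evidence_id,
        "action": action,
        "handler": handler,
        "evidence_sha256": digest,
        "timestamp": timestamp,
        "prev_hash": log[-1]["entry_hash"] if log else GENESIS,
    }
    entry["entry_hash"] = _entry_hash(entry)
    log.append(entry)
    return entry


def verify_custody_log(log: List[Dict[str, str]], evidence_digest: str) -> bool:
    """Check the hash chain and that every entry records the same evidence hash."""
    prev = GENESIS
    for entry in log:
        if entry["prev_hash"] != prev:
            return False  # entries reordered or removed
        if not hmac.compare_digest(entry["entry_hash"], _entry_hash(entry)):
            return False  # a field was edited after the fact
        if entry["evidence_sha256"] != evidence_digest:
            return False  # the evidence itself changed between handlers
        prev = entry["entry_hash"]
    return True


def build_sample_log() -> List[Dict[str, str]]:
    """Constructed custody history: acquisition, then hand-off to a second analyst."""
    digest = sha256_hex(SAMPLE_IMAGE)
    log: List[Dict[str, str]] = []
    record_custody(log, "EV-0001", "acquired", "analyst-a", digest, "2024-01-01T10:00:00Z")
    record_custody(log, "EV-0001", "transferred", "analyst-b", digest, "2024-01-01T12:30:00Z")
    return log


if __name__ == "__main__":
    custody_log = build_sample_log()
    print("copy ok:", verify_image_copy(SAMPLE_IMAGE, bytes(SAMPLE_IMAGE)))
    print("log ok:", verify_custody_log(custody_log, sha256_hex(SAMPLE_IMAGE)))
```

The log here is only as trustworthy as its storage; in practice each entry would also be signed or written to append-only storage, and the image hash would be recorded on the acquisition worksheet at collection time so later copies can be checked against it.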

Attacks on information systems and networks have become more numerous, sophisticated, and severe over the past few years. While preventing such attacks would be the ideal course of action for any organization or agency, not all information system security incidents can be prevented. Security incident response team (SIRT) managers are often held responsible ...
