Acquiring and Managing Incident Evidence

One of an investigation’s goals is to discover evidence that answers the who, what, when, where, why, and how questions you learned about in the previous section. The evidence you collect drives the discovery of facts, and the same evidence may provide the proof needed to secure a legal finding in your favor.

Treat every investigation as if it will end up in court. When you begin a new investigation, you don’t know how it will be resolved. Any investigation can end up as an internal matter. Alternatively, it could end up in civil or criminal court. Ensure that any evidence you collect will be useful in court if that’s where you end up.

Your investigation should produce evidence of an incident ...