The documentation that a system administrator or a computer forensics expert must produce is extremely detailed. They must document not only what evidence was gathered, but also how it was gathered and with which tools. Incident documentation should use consistent naming conventions for forensic tool output. Stamp logs with the time, the date, and the identity of the person performing the forensic collection. Document as much information about the security incident as possible. These best practices provide an audit trail for the information collection process.

Even if you are not a system administrator or computer forensics expert, it is a good habit to create detailed documentation of all the work that you do. If you discover illegal activity on a computer or network on which you are working, at a minimum, document the following:

First responders want to know what you have done and what you have not done. Your documentation may become part of the evidence in the prosecution of a crime. If you make additions or changes to this documentation, it is critical that you inform all interested parties.

Chain of Custody

For evidence to be admitted, it must be authenticated. A system administrator may testify about the evidence that was collected. But he or she must also be able to prove how this evidence was collected, where it has been physically stored, and who has had access to it between the time of collection and its entry into the court proceedings. This is known as the chain of custody. To prove the chain of custody, first responders have documentation procedures in place that track the collected evidence. These procedures also prevent evidence tampering so that the integrity of the evidence can be ensured.
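The following is an added example, not part of the course text, of how the documentation practices described above (timestamp, collector identity, tool, consistent output naming) and the chain-of-custody requirement (who held the evidence, and proof that it was not altered) can be recorded in machine-checkable form. Each log entry carries a SHA-256 hash of the evidence and a hash of the previous entry, so editing or deleting an entry in a copy of the log is detectable. The evidence bytes, names and identifiers are constructed for the example; the `.out` naming convention is an assumption, not one prescribed by the text.

```python
"""Minimal hash-chained chain-of-custody log (added example, constructed data).

Every entry records who collected what, when (UTC), with which tool, the
file name used for the tool's output, and a SHA-256 of the evidence.
Entries are linked by hash so that altering or removing one is detectable.
"""
import hashlib
import json
from datetime import datetime, timezone
from typing import List, Optional, Tuple

GENESIS = "0" * 64  # prev-hash value used by the first entry in a log


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 digest of raw evidence bytes (disk image, log file, ...)."""
    return hashlib.sha256(data).hexdigest()


def entry_digest(entry: dict) -> str:
    """Digest of an entry over its canonical JSON form, excluding its own digest."""
    body = {k: v for k, v in entry.items() if k != "entry_sha256"}
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return sha256_hex(canonical)


def output_name(evidence_id: str, tool: str, timestamp: str) -> str:
    """Consistent naming convention for tool output: <evidence>_<tool>_<UTC stamp>.out
    (assumed convention). Separators are dropped so the name is filesystem-safe."""
    stamp = timestamp.replace(":", "").replace("-", "")
    return f"{evidence_id}_{tool}_{stamp}.out"


def add_entry(log: List[dict], evidence_id: str, evidence: bytes, collector: str,
              tool: str, action: str, timestamp: Optional[str] = None) -> dict:
    """Append one custody entry; `timestamp` is ISO-8601 UTC and defaults to now."""
    if timestamp is None:
        timestamp = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    entry = {
        "evidence_id": evidence_id,
        "timestamp": timestamp,
        "collector": collector,
        "tool": tool,
        "action": action,                      # e.g. acquired, hashed, transferred
        "output_file": output_name(evidence_id, tool, timestamp),
        "evidence_sha256": sha256_hex(evidence),
        "prev_entry_sha256": log[-1]["entry_sha256"] if log else GENESIS,
    }
    entry["entry_sha256"] = entry_digest(entry)
    log.append(entry)
    return entry


def verify_log(log: List[dict]) -> Tuple[bool, str]:
    """Recompute every entry digest and back-link; return (ok, reason)."""
    prev = GENESIS
    for i, entry in enumerate(log):
        if entry.get("prev_entry_sha256") != prev:
            return False, f"entry {i}: link to previous entry is broken (entry missing or reordered)"
        if entry_digest(entry) != entry.get("entry_sha256"):
            return False, f"entry {i}: contents were altered after being recorded"
        prev = entry["entry_sha256"]
    return True, "log intact"


def verify_evidence(log: List[dict], evidence_id: str, evidence: bytes) -> bool:
    """Check that the evidence bytes still match the hash recorded at collection."""
    recorded = [e for e in log if e["evidence_id"] == evidence_id]
    digest = sha256_hex(evidence)
    return bool(recorded) and all(e["evidence_sha256"] == digest for e in recorded)


if __name__ == "__main__":
    custody: List[dict] = []
    image = b"constructed sample: bytes of an acquired drive image"  # constructed
    add_entry(custody, "EV-001", image, "J. Doe (sysadmin)", "dd", "acquired",
              "2024-01-15T10:30:00Z")
    add_entry(custody, "EV-001", image, "J. Doe (sysadmin)", "sha256sum", "hashed",
              "2024-01-15T10:31:00Z")
    print(json.dumps(custody, indent=2))
    print(verify_log(custody), verify_evidence(custody, "EV-001", image))
```

The chained digests let a reviewer detect that a copy of the log was edited, reordered, or trimmed, and the per-entry evidence hash shows whether the evidence itself changed between collection and presentation. They do not by themselves stop someone with write access from regenerating the whole chain; for that the log should be kept in write-once storage or have its entries signed by the collector, which is the role the formal custody procedures mentioned above play.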

Incorporate computer forensics procedures into your approach to computer and network security to ensure the integrity of the data. These procedures help you capture necessary data in the event of a network breach. Ensuring the viability and integrity of the captured data helps you prosecute the intruder.