Intrusion detection systems can and should be used for collecting proof of unauthorized activity. They provide the following functional capabilities:
Logging events that take place during an attack, and saving this information for future analysis
Imitating non-existent applications in order to deceive the intruder (the so-called deception mode)
Enhanced analysis of the log files created by the system and application software, database servers, web servers, and so on
The possibility of investigating security events before taking any specific action
Obtaining information on the intruder, including the DNS name and the MAC, NetBIOS, and IP addresses of the attacking host
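As an added example (not code from the original text), the following Python script shows the first, third and last capabilities in the list working together: it parses constructed sshd/syslog-style lines, flags a source address that repeatedly fails authentication, records what is known about that source (IP address, target host, usernames tried, timestamps, the raw lines), and stores each finding in a hash-chained evidence log so that later alteration of the saved proof can be detected. The log format, the threshold of three failures and all sample addresses are assumptions.

```python
"""Log analysis and evidence preservation for an IDS-style detector.
Added example; thresholds, log format and sample data are assumptions."""
import hashlib
import json
import re
from collections import defaultdict

# Constructed sample lines in an sshd/syslog-like format (not real data).
SAMPLE_LOG = """\
Mar 10 08:01:12 gw sshd[4121]: Failed password for root from 198.51.100.23 port 51022 ssh2
Mar 10 08:01:14 gw sshd[4121]: Failed password for root from 198.51.100.23 port 51023 ssh2
Mar 10 08:01:15 gw sshd[4121]: Failed password for admin from 198.51.100.23 port 51024 ssh2
Mar 10 08:01:17 gw sshd[4121]: Failed password for root from 198.51.100.23 port 51025 ssh2
Mar 10 08:02:01 gw sshd[4130]: Accepted publickey for alice from 192.0.2.10 port 40000 ssh2
Mar 10 08:03:40 gw sshd[4135]: Failed password for bob from 192.0.2.11 port 40321 ssh2
"""

FAILED_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port (?P<port>\d+)"
)
THRESHOLD = 3  # assumed: flag a source after this many failures


def parse_failures(text):
    """Return one record per failed-login line found in syslog-style text."""
    records = []
    for line in text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["port"] = int(rec["port"])
            rec["raw"] = line  # keep the original line as evidence
            records.append(rec)
    return records


def detect_bruteforce(records, threshold=THRESHOLD):
    """Group failures by source IP and report every source at or over threshold."""
    by_ip = defaultdict(list)
    for r in records:
        by_ip[r["ip"]].append(r)
    findings = []
    for ip, recs in by_ip.items():
        if len(recs) >= threshold:
            findings.append({
                "source_ip": ip,
                "target_host": recs[0]["host"],
                "attempts": len(recs),
                "usernames": sorted({r["user"] for r in recs}),
                "first_seen": recs[0]["ts"],
                "last_seen": recs[-1]["ts"],
                "evidence": [r["raw"] for r in recs],
            })
    return findings


def chain_evidence(findings, prev_hash="0" * 64):
    """Serialize each finding with a SHA-256 link to the previous entry.
    A reviewer can recompute the chain later; a modified or removed entry breaks it."""
    entries = []
    for f in findings:
        body = json.dumps(f, sort_keys=True)
        digest = hashlib.sha256((prev_hash + body).encode()).hexdigest()
        entries.append({"prev": prev_hash, "finding": f, "hash": digest})
        prev_hash = digest
    return entries


def verify_chain(entries, genesis="0" * 64):
    """Recompute every hash; return True only if each link is intact."""
    prev = genesis
    for e in entries:
        body = json.dumps(e["finding"], sort_keys=True)
        expected = hashlib.sha256((prev + body).encode()).hexdigest()
        if e["prev"] != prev or expected != e["hash"]:
            return False
        prev = e["hash"]
    return True


if __name__ == "__main__":
    found = detect_bruteforce(parse_failures(SAMPLE_LOG))
    chain = chain_evidence(found)
    for e in chain:
        print(e["finding"]["source_ip"], e["finding"]["attempts"], e["hash"][:16])
    print("chain intact:", verify_chain(chain))
```

Running it reports 198.51.100.23 with four attempts against two usernames and confirms the chain verifies; the single failure from 192.0.2.11 stays below the threshold and is not reported. The hash chain is a simple stand-in for the integrity controls a real evidence store needs (write-once storage, signing, synchronized clocks); it shows why an IDS should preserve the raw lines rather than only a summary, since the raw lines are what an investigator will be asked to produce.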