Conclusions


Although computer forensics might be a technically simple task, the exact steps can be difficult to follow in every case. The "best evidence" rule must be considered when the situation prevents the investigator from following the standard steps exactly. In most cases, if the investigator takes a certain degree of care to protect the evidence from modification and tampering and can demonstrate why certain steps were omitted, the evidence will probably still be admissible.

Advanced forensics, however, should also be considered the realm of the properly trained expert, not the well-intentioned amateur. The risk of destroying evidence, damaging critical machines, and exposing the company to liability is high. When in doubt, the incident response team should limit itself to securing the area and the evidence and should rely on expert outside assistance for the actual investigation.

Again, where large volumes of data are available or where the incident response team does not have specific expertise on the suspect machine, outside assistance might be invaluable. In other cases, IT operations might have the only available knowledge of proprietary applications or legacy systems. Assuming that there are no reasons to exclude operations personnel (that is, they are not suspects), these administrators can be vital to the conduct of the investigation. When they must be excluded, the incident response team must accept (and inform management) that it might not be possible to completely examine all the data.

Incident Response: A Strategic Guide to Handling System and Network Security Breaches
ISBN: 1578702569
Year: 2002
Pages: 103