NIST SP 800-61
Handling an Incident
3.2. Evidence Gathering and Handling
Although the primary reason for gathering evidence during an incident is to resolve the incident, it may
also be needed for legal proceedings. In such cases, it is important to clearly document how all
evidence, including compromised systems, has been preserved. Evidence should be collected according
to procedures that meet all applicable laws and regulations that have been developed from previous
discussions with legal staff and appropriate law enforcement agencies so that any evidence can be
admissible in court. In addition, evidence should be accounted for at all times; whenever evidence is
transferred from person to person, chain of custody forms should detail the transfer and include each
party's signature. A detailed log should be kept for all evidence, including the following:
- Identifying information (e.g., the location, serial number, model number, hostname, media access control (MAC) addresses, and IP addresses of a computer)
- Name, title, and phone number of each individual who collected or handled the evidence during the investigation
- Time and date (including time zone) of each occurrence of evidence handling
- Locations where the evidence was stored.
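The log fields above map naturally onto an append-only custody ledger. The following is an added example, not text or code from NIST SP 800-61: it records each handling event with a time-zone-aware timestamp, the handler's name, title and phone number, and the storage location, and it recomputes the SHA-256 hash of the acquired image at every transfer so that an alteration between custodians is detected rather than silently logged. The item identifiers, handler names and image bytes are constructed sample values.

```python
"""Chain-of-custody ledger for one evidence item (added example, not from
NIST SP 800-61). Assumed design: append-only event list; the hash taken at
collection is the reference every later transfer must match; naive
timestamps are rejected because the log must record the time zone."""
import hashlib
from dataclasses import dataclass, asdict
from datetime import datetime, timezone, timedelta
from typing import List, Optional


@dataclass
class Handler:
    """Name, title and phone number of a person who handled the evidence."""
    name: str
    title: str
    phone: str


@dataclass
class EvidenceItem:
    """Identifying information for the seized computer or media."""
    evidence_id: str
    location: str
    serial_number: str
    model_number: str
    hostname: str
    mac_addresses: List[str]
    ip_addresses: List[str]


@dataclass
class CustodyEvent:
    """One log row: action, when, who, who released it, where, hash seen."""
    action: str                  # "collected" or "transferred"
    timestamp: str               # ISO 8601 with explicit UTC offset
    handler: Handler
    released_by: Optional[str]   # previous custodian's name, if any
    storage_location: Optional[str]
    sha256: str


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _stamp(when: datetime) -> str:
    """Reject naive datetimes: the log must carry the time zone."""
    if when.tzinfo is None or when.utcoffset() is None:
        raise ValueError("timestamp must be time-zone aware")
    return when.isoformat()


class ChainOfCustody:
    def __init__(self, item: EvidenceItem):
        self.item = item
        self.events: List[CustodyEvent] = []

    def collect(self, image: bytes, handler: Handler, when: datetime,
                storage_location: str) -> CustodyEvent:
        """First entry; its hash is the reference for all later checks."""
        if self.events:
            raise ValueError("evidence already collected")
        ev = CustodyEvent("collected", _stamp(when), handler, None,
                          storage_location, sha256_hex(image))
        self.events.append(ev)
        return ev

    def transfer(self, image: bytes, to_handler: Handler, when: datetime,
                 storage_location: Optional[str] = None) -> CustodyEvent:
        """Hand over to a new custodian; refuse if the image hash changed."""
        if not self.events:
            raise ValueError("evidence has not been collected")
        digest = sha256_hex(image)
        if digest != self.events[0].sha256:
            raise ValueError("integrity check failed: image hash changed")
        prev = self.events[-1]
        ev = CustodyEvent("transferred", _stamp(when), to_handler,
                          prev.handler.name, storage_location, digest)
        self.events.append(ev)
        return ev

    def verify(self) -> bool:
        """Intact if every hash equals the collection hash and each transfer
        was released by the previous custodian."""
        if not self.events:
            return False
        ref = self.events[0].sha256
        return all(cur.sha256 == ref and cur.released_by == prev.handler.name
                   for prev, cur in zip(self.events, self.events[1:]))

    def current_custodian(self) -> str:
        return self.events[-1].handler.name

    def to_rows(self) -> List[dict]:
        return [asdict(e) for e in self.events]


# Constructed sample data; not from any real incident.
SAMPLE_IMAGE = b"constructed disk image bytes for the example"
SAMPLE_ITEM = EvidenceItem("EV-0001", "Server room B, rack 4", "SN-EXAMPLE-123",
                           "Model-X", "web01.example.internal",
                           ["00:11:22:33:44:55"], ["192.0.2.10"])
EST = timezone(timedelta(hours=-5))


def example_chain() -> ChainOfCustody:
    """Collect the image, then hand it to a forensic analyst."""
    coc = ChainOfCustody(SAMPLE_ITEM)
    coc.collect(SAMPLE_IMAGE, Handler("A. Responder", "Incident Handler", "+1-555-0100"),
                datetime(2024, 3, 1, 14, 30, tzinfo=EST), "Evidence locker 2")
    coc.transfer(SAMPLE_IMAGE, Handler("B. Analyst", "Forensic Analyst", "+1-555-0101"),
                 datetime(2024, 3, 1, 16, 0, tzinfo=EST), "Forensics lab safe")
    return coc


def tamper_is_rejected() -> bool:
    """A transfer presenting altered bytes must fail the hash check."""
    try:
        example_chain().transfer(SAMPLE_IMAGE + b"x",
                                 Handler("C. Other", "Examiner", "+1-555-0102"),
                                 datetime(2024, 3, 2, 9, 0, tzinfo=timezone.utc))
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    chain = example_chain()
    for row in chain.to_rows():
        print(row)
    print("chain intact:", chain.verify())
```

Keeping the reference hash from the collection event, rather than trusting the hash presented at each hand-off, is what lets `verify()` catch an image that was altered and then re-hashed by a later custodian. A signed paper form still accompanies the physical media; the ledger complements it by making the integrity check repeatable.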
Collecting evidence from computing resources presents some challenges. It is generally desirable to
acquire evidence from a system of interest as soon as one suspects that an incident may have occurred.
Many incidents cause a dynamic chain of events to occur; an initial system snapshot may do more good in
identifying the problem and its source than most other actions that can be taken at this stage. From an
evidentiary standpoint, it is much better to get a snapshot of the system as-is rather than doing so after
incident handlers, system administrators, and others have inadvertently altered the state of the machine
during the investigation. Users and system administrators should be made aware of the steps that they
should take to preserve evidence. See NIST SP 800-86, Guide to Integrating Forensic Techniques into
Incident Response, for additional information on preserving evidence.