Nigel Phair, in the CSO Magazine Australia Opinion column (2006), wrote the following guidelines. I do believe they still apply 3 years later:
- Identify and gather relevant pieces of information which may assist police in an investigation. This includes network layout diagram, details of user accounts, details of system backups and information relating to operating systems and software used.
- Anyone involved in the incident response process may be required to provide statements to investigators and may also be required to give evidence in court.
- Those involved in the incident response should take detailed notes of any actions they have undertaken in responding to the incident; and
- Those involved in the incident response process should ensure the continuity of any evidence is maintained, including the labelling of where and when evidence was obtained.