This snapshot, taken on 26/07/2008, shows web content selected for preservation by The National Archives. External links, forms and search boxes may not work in archived websites.

Forensics

If you suffer an information security incident, you should ensure you have the ability to identify who did what and when they did it.

This issue becomes complex if there is potential legal action pending, or a need to involve the police.

Computer data is extremely volatile: logs are overwritten, timestamps change when a file is merely opened, and the contents of memory are lost when a machine is powered off. This makes it difficult to preserve in a way that meets the normal criteria for court evidence.

Preserving it to that standard requires a combination of IT tools, investigation techniques and legal understanding. Evidence may be required for a number of issues such as:

  • E-mail abuse
  • Fraud
  • Infringement of intellectual property rights
  • Computer misuse

All data and facts are potential evidence and have to be painstakingly recorded, with their integrity demonstrable: who collected each item, when and how, and that it has not changed since (the chain of custody). The approach should be closely linked to the law enforcement concept of the 'crime scene' and should consider many factors such as:

  • Paper-based evidence and notes
  • Hardware geometry and configuration
  • System usage patterns
  • CCTV footage
  • Proximity logs
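The two practical points above, that data changes simply by being handled and that every item must be recorded with its integrity maintained, are usually addressed by hashing each item at the moment of acquisition and re-checking that hash at every later custody step. The following is an added example, not part of the original page or of any particular forensic tool: it captures file metadata before the file is opened (so that the read itself does not alter what is recorded), stores a SHA-256 hash and a custody log in a JSON manifest, and shows the check failing once a single byte of the evidence is altered. The file name, examiner names and the evidence contents are constructed for the illustration.

```python
"""Hash-at-acquisition and chain-of-custody logging for a seized file.

Added example. The evidence file and examiner names below are constructed
for illustration; they are not real case data.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone


def sha256_file(path: str, chunk_size: int = 1 << 20) -> str:
    """Hash a file in chunks so a large disk image need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def record_acquisition(evidence_path: str, manifest_path: str,
                       examiner: str, note: str) -> dict:
    """Capture metadata and a hash at seizure time and start the custody log.

    os.stat() is called before the file is opened for hashing: on many
    filesystems the first read updates the access time, so timestamps must
    be captured before anything touches the file.
    """
    st = os.stat(evidence_path)
    entry = {
        "evidence": os.path.basename(evidence_path),
        "size": st.st_size,
        "mtime_utc": datetime.fromtimestamp(st.st_mtime, timezone.utc).isoformat(),
        "sha256": sha256_file(evidence_path),
        "custody": [{
            "action": "acquired",
            "by": examiner,
            "at_utc": datetime.now(timezone.utc).isoformat(),
            "note": note,
        }],
    }
    with open(manifest_path, "w", encoding="utf-8") as fh:
        json.dump(entry, fh, indent=2)
    return entry


def verify_and_log(evidence_path: str, manifest_path: str,
                   examiner: str, action: str) -> bool:
    """Re-hash the evidence, append the result to the custody log, and report
    whether it still matches the hash taken at acquisition."""
    with open(manifest_path, encoding="utf-8") as fh:
        entry = json.load(fh)
    observed = sha256_file(evidence_path)
    intact = observed == entry["sha256"]
    entry["custody"].append({
        "action": action,
        "by": examiner,
        "at_utc": datetime.now(timezone.utc).isoformat(),
        "sha256_observed": observed,
        "intact": intact,
    })
    with open(manifest_path, "w", encoding="utf-8") as fh:
        json.dump(entry, fh, indent=2)
    return intact


def demo() -> tuple:
    """Run the procedure on a constructed evidence file in a temp directory."""
    with tempfile.TemporaryDirectory() as work:
        evidence = os.path.join(work, "mailbox_export.bin")
        manifest = os.path.join(work, "mailbox_export.manifest.json")
        with open(evidence, "wb") as fh:
            # Constructed sample content standing in for a seized mailbox export.
            fh.write(b"From: alice@example.invalid\nSubject: invoice\n" * 1000)
        record_acquisition(evidence, manifest, "examiner-1", "seized from workstation")
        first_check = verify_and_log(evidence, manifest, "examiner-2", "transferred to lab")
        # Simulate someone altering the file after seizure: a single byte changes.
        with open(evidence, "r+b") as fh:
            fh.seek(10)
            fh.write(b"X")
        second_check = verify_and_log(evidence, manifest, "examiner-2", "opened for analysis")
        return first_check, second_check


if __name__ == "__main__":
    print(demo())  # (True, False)
```

In practice the manifest would be written to separate, write-once storage and the examiner would work from a verified copy rather than the original; the point the example makes is that without a hash recorded at acquisition there is no way to show later that the item is what was seized.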

As the issue is so complex, and the occurrence of incidents infrequent, it is unlikely that many organisations will have either the need or capacity for forensic skills full time. However, wherever possible you should at least consider how to prepare for an investigation