Forensic Investigation Procedures


New Member
Oct 25, 2006
Does anyone have any rules of engagment for starting a forensic investigation? Who do you notify, how do you notify them, etc?

Or a proper procedure template they can guide me with.



New Member
Sep 11, 2006
There are a variety of guidelines and (ewww) "Best Practices" guides. Be wary of using vendor based guides. The Secret Service has a method, there is always ACPO, and a variety of other guides. It would be very hard without knowing your industry and need to make a suggestion on waht would work best for you.


New Member
Nov 8, 2006
I believe that if you want to get in to this field you first need to invest in some classes that will help you do this. Remember if you go in because you did not know something that will be no excuse for the mishandling of evidence and then you will never work in the industry again. Be safe and get educated. the education will also help you get the gigs.

Good luck

Eric Lakes –
Certified Computer Examiner,
[Edited: No ad links in posts please]


New Member
Nov 30, 2006
Additionally, search the web for Incident Response and Incident Handling procedures first. Most cases have there origins in IR. That is unless you are working with/for LE or counsel.
Plus, always check with local counsel (corporate/company) first. Some IT managers like to jump into the pot without checking the water first -- "It's my network and computer's blah, blah, blah...".

An improperly performed investigation can destroy all the evidence. For example, a linux administrator thinks the system was infected by an unauthorized program. So he search's the complete system for an exe file = find / -name "*.exe" -print. This single command changes the access timestamp on every file in the system and it will not provide any useful information. This did not destroy all your evidence but you will have a hard time trying to identify when the program was used.

Training is a must -- so is legal advice.

About us

  • Our community began in 2004. Since this time, we have grown to have over 29,000+ members within the DFIR & Cyber Security community.

    We are happy to announce that this forum is now under new ownership with the goal to once again become the main Digital Forensics Forum on the internet for DFIR, OSINT and Cyber Security.

    If you can think of ways to help us improve, please let us know.

    We pride ourselves on offering unbiased, critical discussion among people of all different backgrounds.

    We are working every day to make sure our community is one of the best.

Quick Navigation

User Menu