ABSTRACT

This chapter reviews the steps an organization can and should take once it learns that its data has been successfully attacked. Because of the emergence of computers in our everyday lives, a thorough approach to digital forensics has surfaced as the de facto guideline. Identifying evidence is without a doubt the most difficult part of the entire process. This is especially true if the suspect being investigated is computer-savvy and has taken specific steps to hide, delete, or otherwise obfuscate evidence. The data recovered from a computer used in facilitating a crime is considered evidence, and therefore the chain of custody for each bit of information gathered during the investigation must be properly documented. Relying on experience, ingenuity, and a growing arsenal of forensic tools, the digital investigator can often be the linchpin in a solid case against a criminal.