CBK#9 Law, Investigations & Ethics - Page 3


Computer Crime Investigations
Incident response team:
Basic items -
- List of outside agencies and resources to contact or report to.
- List of computer forensics experts to contact.
- Steps on how to secure and preserve evidence.
- Steps on how to search for evidence.
- List of items that should be included on the report.
- A list that indicates how the different systems should be treated in this type of situation.

Computer Forensics:
Forensics investigation -
1st step: Make a sound image of the attacked system and perform forensic analysis on this copy. This will ensure that the evidence stays unharmed on the original system in case some steps in the investigation actually corrupt or destroy data. Also the memory of the system should be dumped to a file before doing any work on the system or powering it down.
2nd step / Chain of custody: Must follow a very strict and organized procedure when collecting and tagging evidence.
Dictates that all evidence be labeled with information indicating who secured and validated it.
The chain of custody is a history that shows how evidence was collected, analyzed, transported and preserved in order to be presented as evidence in court. Because electronic evidence can be easily modified, a clearly defined chain of custody demonstrates that the evidence is trustworthy.

The life cycle of evidence:
Includes the following:
- Collection and identification
- Storage, preservation and transportation.
- Presentation in court
- Being returned to victim or owner.

Evidence:
Best evidence - Is the primary evidence used in a trial because it provides the most reliability. Is used for documentary evidence such as contracts.
Secondary evidence - Is not viewed as reliable and strong in proving innocence or guilt when compared to best evidence.
Direct evidence - Can prove a fact all by itself instead of needing backup information to refer to.
Conclusive evidence - Is irrefutable and cannot be contradicted.
Circumstantial evidence - Can prove an intermediate fact that can then be used to deduce or assume the existence of another fact.
Corroborative evidence - Is supporting evidence used to help prove an idea or point. It cannot stand on its own, but is used as a supplementary tool to help prove a primary piece of evidence.
Opinion evidence - When a witness testifies, the opinion rule dictates that she must testify to only the facts of the issue and not her opinion of the facts.
Hearsay evidence - Pertains to oral or written evidence that is presented in court that is secondhand and that has no firsthand proof of accuracy or reliability.



Contact:

E-mail: john.wallhoff@mailbox.swipnet.se
Written by: J.Wallhoff January - April 2002
Updated by: J.Wallhoff April 2002