Skip to the main content.

1 min read

The Third Step to Forensic Readiness: Evidence Collection Requirements

Featured Image

Finalizing the first two steps of the forensic readiness plan brings you to a position where it is possible to decide which types and sources of evidence collection (Step 2) can help you in dealing with business risk situations (Step 1). 

So far, you have done a lot of work already. Now, when you have defined the business risk situations and types and sources of digital evidence in your organization you are coming to the thirds step of the forensic readiness plan where you have to define evidence collection requirements.

What is the purpose of this stage?

Mainly to produce a policy where you will define evidence collection requirements so when a business risk situation comes along, the teams responsible for managing the business risk and for security information systems can work and communicate based on defined guidelines.


DFIR Guide

Download our DFIR Guide and learn more how you can elevate your incident response processes.


Cost-benefit analysis

A critical part of this stage is to complete a cost-benefit analysis that will help you in defining an evidence collection guideline that will contain steps referring to evidence collection processes that will be deployed without interfering with any business processes, legal frameworks, and budget.

According to IJDE here is a list of critical questions for successful cost-benefit evidence collection:

  • Can evidence be gathered without interfering with business processes? 

  • Can an investigation proceed at a cost in proportion to the incident? 

  • Can an investigation minimize interruption to the business? 

  • Can the evidence make an impact on the likely success of any formal action? 

  • Can the evidence be gathered legally without infringing employee rights?

On top of that, the financial cost has to be taken into consideration in terms of monitoring costs, tools needed for evidence collection, investigation planning and organization, external resources, and if needed legal review. If planned strategically and in advance, investigation costs can be reduced. 

So far, you have defined potential risks and vulnerabilities in your business processes and you have identified all types and sources of digital evidence across your organization. Now you can define the requirements needed for collecting identified digital evidence.

In the next step, we will cover secure evidence collection processes. To learn about the first two steps to forensic readiness, you can check our blog.