Forensic v’s Tactical – Acpo Guidelines Computer Evidence
A key consideration for any organisation responding to an incident will be the decision about whether to take a forensically sound approach to data acquisition and interrogation. The purpose of forensics is to gain legally permissive evidence from computers and digital storage media. Organisations should therefore take the decision at an early stage whether they may wish to take the case to court or involve law enforcement. Should this be the case organisations should use an approach that meets the evidential handling requirements of the local legal jurisdiction of the incident. In the UK the foundations for this approach have been well documented by the Association of Chief Police Officers (ACPO). More information can be found on their website:
http://www.acpo.police.uk/documents/crime/2011/201110-cba-digital-evidence-v5.pdf
Taking a forensically sound approach can limit the options available to you in responding to an incident. If your organisation only needs to understand the facts around an incident and has no requirement to involve law enforcement, a more tactical approach can be taken.
Taking a tactical approach broadens the tools and overall options available as part of an incident response. It will enable your organisation to gain a rapid understanding of the size and complexity of the event.