Guidelines for Evidence Collection and Archiving

Taken from the RFC 3227 Network Working Group and amended as required for applicability to eDiscovery.

This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements.

The collection of data, which can be simply defined as the acquisition of potentially relevant electronically stored information (ESI), represents an important part of audition, investigation, and litigation processes.  The purpose of this information is to provide Legal and IT professionals with considerations for the collection of ESI based evidence.  This information is not intended to be a rigidly followed guideline for each and every process involving the collection of ESI, but is designed to provide consideration and guidance in collection activities.

Collections represents a considerable effort on the part of the Legal Forensics Experts and IT System Administrators. Great progress has been made in recent years to speed up the re-installation of the Operating System and to facilitate the reversion of a system to a ‘known’ state, thus making the ‘easy option’ even more attractive. Meanwhile little has been done to provide easy ways of collecting and archiving evidence. Further, increasing disk and memory capacities and the more widespread use of stealth and cover-your-tracks tactics by policy, regulation, and law violators, have exacerbated the problem.

If evidence collection is done correctly, it is much more useful in apprehending violators, and stands a much greater chance of being admissible in the event of prosecution. These guidelines may help serve as a basis for formulating evidence collection procedures, and should incorporate an organization’s procedures into it’s Incident Handling documentation. The guidelines may not be appropriate under all jurisdictions and once evidence collection procedures have been established, organization’s should have the proper law enforcement officials for their jurisdiction(s) confirm that the evidence collection procedures are adequate.

For the complete article on iPaper, click here.

Full Copyright Statement Copyright (C) The Internet Society (2002). All Rights Reserved.

This document and translations of it may be copied and furnished to others, and derivative works that comment on or otherwise explain it or assist in its implementation may be prepared, copied, published and distributed, in whole or in part, without restriction of any kind, provided that the above copyright notice and this paragraph are included on all such copies and derivative works. However, this document itself may not be modified in any way, such as by removing the copyright notice or references to the Internet Society or other Internet organizations, except as needed for the purpose of developing Internet standards in which case the procedures for copyrights defined in the Internet Standards process must be followed, or as required to translate it into languages other than English. The limited permissions granted above are perpetual and will not be revoked by the Internet Society or its successors or assigns. This document and the information contained herein is provided on an “AS IS” basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Acknowledgement Funding for the RFC Editor function is currently provided by the Internet Society.