T8.2.9 - COLLECTION OF EVIDENCE Implementation Guidance
The entity shall identify, collect, and preserve the information, which can serve as evidence.
Back to T8.2.9 - P4 - COLLECTION OF EVIDENCE
Internal procedures should be developed and followed when dealing with evidence for the purposes of disciplinary and legal action.
Identification is the process involving the search for, recognition and documentation of potential evidence. Collection is the process of gathering the physical items that can contain potential evidence. Acquisition is the process of creating a copy of data within a defined set. Preservation is the process to maintain and safeguard the integrity and original condition of the potential evidence.
In general, the procedures for evidence should provide processes of identification, collection, acquisition and preservation in accordance with different types of media, devices and status of devices, e.g., powered on or off. The procedures should take account of:
- A. Chain of custody
- B. Safety of evidence
- C. Safety of the personnel
- D. Roles and responsibilities of personnel involved
- E. Competency of the personnel
- F. Documentation
- G. Briefing
Where available, certification or other relevant means of qualification of personnel and tools should be sought, so as to strengthen the value of the preserved evidence.
Forensic evidence may transcend organizational or jurisdictional boundaries. In such cases, it should be ensured that the entity is entitled to collect the required information as forensic evidence. The requirements of different jurisdictions should also be considered to maximize chances of admission across the relevant jurisdictions.
