You’ve Been Attacked – What Should You Do?
The basic essentials:
1. Acquire evidence without altering or damaging the original data
2. Authenticate that recovered evidence is the same as seized data
3. Analyze the data without modifying it
– Computer Forensics: Incident Response Essentials (Kruse & Heiser, 2002)
So, where do you begin when you think you may have been hacked?

First, follow these three principles to maintain the integrity of the evidence you collect:
1. Acquire the evidence without altering or damaging the original.
2. Authenticate that your recovered evidence is the same as the originally seized data.
3. Analyze the data without modifying it.
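
The three principles can be checked mechanically with a cryptographic hash. The sketch below is an added example, not taken from the book: it assumes SHA-256 as the authentication method (the page does not name one), and the file names and evidence bytes are constructed.

```python
import hashlib
import os
import shutil
import stat
import tempfile

CHUNK = 1024 * 1024  # read in 1 MiB blocks so large images are not loaded whole


def sha256_file(path):
    """Hash a file opened read-only; the file itself is never written."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            digest.update(block)
    return digest.hexdigest()


def acquire(source, dest):
    """Principle 1: copy the source without ever opening it for writing."""
    # "xb" refuses to overwrite a file that already exists at dest
    with open(source, "rb") as src, open(dest, "xb") as dst:
        shutil.copyfileobj(src, dst, CHUNK)
    os.chmod(dest, stat.S_IRUSR)  # working copy is read-only from now on
    return sha256_file(dest)  # hash of what actually landed on disk


def authenticate(path, expected_hash):
    """Principles 2 and 3: the data still matches the recorded hash."""
    return sha256_file(path) == expected_hash


def demo():
    workdir = tempfile.mkdtemp()
    original = os.path.join(workdir, "seized.img")  # constructed stand-in
    with open(original, "wb") as f:
        f.write(b"constructed sample evidence\n" * 1000)
    baseline = sha256_file(original)  # recorded at seizure time
    copy = os.path.join(workdir, "working_copy.img")
    results = {"copy_matches": acquire(original, copy) == baseline,
               "original_unchanged": authenticate(original, baseline)}
    os.chmod(copy, stat.S_IRUSR | stat.S_IWUSR)  # simulate a careless edit
    with open(copy, "r+b") as f:
        f.write(b"X")
    results["tamper_detected"] = not authenticate(copy, baseline)
    shutil.rmtree(workdir)
    return results
```

Re-running `authenticate` on the working copy after each analysis step shows whether a tool modified the data it was only supposed to read.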