is corrective control ○ The Incident scene is the environment where potential evidence may exists ▪

Identity the scene ▪ Protect the environment ▪ Identify evidence and potential source of evidence ▪
Collect evidence ▪ Minimize the degree of contamination ○ The principle of criminalistics apply in both
case: ▪ Its challenge to collect the Live Evidence. Data that is dynamic and exists in processes that
disappear in a relatively short time frame once the system is powered down, stored in RAM, exists in the
running processes. Data might be lost when you power off the system. ▪ ○ Live Evidence ▪ When a crime
is committed, the perpetrators leave something behind and take something with them. ○ Locard’s
Exchange Principle during incident/investigations. ▪ All general Forensic and procedural principles must
be applied ▪ Seizing digital evidence must not alter the evidence ▪ Any person accessing original digital
evidence must be trained. All activity relating to seizure , access , storage , or transfer of digital evidence
must be fully documented, preserved and available for review. ▪ ▪ While an individual is in possession of
digital evidence , he or she is responsible for all actions Any agency responsible for seizing , accessing ,
storing or transferring digital evidence is responsible for compliance with these principle. ▪ ○ General
Guidelines • The Incident Scene • Electronic Discovery Reference Model ( EDRM ) EXAM IMP ❖ U