Investigating and taking control of a computer incident scene in a corporate environment is generally easier than in a criminal case: the scene is usually a workplace, the organization keeps inventories of its computer hardware and software that can be consulted, and the investigator can choose tools suited to analyzing a policy violation, if one has occurred.
Many companies state their policy outright, display a warning banner, or do both, to make clear that the company reserves the right to inspect its computing assets at any time. The company should also define when an investigation may be started, so corporate investigators know under what circumstances they may examine an employee's computer. If the investigation finds evidence of wrongdoing by the employee, the company can then file a criminal complaint.
Documenting all evidence in the lab is also essential. This means recording the investigator's activities and findings as the work proceeds, typically by keeping a journal of every step taken while processing the evidence.
The objective is reproducibility: the lead investigator, or anyone else who repeats the documented steps, should obtain the same results. The journal is the reference that records every method used to process the evidence.
Preserve the data in any running applications as safely as possible: record all active windows and shell sessions, and photograph the scene.
Make notes of everything done, including when copying data from the suspect's live computer. Save open files to external storage such as a hard drive or a network share (if saving under the existing name causes problems, save under a new title), then close the applications and shut down the computer.
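The journal and live-data save described above, shown as an added example that is not part of the original text: a small Python evidence journal that records each step with a UTC timestamp, the investigator's name and SHA-256 hashes of anything copied off the suspect machine, saves under a new title when the destination name is already taken, and lets a second investigator who repeats the steps confirm that the same hashes result. The class and function names (EvidenceJournal, hashes_match, demo) and the sample files are constructed here for illustration and are not taken from any real case or tool.

```python
"""Evidence journal for a live-data save (illustrative code, not from the original text)."""
import hashlib
import json
import shutil
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large evidence files do not have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


class EvidenceJournal:
    """Append-only record of each step: who, when, what was done, what hash resulted."""

    def __init__(self, investigator: str):
        self.investigator = investigator
        self.entries = []

    def note(self, action: str, **details) -> dict:
        """Record one action; every entry carries a timestamp and the investigator's name."""
        entry = {
            "time": datetime.now(timezone.utc).isoformat(),
            "investigator": self.investigator,
            "action": action,
            **details,
        }
        self.entries.append(entry)
        return entry

    def save_open_file(self, src: Path, dest_dir: Path) -> dict:
        """Copy a file the suspect had open to the external store and journal it.

        The source is hashed before the copy and the copy is hashed afterwards, so
        the entry proves the saved file is identical. If the name already exists in
        the store, the file is saved under a new title rather than overwriting.
        """
        dest_dir.mkdir(parents=True, exist_ok=True)
        dest = dest_dir / src.name
        n = 1
        while dest.exists():
            dest = dest_dir / f"{src.stem}_copy{n}{src.suffix}"
            n += 1
        before = sha256_of(src)
        shutil.copy2(src, dest)  # copy2 preserves timestamps on the copy
        after = sha256_of(dest)
        return self.note(
            "save_open_file",
            source=str(src),
            saved_as=str(dest),
            sha256_source=before,
            sha256_copy=after,
            verified=(before == after),
        )

    def dump(self, path: Path) -> None:
        """Write the journal as JSON so it can be attached to the case file."""
        path.write_text(json.dumps(self.entries, indent=2))


def hashes_match(journal_a: EvidenceJournal, journal_b: EvidenceJournal) -> bool:
    """Reproducibility check: two investigators who processed the same evidence in the
    same order should have recorded the same source hashes for the same actions."""
    a = [(e["action"], e["sha256_source"]) for e in journal_a.entries if "sha256_source" in e]
    b = [(e["action"], e["sha256_source"]) for e in journal_b.entries if "sha256_source" in e]
    return a == b


def demo():
    """Two investigators repeat the same live-data save on a constructed suspect file."""
    work = Path(tempfile.mkdtemp())
    suspect = work / "suspect"
    suspect.mkdir()
    # Constructed sample: an open document on the suspect's machine.
    (suspect / "notes.txt").write_bytes(b"constructed sample: open document on suspect machine\n")
    store = work / "external_store"

    j1 = EvidenceJournal("investigator A")
    j1.note("photograph_scene", detail="desk, monitor and active windows photographed")
    j1.save_open_file(suspect / "notes.txt", store)          # saved as notes.txt

    j2 = EvidenceJournal("investigator B")
    j2.note("photograph_scene", detail="repeat of documented step")
    j2.save_open_file(suspect / "notes.txt", store)          # name taken: saved as notes_copy1.txt

    j1.dump(work / "journal_A.json")
    j2.dump(work / "journal_B.json")
    return j1, j2, work


if __name__ == "__main__":
    a, b, where = demo()
    print("journals written to", where, "- same source hashes:", hashes_match(a, b))
```

Hashing the source before the copy and the copy afterwards is what turns the journal from a narrative into evidence that can be rechecked later; the collision-safe naming keeps an earlier copy from being silently overwritten by a repeated step.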
If evidence of a crime is discovered during the investigation, management must be informed. Check that the incident meets the elements of the relevant criminal law, work with the corporate attorney, and make sure that no constitutional or other legal protections are violated at any point in the procedure.
Preparing for a computer seizure or search is one of the most important steps in a computing investigation.
Determining where the evidence is located and what type of case it is are both crucial, because together they determine whether the computers can be removed.
If removing the computers would harm the company, it should not be done. Problems may also arise if files are hidden, encrypted, or stored offsite. If the computers cannot be taken away for examination, the investigator must determine the resources needed to acquire the digital evidence on site and the tools that will make data acquisition faster.