Scene of the Cybercrime by Debra Littlejohn Shinder and Michael Cross. Here's an excerpt:
"Most organizations and experts involved in computer forensics agree on some basic standards regarding the handling of digital evidence, which can be summarized as follows:
- The original evidence should be preserved in a state as close as possible to the state it was in when found.
- If at all possible, an exact copy (image) of the original should be made to be used for examination so as not to damage the integrity of the original.
- Copies of data made for examination should be made on media that is forensically sterile—that is, there must be no preexisting data on the disk or other media; it should be completely “clean” and checked for freedom from viruses and defects.
- All evidence should be properly tagged and documented and the chain of custody preserved, and each step of the forensic examination should be documented in detail.
"Before we move into a discussion of digital forensic principles, it is important that we understand the difference between principles and procedures (methodologies). The Merriam-Webster online dictionary defines a principle as “a comprehensive and fundamental law, doctrine, assumption or rule” and a procedure as “a particular way of accomplishing something or of acting.” The difference between the two terms can appear to be minimal, but it is important: A principle is a fundamental truth that governs a specific endeavor; in contrast, a procedure is a method of accomplishing something."
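The first three standards above (preserve the original, examine only an exact image, write that image to sterile media, and document each step) can be checked mechanically. Below is an added illustration, not code from the book or its authors: the "evidence" and the "media" are constructed in-memory byte buffers standing in for a drive and a wiped destination, and the hash comparison is what an examiner would record in the custody log.

```python
import hashlib
import datetime as dt

# Constructed sample "original evidence" (not from the book): a small byte string
# standing in for a drive the examiner must never alter.
ORIGINAL_EVIDENCE = b"BOOT\x00\x01" + b"user-data: invoice.docx\n" * 4

# Constructed destination media: a zero-filled buffer standing in for a wiped drive.
STERILE_MEDIA = bytearray(len(ORIGINAL_EVIDENCE))


def sha256_hex(data: bytes) -> str:
    """Hash value recorded for the original and for every copy made of it."""
    return hashlib.sha256(data).hexdigest()


def is_sterile(media: bytes) -> bool:
    """Destination must carry no preexisting data: every byte must be zero."""
    return not any(media)


def acquire_image(original: bytes, media: bytearray, log: list) -> str:
    """Copy the original onto sterile media, hash both, append custody entries.

    Raises if the media is not sterile, too small, or the image hash differs
    from the original, so the examiner never works from an unverified copy.
    """
    if not is_sterile(media):
        raise ValueError("destination media is not forensically sterile")
    if len(media) < len(original):
        raise ValueError("destination media is smaller than the original")
    before = sha256_hex(original)              # hashed before anything is written
    media[:len(original)] = original           # bit-for-bit copy (stand-in for dd)
    after = sha256_hex(bytes(media[:len(original)]))
    if after != before:
        raise ValueError("image hash does not match original")
    stamp = dt.datetime.now(dt.timezone.utc).isoformat()
    log.append({"time": stamp, "action": "hash original", "sha256": before})
    log.append({"time": stamp, "action": "image to sterile media", "sha256": after})
    return after


def verify_image(original: bytes, image: bytes) -> bool:
    """Re-check at any later step that the working copy still matches the original."""
    return sha256_hex(original) == sha256_hex(image)
```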