employees sign an agreement that provides consent to search and seize any necessary evidence dur- ing an investigation. In this manner, consent is provided as a term of the employment agreement. This makes confiscation much easier and reduces the chances of a loss of evidence while waiting for legal permission to seize it. Make sure your security policy addresses this important topic. Incident Data Integrity and Retention No matter how persuasive evidence may be, it can be thrown out of court if you change it during the evidence collection process. Make sure you can prove that you maintained the integrity of all evidence. Chapter 17, “Law and Investigations,” includes more information on evidence rules. But what about the integrity of data before it is collected? You may not detect all incidents as they are happening. Sometimes an investigation reveals that there were previous incidents that went undetected. It is discouraging to follow a trail of evidence and find that a key log file that could point back to an attacker has been purged. Carefully con- sider the fate of log files or other possible evidence locations. A simple archiving policy can help ensure that key evidence is available upon demand no matter how long ago the incident occurred. Because many log files can contain valuable evidence, attackers often attempt to sanitize them after a successful attack. Take steps to protect the integrity of log files and to deter their modification. One technique is to implement remote logging. Although not a perfect solution, it does provide some protection from post-incident log file cleansing. Another important forensic technique is to preserve the original evidence. Remember that the very conduct of your investigation may alter the evidence you are evaluating. Therefore, it’s always best to work with a copy of the actual evidence whenever possible. For example, when conducting an investigation into the contents of a hard drive, make an image of that drive, seal the original drive in an evidence bag, and then use the disk image for your investigation. As with every aspect of security planning, there is no single solution. Get familiar with your system and take the steps that make the most sense for your organization to protect it. Reporting Incidents When should you report an incident? To whom should you report it? These questions are often difficult to answer. Your security policy should contain guidelines on answering both questions. There is a fundamental problem with reporting incidents. If you report every incident, you run the very real risk of being viewed as a noisemaker. When you have a serious incident, you may be ignored. Also, reporting an unimportant incident could give the impression that your orga- nization is more vulnerable than is the case. This can have a serious detrimental effect for orga- nizations that must maintain strict security. For example, hearing about daily incidents from your bank would probably not instill additional confidence in their security practices. On the other hand, escalation and legal action become more difficult if you do not report an inci- dent soon after discovery. If you delay notifying authorities of a serious incident, you will probably have to answer questions about your motivation for delaying. Even an innocent person could look as if they were trying to hide something by not reporting an incident in a timely manner. As with most security topics, the answer is not an easy one. In fact, you are compelled by law or regulation to report some incidents. If your organization is regulated by a government